
Privacy watchdog: Some things just aren't personal

Orgs get top tips on coughing complaint files


Organisations do not have to issue all the information stored in complaint files in order to comply with individuals' personal data access requests, the UK's data protection watchdog has said.

Under the Data Protection Act (DPA) individuals have the right to access all personal data organisations store about them, but generally have no rights to access information held about others. The Information Commissioner's Office (ICO) said that, following a 'subject access request' from an individual, organisations only have to issue the information that relates to that individual and allows them to be identified.

"For information to be personal data it must relate to an individual and allow an individual to be identified from it – not all the information in a file will do this," the ICO said in its guidance (23-page / 472KB PDF).

"However, the context in which information is held, and the way it is used, can have a bearing on whether it relates to an individual and therefore on whether it can be the individual’s personal data. Even if information is used to inform a decision about someone, this does not necessarily mean that the information is personal data," the ICO said.

"Some information in a complaint file will never be personal data, regardless of the context it is held in and the way it is used – even if it is used in a way that affects an individual," it said.

The ICO said that examples of information that may not need to be disclosed to comply with a subject access request include details of policy discussions, such as disciplinary procedures.

The ICO's guidance included advice on how organisations can determine whether opinions stated in complaints files qualify as personal data, and said that organisations should be aware that complaints files may hold personal data about more than one person.

The ICO's guidance also advised organisations on how to consider the disclosure of personal data under UK freedom of information (FOI) laws. The Freedom of Information Act (FOIA) and the Freedom of Information (Scotland) Act came into full force on 1 January 2005, giving individuals the right for the first time to see information held by government departments and public bodies, subject to some exceptions.

Under the FOI laws public organisations are generally exempt from disclosing third party personal information, but organisations are still obliged to conduct a 'public interest test' to determine whether it is right for information to be disclosed, the ICO has previously said.

"Third party personal data cannot be disclosed if it would be unfair to do so," the ICO said in its guidance.

"Fairness in the DPA is particularly about fairness to any person the personal data were obtained from – ie, it is primarily about fairness to the data subject.

"However, other factors, such as a person’s seniority, role and the legitimate interests of the public in the disclosure of the personal data must also be taken into account when assessing fairness. In general, it is more likely to be fair to disclose information about an employee acting in a professional capacity than about a private citizen," the ICO's complaints guidance said.

Organisations should maintain records of information with appropriate filing systems in order to comply with requests under the DPA or FOI laws, the ICO said.

"If organisations have good information management procedures in place, this will make it easier for them to deal with either DPA or FOIA access requests," the ICO guidance said.

"For example, reliable indexes, contents pages, descriptions of documents and metadata can make it easier for those dealing with requests to locate personal data, decide whose personal data it is and to make a decision about its disclosure. It may be possible to establish a routine where the same sorts of requests are made to the same sorts of file," it said.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.
