Feeds

Privacy watchdog: Some things just aren't personal

Orgs get top tips on coughing complaint files

Secure remote control for conventional and virtual desktops

Organisations do not have to issue all the information stored in complaint files in order to comply with individuals' personal data access requests, the UK's data protection watchdog has said.

Under the Data Protection Act (DPA) individuals have the right to access all personal data organisations store about them, but generally have no rights to access information held about others. The Information Commissioner's Office (ICO) said organisations only have to issue the information that relates to an individual which allows them to be identified following a 'subject access request' from that individual.

"For information to be personal data it must relate to an individual and allow an individual to be identified from it – not all the information in a file will do this," the ICO said in its guidance (23-page / 472KB PDF).

"However, the context in which information is held, and the way it is used, can have a bearing on whether it relates to an individual and therefore on whether it can be the individual’s personal data. Even if information is used to inform a decision about someone, this does not necessarily mean that the information is personal data," the ICO said.

"Some information in a complaint file will never be personal data, regardless of the context it is held in and the way it is used – even if it is used in a way that affects an individual," it said.

The ICO said that examples of information that may not need to be disclosed to comply with a subject access request include details of policy discussions, such as disciplinary procedures.

The ICO's guidance included advice on how organisations can determine whether opinions stated in complaints files qualify as personal data and said that organisations should be aware that information held in complaints files may hold personal data about more than one person.

The ICO's guidance also advised organisations over how to consider the disclosure of personal data under UK freedom of information (FOI) laws. The Freedom of Information Act (FOIA) and the Freedom of Information (Scotland) Act came into full force on 1 January 2005, giving individuals the right for the first time to see information held by government departments and public bodies, subject to some exceptions.

Under the FOI laws public organisations are generally exempt from disclosing third party personal information, but organisations are still obliged to conduct a 'public interest test' to determine whether it is right for information to be disclosed, the ICO has previously said.

"Third party personal data cannot be disclosed if it would be unfair to do so," the ICO said in its guidance.

"Fairness in the DPA is particularly about fairness to any person the personal data were obtained from – ie, it is primarily about fairness to the data subject.

"However, other factors, such as a person’s seniority, role and the legitimate interests of the public in the disclosure of the personal data must also be taken into account when assessing fairness. In general, it is more likely to be fair to disclose information about an employee acting in a professional capacity than about a private citizen," the ICO's complaints guidance said.

Organisations should maintain records of information with appropriate filing systems in order to comply with requests under the DPA or FOI laws, the ICO said.

"If organisations have good information management procedures in place, this will make it easier for them to deal with either DPA or FOIA access requests," the ICO guidance said.

"For example, reliable indexes, contents pages, descriptions of documents and metadata can make it easier for those dealing with requests to locate personal data, decide whose personal data it is and to make a decision about its disclosure. It may be possible to establish a routine where the same sorts of requests are made to the same sorts of file," it said.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Intelligent flash storage arrays

More from The Register

next story
Scrapping the Human Rights Act: What about privacy and freedom of expression?
Justice minister's attack to destroy ability to challenge state
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
Hey Brit taxpayers. You just spent £4m on Central London ‘innovation playground’
Catapult me a Mojito, I feel an Digital Innovation coming on
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
EU probes Google’s Android omerta again: Talk now, or else
Spill those Android secrets, or we’ll fine you
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.