Feeds

Privacy watchdog: Some things just aren't personal

Orgs get top tips on coughing complaint files

Seven Steps to Software Security

Organisations do not have to issue all the information stored in complaint files in order to comply with individuals' personal data access requests, the UK's data protection watchdog has said.

Under the Data Protection Act (DPA) individuals have the right to access all personal data organisations store about them, but generally have no rights to access information held about others. The Information Commissioner's Office (ICO) said organisations only have to issue the information that relates to an individual which allows them to be identified following a 'subject access request' from that individual.

"For information to be personal data it must relate to an individual and allow an individual to be identified from it – not all the information in a file will do this," the ICO said in its guidance (23-page / 472KB PDF).

"However, the context in which information is held, and the way it is used, can have a bearing on whether it relates to an individual and therefore on whether it can be the individual’s personal data. Even if information is used to inform a decision about someone, this does not necessarily mean that the information is personal data," the ICO said.

"Some information in a complaint file will never be personal data, regardless of the context it is held in and the way it is used – even if it is used in a way that affects an individual," it said.

The ICO said that examples of information that may not need to be disclosed to comply with a subject access request include details of policy discussions, such as disciplinary procedures.

The ICO's guidance included advice on how organisations can determine whether opinions stated in complaints files qualify as personal data and said that organisations should be aware that information held in complaints files may hold personal data about more than one person.

The ICO's guidance also advised organisations over how to consider the disclosure of personal data under UK freedom of information (FOI) laws. The Freedom of Information Act (FOIA) and the Freedom of Information (Scotland) Act came into full force on 1 January 2005, giving individuals the right for the first time to see information held by government departments and public bodies, subject to some exceptions.

Under the FOI laws public organisations are generally exempt from disclosing third party personal information, but organisations are still obliged to conduct a 'public interest test' to determine whether it is right for information to be disclosed, the ICO has previously said.

"Third party personal data cannot be disclosed if it would be unfair to do so," the ICO said in its guidance.

"Fairness in the DPA is particularly about fairness to any person the personal data were obtained from – ie, it is primarily about fairness to the data subject.

"However, other factors, such as a person’s seniority, role and the legitimate interests of the public in the disclosure of the personal data must also be taken into account when assessing fairness. In general, it is more likely to be fair to disclose information about an employee acting in a professional capacity than about a private citizen," the ICO's complaints guidance said.

Organisations should maintain records of information with appropriate filing systems in order to comply with requests under the DPA or FOI laws, the ICO said.

"If organisations have good information management procedures in place, this will make it easier for them to deal with either DPA or FOIA access requests," the ICO guidance said.

"For example, reliable indexes, contents pages, descriptions of documents and metadata can make it easier for those dealing with requests to locate personal data, decide whose personal data it is and to make a decision about its disclosure. It may be possible to establish a routine where the same sorts of requests are made to the same sorts of file," it said.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

The Power of One Infographic

More from The Register

next story
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
UK Parliament rubber-stamps EMERGENCY data grab 'n' keep bill
Just 49 MPs oppose Drip's rushed timetable
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
Delaware pair nabbed for getting saucy atop Mexican eatery
Burrito meets soft taco in alleged rooftop romp outrage
LightSquared backer sues FCC over spectrum shindy
Why, we might as well have been buying AIR
'Two-speed internet' storm turns FCC.gov into zero-speed website
Deadline for comments on net neutrality shake-up extended to Friday
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.