This Guidance relates to all requests for subject access under section 7 of the Data Protection Act 1998. However, many of the issues covered in the Guidance will have particular relevance in circumstances where requests for subject access go beyond the interaction between an individual and the state and move into areas such as the formulation and development of Government policy. There is no express exemption in the 1998 Act for the formulation of policy (by contrast with section 35 of the Freedom of Information Act 2000), though, as noted below, other exemptions may well apply.
It is important that, in handling requests, Departments adopt a consistent approach. The purpose of this Guidance is to assist Departments to determine what they must do to comply with the legislation. There may well be other interpretations of the statutory duties imposed by the Act, and in the end this is a matter for the courts to decide. But the interpretation set out in this Guidance is consistent with legal advice received from Treasury Counsel and Departments should not depart from this Guidance unilaterally. If, in any case, a Department considers that it would be right to adopt a different interpretation of the legislation, or to disclose either more or less information, than required by the legislation, they should seek the agreement of the Data Protection Practitioners' Group. Contact:
The Guidance is necessary because:
there may be a great deal of information held and the amount of work needed to identify all the information which must be disclosed could be considerable;
there is a risk involved in disclosing information about people other than the data subject (which could itself be a breach of the law);
the subject matter of the request could itself be sensitive.
This Guidance may be affected as other legislation (notably the Freedom of Information Act 2000) comes into force, or as a result of court decisions. The Guidance will be regularly reviewed to keep it up to date.
Personal data is information relating to an identifiable living individual. It includes information about the intentions of a data controller towards the data subject and applies not only to information which itself identifies the data subject but also to information relating to an individual who can be identified from other information which is in the possession of, or is likely to come into the possession of, the data controller.
All automatically processed (ie computerised) personal data are covered, irrespective of the form in which the computer processes them. For example, the 1998 Act applies to the content of e-mails, address lists and CCTV material, as well as personal data contained in databases.
A reference to a name, on its own, without any other information may not be sufficient to constitute personal data under the Act. However, it is likely that the context in which the name is held will enable some information to be inferred about an individual in such a way that it would be personal data for these purposes.
The 1998 Act also applies to a limited range of manual records. Three criteria must be met for a manual record to be within the scope of the Act:
the information must be part of a structured set of information, relating to individuals;
the structuring must be done either by reference to individuals or by reference to criteria relating to individuals (e.g a unique personal identification number);
the structuring must allow specific information relating to a particular individual to be readily accessible.
Lord Williams of Mostyn set out the Government's view of what this meant in the House of Lords (OR: 16 March 1998, Cols 467-468 ):
"Our intentions are clear. We do not wish the definition to apply to miscellaneous collections of paper about individuals, even if the collections are assembled in a file with the individual's name or other unique identifier on the front, if specific data cannot be readily extracted from that collection.
"An example might be a personnel file with my name on the front. Let us assume that the file contains every piece of paper or other document about me which the personnel section has collected over the course of my career, and those papers are held in the file in date order, with no means of readily identifying specific information about me, except by looking at every document. The Government's clear intention is that such files should not be caught. We want to catch only those records from which specific information about individuals can be readily extracted.
"Let us take the case of a personnel file consisting only of information about my sickness record during my career. If that file has my name on the front and is part of a structured set, that file will be caught because the specific information about me, my sickness record, is readily available.
"'Specific' information is intended to mean and does mean distinct information within the file which can be distinguished from other information in the file and separately accessed. It means information of a distinct identity which sets it apart from the rest of the generality of personal information held."
Departments should not disclose information from manual records unless they are satisfied that, on a strict interpretation of the legislation, the records fall within the scope of the 1998 Act or they have taken a clear policy decision, after consultation with other Departments, through the Data Protection Practitioners' group, that they should disclose information over and above that required by the legislation. In such circumstances, they should make it clear that they are not obliged by law to disclose such information, but are doing so as a matter of policy. If one Department's manual records are structured in such a way that they are not caught by the Act, but comparable records in another Department are within the scope of the 1998 Act, there is no need for the first Department to take the view that it must treat its records as being within scope, though for policy reasons, they may wish to take a consistent approach.
If Departments receive a very general request, for example, "please give me everything you have on me", the Act allows them to seek more detailed information (section 7(3), as substituted by paragraph 1 of Schedule 6 to the Freedom of Information Act).
The test is of what further information the Department "reasonably requires" to locate the information sought. Points to note are:
in dealing with an open-ended request it would be unreasonable to ask someone to provide information he or she is unlikely to possess - for example, someone outside the Department is unlikely to have any knowledge of the structure of the records in the Department;
it may well be reasonable to ask for some general pointers, such as the approximate date of a particular incident;
if the request comes from a person who has knowledge of how the Department works (e.g, an employee) it may be reasonable to ask that person to provide more detailed information about the likely location of the personal data sought, or to state whether the individual has dealings with the Department on a particular subject;
Departments may ask a person why he or she believes their personal data are being processed if that information is reasonably required to help locate the data.
The Act provides a right of access in permanent form to the information that is held about the applicant. The information must be communicated in an intelligible form (section 7(1)(c) ). There is no requirement for the individual to have a printout or photocopy of the original material, though this will often be the simplest way of giving access. But a freshly typed record of the information would suffice, and this may be the desirable way of providing access to information where the original document has to be edited to remove non disclosable information.
A subject access request may cover information which relates to one or more people other than the data subject (this may include Ministers and officials). The information about the other person will be personal data about that person, to which the usual data protection rules, including the restrictions on disclosure, apply.
In such circumstances, by virtue of section 7(4) of the Act, the Department does not have to give access to the information in question unless either:
the other person has consented to the disclosure of their data to the applicant; or
in all the circumstances it is reasonable to make the disclosure without that person's consent.
The Act (section 7(6)) sets out criteria to which Departments must have regard in considering whether it would be reasonable to disclose information without consent (although other considerations may also be relevant). The criteria specified are:
any duty of confidentiality owed to that person;
any steps the Department has taken to seek their consent;
whether the person is capable of giving consent; and
any express refusal of consent by them.
It is important to note that, if consent is not forthcoming and it is not reasonable to make the disclosure without consent, the Department must (by section 7(5) ) make available as much information as it can without revealing the identity of the other person (for example by omitting the person's name, or other identifying particulars).
Instructing a computer to delete a particular item may not result in the item being destroyed immediately. At least for a period, the information might still be retrievable albeit with substantial cost and disruption to the system. However, where it is the intention that data should be permanently deleted, and this is not achieved only because the technology will not permit it, Departments may regard such data as having been permanently deleted.
This approach is not justified where the data have only been temporarily deleted and are stored in such a way that they could easily be recovered.
Where back up data are identical to, or not significantly different from, current data, Departments may determine that there is little point in giving the applicant copies of both sets. Where material changes have been made, it may be necessary to give access to some or all versions of the personal data. Back up data are data held specifically for the purpose of recreating a file in the event of the current data being destroyed.
These are described briefly in the Annex to this paper.
Departments might have extensive holdings of personal data about an applicant which can only be checked in detail by the investment of a great deal of time and other resources. It is necessary to distinguish which data benefit from an exemption and which do not. But in making that distinction, Departments might wish to take a broad view of which data are held for which purpose. Analysing each reference to the data subject in detail requires the input of a great deal of time and other resources. It is arguable that the Act does not require such fine sifting of the material. If it is established that an exemption applies to data held for a particular purpose, Departments may take the view that all the data held for that purpose are covered. Care should be taken, however, in relation to case by case exemptions, that the broad view remains linked to the case in question. This approach should simplify and speed up the process of considering subject access requests.
The absence of an express exemption for policy documents (to be contrasted with the exemption in section 35 of the Freedom of Information Act) does not mean that all personal data in policy documents must be disclosed. Depending on the subject matter, a number of exemptions under the 1998 Act could be relevant. More generally the subject access exemption for research, statistical and historical purposes (section 33(4)) may apply. This exemption is available where:
the data are processed only for research (including statistical or historical) purposes; and
the data are not processed to support measures or decisions with respect to particular individuals; and
the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject; and
the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them.
Draft documents, that is those which have been superseded by a later document, may be retained only for archival (historical) purposes, to ensure that there is a complete record of the events leading to a decision. The decision itself will have been, or will fall to be, taken on the basis of a final document. Thus the personal data contained in these documents may fall within the ambit of section 33.
Where final decisions have been taken, the documents on which those decisions were made will, at some point in time, be held only for historical purposes. Documents should be regarded as "live" for at least the length of the limitation period for judicial review (at least three months from the date on which the decision was taken), but thereafter Departments may be able to make use of the section 33 exemption on the basis that the documents (and therefore the personal data contained in them) are held only for historical purposes. However, the exemption will not apply to the extent that, and for such time as, the documents are used or held for other purposes.
ANNEX A
| Section 28 : | Provides an exemption to protect national security. |
| Section 29: | *Covers
personal data processed for:
|
| Section 30: | *Provides powers for the Lord Chancellor to make orders providing exemptions in relation to health, education and social work records. Orders relating to all three categories of record have been made. |
| Section 31: | *Covers personal data processed for the purposes of discharging a wide range of regulatory functions. |
| Section 32: | Covers personal data processed for journalistic, literary or artistic purposes. |
| Section 33 : | Covers personal data processed only for research, statistical or historical purposes, subject to certain conditions. |
| Section 34: | Covers personal data which are statutorily made available to the public. |
| Section 38: | Provides a power for the Lord Chancellor to make orders providing exemptions where disclosure of information is statutorily prohibited or restricted, subject to certain conditions. |
| Schedule 7 | |
| Paragraph 1: | Covers confidential references given by data controllers in relation to education, employment or the provision of services. |
| Paragraph 2: | *Provides an exemption to protect the combat effectiveness of the armed forces. |
| Paragraph 3: | Covers personal data processed for the purposes of making appointments of judges and QCs, and the conferring of honours or dignities. |
| Paragraph 4: | Provides a power for the Lord Chancellor to make orders providing exemptions in relation to Crown appointments. An order designating a limited number of appointments has been made. |
| Paragraph 5: | *Covers personal data processed for the purposes of management forecasting or management planning. |
| Paragraph 6: | *Provides an exemption for personal data processed for corporate finance services. |
| Paragraph 7: | *Covers personal data consisting of records of the data controller's intentions in relation to negotiations with the data subject. |
| Paragraph 8: | Modifies the 40 day maximum period for dealing with subject access requests in relation to examination marks. |
| Paragraph 9: | Covers examination scripts. |
| Paragraph 10: | Covers personal data in respect of which legal professional privilege could be claimed. Legal advice is that this exemption covers legal advice given by Departments' in-house lawyers. |
| Paragraph 11: | Provides an exemption for circumstances in which by granting access a person would incriminate himself in respect of an offence other than one under the 1998 Act. |