A rare case in Jersey regarding the rights of data subjects to access their own personal data under Article 7 of the Data Protection (Jersey) Law 2005 (the "Law") has demonstrated that even 11 years after the Law was enacted, there remains significant uncertainty about one of its most fundamental provisions.
Dr Alwitry (Dr A) is a consultant ophthalmologist. He applied for a job as consultant at the General Hospital and entered into a contract of employment in August 2012 with the States Employment Board. This contract was revoked in November 2012.
Dr A brought proceedings for unfair dismissal which were subsequently withdrawn.
Dr A's legal representatives also made subject access requests under Article 7 of the Law.
Whilst a number of documents were disclosed, a number were also withheld on the following basis:
- The request was said to go beyond what was proportionate.
- The subject access request was being made for an improper purpose - that is to say as a tool to obtain discovery of documents intended to further litigation and professional complaints raised by Dr A.
- Part of the request related to unredacted copies of material which had been redacted to remove names of witnesses. This was resisted on the grounds that personal data of third parties should not be disclosed without their informed consent.
Article 7 of the Law provides that individuals (known as "data subjects") have certain information rights (although there are a number of exceptions and exemptions). The rights – normally known as subject access – entitle an individual (on payment of a fee) to be:
- told whether any of their personal data is being processed;
- given a description of their personal data, the reasons it is being processed, and whether it will be disclosed to any other organisations or people;
- given a copy of the information comprising the data; and
- given details of the source of the data (where this is available).
The Law states that a data controller does not have to comply with the request to the extent that doing so would mean disclosing information about another individual who can be identified from that information, except where:
- the other individual has consented to the disclosure; or
- it is reasonable in all the circumstances to comply with the request without that individual's consent.
The Royal Court held that:
- The Respondents had not complied with their duty to identify all of the personal data belonging to Dr A. It was therefore ordered that they should do so.
- The burden of proof in relation to establishing that a subject access request has been made for an improper purpose lies on the data controller – in this case that burden had not been discharged.
- Where the disclosure of Dr A's personal data would involve the disclosure of information relating to third parties, then the identity of those interviewed as a result of the various investigations which had been undertaken and the opinions which they expressed should be disclosed. Other names, such as the identity of note takers and other candidates, should be redacted.
The judgment was in large part unsurprising: it endorsed UK case law in relation to data protection (which is based on materially identical UK legislation).
However, the judgment did contain some more problematic elements:
- There is a significant amount of technical guidance – and a very detailed Code of Practice – published by the UK Information Commissioner (UK ICO). This does not appear to have informed either the arguments before the court or the judgment itself.
- It ordered the disclosure of documents. The Law does not entitle data subjects to documents or copies of documents. Instead, it provides that data subjects are entitled to disclosure in intelligible form of their personal data. It is open to the data controller to extract the personal data and copy it into another document.
- The judgment was perhaps lacking in the analysis of when it is appropriate to disclose personal data belonging to third parties. Whilst it correctly stated that a "balancing exercise" is necessary, the judgment also
"However, in balancing the respective rights for the purposes of Article 7(7)(b) of the Data Protection Law – what is reasonable to be disclosed notwithstanding their objection to disclosure - the Court will have regard to whether their personal data is ancillary to the main purpose for which the data is held, and here that is obviously so. A good way of testing that is to ask the question whether the data which represents material relevant to both the Representor and others would be retrievable in a proportionate way if held not on equipment operating automatically in response to instructions given for that purpose, but held manually in a relevant filing system. If held on the latter basis, one would find the data under "A" for Alwitry and not under the initial of whoever had expressed an opinion relevant to whether the Representors job offer should be withdrawn. That empirical test emphasises how on any normal reading of the facts here, the context is that the data is more directly concerned with the Representor than with anyone else..."
This does not indicate that a balancing exercise between the rights of data subjects is occurring – it instead suggests that the court is applying a relevance test which in our opinion forms no part of the Law. The Law itself provides factors which should be taken into account when deciding whether it is reasonable to disclose information even without the consent of a third party. These include:
- any duty of confidentiality owed to the third-party individual,
- any steps taken to try to get the third-party individual's consent,
- whether the third-party individual is capable of giving consent, and
- any stated refusal of consent by the third-party individual.
The UK ICO suggests that the following additional factors should be taken into account:
- Information generally known by the individual making the request. Third-party information relating to a member of staff (acting in the course of their duties) who is well known to the individual making the request through their previous dealings would be more likely to be disclosed than information relating to an otherwise anonymous private individual.
- Circumstances relating to the individual making the request. The importance of the information to the requester is also a relevant factor. The need to preserve confidentiality for a third party must be weighed against the requester's right to access information about his or her life.
Responding to subject access requests
There is a great deal of assistance available from the Jersey Information Commissioner.
Additionally, the UK ICO has produced a Code of Practice on dealing with subject access requests, which sets out ways in which most if not all problems can be addressed.
The ICO also makes two fundamental points:
- If an organisation responds transparently to subject access requests and complies with the obligations under the law to the best of its abilities, it is less likely to get into costly disputes and difficulties.
- There are certain "indicators of good practice", such as:
  - training and guidance for staff
  - dedicated request handling staff
  - a logging and checklist system which tracks the progress of a subject access request, including date of receipt and steps taken to locate personal data.