Data Protection: Access Denied

The decision in Mr Durant’s case prompted the Commissioner to re-think its policy guidelines to employers in dealing with the Subject Access Request under section 7 of the Data Protection Act (‘DPA’). The facts of the case are relatively straightforward: the consequences significant and wide ranging.

Following a failed employment claim against Barclays Bank, Mr Durant made a Subject Access Request to Barclays Bank and the Financial Services Authority. His request was, among other things, for all documents relating to his unsuccessful litigation. This request was clearly an attempt to re-open the failed case. The FSA complied with the request in part, but refused to disclose certain documents contained in manual files, including a file relating specifically to Mr Durant’s complaints against Barclays Bank. The Court of Appeal found against Mr Durant and made it clear that disproportionate requests of this type would no longer be tolerated.

In making this wide ranging Section 7 Request in the hope of re-igniting his failed claim the Court of Appeal saw Mr Durant’s behaviour as,

The Court’s scathing criticisms of Mr Durant’s behaviour marked a change in how the Section 7 Request could be used. This prompted the Commissioner to review its policy guidelines to employers in this area. Both the Durant case and the new Guidelines will now give employer’s ample scope to deny access for the majority of Subject Access Requests. Let’s have a look at how they do this.

Two hurdles have now been put in place, significantly restricting the scope of the Section 7 Request. If the applicant does not pass either hurdle the request can be denied. The first hurdle for an applicant is that the request must be for "Personal Data." So what can be described as "Personal Data?"

The real thrust of these requests must now be a desire to access data in order to ensure that one’s right to privacy is not being infringed. With this as the cardinal principle Personal Data is now seen as information, "that affects the [individual’s] privacy…" The information must therefore be, "biographical in a significant sense…" and have the applicant as its subject. So what does this mean in practice?

The Information Commissioner therefore offers some useful examples of what is and is not "Personal Data." If the Subject Access Request does not relate to such "Personal Data" the employer can refuse the request.

The following is a non exhaustive list of examples of "Personal Data:"

• information about the medical history of an individual
• an individual’s salary
• information concerning an individual’s tax liabilities
• information comprising individual’s bank statements
• information about individual’s spending preferences

The following examples come outside the definition of "Personal Data:"

• reference to a person’s name where the name is not associated with any other personal information
• incidental mention in the minutes of a business meeting of an individual’s attendance at that meeting in an official capacity; or
• where an individual’s name appears on a document or email indicating only that it has been sent or copied to the particular individual and no other information about the individual is contained within the document.

This is a much more restrictive approach to what can and can’t be reasonably requested as part of a Subject Access Request. Gone are the days when a blanket request for all information relating to the applicant must be complied with, no matter the relevance. It will now be much easier for an employer to refuse aspects of the Section 7 Requests on these grounds.

This second hurdle, contained within the Durant decision and more recently the Commissioner’s Guidelines, is a very useful tool allowing employers to refuse the Subject Access Request in many circumstances.

It is commonly accepted that these requests can relate not only to computer files but also to manual files. Often the real burden for employers in complying with these requests is in trawling through manual files for documents. This will no longer be necessary. The request for documents in manual files only need be granted in the narrowest of circumstances.

The Subject Access Request can only now require that manual files be disclosed if such files are "of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system." To explain this, the Durant case sets out a two tier test. If the applicant does not pass the test the employer can refuse the request. The test is as follows:

• "It must be possible to identify at the outset of a search with reasonable certainty and speed the file or files in which relevant personal information is held; and
• it must be possible to locate that information within the file or files, without having to leaf through them."

Let’s just remind ourselves of what "personal" information means. This is information which relates in a biographical sense to the applicant and has him or her as its focus. So going back to the test, unless this kind of information can be easily and quickly identified at the outset of the search of the manual files, without having to leaf through these files, the request can be denied. This seems easy to apply in theory, but what about in practice?

The Information Commissioner offers some useful guidance in this area to allow employers to apply the test with greater certainty in practice. The Commissioner’s "Temp Test" therefore provides a useful rule of thumb:

The Commissioner also provides some useful examples of applying the Temp Test to the originally named imaginary applicant, John Smith. These include the following:

• If John Smith makes a Subject Access Request for details of the leave he has taken in the last six months and you hold a file entitled "John Smith" and it is sub-divided into categories such as "sickness" and "leave," the test is passed and the relevant personal documents in this filing system must be disclosed;
• However, should John make the same request and your filing system includes only a file entitled "John Smith" but no sub-division of its contents and the documents in the file are randomly dropped in requiring the temp to leaf through the file contents the test is not passed and similar personal documents need not be disclosed.

Whilst many of us would aim to have such a well organised personnel filing system, this will not be so for the vast majority. Many of these requests can therefore be refused where they pertain to manual files because the filing system does not pass the Temp Test.

Some might say that the pendulum has swung too far the other way. Certainly the cynics among us would point out that there is something to be said for a disorganised manual filing system. But what is clear is that following Durant and the very useful guidance from the Information Commissioner, employers can afford to be a lot more relaxed when receiving the Section 7 Request. Now is not the time to dismiss all such requests out of hand. It would be a good idea to seek advice on receipt of these requests in order to be clear of the position. However employers should be aware that they can be a lot more restrictive in what is provided in response to these requests, particularly where the request relates to manual files.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.