UK: Data Protection Case Study: Request for Access, Know What to Send

Dear Mr Bell,

As the HR Director for ABC Engineering, Bill Bell knows that under UK Data Protection legislation¹ Mary, who was a manager in the company two years ago and is now the director of a supplier company, has rights to the information that ABC holds about her. However, he is unsure what his obligations are and what information Mary is actually entitled to. Sarah Staines answers this case study and clarifies the legal position on dissemination of such information.

There are two key initial considerations that Bill needs to take into account:

1. Is Mary a "data subject"- an individual who is the subject of personal data held by ABC and therefore entitled to make a request? As ABC kept records of her employment, the answer is yes. As she is also named in some of the supplier files as the director of her new company, the answer is yes again.

2. What "personal data" does Bill need to disclose? The information held by ABC relates to Mary but is it personal data protected by the Act? The definition of personal data has been clarified in a recent court case² as information that affects a person’s privacy, whether in their personal or family life, business or professional capacity. So how does Bill decide whether the information ABC holds about Mary affects her privacy?

Firstly, Bill must consider context. Do the records go beyond recording Mary’s involvement in ABC’s business, its decisions and operations and become biographical about her? Secondly, he must consider focus. Is the information focused on Mary or is she just incidental to the record?

Mary was asked to create a strategy paper on the future development of her department and present it to the ABC board. Her name was on the paper and her attendance at the Board meeting was recorded in the Minutes. However, neither of these are personal references to her employment. Therefore, neither the context nor focus tests are satisfied here, - these documents do not contain sensitive or intimate data about Mary (address, race, date of birth etc.) and her privacy is not affected by them.

During her employment with ABC, Mary received a written warning about taking more than her allocated holiday leave. She objected to the warning as she believed she had been given permission to take the additional holiday and was subsequently permitted to speak to the Board to seek the removal of the written warning from her otherwise unblemished record. The context of both the original letter and the Board minutes relate to her professional capacity. The focus of both also directly relate to her. Mary’s personal privacy could be affected by use of these records and so Bill is obliged by law to disclose the information to her.

Privacy protection under the Data Protection Act is only granted to records stored on a computer or in a "relevant" filing system. This includes paper files but only if they are structured in ways that are broadly equivalent to indexed computer files. However, it is worth noting that the question of what amounts to a relevant filing system has been the cause of much debate. Case law has tried to refine the definition as paper files structured by reference to individuals (or criteria relating to individuals) in such a way that the information is "readily accessible".

Applying this to our case studies, if the records in Example 1 were only held on computer that would still not make them "personal data" because the context and focus tests are not satisfied. The records in Example 2, although satisfying the focus and context test, would only be "personal data" if they were kept on computer or in a "relevant filing system". If the warning letter was just filed in chronological order in Mary's paper based HR file then it is unlikely to be subject to the Act. However, if it was carefully sectioned out into a separate "disciplinary record" file then it might be conceived as "readily accessible". Similarly, if Board Minutes are only held in chronological order in a paper file, their storage is unlikely to fit the description of a "relevant filing system".

The Act states that Bill has 40 days to reply to a data subject access request and that he may only charge up to £10 administration fee for supplying a response (the 40 days doesn’t start running until the £10 fee is paid).

He must first consider whether he has enough information to be satisfied that it is Mary making the request. Her privacy would be compromised if information about her were sent to the wrong person. He could check this in one of three ways:

• By asking her to supply information that only she would know.

• By asking for the request to be countersigned by an adult who knows her (not a relative).

• By seeking a phone number and asking someone who used to work with her to call and confirm her identity.

He must also be clear about what information she is seeking. He is only obliged to comply with her request if he has enough information to locate the personal data she requests³ Bear in mind that all this administration is only going to reward him with a maximum of £10. The Act clearly states that you do not have to provide information that requires a disproportionate amount of effort to retrieve. There is no need to trawl through boxes of papers but you do have to undertake more than a cursory flick through a cabinet.

Once he is satisfied it is Mary making the request, has received the fee and Mary has confirmed that she only wants her personnel records and not those relating to her directorship of the supplier company, then Bill asks his IT manager to create a printout of the personnel computer records that relate to and identify Mary.

He finds that the records show her name and the address she lived at when she worked for them, her date of birth, the date when she started work with them, her grade and salary and the date she stopped working for them. It also records that a reference was sent to a prospective employer - that record shows the name and address of the requesting company but not the content of that reference. He also notes that the record shows Mary’s bank details, which were used to make her salary payments.

He must now prepare a reply to Mary and send her the printouts or a description of them – setting out details of the purposes for which the information was or will be used, the names of anyone who has had access to them and the source of the information (if it wasn’t Mary herself). Bill writes and tells her that all health and disciplinary records have been deleted from the computer records and that the paper files are held in date order and so are not relevant.

Mary writes back to Bill thanking him for the records and pointing out that ABC Engineering should really have culled her bank details from their records as soon as her final salary was paid. She is right – there is no reason for them to have kept that data. She also asks him to update her address details although she accepts that the address recorded was correct at the date she left the company. She points out that she did write to them not long afterwards to ask them to note her new address.

When Bill receives her letter he feels pleased, but sensibly puts in place an audit of any "personal data" the company holds, gives instructions to review all computer records for obsolete personal information so it can be culled and puts in place a policy for personal information to be regularly updated. After all, the HR department's paper files have always been a bit of a mess!

If you have any doubt about the validity of a data subject access request or are not sure which documents to copy or identify to the person requesting them, contact your legal advisor or the Information Commissioners Office.⁴

Best practice is to:

• Only keep records that are collected and stored in compliance with the legislation.

• Cull records regularly and make sure they are kept up to date.

• Set up internal procedures to respond sensibly and quickly to genuine data subject’s access requests.

Sarah Staines is a data protection specialist at Pictons Solicitors.

Footnotes

©Pictons 2004. First published in Pictons’ "In the Know" email newsletter, free subscription available at www.pictons.co.uk

Pictons Solicitors is regulated by the Law Society. The information in this article is correct at the time of publication in April 2004. Every care is taken in the preparation of this article. However, no responsibility can be accepted to any person who acts on the basis of information contained in it. You are recommended to obtain specific advice in respect of individual cases.