Data Protection Act 1998 - good news on subject access requests!

11 December 2003

Durant v Financial Services Authority (2003) EWCA Civ 1746.

There has been a steady increase in requests made by individuals for copies of information relating to them held by organisations in computerised or hard copy filing systems. These can be extremely time consuming to deal with and the maximum charge that an organisation can make is a meagre £10.

However, the Court of Appeal has just handed down a major decision that should reverse this trend and strengthen an organisation's position when refusing to pass over the large quantities of data that individuals are currently requesting.

As with anything to do with data protection, the result of this case is heavily dependent on fine distinctions drawn against wordy definitions. We attempt to summarise the findings in the following paragraphs, but the bottom line is that if you receive a subject access request, do not assume that you have to provide every last document. And, if you have any doubts about the extent to which you have to comply, we would be happy to help.

The decision considered the following questions:

1. What determines what information amounts to 'personal data' in s 1(1) of the Act, entitling the individual identified by it to disclosure?

2. What exactly is a 'relevant filing system' in s 1(1) of the Act?

3. When is it 'reasonable in all the circumstances' for a data controller to comply with a request for personal data under s 7 of the Act (right of access to personal data), where that data contains information relating to a third party who has not consented to disclosure?

4. By what principles should a court be guided when assessing whether to exercise its discretion under s 7(9) of the Act, to order a data controller to comply with a subject access request?

The answers are as follows:

1. Personal data - the entitlement of an individual to have access to his or her 'personal data' is to enable that person to check whether the data controller's processing of it affects or infringes his or her privacy, in his or her personal or family life, business or professional capacity. It is not a licence to obtain any information, readily accessible or not, to any documents or information in which the applicant is named or involved. Not all information bearing an individual's name is personal data. To amount to personal data, it must be 'biographical' and should have the applicant as its focus.

2. Relevant filing system - Relevant filing systems relate to hard copy data held by organisations, which are administered manually rather than electronically. An individual only has a right to data contained in a relevant filing system.

The decision points out that the intention of the Act is to provide, as near as possible, 'the same standard or sophistication of accessibility to personal data in manual filing systems as to computerised records', and the idea behind the words 'relevant filing system' contemplates the organisation of hard copy data (and therefore the manual search of such data) as mirroring that which a computer would use to process the same information.

A relevant filing system therefore means a manual filing system which comprises a set of information structured either by reference to individuals, or to criteria relating to individuals in such a way that access to specific information relating to a particular individual is readily available. A file in which papers are kept, for example, in date order, may well fall outside this description.

3. Third party information - This is the question of the redaction (or 'blanking out') of information which would identify third parties, when responding to an applicant's subject access request. Where the information relating to third parties is not part of the applicant's personal data, it should not be provided. Where the third party information does form part of the personal data sought, whether or not it should be disclosed or redacted 'all depends on the circumstances'.

4. Discretion - Under s 7(9) of the Act, the court has discretion to order a data controller to comply with a request for information. Unsurprisingly, this case concludes that this discretion is 'general and untrammelled'.

Since this is a Court of Appeal case, it may be appealed. If it is, we will let you know!