The third in a
series of articles examines the right of individuals to gain access to
their personal data
There are seven
separate rights of individuals under the Data Protection Act. The most
significant is the right of an individual to make a 'data subject
access request' (the remaining rights will be analysed in the next
edition) and thereby to essentially obtain a copy of all personal data
held about him by any UK business.
Form of the Subject Access Request
The Act does not specify any particular method of request for data subject access, save that it be 'in writing'. Section 64 of the Act provides that a writing requirement for a request under Part II (which includes section 7) is satisfied where the text is transmitted by electronic means, is received in legible form and is capable of being used for subsequent reference, so an email request should suffice. A letter sent by conventional post and signed by the data subject nevertheless remains the safest course, since it avoids any argument about receipt or identity.
A data controller need not comply with the request where the controller is uncertain as to the identity of the person making it. It is not clear what degree of identification the data controller is entitled to require of the data subject, except that any such requirement must be 'reasonable'. It is suggested that where a data subject sends a personally signed letter to a data controller, that will in most cases constitute sufficient identification.
However, there may be occasions when compliance with a subject access request that has been made by signed letter is inappropriate, and may even constitute a breach of the Act. Take, for example, the case of a wife making an access request to a travel company in the name of her husband, and requesting a copy of her husband's recent holiday booking form so that she can check for the names of any vacation companions!
A data controller is entitled to charge a fee for subject access, but that fee must not usually be more than the statutory maximum sum of £10. A higher fee may be payable in the case of certain education and health records - in each case subject to a maximum of £50.
Obligations of Businesses
By virtue of the right
to make a subject access request, any individual is able to contact
any UK business and request to know whether that business is
processing personal data concerning him. By virtue of section 7 of the
Act, a business processing any such data must give the individual a
description of:
(i) the personal
data of which that individual is the data subject;
(ii) the purposes for
which they are being or are to be processed; and
(iii) the recipients
or classes of recipients to whom they are or may be disclosed.
Further, the individual is entitled to have communicated to him, in an intelligible form, the information itself and any information available to the business as to the source of that information. Where the individual's personal data are processed by automatic means for the purpose of evaluating matters relating to him (for example his performance at work, creditworthiness or reliability), and that processing constitutes or is likely to constitute the sole basis for a decision significantly affecting him, he is also entitled to be informed of the logic involved in that decision-taking - see further below.
Paper-based Records
From October 24th 2001, when the first transitional period under the Act comes to an end, paper-based records that form part of a 'relevant filing system' will be included within the ambit of a data subject access request. This means that the quantity of material that a data subject is entitled to see will dramatically increase.
A 'relevant filing
system' is, by virtue of section 1(1):
"Any set of
information relating to individuals to the extent that, although the
information is not processed by means of equipment operating
automatically in response to instructions given for that purpose, the
set is structured, either by reference to individuals or by reference
to criteria relating to individuals, in such a way that specific
information relating to a particular individual is readily
accessible".
Therefore, the key is
that the method of filing (structuring) must make for easy access to
particular data. If I am able to come to you and say, 'please
retrieve my file', and you are able to find my information within a
reasonable time, then it is likely that your manual filing system is
one that will be caught by the Act.
Advice for Data Controllers
All data controllers
must be in a position to comply with a data subject access request.
This is likely to mean an overhaul of existing data processing
systems.
As far as paper-based records are concerned, businesses should audit all such data to ensure that there is nothing within those pages that the business would not wish the data subject to see. If certain records must not be accessed by any relevant individual, then appropriate action should be taken - this may take the form of removing the paper from any 'structured file' or, where appropriate, destroying it. Such a review must be carried out as part of the normal course of business and before any request is received: as noted below, a controller may not alter or delete personal data in response to a subject access request.
Human resources
departments are particularly concerned about the new obligation to
disclose paper-based records - they often have massive quantities of
paper stored in manual files by alphabetical reference to employees'
surnames. Managers of such departments will be especially keen to
ensure that all such files are kept up to date and do not contain
material that should not be seen by employees or, often more
importantly, ex-employees.
A data subject access request will be deemed to relate to all the information listed at (i) to (iii) under 'Obligations of Businesses' above, in relation to all of the individual's personal data held by the controller. However, a data subject may, by virtue of section 7(7), expressly limit his application to certain specific data.
The obligation on a
data controller to supply the personal data to the data subject in an
intelligible form should usually be complied with by sending copies of
all relevant files. Where codes have been employed by the controller,
the data subject should be given either a decoded version or the key.
A copy of the data
does not have to be made available to the data subject where:
(a) the supply of such
a copy is not possible or would involve disproportionate effort, or
(b) the data subject agrees otherwise.
There is no definition
of 'disproportionate effort' in the Act but it is likely to
require more than mere inconvenience. It should be remembered that,
even where a copy of the data does not have to be supplied (due to
e.g. disproportionate effort), the remaining requirements to provide
appropriate descriptions, the logic behind automated decisions and
information as to the data source still remain.
A data controller is
permitted to make alterations or deletions to personal data after the
date of the subject access request, but before the compliance date,
where to do so is within the normal course of his business. Such an
alteration or deletion must have been one that would have been made
regardless of the receipt of an access request.
The requirement on
data controllers to disclose the source of the personal data is not
accompanied in the legislation by a parallel obligation to keep
records of the source. Of course, it is possible that the latter
obligation will be inferred, either by the Office of the Information
Commissioner, or the court, from the presence of the requirement to
disclose. Data controllers should be prepared for this.
It is not clear how a data controller is to comply with its obligation to disclose the 'logic' behind automated decisions - presumably this will entail providing the data subject with a basic analysis of the operation of the relevant software. Section 8(5) of the Act relieves the controller of the obligation to the extent that the information constitutes a trade secret. By virtue of regulations made under the legislation, a request by a data subject for such 'logic' is not to be treated as a request for any of the other rights under section 7. Similarly, a request for data subject access that does not specify the inclusion of a specific request for such logic may be treated as if it is not a request for such logic.
Data controllers must be prepared to comply with a subject access request within a period of 40 days. That period runs from the day on which the controller has received the request together with the fee and any information it reasonably requires to satisfy itself as to the identity of the applicant. In most cases, compliance will be by way of supplying copies of all the personal data held by the data controller.
In order to thwart those nuisance applicants who make repeated subject access requests, a data controller is relieved from the obligation to comply with a second or subsequent request from the same individual where a 'reasonable interval' has not elapsed since the last request. What is reasonable depends on the nature of the data, the purpose of the processing and how often the data are altered.
Credit Reference Agencies
Where the data
controller is a credit reference agency, the controller is entitled to
assume (unless the data subject specifies otherwise) that any data
subject access request it receives relates solely to the financial
standing of the data subject. The fee for the request in this event
must not exceed £2 and the time limit for compliance is seven working
days.
Third Party Data
There will be
circumstances when compliance with a data subject access request would
lead to the disclosure of another individual's personal information.
In these circumstances, the data controller has the option to withhold
such data.
However, the data
controller will be acting unlawfully in refusing to disclose third
party data where either:
-
the third party has
consented to the disclosure, or
-
it is reasonable in
the circumstances to make the disclosure.
Where an employee (or
ex-employee) requests to see her file, the question arises as to
whether the employee is entitled to see her 'appraisal' documents.
In one argument the employee would not be entitled to see such
documents as they disclose third party data (the name and opinions of
the person who carried out the appraisal). The other argument is that
the employee already knows the identity of the appraiser (as she was
presumably present at the appraisal) and so it would be reasonable to
make the disclosure.
In exercising its option to withhold data, the controller should not keep back the whole document on which third party data appears. Section 7(5) requires the controller to communicate so much of the information as can be communicated without disclosing the identity of the other individual, whether by omitting names or other identifying particulars or otherwise - in practice, by disclosing the document with the third party data blocked out.
Exceptions
There are a number of exceptions to the right to make a data subject access request. In the case of confidential references given by a current or former employer to a prospective employer, it should be noted that only the giver of the reference is exempt from the requirement to disclose the reference; the recipient of the reference enjoys no such exemption.
Conclusion
Given that the Office
of the Information Commissioner is planning to further publicise data
subjects' rights under the Act, we will continue to see an increase
in the number of data subject access requests.
UK businesses must be
ready to comply with such requests and must remember that paper-based
records will become available to data subjects from 24th October 2001.