That ruling,
issued in December 2003, restricted both the definition of personal
data and the circumstances under which structured manual files
could be caught by the Data Protection Act 1988.
The Data Protection Act covers the use by ‘data controllers’ of
‘personal data’ held in manual files which are organised into a
‘relevant filing system’. Everything from employee files to
customer lists may be covered by this law. The Act also includes a
right for individuals, subject to conditions, to receive a copy of
"the information constituting the personal data of which that
individual is the data subject".
The case in question concerned Michael Durant, who has been
seeking access to certain information for many years. His dispute
began when Barclays Bank claimed the repayment of a loan that Mr
Durant maintains he never received. He believes he was the victim
of a fraud but Barclays successfully sued him for the missing
£120,000 in 1993.
Mr Durant has been seeking access to documents that would prove
his claim ever since. However, the Financial Services Authority
backed Barclays' refusal to give him access to an internal case
file: it was confidential, they argued. And they maintain that Mr
Durant has been given access to everything to which he is entitled
within the limits of the Data Protection Act.
The Court of Appeal upheld that view, in a ruling that
effectively narrowed the right of subject access available to
individuals. Mr Durant sought leave to appeal, but his request was
refused in December last year, allowing the Court of Appeal ruling
to stand.
Mr Durant is expected to apply for a hearing before the European
Court of Human Rights, where he will argue that he has suffered a
breach of Article 8 of the European Convention on Human
Rights, which provides that "everyone has the right to respect for
his private and family life, his home and his correspondence."
In the meantime, Data Protection watchdog the Information
Commissioner has updated his guidance on how the case impacts on
the Data Protection Act. The guidance focuses on two key issues
considered by the Court:
- What makes 'data' 'personal' within the meaning of personal
data?
- What is meant by a 'relevant filing system'?
'Personal'
If data is not 'personal', then it is not covered by the Act and
therefore individuals have no automatic right to have access to it.
The 1998 Act contains a definition of 'personal data', which forms
a two-strand test:
- a living individual must be able to be identified from the data
in question. In the Durant case, the Court of Appeal did not focus
on this element of the definition; and
- the data must 'relate to' the individual identified. It is this
issue with which the Court was most concerned, explaining ‘relate
to’ as “information that affects [a person’s] privacy, whether in
his personal or family life, business or professional
capacity”.
According to the Commissioner, “where it is not clear whether
information relates to an individual you should take into account
whether or not the information in question is capable of having an
adverse impact on the individual.”
This includes an assessment of whether the information is
significantly biographical and whether the information has the
individual as its focus or focuses instead upon another person or
event in which he might have been involved.
The guidance explains, giving examples:
“Where an individual’s name appears in
information the name will only be ‘personal data’ where its
inclusion in the information affects the named individual’s
privacy. Simply because an individual’s name appears on a document,
the information contained in that document will not necessarily be
personal data about the named individual. It is more likely that an
individual’s name will be ‘personal data’ where the name appears
together with other information about the named individual such as
address, telephone number or information regarding his
hobbies”.
'Relevant filing system'
To fall under the Act personal data held manually must be
organised into a 'relevant filing system'. The Court of Appeal
considered that manual files would only be held in 'a relevant
filing system' if "they are of sufficient sophistication to provide
the same or similar ready accessibility as a computerised filing
system".
The guidance discusses the definition in some detail, but in
general, to come under the scope of the Act, the manual files must
be organised so that recipients of the request either:
- “know that there is a system in place which will allow the
retrieval of file/s in the name of an individual (if such file/s
exists); and know that the file/s will contain the category of
personal data requested (if such data exists);” or
- “know that there is a system in place which will allow the
retrieval of file/s covering topics about individuals (e.g.
personnel type topics such as leave, sick notes, contracts etc);
and know that the file/s are indexed/structured to allow the
retrieval of information about a specific individual (if such
information exists)(e.g. the topic file is subdivided in
alphabetical order of individuals’ names).”
To fall within the definition, says the guidance, the content of
manual files must be either sub-divided so that the searcher can
retrieve the information from the correct category without
searching manually, or indexed to allow a searcher to directly find
the relevant page.
According to the Commissioner, “personnel files and other manual
files using individuals’ names or unique identifiers as the file
names, which are sub-divided/indexed to allow retrieval of personal
data without a manual search (such as, sickness, absence, contact
details etc.), are likely to be held in a ‘relevant filing system’
for the purposes of the” Act.
But in his view the Durant judgment means that very few manual
files will be covered by the Act, and information held by
individuals on these files will largely fall outwith the data
protection regime.
