The Information Commissioner’s Office (ICO) has issued revised guidance on the meaning of ‘personal data’. This directly affects the information employees can legitimately request about themselves in a subject access request.
In recent years, employers have been able to take a robust approach to these requests. They have been able to fend off requests for ‘everything about me’ where the focus of the data was not about the employee. The new guidance, however, gives a wider interpretation of ‘personal data’: employees will be entitled to see more information, although the guidance will not require every document in which an individual’s name is mentioned to be disclosed.
Why the change of direction?
In 2003, in the landmark case of Durant v Financial Services Authority, the Court of Appeal (CA) marked the boundaries of an individual’s right to access their personal data to give a ‘sensible and practical effect’ to the Data Protection Act 1998 (DPA). It was a welcome decision, which eased the administrative task of employers who were faced with such a request. The CA decided that not all information that mentions an individual’s name has to be disclosed under a subject access request. Information should be biographical (eg, it goes beyond a passing reference to his or her name in a matter that has no personal connotations, such as a meeting request e-mail). The data must also have the individual as its focus, being information that affects his or her privacy, whether in a personal or business capacity.
Many practitioners and experts thought this was an unduly restrictive approach to the European Data Protection Directive, implemented by the DPA. So the Article 29 Working Party, the European data protection advisory committee, looked into the concept of personal data. In contrast to the Durant decision, the committee issued an opinion which gave personal data a wide interpretation under which employees would be entitled to see more information. The ICO revised its previous guidelines in response to that opinion, essentially following it.
In most cases it will be fairly clear whether an employee is entitled to a document or not. What has changed is that the guidance has provided examples in a number of the grey areas when employers might previously have been able to resist a request for disclosure.
The guidance now says that you only consider ‘biographical significance’ if the data is not obviously about an individual or clearly linked to them. This is different to the Durant position, which said the mere mention of a name does not make it personal data. It gives the example of an individual listed as an attendee in the minutes of a meeting. Previously, if the minutes were not about the employee, then there was no need to disclose them because they were not biographical. Now the guidance states that the minutes do have biographical significance because they record the individual’s whereabouts at a particular time, although the disclosure may only be limited to the list of attendees, depending on the content of the meeting.
Step-by-step guidance
The guidance sets out a series of questions that should be considered when deciding whether a particular document has to be disclosed following a subject access request. These look at factors such as:
- whether data is linked to an individual so that it provides information about that person
- whether the data can be used to inform or influence a decision about an individual
- whether the data focuses or concentrates on the individual as its central theme rather than some other person, object or transaction
- whether the data has the potential to impact on the individual.
Biographical significance is still an important factor in analysing whether materials have to be disclosed as the focus of data, but consideration now has to go beyond this.
What should employers do?
The guidance is extensive, but it should be read by all HR practitioners, particularly those who are involved with subject access requests. Should employers change their practices? Each subject access request must be looked at individually. There will be circumstances where it will be harder to justify not disclosing some documents and these will have to be dealt with on a case-by-case basis.
Relevant filing system
The Durant case also looked at the issue of what amounts to ‘a relevant filing system’, and the ICO’s previous guidance covered this aspect too. This included the ‘temp test’ to help organisations decide whether they hold information within a relevant filing system. The ICO has not amended this part of its guidance but intends to do so at some time in the future.