A landmark court ruling on data disclosure has benefited employers by
lessening the number of obligations placed upon them by the Data Protection Act
Over the past few years, employers have had to get to grips with data
protection laws and codes of practice which seem to put considerable strain on
them if they are to be fully compliant. Lawyers have also used these laws as
part of their litigation strategy, by requiring employers to find and disclose
reams of documents that refer to their clients.
The ‘data protection industry’ seemed to have no end and added to the woes
of HR professionals – that is, until the refreshingly common sense decision by
the Court of Appeal in Durant v FSA (8 December 2003).
The court decided that ‘personal data’ does not extend to all information in
which the data subject (ie, the person making the data protection access
request) is mentioned. There must be sufficient proximity of the data subject
to the information in question. That means it is insufficient if the person is
merely copied on an e-mail or memo, or only forms part of the background of an
event or matter in which they are not the main focus.
In short, to constitute ‘personal data’, the relevant information must
affect the individual’s privacy – in their personal or family life, their
business or in a professional capacity.
The upshot is that when a data request is received, employers do not have to
disclose every document in which the individual is mentioned, but only those
where they are the focus of it, or where it affects their privacy rights.
The Data Protection Act (DPA) only applies to data stored in computerised
systems or in a ‘relevant filing system’ for hard copies. In practice, where
the data is in hard-copy format, this has resulted in some employers spending
hours trawling through paper files trying to track down the data. On this
point, the court decided that the DPA only gives data subjects access to
personal data, not documents.
In addition, employers do not have to go through extensive trawling
exercises unless the hard copy data is held in readily accessible files or
sub-files. So it is only to the extent that manual filing systems are broadly
equivalent to computerised systems in ready accessibility that they fall within
the DPA. This should lessen some of the searching obligations that are placed
upon employers.
The third area where the Court of Appeal has helped employers is in respect
of documents supplied in an appropriately edited form (ie, only personal
data)response to a data request. The DPA recognises that if an employer
discloses a document to Mr A in response to his data protection request, it may
be infringing the data privacy rights of Mr B as a result. Section 7(4) of the
DPA says the employer does not have to disclose that document unless Mr B has
consented to it, or it is in respect of certain health records, or it is
reasonable in all the circumstances for the request not to be complied with in
respect of that piece of information.
The court held that the reasonableness of certain data not being disclosed
is not one which should be second-guessed by the courts. In other words, there
is a kind of ‘range of reasonable decisions’ test.
The court went on to state that unless the details about Mr B are
necessarily part of the personal data of Mr A, the employer can select the
relevant parts from the document.
It is only where the details are a necessary part of the personal data
sought that the reasonableness test applies – ie, where it is not reasonable to
expect the employer to supply it.
Although this case does not sweep away all the Data Protection Act
obligations placed upon employers, it certainly creates some light for them at
the end of the tunnel.
By Fraser Younson, Life vice-president, Employment Lawyers Association
