Right to make subject access requests is curtailed: Durant made an unsuccessful claim against his bank. Wishing to take it further, he made a subject access request under the Data Protection Act (DPA) to the Financial Services Authority (FSA) for disclosure of its manual or computer files regarding his complaints. It was only partially fulfilled, so he pursued the issue to the Court of Appeal.
It held that he was not entitled to disclosure of the FSA files and laid down detailed guidance on the meaning of ‘personal data’ and a ‘relevant filing system’ under the Data Protection Act (DPA).
The mere mention of a name in a document does not necessarily constitute ‘personal data’; this depends upon whether the context and information is connected to an individual and affects their privacy. Opinions about an individual or indications of intent, however, would constitute personal data.
Right of access to personal data in manual files depends upon the way in which a file is structured.
‘Searchers’ cannot be expected to leaf through manual files. ‘Relevant filing systems’ are structured to indicate whether they contain personal data and, if so, where.
Sign up to our weekly round-up of HR news and guidance
Receive the Personnel Today Direct e-newsletter every Wednesday
The mere fact that a document is retrievable by reference to an employee’s name does not entitle them to a copy of it under the DPA.
Durant could only show that the FSA held information about his complaints, not his “personal data”.
