
Data Protection Act 1998:
Privacy, Access, Standards

Data protection: friend or foe?

Clearly explained

The Universities’ Central Admissions Service is responsible for allocating university places to applicants. All applicants for a place on an undergraduate course had to complete a form which contained a standard question asking for previous criminal convictions to be declared. No clear explanation was given of why this information was required or how it would be used. As a result of negotiations which followed preliminary enforcement action, UCAS agreed to change the application form to limit and specify the type of conviction information that has to be declared. The information required will be limited to convictions indicative of a significant risk to fellow students. In addition, an explanation of how the information will be used will now be provided to applicants.

During the year the Data Protection Act 1998 received an unprecedented amount of negative publicity. This emanated from ill-judged comments made in the context of two high-profile and tragic cases: the Soham murders and the death of two pensioners who had their gas supply cut off. (The events of Soham are described in detail later in this Report.) The comments, which blamed the Data Protection Act for the destruction of intelligence about the Soham murderer and for an inability to share information on those at risk, were eventually retracted. However, the publicity given to these original assertions has had a lingering detrimental effect. The Data Protection Act is not the most elegant or easily understood statute. It is not written for the casual reader. This is particularly regrettable given that the eight enforceable rules of good practice that lie at the heart of the legislation are simple, clear and attractive. We had already embarked upon our ‘Make Data Protection Simpler’ initiative long before the negative publicity referred to above. There have been few calls from our respondents to change the principles that lie at the heart of the legislation. They do though, quite understandably, want clearer, more focussed guidance on what they need to do to comply with the law. To this end we have embarked on a programme of producing a set of concise ‘Good Practice Notes’, and on revising our existing guidance, including our CCTV Code of Practice. We are committed to producing clear, straightforward, plain English guidance that readers of all levels of expertise can understand and convert into good practice. Hopefully this will help to prevent any recurrence of the tragic events referred to above.

Fully informed
The complainant contacted us because he had made a request for access to a relative’s speech and language therapy notes. Some notes were supplied, but the complainant required further information in order to ensure his relative’s needs were met adequately. The relative’s speech and language problems meant he required particular education services which were not being provided. The complainant believed that the other information in the file would show that the previous annual review of his relative’s condition was flawed and that as a result his relative’s needs were not being met.

The situation was made more difficult because two different Primary Care Trusts were involved – one where the complainant lived and one which was meant to provide the specialist care his relative needed. There was some confusion over who was responsible for dealing with the complaint. The delay in receiving the information was causing the complainant considerable distress.

We contacted the Trust which provided the specialist care as it held the relevant case notes. Initially the Trust claimed that it had provided all the notes that were available, but the complainant was able to provide evidence to show that this was not the case. After several months of correspondence the complainant was finally provided with the information he required. This should now enable his relative to receive the proper educational assistance he needs or at the very least assure the complainant that adequate educational provision is in place.

We have some way to go to restore the reputation of the law that we are responsible for enforcing. Our achievements of the last 19 years can easily be overlooked. For instance, we now accept as a given that we have to be told how our personal details will be used, that we can stop unwanted junk mail, that we can have access to records about us and that our applications for credit should not be refused because of the bad payment record of a stranger who once lived at our address. The Data Protection Act and this office have played an instrumental role in all these positive developments. Similarly, when any initiative is undertaken that involves using personal information we now take it for granted that safeguards for protecting such information have to be built in. This is particularly important in the context of the Government’s proposal to introduce identity cards. To its credit the Government has recognised that putting data protection safeguards in place is an essential requirement if the scheme is to proceed. During the year we expressed our concerns about identity cards and the national population register underpinning them when we gave evidence to the Home Affairs Committee. As our reporting year closes the draft Bill has been published and we are in the process of examining this closely to assess whether our concerns about the Government’s proposals have been addressed. There is no doubt this will be a major topic of debate in the year to come. We are committed to ensuring that the need to safeguard information about individuals lies at the heart of the identity card debate.

Making it clearer, making it simpler
Our work on making ‘fair processing notices’ shorter and more intelligible to the general public is a key element in our initiative to simplify data protection. ‘Fair processing notices’, or ‘privacy statements’ as they are sometimes called, are meant to ensure that when a person is asked to provide personal information, the person knows what will happen to the information requested. Fair processing notices should be provided when a person fills in a standard application form or is asked to provide information over the phone or internet. This should provide for transparency and give individuals a degree of control over their personal information. In the finance industry, in particular, these statements are usually long and often complicated. Some organisations try to ensure they cover absolutely everything they do, or may do, with the information to ensure their compliance with the Data Protection Act 1998 is not in doubt. The length and the complexity of these fair processing notifications mean that often individuals don’t bother to read them. This is a situation that serves no one well.

We are routinely asked to advise organisations of all sorts about fair processing notices. We have acknowledged the difficulties many organisations face in providing notices that are comprehensive and data protection compliant, but which individuals will read and understand. We have encouraged organisations to develop simpler and less complicated notices. Work on ‘condensed privacy statements’ is also under way in the USA, across Europe and in other parts of the world, indicating that unnecessarily long and complicated fair processing notices are a widespread problem. At the 2003 International Data Protection Commissioners’ Conference, held in Sydney, it was resolved to look at providing information in more condensed, clearer and more effective ways. This work is being taken forward by an international working group drawn from industry, consumer groups and data protection authorities. Next year we intend to undertake a research project looking at fair processing notifications from the individual’s viewpoint. This will inform our future work on fair processing notices in the financial and other sectors.

Drug dealing?

A person applied for a job as a foster carer and for a place on a nursing course. A Criminal Records Bureau check was carried out. The ‘disclosure’ showed that between 1995 and 1999 she had associated with people who were allegedly responsible for local drug dealing. The police ascertained that the allegations did not relate to the applicant but to associates of her ex-husband who was still living in the marital home during the course of their separation. The police deleted this information from their records.

Small businesses: simple guidance and lots of advice
The implications of mishandling personal information can be as serious for a small business as for a much bigger one. Larger organisations often have their own legal or compliance staff to turn to for advice and guidance. Smaller businesses are less likely to have this resource. The main message we have been trying to get across to small businesses this year is that we are available to offer free advice and assistance when there are data protection issues to resolve. The detail of data protection law may be complicated but for the most part we can explain how to comply in simple, clear and easy to understand terms.

We have done a great deal this year to promote awareness of personal information issues to small businesses, and to help them to comply with the law. We have:

  • posted new guidance on our website – both as a moving sequence on our home page and as a straightforward paper for printing off and reading;
  • produced additional advice about using CCTV;
  • produced summary guidance on surveillance in the workplace;
  • manned stands at various events held throughout the country at which our staff have given advice on any aspect of data protection compliance; and
  • addressed the Federation of Small Business annual conference.

We have also provided advice to the Small Business Service as it developed materials of its own relating to data protection.

Make data protection simpler!

The ‘Make Data Protection Simpler’ project is aimed at identifying ways of reducing the burdens of data protection without reducing protection for people.

During the year we have been asking the public and organisations how they think we can make data protection simpler. Some of these suggestions will be easier to act on than others, and many are already being worked on.

Here are some of the suggestions we received:

Help us to comply:
• make your guidance shorter, clearer and more accessible
• target guidance at particular sectors
• use plain English, avoid legalistic terms like ‘data controller’
• produce simple checklists to help us comply with the law

Improve your communications:
• make your website easier to use
• put more staff on your Helpline so we can get through faster
• deal with casework more quickly

Make notification more straightforward:
• bring in ‘lifetime’ notifications
• have simplified notifications for small businesses
• allow simplified notifications for groups of organisations

Change the law:
• get rid of the ‘conditions for processing’
• make it clear that you can disclose personal information in life or death situations
• extend the right to stop direct marketing so it covers any material sent to my house, not just that addressed to a specific person

Raising public awareness
This year we launched a national advertising campaign intended to generate and increase awareness of personal information rights amongst those groups of people who are generally least aware.

Our innovative campaign involved national press, magazine and bus bulkhead advertising. It took place during October and November 2003. We also ran a student campaign which involved distributing beer mats to bars and pubs in and around university campuses and direct marketing activity on campus. The theme of this campaign was inaccuracy of information and the consequent ‘mislabelling’ of people.

The research findings suggest that the campaign contributed to:

  • an increase in confidence in existing laws and an increase in trust of business practice amongst those who saw the campaign;
  • an increase in perceived control over the way personal information is handled;
  • an increase in awareness of data protection law, particularly its right of access; and
  • a decrease in the percentage of people indicating they didn’t know much about the Data Protection Act.

A report detailing the full evaluation of the campaign is available on our website.

Data protection and policing
The key event of the year in the police sector was Sir Michael Bichard’s Inquiry into the events surrounding the tragic Soham murders. The Report of the Inquiry was published in June. The Bichard Inquiry followed the conviction of Ian Huntley and the revelations that police checks had failed to disclose an extensive history of allegations of sexual offences. The Chief Constable of Humberside Police, David Westwood, in his press statement immediately following Huntley’s conviction, pointed the finger of blame at the Data Protection Act for his lack of searchable records. Although he subsequently accepted the Data Protection Act was not in fact to blame, his original statement did considerable damage to the reputation of data protection. The statement was widely reported in the media and we faced an uphill struggle to set the record straight. We still have some way to go. The main issue for us was the ability of the police to retain allegations of offences, particularly sexual offences, where there had been no conviction. The Act allows the police to keep such information where retention is justified by an ongoing policing need. There are many factors to be taken into account including the evidence to support the allegation, the nature of the allegation or the cumulative effect of a series of allegations. However, the detriment to individuals of the retention and potential disclosure of possibly unfounded or even malicious allegations, such as may be made by a pupil against a teacher, must be given due weight.

None of this would have dictated that Humberside Police should have deleted information with such obvious significance as that which, at one time, they held about Ian Huntley. We made several written submissions to the Bichard Inquiry and gave evidence in person. A difficult situation was not helped by a statement made by the Association of Chief Police Officers (ACPO) at the time of Huntley’s conviction, and repeated subsequently in their evidence to the Bichard Inquiry, that action we were taking in two separate data protection cases would ‘significantly undermine the ability of Criminal Records Bureau to help employers safeguard the interests of children in particular’. The issues raised in these cases are not the same as those in the Huntley case. They relate to the retention of conviction records on the Police National Computer (PNC). The Huntley case related to the retention of non-conviction information by a local police force.

In debt, indiscreet

Several faxes were sent to the general fax machine at the complainant’s place of work. These contained information about a debt she allegedly owed and details of the action that would be taken against her if she didn’t pay. We made it clear to the debt collection company that details of a person’s financial position should not be disclosed to third parties, such as the complainant’s workmates. As a result of our involvement the debt collection company stopped sending faxes to the complainant’s workplace. This prevented personal information about the complainant being improperly disclosed.

ACPO have established rules to govern the removal of conviction records from the PNC. Many records, including those involving a crime of violence or a sentence of six months or more are retained for life. We have always taken the view that standard retention periods are not a problem and, indeed are inevitable given the number of records held on the PNC. But there must be a willingness to depart from them where the circumstances of a particular case warrant it. The two cases referred to by ACPO are examples of where the conviction details are so old, and lack any degree of seriousness, that it is hard to see any policing reason for continued retention. Indeed, none has been put forward to us. We issued preliminary enforcement notices against the police forces concerned, but at the request of ACPO, delayed the issue of final notices to enable them to re-examine their “weeding rules” to address our concerns. ACPO’s response, which they put to the Bichard Inquiry, has been to propose that all conviction records, even those that would previously have been weeded after say 10 or 20 years, should now be retained indefinitely. We will revisit this matter now that the Bichard Inquiry has reported and will decide if and how to take the preliminary notices forward.

The Bichard Inquiry also focused its attention on the data protection guidance available to police forces. In the light of failings in Humberside, the Home Office set up a Working Group to review the available guidance. We have taken an active role in this Working Group and support the direction of its work. We will take the conclusions of the Bichard Inquiry into account in taking this work forward.

More generally, we welcome the Bichard Inquiry’s rejection of ACPO’s suggestion that we had influenced individual police forces on occasions to the detriment of the Police Service and vulnerable members of the community. But we fully accept the Report’s conclusion that our relationship with ACPO is an especially important one if data protection is to be properly understood in the Police Service, and that there needs to be a close and constructive relationship if confusion and uncertainty are to be avoided.

Proving identity

An individual wrote to the National Probation Service (NPS) because he wanted access to his records. Initially the NPS would not comply with the request because they didn’t think the individual had proved his identity satisfactorily. They asked him to prove his identity by attending an NPS regional office in person. The individual complained to us about this. It is quite right to require those seeking access to records to prove their identity.

However, we took the view that it was unreasonable to expect people to attend NPS offices in person to prove their identity, especially as some people might live a long way from an office. Following our involvement the NPS provided the individual with a copy of his record and introduced new identification procedures to ensure that individuals wouldn’t have to attend an NPS office in person to prove their identity.

Auditing and inspecting
We have appointed a Senior Inspections Manager, the first step in developing a dedicated audit and inspections function within our Office. Building on our experience of auditing Europol and the development of our audit manual we have, by invitation, conducted a number of data protection audits to assist in our objective of promoting good practice. Interest to date in this initiative has been predominantly from the public sector and has often resulted from a prior identification of non-compliance.

Whilst no major problems have been identified there have been recurrent themes relating to data protection awareness within decentralised organisations and the unnecessary retention of personal information. From a positive viewpoint many examples of good practice were also identified together with a general recognition that good information handling makes organisations more effective.

Feedback from participating organisations has been positive with recognised benefits including the opportunity to focus attention on personal information matters and to gain an independent view of the issues involved. From our Office’s perspective, the audits have also enabled us to gain a better insight into how these organisations operate. This knowledge should inform our compliance activity and the development of codes of practice and other guidance.

Stolen identity

As a result of a Police National Computer check a man found out that his record contained details of crimes which he had not committed. His innocence was confirmed through fingerprint evidence. It was established that the person who had in fact committed the offences was an illegal immigrant who had stolen Mr X’s identity. The Police thought it impossible to remove the record as they had no other way of recording information about the offences. However, they agreed to put comments on the record about Mr X’s physical characteristics proving that he was not the offender.

Maintaining the register: another busy year
Keeping the publicly available register of organisations that hold information about people continues to be a major administrative task for us, but we have provided an efficient service, eliminating the backlogs which arose from the activities of self-styled notification agencies. These bogus organisations send out misleading, official-sounding letters and charge excessive fees for notifying on behalf of others. Their activities have continued to generate considerable extra work for us. However, the number of calls from those who have received these ‘urgent’ notices is not as high as last year and the number of applications made via these ‘agencies’ has dropped, indicating that fewer businesses are being duped. Nevertheless nearly 43,000 of the 131,605 calls taken by the Notification Helpline related to these agencies.

Over the last year we have issued further press statements on this matter and have given a considerable number of radio and television interviews. We continue to work closely with the Office of Fair Trading (OFT), local trading standards departments and the police. The OFT has obtained undertakings from a number of individuals that they will not be involved in misleading advertising for data protection notification services. The OFT has obtained injunctions against Chris Yewdall, who was associated with the provision of such services under a number of trading names, and against the Data Processing Protection Corporation Ltd.

We have taken steps to minimise the risk of those who initially notify via an agency renewing their notifications at exorbitant cost. We now write to them to advise them that they can renew directly with us for £35 and remind them of this when renewal is due. We are also moving towards on-line notification. This will make it easier for those required to notify to deal directly with our Office. It will also be easier for the public to access an up-to-date version of the register.

Notification Department Statistics


Blagging, investigation and prosecution
The majority of the work we carry out is intended to promote compliance with the law through education, negotiation and dialogue. There is, though, an organised and systematic industry whose lifeblood is the unlawful obtaining of personal information through deception, bribery and other underhand tactics. This is known as ‘blagging’. It is the role of our Investigations Department to catch those who are involved in this activity. We are proud that our investigators have had significant success during the year under review. This success builds on last year’s BAIRD project, a joint initiative involving the Information Commissioner, Department of Works and Pensions and Inland Revenue. This led to the successful prosecution of a number of individuals and organisations who unlawfully obtained personal information for various clients, usually by deceiving employees of the organisations they targeted. Following the success of BAIRD, the Investigations Department focused its attention on employees of various organisations who were abusing their position of trust by corruptly obtaining and then unlawfully disclosing personal information, usually for payment. This was a particular problem in organisations including police forces, the Department of Works and Pensions, the Inland Revenue and the DVLA. Several of these organisations worked with us closely to investigate the problem. As a result, a number of their employees currently stand suspended from duty pending prosecution.

Records muddle

Mr Y was subject to a check by the Criminal Records Bureau, the organisation responsible for providing background information about individuals, including their criminal histories. A mistake was made and information about somebody else was provided. This led to problems with the Department for Further Education and Skills, who wanted to check out Mr Y’s background in connection with his employment. The mix-up over the records occurred despite there being a number of discrepancies between Mr Y’s details and the information on the retrieved records. The problem was sorted out and the issue led to CRB senior management ordering a review of the criteria used for matching records.

It is worrying that a number of those involved in these offences were civilians working in police support roles, or actual serving police officers. They had unlawfully obtained and disclosed personal information from the Police National Computer (PNC). The police forces involved obviously viewed such conduct very seriously. In addition to prosecutions brought under data protection legislation by the Information Commissioner, all the forces involved have instituted additional proceedings against their employees for offences of Misconduct in Public Office, an offence which carries a penalty of up to 5 years’ imprisonment. Not only have police employees been charged with this offence. Others identified in the chain, many of whom are private detectives who paid these employees to unlawfully obtain the information for their clients, have been charged with aiding, abetting, counselling or procuring the offence of Misconduct in Public Office. This too carries a maximum of 5 years’ imprisonment.

To date some fourteen individuals from three different police forces either stand charged or are still under investigation in relation to offences concerning Misconduct in Public Office. It should be noted that every police force involved in these investigations gave the Information Commissioner and his staff every assistance, as well as an assurance that any abuse of personal information held by the police would be treated as a matter of the utmost seriousness.

The information blaggers

All the prosecutions in the past year have been for offences under section 55(1)(a) of the Data Protection Act 1998. This says that “a person must not knowingly or recklessly, without the consent of the data controller obtain or disclose personal data …”. Such offences may be committed where a person deceives or misleads an organisation into providing personal information that would not otherwise have been supplied. The offence may also arise where employees abuse their legitimate access to personal information by obtaining or disclosing it for their own purposes. Sometimes this is done for financial gain; in other cases the motivation to commit the offence may be a purely personal one.

  • A private investigation company gave false and misleading information to the Driver Vehicle and Licensing Agency in order to find who a vehicle was registered to. The private detectives told the DVLA that they needed the information because they had repaired the vehicle but hadn’t been paid. In fact they wanted the information for a client’s use in on-going legal proceedings. The company was convicted of unlawfully obtaining personal data.
  • A financial adviser wanted details of a potential client’s insurance policies in order to provide him with financial advice. The client didn’t give his authority for the adviser to contact his insurance company on his behalf. He preferred to contact his insurer himself and get back to the adviser in due course. Despite this, the adviser telephoned the insurance company pretending to be the client and obtained information about his policies. The adviser was convicted of unlawfully obtaining personal data.
  • Before resigning from his job with a recruitment consultancy, the defendant forwarded copies of the company’s clients’ CVs to his home e-mail address. He did not seek permission to do this from his employer, nor were the clients aware of this. He was convicted of unlawfully obtaining personal data.
  • A building society employee used his company’s credit referencing facilities to find out information about the financial standing of his former partner’s father. He should not have done this as the credit referencing facility was only to be used for business purposes, not for personal ones. He was convicted of unlawfully obtaining personal data.


Mistaken identity

A social worker’s Enhanced Disclosure from the Criminal Records Bureau showed he had been given a twenty-one month custodial sentence for robbery. Documentary evidence proved that the individual was undertaking a University degree course throughout the period when he was supposedly in prison. The force involved accepted that an administrative error had occurred due to its fingerprint procedures and arranged for force records and those of the CRB to be amended.
Data protection in the global village
Data protection hit the headlines around the world when the United States and other governments started requiring airlines flying to their country, including European ones, to provide detailed passenger information (known as ‘PNR’). Clearly it is legitimate for governments to put in place effective measures to prevent international terrorism. We accept that it is possible for governments to put in place adequate data protection safeguards whilst pursuing their objective of protecting citizens from the terrorist threat. However, the extent of the information, its lengthy retention and the range of organisations it could be passed on to contributed to concern that the safeguards in place to protect ‘innocent’ passengers would be insufficient to ensure compliance with international data protection standards.

The Article 29 Working Party, a forum of European data protection authorities in which we participate, considered the United States’ requirements. Its conclusion was that there would not be an adequate level of protection for information about individual passengers. The European Commission’s decision that the arrangements are adequate has been questioned by the European Parliament and referred to the European Court of Justice. Interestingly, the Article 29 Working Party considers that the arrangements put in place by the Australian government strike a proper balance between effective counter-terrorism and the protection of personal information. We fully support the European Commission’s objective of finding a global solution to this difficult problem.

Outside Europe various countries and international bodies have been involved in initiatives to develop and implement data protection law. In some cases this may be motivated by a desire to facilitate the transfer of personal information to and from Europe. We have no doubt though that there is a realisation in many parts of the world that an effective data protection regime can provide valuable rights and protections for individuals and can bolster fledgling democracies. We have been particularly pleased to co-operate with the Commonwealth Secretariat on its work on privacy and access to information law.

After September 2001, there has been an understandable emphasis on ways of tightening international travel security. We have continued to support the work of the Organisation for Economic Co-operation and Development and the International Civil Aviation Organisation on the privacy implications of biometric travel documents. We hope that this work, and that carried out by other bodies such as the Council of Europe and the European Commission, will lead to a consistent body of useful guidance on the deployment of biometric identifiers in travel documents. We have also supported the OECD’s work on the ‘Economics of Trust’, especially the privacy aspects of trust in e-commerce. We hope that some robust ideas about what individuals want and how to measure that will emerge, as well as information on the supply of privacy-enhancing products.

We have also supported work carried out by the Initiative for Privacy Standardisation in Europe, working under the auspices of the European Commission, on the role of standards work in contributing to the implementation of the data protection directives. This will look at contract clauses, best practice, audit, technological solutions and raising awareness. We have been very supportive of this work, which is a way of helping those dealing with personal information to find robust and widely applicable solutions to data protection compliance problems in practical business circumstances.

The credit industry: another milestone in sight
When you apply for credit how do you expect the lender to decide whether to give credit to you? Perhaps you think the decision will be based on:

  • your current commitments;
  • how you have repaid loans in the past;
  • how you and your financial partner(s) have repaid loans in the past;
  • how you and your family have repaid loans in the past, or
  • a combination of these approaches.

Different lenders will make decisions in different ways, so there is no one answer. However, most lenders will use information provided by credit reference agencies when considering your application. This can include information about other people, usually ones with the same surname living at the same, or last previous, address at the same time as you in the same household. Many people object on privacy grounds to information about anyone except the person applying for credit being used in the decision whether to approve a credit application. We receive many complaints and queries about this. People object because of the principle involved. They also object because when they apply for their credit file they see information about the individuals linked to them. The situation also applies in reverse. On the industry side lenders have argued that the information about others linked to the person applying for credit is predictive and so valuable to them.

We have had concerns about this issue from the earliest days of the Office. Enforcement action and a Data Protection Tribunal decision in the early 1990s led to the current arrangements, which are an improvement on what had gone before. Yet our concerns and individuals’ concerns about this issue remained. In late 2000 the credit industry proposed new processing arrangements to address these concerns and to ensure that individuals were protected from over-commitment and fraud by enabling the industry to continue to use certain aspects of others’ information. Elizabeth France, the Information Commissioner at the time, commented that ‘this is a ‘win-win’ situation for the individual and the credit industry.’

Since then we have monitored progress towards the implementation of these proposals and more recently have asked the industry to set a firm date for their industry-wide implementation. The industry has now announced that from October 31 this year the vast majority of lenders will be processing in line with the new proposals.

Once the new proposals are in place, when you apply for credit the credit reference agencies will only give the lender information about you and your financial partners. In some cases the lender may offer you the opportunity to ‘opt-out’ of this standard arrangement and to be assessed in your own right, subject to certain conditions.

The practical implementation of the new proposals is another milestone in bringing credit industry practices closer to individuals’ legitimate expectations of privacy. This outcome has been achieved principally by co-operation rather than coercion. We will continue to work with the industry in this way as other credit-related issues come to the fore.

Travel Agent fined for serious breach of Data Protection Act

On Monday 10 November 2003, Nottingham Crown Court fined Mr Zbigniew Andrew Soltysik a total of £2,600 and ordered him to pay £1,000 costs for 13 offences of obtaining, and 13 offences of disclosing, personal information contrary to section 55 of the Data Protection Act 1998. In addition, the Defendant asked for a further 548 offences of unlawful obtaining and/or disclosing of personal information to be taken into consideration.

Mr Soltysik, from Mapperley, Nottinghamshire, removed a database of customer details from his previous employer, Quality Travel in Grantham. He then used the database to send marketing material to Quality Travel’s customers when he and his wife set up their own travel agency, New Style Travel. Quality Travel warned Mr Soltysik that his actions were breaching the Data Protection Act. However, as he continued to use the customer details, Quality Travel reported the case to us. We investigated and prosecuted Mr Soltysik under the Data Protection Act.

Privacy at work?
Shortly before the publication of our last Annual Report we issued Part 3 of our Employment Practices Data Protection Code, ‘Monitoring at Work’. The first two parts of the Code were criticised for being too long, detailed and complex for small businesses, in particular, to use. We tried to make Part 3 of the Code more accessible and user-friendly. In particular, we tried to translate the language of data protection into terms and concepts that the human resources professional, our primary target audience, would be familiar with. We were confident that the changes we made, including the provision of a summary document for small businesses, would address these concerns without losing the essential messages the Code was seeking to convey. It is encouraging that experience has confirmed that our confidence was justified. Part 3 of the Code has generally been well received, and we hope it will serve as a model for other guidance to be issued by us.

We have now drafted Part 4 of the Code. This deals with information about workers’ health, including such issues as drug and alcohol testing in the workplace. We are using the same structure as Part 3 and have put the draft version out for public consultation. We have now finished analysing the 100 plus responses, and generally they are favourable. The extent to which data protection requirements appear to be consistent with the professional standards of those working in the field of occupational health is particularly encouraging.

It now remains for us to publish the final version of Part 4, restructure Part 1 on ‘Recruitment and Selection’ and Part 2 on ‘Employment Records’ in the new format and publish a combined volume. We hope next year to be able to report that this task has been completed.

Accountant fined £10,000 for data protection breach

On Monday 20 October 2003, at Birmingham Magistrates Court, Mr Abdullah Dervish pleaded guilty to eight offences of obtaining and two offences of disclosing personal information contrary to section 55 of the Data Protection Act 1998. In addition, the Defendant asked for a further 165 offences of unlawful obtaining and/or disclosing of personal information to be taken into consideration. The Magistrates fined Mr Dervish a total of £10,000 and ordered him to pay £5,000 costs. This is one of the largest financial penalties imposed by a court on an individual for offences under the Act.

Mr Dervish, a qualified accountant practising in Warley, West Midlands as A. Dervish & Co., had been an agent of Bradford & Bingley building society, providing a counter service from his offices. As such he had access to customer account data for the purposes of carrying out this service. In December 2000 he was given one month’s notice terminating his agency for the company.

By February 2001 Bradford & Bingley had noticed that a number of accounts serviced by Mr Dervish had been placed on “notice to close”. The court heard that Mr Dervish had placed closure notices on the accounts as part of a plan to open up new accounts for the same customers at another bank for which he had now become an agent. This action was outside the terms of his agency agreement. In March 2001 Mr Dervish was warned not to take any further unauthorised actions in relation to Bradford & Bingley customers. Nevertheless, the Defendant continued to contact these customers to try to get them to switch banks.

For the protection and benefit of its customers, Bradford & Bingley reported the facts surrounding this isolated incident to our Office and worked closely with us to bring the case to court. We investigated and prosecuted Mr Dervish under the Data Protection Act.

We were pleased to see the courts recognising the seriousness of these offences. The fines meted out in this case are significant. The result of this prosecution by our Office sends out a clear message to those engaged in similar activity that sharp practice in the handling of personal information, which amounts to an invasion of personal privacy, will not be tolerated by the Information Commissioner or by the Courts.

Health records, child protection
Given the sensitivity of health information, many individuals are keen to exercise their right of access to their health records. We have ensured that where this is the case, individuals are given the degree of access to which they are entitled by law. We have also supported and advised health professionals in making difficult decisions about whether or not the release of information would be likely to cause serious harm to the patient or to another individual. Our approach continues to be one which encourages the health sector to allow as much access to personal health information as possible.

For most individuals, the accuracy of their health record is an issue of great concern. We have conducted a number of assessments over the past year where the damage that could have been caused by an inaccurate record has been avoided by the record holder agreeing to correct the inaccuracy.

Towards the end of the year proposals for the NHS National Programme for IT emerged. This will provide for a nationally accessible form of all our health records. NHS officials have started to articulate the day to day working arrangements of the new system, and we have devoted a great deal of attention to this. These are early days for this significant development and we are committed to working with representatives from the programme to support them in developing realistic and sustainable data protection practices.

Elsewhere, public sector policy issues over the year included the development of a response to the Green Paper ‘Every Child Matters’, in which the Government detailed its policy response to the Victoria Climbié inquiry. The legislative proposals resulting from the Green Paper are now being taken forward in the Children Bill which was presented to the House of Lords in March 2004.

The end of spam and junk mail?
The Privacy and Electronic Communications (EC Directive) Regulations 2003 came into force on 11 December 2003. The Regulations expressly cover unsolicited marketing emails and SMS messages, and include provisions regarding mobile phone location services.

Our experience in taking enforcement action in connection with unsolicited marketing faxes has convinced us that our existing enforcement powers are inappropriate. They do not allow us to take decisive action against those who continue to send unsolicited marketing material. The Department of Trade and Industry (DTI) is committed to reviewing our existing powers and continues to explore the possibility of providing us with some form of injunctive power which will enable us to take swift effective action.

The Regulations do not apply to emails sent to a corporate subscriber. This means that whilst an unsolicited marketing message sent to an individual’s mobile phone or email address is covered, exactly the same message sent to a company-provided mobile phone or workplace computer will not be. Not surprisingly many find this difficult to understand.

The restrictions on unsolicited emails should ensure that reputable UK and EU based companies do not continue to send unwanted marketing material to individuals. It seems though that some major companies have difficulty in swiftly and efficiently ensuring suppression. Much ‘spam’ comes from outside the EU, giving rise to obvious jurisdictional problems which rule out any imminent end to the spam problem. However, the wide recognition of the problem has led to increased cooperation between industry, regulators and governments. We are committed to cooperating with DTI and the Office of Fair Trading, and with appropriate bodies outside the UK. However, we appreciate that formal regulation can be only part of the solution and recognise the efforts being made by industry in this area.

Sending personal information overseas
The UK’s data protection law, and the laws in place in the other EC countries, regulate the circumstances in which personal information can be transferred outside the European Economic Area. This is intended to prevent data protection rules being circumvented by sending information to places where it will have no legal protection. This has been a particular issue recently in the context of companies outsourcing call-centres and similar operations to countries in Asia and elsewhere.

There are various ways in which an overseas transfer can be legitimised. However many companies find the existing options complex and onerous. Therefore the Article 29 Working Party, a group representing data protection authorities across the EC, agreed a working document in June 2003 aimed at providing a mechanism to enable multinational companies to transfer personal information throughout their organisation, even though this could involve sending information outside the European Economic Area. The idea is that the multinational organisation will establish a corporate-wide code of conduct for internal international transfers, binding upon all parts of the organisation. This should provide effective protection for individuals and permit appropriate supervision by national data protection authorities.

The ultimate intention is to simplify the approval process so that an application for approval of a set of such ‘Binding Corporate Rules’ is only made to one national data protection supervisory authority, usually in the country where the organisation has its EU headquarters. This supervisory authority then, in turn, seeks the views of the other national data protection authorities in whose countries the organisation has an interest, with the aim of securing the approval of all the authorities concerned. This is intended to reduce the burden on multinational organisations by removing the need to address the requirements of each EU Data Protection Authority separately.

We are keen to promote awareness and development of the binding corporate rules concept and have been working with organisations within the UK that are interested in this approach. We have also worked with other supervisory authorities with a view to developing a pan-European cooperation procedure.

The scope of data protection law: the ‘Durant case’
An important development this year was the judgment of the Court of Appeal in the case of Durant v the Financial Services Authority (FSA).

Mr. Durant was a customer of Barclays Bank plc. There was litigation between them which Mr. Durant lost in 1993. Since then he has sought disclosure of records in connection with the dispute which he believes may assist him to re-open claims against Barclays. In 2000 he asked the FSA to help him obtain disclosure. In addition, he wanted to know what documents the FSA had obtained from Barclays in its supervisory role. The FSA completed its investigation against Barclays and closed the investigation without informing Mr. Durant of the outcome due to its obligation of confidentiality under the Banking Act 1987. Mr. Durant complained about that to the FSA Complaints Commissioner who dismissed his complaint. In September/October 2001 Mr. Durant made two subject access requests under the Data Protection Act 1998 to the FSA. In October 2001 the FSA provided copies of documents relating to him held in computerised form, some redacted so as not to disclose the names of others. However, it refused access to all its manual files on the basis that the information sought was not “personal” and even if it was, it did not form part of a “relevant filing system”.

The Court considered four important issues of law concerning the right of access to personal data.

  • What makes ‘data’ ‘personal’ within the meaning of ‘personal data’?
  • What is meant by a ‘relevant filing system’?
  • When is it ‘reasonable in all the circumstances’, within the meaning of section 7(4)(b) of the Data Protection Act 1998, to comply with a request for access to personal data even though the personal data include information about another person who has not consented to disclosure?
  • How much discretion does the court have to order compliance with a request if it finds the data controller has wrongly refused a request under section 7(4)?

We have issued guidance on what we consider to be the two most important issues considered by the Court.

  • What makes ‘data’ ‘personal’ within the meaning of ‘personal data’?
  • What is meant by a ‘relevant filing system’?

In this case the Court of Appeal did not consider the issue of the identifiability of an individual in the definition of ‘personal data’ set out in section 1(1) of the Data Protection Act. Instead, the Court of Appeal concentrated on the meaning of ‘relate to’ in that definition, identifiability not being an issue in the case.

The Court of Appeal concluded that ‘personal data’ is ‘information that affects [a person’s] privacy, whether in his personal or family life, business or professional capacity’. In situations where it is not immediately apparent what is meant by ‘relates to’, the Court offered some notions to assist in determining whether information is information which affects a person’s privacy.

‘The first is whether the information is biographical in a significant sense, that is, going beyond the recording of [the individual’s] involvement in a matter or an event which has no personal connotations…’

The second concerns focus. ‘The information should have the [individual] as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest …’

In relation to relevant filing systems the judgment concluded that:

‘a ‘relevant filing system’ for the purposes of the Act, is limited to a system:

1) in which the files forming part of it are structured or referenced in such a way as to clearly indicate at the outset of the search whether specific information capable of amounting to personal data of an individual requesting it under section 7 is held within the system and, if so, in which file or files it is held; and

2) which has, as part of its own structure or referencing mechanism, a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file or files specific criteria or information about the applicant can be readily located.’

A case summary and the Commissioner’s comments on the impact of the case on the interpretation of the Data Protection Act 1998 can be found on our website.