Data protection may not be the most riveting of conversation pieces. However, the protection of employees' personal information is a paramount responsibility of every business. In a ruling dated 8 December 2003, (Durant v Financial Services Authority 2003 EWCA 1746) the Court of Appeal sought to clarify certain aspects of data protection legislation.
Readers will recall that the first Data Protection Act, passed in 1984, confined itself to the electronic processing of employees' personal information. Developments in the European Community resulted in the passing of Directive 95/46/EC. The primary objective of this Directive was to protect the fundamental rights of the individual, and in particular the right to the privacy and accuracy of their personal data, whether held in electronic processing or manual file format, whilst facilitating the free movement of such data between Member States of the European Union. The Data Protection Act 1998 was, in part passed to give effect to this Directive.
The Court of Appeal dealt with four issues. This article concentrates on two of these. Firstly, what actually constitutes a manual filing system (known as a "relevant filing system") for the purposes of the Act? Secondly, what makes "data", whether held in computerised or manual files, "personal" within the meaning of the term "personal data" in s.1(1) of the Act?
So far as regards the first of these issues, in general terms, the Court decided that information held on manual files is only capable of being considered as personal data if it forms part of a system which is so structured by reference to specific information about an individual as to make that information readily accessible.
That may seem like a circular argument. What it means in practice is that the same standard or sophistication of accessibility should apply to paper systems as to electronically processed records. If that was not the case, a dual standard between computer and manual records would result.
Taken further, the arrangement of manual data should be in a form similar to that which a computer would use to process the same information.
The result would seem to be that if personal information is held in a manual file and is ordered simply by, for example, the date of correspondence, it is not a relevant file for the purposes of the Act. If, on the other hand, employees are listed by departments, ages, dates of joining the business etc., then the file takes on the form of a structured file from which data can be easily abstracted, and which might be processed electronically without difficulty. Such a file would constitute a "relevant filing system". The key is how easily accessible is the data.
The second issue is what makes hard copy or electronic information "personal data" for the purposes of the Act ?
The Act is not necessarily helpful. It provides in s.1 that "personal data" means
"data which relate to a living individual who can be identified from those data or from those data and other information which is in the possession of , or is likely to come into the possession of the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual".
The Court ruled that the purpose behind the legislation was to allow a person access to his or her personal information to enable him or her to check whether the data controller's processing of it unlawfully infringes that person's privacy. If that is the case, the Act provides the individual with a number of remedies.
Conversely, the individual has no automatic right to be given any information, whether it is readily accessible or not, about matters in which he or she is merely named or involved.
There are two key issues. Firstly, in any particular instance, is an individual's privacy compromised in a document? A list of dinner guests that happens to contain a particular person's name would generally, not compromise that person's privacy. A list containing notes of intentions about that person, and others, might be rather different.
Secondly, is the information focused on the individual himself/herself ? In the Durant case, Mr. Durant instigated complaints with the FSA about the conduct of Barclays Bank. The FSA prepared a file investigating that complaint. In neither case was the information generated by the complaint or the FSA considered to be Mr Durant's personal information to which the Courts would allow him access.
Even with the Court of Appeal's assistance, there are likely to be significant grey areas. We would be pleased to advise our readers about any aspect of data protection law.