|
|
Law - Effects of Durant
In a landmark ruling brought by Masons the Court
of Appeal has held that the mere mention of a data subject
in a document did not amount to "personal data"
within the meaning of the Data Protection Act 1998 (the "Act").
This will significantly curtail the right of employees to
demand information by means of a data protection request.
In Durant v Financial Services Authority [2003] EWCA Civ 1746,
following an unsuccessful dispute with his former bank, Mr
Durant asked the Financial Services Authority (FSA) to investigate
the bank's conduct. The FSA carried out an investigation after
which Mr Durant wished to obtain a copy of a particular document
from the FSA which would have assisted his case against the
bank.
The meaning of "personal data"
The Court of Appeal held that the investigations by the FSA
related to Mr Durant's complaint against the bank and not
to Mr Durant himself and thus was not "personal data"
under the Act. The court ruled that "the 1998 Act would
only be engaged if, in the course of investigating this complaint,
the FSA expressed an opinion about Mr Durant personally, as
opposed to an opinion about his complaint".
The Court went on to say that information will not constitute
personal data simply because it is retrieved from a computer
search against an individual's name. Instead, the information
must be relevant or proximate to the data subject as distinct
from matters which he may have been involved in and affect
the individual's privacy, whether in his personal or family
life, business or professional capacity. Thus the mere fact
that a document is retrievable by reference to an individual's
name does not entitle him to a copy of it under the Act.
The court of first instance and the Court of Appeal have now
confirmed that the narrow interpretation of a "relevant
filing system" is a correct one. There are 2 tests in
the Act for a relevant filing system, namely:
1. Does the file form part of a structured set? - i.e. does
it have the individual's name on the cover or some other characteristic
relating to the individual, and if so
2. Is the file sufficiently internally structured so that
specific information about a particular individual is readily
accessible?
Accordingly the following guidance emerges. A relevant filing
system is limited to a system:
in which the files are structured or referenced so as to clearly
indicate whether the information contained within is capable
of amounting to personal data of an individual; and
which has a sufficiently detailed means of readily indicating
whether the file contains information relating to an individual
and where in that file, the information is held.
The ruling will have an impact on an employee's right to receive
copies of information such as personnel files, e-mails and
other records unless the document is 'personal' and directly
refers to that individual.
An employee's right to gain access to information is also
drastically restricted if the information is held in manual
files. If the documents are not structured by reference to
the individual then the disclosure provisions of the Act are
not triggered. Similarly, a manual filing system which requires
an individual to sort through the documents to look for the
personal data falls outside of the scope of the Act.
Finally, this case greatly curtails an employee's ability
to indulge in fishing expeditions prior to litigation by making
subject requests under the Act.
Code of Practice to change after personal data gets redefined
Durant v Financial Services Authority
Court of Appeal restricts scope of Data Protection Rules
* * * * * This is a hugely important decision on the scope
and application of the Data Protection Act 1998 (the DPA).
The case followed a subject access request made by Mr Durant
against the Financial Services Authority (FSA). The FSA investigated
Durant's complaint against Barclays but closed its investigation
without informing Durant of its outcome, acting under statutory
confidentiality obligations.
The FSA refused Durant access to its investigation documents
and papers disclosed to it by Barclays. The Court of Appeal
upheld the County Court ruling that Durant was not entitled
to access to the documents under the DPA.Ê
The Court of Appeal ruled on two key issues under the DPA:
the definition of 'personal data'; and the extent to which
manual filing systems are covered by the 1998 Act.
'Personal data' is the most important concept in the DPA,
as the obligations on data controllers, and the rights of
data subjects (including the right to obtain access to data),
apply only to personal data. The Court of Appeal's restrictive
approach reduces the whole scope of the DPA.
Uncertainty around the interpretation of this term previously
led many data controllers to take a cautious approach, in
some cases going so far as to class as 'personal data' any
document that refers to an individual by name. Such an approach
increased the burdens imposed by the DPA, in particular the
burden of responding to data subject access requests.
The Court of Appeal rejected the argument that a document
contains personal data merely because an individual is named
in it. The information has to be biographical to a significant
extent and the data subject must be the focus of the information.
On this view, the information held by the FSA on Durant's
complaint was not personal data, and access did not have to
be provided.
The 1998 Act extended previous legislation to cover manual
as opposed to simply electronic filing systems. According
to the Court of Appeal, manual records are caught only if
they are of sufficient sophistication to provide the same
or similar ready accessibility as a computerised filing system.
The appropriate test for determining whether manual records
fall under the DPA is whether:
- they contain files that are structured and referenced in
such a way as to clearly indicate at the outset of a search
whether specific information capable of amounting to personal
data on the data subject is held within the system, and, if
so, in which file or files it is held;
- and which has, as part of its own structure or referencing
mechanism, a sufficiently sophisticated and detailed means
of readily indicating whether and where in an individual file
or files specific criteria or information about the applicant
can be readily located.
The Court of Appeal urged a 'sensible and practical' interpretation
of the DPA, which minimised the time and cost associated with
data access requests.
In this case, while the FSA's files contained folders bearing
Durant's name, they were structured in date order and contained
a range of documentation, some of which was clearly not personal
data. Any personal data could only be identified by a manual
trawl through the files.
The requirement to leaf through a number of files to see what
and whether information qualifying as personal data is contained
in the files exceeded the scope of the DPA.
What you should do
- Make sure your data protection officers and HR staff are
aware of this important ruling
- Review your data protection policy, especially any definition
of personal data, and your internal guidance on responding
to data protection requests
- Consider whether your manual filing systems fall within
the scope of this ruling. You may wish to ensure that documents
that clearly contain personal data are held in specific files
or parts of files.
While this may mean that the documents are disclosable, it
will be easier to respond to access requests; watch out for
the Information Commissioner's Codes of Practice being revised
in light of this decision.
|
