Occasionally, organisations hear from people who feel very strongly
that their rights have not been fully respected. Less frequently, they embark
on a course of behaviour that causes the organisation to consider what steps
should be taken to protect the legitimate rights of their employer. Much less
frequently, a call needs to be made as to whether there is a statutory obligation
to disclose what has been requested.
The Information Rights Tribunal has recently issued more
guidance on vexatious requests. While the behaviour at hand related to Freedom
of Information legislation, I’ve wondered whether such guidance might also be
relevant when dealing with Subject Access Requests.
According to the
Tribunal: “The ICO has
published a series of criteria which public authorities are invited to apply
when considering this issue. Such guidance is undoubtedly helpful but,
as the guidance itself recognises, a judgement as to whether a request is
vexatious must not become a box – ticking exercise. Plainly, “vexatious” does
not mean annoying. It represents conduct, here a request or requests for
information, which bear no sensible proportion to the supposed objective. The
proper objective of a FOIA request is the obtaining of reasonably accessible
information of public importance. It is not to force the authority to change
its policy through an unending battery of interrogation, to which the answers
are irrelevant, in the sense that they will never stem the flow of requests."
How might this apply to Subject Access Requests?
Well, the current law remains what was said in the Royal
Courts of Justice back in December 2003. Yes, the Durant case. The anoraks will be able to recite paragraphs
26-31 by heart. The highlights are: “The intention of the Directive, faithfully reproduced in the Act, is to
enable an individual to obtain from a data controller’s filing system ... his
personal data, that is, information about himself ... to enable him to check whether the data
controller’s processing of it unlawfully infringes his privacy and, if so, to
take such steps to protect it. It is not an automatic key to any information,
readily accessible or not, of matters in which he may be named or involved. Nor
is to assist him, for example, to obtain discovery of documents that may assist
him in litigation or complaints against third parties. As a matter of
practicality and given the focus of the Act on ready accessibility of the
information - whether from a computerised or comparably sophisticated
non-computerised system - it is likely in most cases that only information that
names or directly refers to him will qualify.
It follows
from what I have said that not all information retrieved from a computer search
against an individual’s name or unique identifier is personal data. Mere
mention of the data subject in a document held by a data controller does not
necessarily amount to his personal data.
Looking at
the facts of this case, I do not consider that the information of which Mr.
Durant seeks further disclosure - whether about his complaint to the FSA about
the conduct of Barclays Bank or about the FSA’s own conduct in investigating
that complaint – is "personal data" .. . Just because the FSA’s
investigation of the matter emanated from a complaint by him does not, it seems
to me, render information obtained or generated by that investigation, without
more, his personal data. For the same reason, either on the issue as to
whether a document contains "personal data" or as to whether it is
part of a "relevant filing system", the mere fact that a document is
retrievable by reference to his name does not entitle him to a copy of it ...
It cannot have been the intention of Parliament that ... any document held by
the FSA generated by and/or arising out of the FSA’s investigation of such a
complaint should itself be disclosable. .....
In short,
Mr. Durant does not get to first base in his claim against the FSA because most
of the further information he sought ... is not his "personal data"...
It is information about his complaints and the objects of them, Barclays Bank
and the FSA respectively. His claim is a misguided attempt to use the machinery
of the Act as a proxy for third party discovery with a view to litigation or
further investigation, an exercise, moreover, seemingly unrestricted by
considerations of relevance."
The ICO covers this matter in the latest draft Subject Access Code of Practice, currently under consultation, using language which is very different to that of the
Durant judgment. While the document does not offer much guidance on what
personal data actually is, there is guidance on deciding what should be
supplied: “Documents or
files may contain a mixture of information that is the requester’s personal data,
personal data about other people and information that is not personal data at all. This means
that sometimes
you will need to consider each document within a file separately, and even the
content of a particular document, to assess the content of the information they contain.
It may be easier (and
will be more helpful) to give a requester a mixture of all the personal data
and ordinary information relevant to their request, rather than to look at
every document in a file to decide whether or not it is their personal data – this approach is
likely to be appropriate where none of the information is particularly sensitive
or contentious.”
According to the ICO: “If a requester asks for ‘all the information
you hold’ about them, they are entitled to do that. You may ask them to provide
information about the context in which information about them may have been processed, and about the likely
dates when processing occurred, if this will help you deal with the request.
It may be particularly difficult to find information to which a SAR relates
if that information is contained in emails which have been archived and removed
from your ‘live’ systems. Nevertheless, the right of subject access is not
limited to the personal data to which it would be ‘reasonable’ for you to
provide access. Subject to certain exemptions, you must provide subject access
to all personal data you hold, regardless of how difficult it is to find. You
may, of course, ask the requester to provide you with contextual information to
help you find the personal data they have requested."
This is going to be fun. I expect an interesting debate between
applicants who want to see material because it has their name on it, and
organisations that insist the material be withheld because there is no legal
obligation to make it available.
Sources:
Appeal No: EA/2012/0163
Neutral
Citation No: [2003] EWCA Civ 1746
Image credit:
http://www.nymomsworld.com/blog/wp-content/uploads/2012/09/Angry-Person-at-Computer.jpeg
.