28 February 2014 #Employment
An individual (data subject) has the right to access personal data about them from anyone who may hold this (data controller) and can write to the data controller to request sight of this data. This can be done as a data subject access request or, where the request is made of a public authority, a freedom of information request.
Personal data is defined as data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of the data controller.
In Durant v Financial Services Authority (2003) it was held that the mere mention of an individual in a document does not necessarily amount to personal data and that the information should be informative (biographical) in a significant sense and/or the individual should be the focus of the information. However in the recent case of Edem v Information Commissioner and Financial Services Authority (2014) the Court of Appeal held that a person’s name on its own is personal data unless the name is so common that without further information that person would remain unidentifiable.
When complying with a personal data request, a data controller has the often onerous task of sifting through information to ensure that they are providing the data subject with their personal data but also that they are protecting any personal data belonging to third parties which may be interwoven with that of the data subject. A third party’s personal data should not be disclosed without their consent (unless it is reasonable in all the circumstances to do so). In practice, data controllers will usually either extract the data subject’s personal data from documents and put it into a separate document or redact any third party personal data from the document before supplying it. This task would seem to be even more cumbersome now in light of the decision in Edem which has demonstrated that the narrower interpretation of personal data applied in Durham should not be adopted and that the mere mention of a person’s name is likely to constitute their personal data. This poses significant problems with documents such as emails which will always feature at least two names.