The Data Protection Act - an absolute right to ask but a qualified right to receive

Maureen H FalconerSenior Policy Officer, ICO

CELCIS, Scottish University Insight Institute 23 September 2013

The Right of Subject Access

Section 7

Provides the right to find out:

what personal information is held about you by an organisation;

why it is being held; and

to whom it is, or is likely to be, disclosed.

What is personal data?

Personal data relate to a living individual who can be identified from those data and/or other information and includes opinions and intentions of the data controller or any other person in respect of the individual.

What is sensitive personal data?

Sensitive personal data relate to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual life and criminal activity.

Making a subject access request

Must be made in writing (recordable format);

Must provide proof of identity;

May be charged a fee;

May be asked for more information

Receiving a subject access request

Must be made in writing (recordable format);

Must verify identity;

May charge a fee;

May ask for more information;

Must respond within 40 calendar days;

May redact third party information;

May rely on specific exemption(s).

Subject Access & Third Party Data

Section 7(4)

Where an organisation cannot comply with a request without disclosing information relating to another individual who can be identified from that data, there is no obligation to comply with the request unless:

The other individual has consented to the disclosure; or

It is reasonable in all the circumstances to comply with the request without the consent of the other individual; or

The other individual is an appointed Safeguarder, the Principal Reporter or a social worker engaged in the case.

When is it reasonable in all the circumstances?

Section 7(6)Provides a non exhaustive list of factors for organisations to consider:

Any duty of confidence owed to the individualAny steps taken to obtain consentWhether the individual is capable of giving consentAny express refusal of consent.

Confidentiality:Arises where information which is not generally available to the public is provided with the expectation that it will be kept confidential: Solicitor/Client, Doctor/Patient, Social Worker/Client, etc.

Reasonable in the circumstances – other factors

Information already known to the requestor:

Is the information already known by the person making the request, is it generally available to the public or has it previously been made available to the person making the request?

Circumstances of the request:

Regard should be had to the importance of the information to the individual against the importance of maintaining the confidentiality of the third party.

Redaction of third party informationSection 7(5)

Third parties include information relating to another individual which identifies that individual as the source of the information.

It does not excuse an organisation from providing as much information as possible without disclosing third party data, whether by redaction of identifying information or other means; e.g. summarising the personal data.

The individual making the request is entitled to the personal data held - not necessarily the document in which it is held.

SI 2000/415 exemption

Applies to:

Data processed by a local authority in connection with its social work and education welfare functions and health boards to whom such data are passed;

Data processed by a local authority which has been supplied by the Principal Reporter of Scottish Children’s Reporter Administration; and

Data processed by the Children’s Hearing system where the information may be withheld by the Hearing in whole or in part.

SI 2000/415 exemption

Subject access - to the extent to which release of the data would be likely to prejudice the carrying out of social work if it is likely to cause serious harm to anyone’s physical or mental health;

Specific exemptions:

In relation to social work reports supplied to Children’s Hearings - fair processing and subject access unless Hearing allows;

In relation to the Principal Reporter - subject access unless (s)he allows;

In relation to parents/guardians/court appointee acting on behalf of a child/young person - subject access to the extent that the child/young person would not expect, or has expressly forbade, the data to be disclosed.

Subject Access & Category (e) DataSection 9A

Unstructured data – not automated, with a view to being automated, a relevant filing system or none of the above but forms part of a social work record.

Requester must provide a description of the data requested;

Public Authority need not comply if the estimated cost to do so would exceed £600

Subject Access & DisproportionateEffort

Section 8(2):The obligation to respond to a subject access request must be complied with by supplying the data subject with a copy of the information in permanent form unless –

The supply of such a copy is not possible or would involve disproportionate effort, orThe individual agrees otherwise.

Note: it does not apply to searching for the data.

Even where providing the information in permanent form may involve disproportionate effort – the data controller should still try and comply with the request in some other way.

The right of subject access is central to the DPA.

www.twitter.com/iconews

Keep in touchScotland Office:

45 Melville StreetEdinburghEH3 7HL

T: 0131 244 9001 E: Scotland@ico.gsi.gov.uk

Subscribe to our e-newsletter at www.ico.gov.uk

or find us on…