New guidance on personal data
September 2007
The Data Protection Act
The Data Protection Act 1998 (DPA) covers personal data held in computerised form, and also manual (i.e. paper-based) personal data held as part of a relevant filing system. For information (either computerised or paper-based) to be “personal data”, it must relate to an identifiable living individual.
Employees enjoy a number of rights under the DPA in relation to their personal data. In particular, the employer must comply with the data protection principles, which provide – amongst other things – that personal data must be processed fairly and lawfully.
The Act also allows an individual to obtain a copy of his or her personal data by making a written request to the organisation which holds it – known as a “subject access request”. Such requests are sometimes made by disgruntled employees to find out what information is held about them with a view to lodging a grievance or bringing an employment tribunal claim.
The Durant ruling
In Durant v Financial Services Authority the Court of Appeal took a restrictive view of what amounts to “personal data”. The Court held that the mere mention of a person’s name in a document does not bring the information within the scope of the DPA. For the Act to apply, the information must be biographical in a significant sense and have the individual as its focus.
Although the Durant decision did not arise in the employment context, it had important implications for employers faced with subject access requests. In particular, the case was relied on to resist “fishing expeditions”, whereby employees issue a subject access request for disclosure of any internal documents in which their name crops up, including minutes of meetings and e-mail correspondence.
There have been indications, however, that the narrow interpretation of “personal data” adopted in Durant does not accord with the EC Data Protection Directive. In July 2004 the European Commission issued a formal letter to the UK government raising five areas of concern over the UK’s implementation of the Directive; one of these is understood to have related to the UK’s interpretation of “personal data”.
More recently, in June 2007, the EC Article 29 Working Party, a European advisory committee on data protection, issued an opinion on the concept of personal data which was at odds with the Court of Appeal’s judgment in Durant.
The new ICO guidance
The Information Commissioner’s Office (ICO) has recently published a document entitled “Data protection technical guidance – determining what is personal data”, which attempts to resolve some of the confusion. The guidance is in the form of a flowchart of eight questions, supplemented by a number of practical examples.
The questions are as follows:
1. Can a living individual be identified from the data, or from the data and other information in the possession of, or likely to come into the possession of, the data controller (meaning, in this context, the employer)? If yes, go to the next question; if no, the data is not personal data.
2. Does the data “relate to” the identifiable living individual, whether in his or her personal or family life, business or profession? If yes, the data is personal data; if no, it is not; if unsure, consider questions three to eight below. If the answer to any one of questions three to eight is “yes”, the data is (or, in the case of questions six and seven, is likely to be) personal data.
3. Is the data “obviously about” a particular individual, e.g. a record of a particular individual’s performance at work?
4. Is the data “linked to” an individual so that it provides particular information about him or her? For example, information about the salary for a particular job will not amount to personal data if it is simply included in a job advertisement. However, where the vacancy has been filled and there is a single named individual in post, the salary information will be personal data relating to that employee.
5. Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?
6. Does the data have any biographical significance in relation to the individual? What matters is whether the data goes beyond recording the individual’s casual connection with a matter or event which has no personal connotations for him or her. Data may have personal connotations for an individual if it provides information about an individual’s whereabouts or actions at a particular time.
7. Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event? This may assist when deciding whether the minutes of a meeting are personal data about those attending the meeting or about any individuals who are discussed.
8. Does the data impact, or have the potential to impact, on an individual, whether in a personal, family, business or professional capacity?
What does this mean for me?
The new ICO guidance is significant because it suggests that – contrary to the decision in Durant – data does not need to have biographical significance or focus on the individual in order to fall within the scope of the DPA. These considerations become relevant only if the information is not obviously about or clearly linked to the individual.
The guidance deals in some detail with minutes of meetings. Where an individual is listed as an attendee in the minutes, this will amount to personal data about that individual because it will record his or her whereabouts at a particular time. This does not mean, however, that everything in the minutes is personal data about each of the attendees. Whether the content of the minutes includes any additional personal data, beyond attendance data, may be determined by the focus of the minutes.
The Information Commissioner considers that information about objects may sometimes amount to personal data. For example, an employer may record information about the operation of a piece of machinery. If the purpose of the information is to monitor the efficiency of the machine, it is unlikely to be personal data. If, however, its purpose is to monitor the productivity of the employee who operates the machine with a view to determining his or her entitlement to an annual bonus, it will be personal data about that individual.
The ICO guidance does not deal with another point that arose in Durant concerning the meaning of a “relevant filing system” for the purposes of the DPA. The Commissioner intends to publish separate guidance on that point in the near future.
