The increasing public awareness of the existence of the Data Protection (Jersey) Law 2005 ("the Law") and the various rights afforded to individuals under it has led to an increase in queries and complaints in respect of the control of "personal data". This article provides a brief overview of the rights of an individual to information which is held about them by an individual or an organisation, and some practical advice as to how organisations should deal with requests for information.
The most important principles underlying the Law are:
1. That anyone who records and uses personal information has to be open about how this information is used and must follow eight principles of good information handling; and
2. All individuals have certain rights under the Law, which includes the right to request sight of information held about them and to have it corrected if it is wrong.
The Law places certain obligations on those organisations that are responsible for processing information. Article 7(1) of the Law gives living individuals the right to access their personal data. This is generally called a "subject access request". By making a written request and paying a fee, an individual (the data subject ("the subject")) is entitled to:
1. a copy of the information in permanent form;
2. an explanation of any technical or complicated terms;
3. any information the organisation has about the derivation of the information;
4. a description of the information, the purposes for processing the information and who the organisation is sharing the information with; and
5. the logic involved in any automated decisions (if specifically requested).
The appropriate fee payable by the subject is £10 and this is regardless of the amount of the information to be disclosed. The organisation has to reply within 40 days, starting from the day they receive both the fee and the information they need to identify the subject. The controller is entitled to ask the subject for further information to enable him to locate the information which that person seeks.
The next question to consider is what is meant by personal data. In the English case of Durant v Financial Services Authority EWCA Civ 1746 the Court emphasised the need for the data concerned to relate to the subject, and was of the view that information did not become personal data merely because it mentioned the data subject by name. In order to clarify this further, the Court suggested a two-limbed test:
1. The information had to be significantly biographical rather than merely recording an individual's involvement in an event; and
2. The subject had to be the focus of the information.
In summary, the Court's view was that the rights afforded under the English Data Protection Act (very similar to those under the Law) were intended to protect personal privacy rather than to be used as a fishing expedition prior to litigation. Potential conflict may arise between an individual's right of access and a third party's rights to privacy or confidentiality. For example, this arises when a response to a request would involve disclosing information relating to a third party who may be identified from that information.
Controllers therefore need to consider the right of the subject against the rights of the third party to respect for his/her private life before deciding whether to disclose third party information.
Under Article 7(4) of the Law, where it would not be possible to comply with a request without disclosing a third party's data, a controller does not have to comply with the request.
In considering whether to disclose, the Data Protection Commissioner suggests the following three step test:
1. Does the request require the disclosure of information that relates to a third party?
2. Has the third party consented?
3. Would it be reasonable in all the circumstances to disclose without consent?
The controller should consider to what extent it is possible to comply with the request without disclosing any third party information, and should give as much information as possible to the subject without revealing the identity of the third party. The controller should also consider whether it is possible to redact or edit the information to remove names or other identifying details. Controllers should bear in mind that if disclosure is made without consent, this may expose the controller to a complaint or action by the third party, either to the Commissioner or via the Courts; it would therefore be prudent for a controller to keep a record of the course of action taken and the reasons for the decision.
There are other exemptions under the Law where a request does not have to be complied with, such as for the prevention or detection of crime or the protection of national security; where negotiations are taking place with the subject which could be prejudiced; or where legal professional privilege applies to a document. If a controller fails to comply with a lawful request, the subject may ask the Data Protection Commissioner to make an assessment as to whether or not the controller's failure to comply with the subject access request was in compliance with the Law.
The Commissioner's guidance note on this subject (GD9) says that this assessment may involve the Commissioner reviewing the controller's decision. If she decides that withholding the information was not justified, she may take enforcement action against the controller requiring that the information be provided.
An individual may also seek an order for disclosure from the Courts, and if the individual suffers damage and/or distress as a result of the non-disclosure, that individual may seek compensation from the controller.
The following are practical tips for a controller faced with a subject access request:
1. Personal information can be located/recorded in a variety of media (e.g. email, photographs, CCTV) as well as in hard copy or electronic files. Establish with the subject exactly what information they are seeking and how they would like it to be provided: it may be that the request can be limited to certain documents, or that the subject will agree to receive the information via email or on a memory stick, thus saving considerable time and expense;
2. Keep a record of the decision making process, particularly if deciding whether or not to disclose third party information;
3. Keep a copy of the information disclosed;
4. If in doubt, seek legal advice!
Originally published in Resolution - Spring 2013
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.