THE RIGHT OF ACCESS TO PERSONAL DATA

The right of access to personal data is probably the most important and controversial of the transparency provisions. Unlike the others, the right of access is within the control of data subjects, the people most incentivized to protect their own personal data.

In brief, the right of access gives the data subject the right to information about the data controller and its data processing activities, information that has to be provided within a short timeframe and for a nominal fee. In theory, the right of access gives the data subject a route to the very heart of government, public sector and business activity. However, there are many important exemptions to the right of access.

According to the Data Protection Directive the right of access exists to enable the data subject to verify the accuracy of the data and the lawfulness of the processing (Recital 41). In the case of Durant v. Financial Services Authority,79 Lord Justice Auld described the purpose of the right of access in the following terms:

In conformity with the 1981 Convention and the Directive, the purpose of [the right of access], in entitling an individual to have access to information in the form of his ‘personal data’ is to enable him to check whether the data controller’s processing of it unlawfully infringes his privacy and, if so, to take such steps as the Act provides, for example in sections 10 to 14, to protect it. It is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved. Nor is it to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties.


The right of access within the DPA and the sixth data protection principle

The right of access is contained in section 7 of the DPA. Section 7 is supplemented by section 8. Section 9 applies the right of access to situations where the data controller is a credit reference agency. Section 9A deals with the right of access where it concerns unstructured personal data held by public authorities.

Compliance with the right of access is elevated in importance by the sixth data protection principle, which says that ‘personal data shall be processed in accordance with the rights of data subjects under this Act’. The interpretation within Schedule 1, Part II of the DPA says that the sixth data protection principle will be contravened if the data controller ‘contravenes section 7 by failing to supply information in accordance with that section’.

The core entitlements

The right of access actually consists of a series of rights, identified in section 7(1) of the DPA. The first right, set out in section 7(1)(a), entitles the data subject ‘to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller’. This initial entitlement may be regarded as a duty to confirm or deny the fact of data processing, which means that a data controller receiving an access request should always reply, even if it is only to deny that it is processing the data subject’s personal data.

If the data controller confirms that it is processing the data subject’s personal data then the other rights are engaged, which may be said to fall within two categories. In broad terms, these may be described as (1) a right to various descriptions and (2) a right to have information communicated.

The descriptions

If the data controller is processing the data subject’s personal data, then it must describe those data, the purposes for which they are being processed and the recipients, or classes of recipients, to whom they are or may be disclosed. These rights are contained in section 7(1)(b)(i)–(iii) of the DPA. The DPA does not provide any assistance with the level of detail that is required in the descriptions.

A useful exercise might be to return to the topic of notification, as it will be seen that the descriptions mirror closely some of the key requirements within the registrable particulars. This close connection in subject matter suggests an equally close connection in terms of the detail to be provided and it has already been explained that during the notification process the Information Commissioner seeks only a ‘general description of the processing of personal data being carried out’;80 indeed, he positively discourages the data controller from going into too much detail.

The best answer, which may not be a satisfactory answer, must be that the detail that is required will be determined by the circumstances of the particular case. Unusual or non-obvious processing purposes or recipients are likely to require more description than the more ordinary or routine.

The communication of information

The information to be communicated, if the data controller is processing the data subject’s personal data, is identified in section 7(1)(c)(i)–(ii) of the DPA. The information identified is:

  • the information constituting the data subject’s personal data (section 7(1)(c)(i) DPA);

  • any information available to the data controller as to the source of the information (section 7(1)(c)(ii) DPA).

Both pieces of information must be communicated to the data subject ‘in an intelligible form’. The data subject’s right to receive the personal data in an intelligible form involves two elements, set out in section 8(2) of the DPA. The first is that a copy of the information must be provided in permanent form, unless that is not possible or would involve disproportionate effort, or unless the data subject agrees not to receive a permanent copy. Second, if the copy of the information contains terms that are not intelligible, it must be accompanied by an explanation of the terms, also in permanent form.

Concerning ‘disproportionate effort’ the Information Commissioner provides the following assistance:81

‘Disproportionate effort’ is not defined in the Act. Accordingly, it will be a question of fact in each case as to whether the supply of information in permanent form amounts to disproportionate effort. Matters to be taken into account by the Commissioner may be the cost of provision of the information, the length of time it may take to provide the information, how difficult or otherwise it may be for the data controller to provide the information and also the size of the organisation of which the request has been made. Such matters will always be balanced against the effect on the data subject.


The data subject’s right to a copy of the information in permanent form does not oblige the data controller to provide a print out of the electronic file, or photocopies of the documents within a relevant filing system. Instead, the data controller may create a new document, electronic or manual, and may send that to the data subject. Provided that the new document contains an accurate copy of the personal data in the documents existing at the date of receipt of the access request, this approach is valid. The key to understanding why this is the case turns on understanding the difference between information and a carrier of information.

EXAMPLE

A relevant filing system houses an important manual document that contains information about the data subject that seriously affects their privacy. The data subject makes a request for access to their personal data under section 7. When preparing its response the data controller creates an electronic file on a PC in which it accurately summarizes the information contained in the manual document. The data controller then prints out the electronic summary and sends it to the data subject within the 40-day prescribed period. In this scenario the data controller’s actions are perfectly consistent with the DPA, because the right of access is a right of access to information, not documents. The manual document in the relevant filing system is merely a carrier for the information within it.


This distinction between information and documents was touched upon in Durant v. Financial Services Authority.82 Lord Justice Auld explained:

In September and October 2001, Mr Durant made two requests to the FSA under section 7 of the Act, seeking disclosure of personal data held by it, both electronically and in manual files. In October 2001 the FSA provided Mr Durant with copies of documents relating to him that it held in computerised form, disclosure that went beyond his entitlement under the Act, which is to have communicated to him in an intelligible form ‘information constituting any personal data’ of which he was the subject.


The communication of the logic of automated decisions

Section 7(1)(d) contains an additional right to information in certain cases where a data controller uses automated equipment to take decisions about the data subject. These decisions must be completely automated and they must be ones that significantly affect the data subject. The decisions falling within this section must be for the purpose of evaluating matters relating to the data subject and some examples are given in the section, namely the evaluation of the data subject’s performance at work, their creditworthiness, their reliability or their conduct.

In these cases section 7(1)(d) requires the data controller to communicate to the data subject the ‘logic involved’ in the decision taking. However, section 8(5) of the DPA sets out an exemption from this obligation, which applies if the logic involved in any decision taking is a trade secret. This exemption is commonly used by data controllers who provide credit to their customers, to avoid giving information about their credit scoring systems.

The information to be provided

The general rule set out in section 8(6) of the DPA is that the information to be provided in response to an access request is the information in existence at the date of receipt of the request. This was examined in the first trial in Smith v. Lloyds TSB Bank Plc,83 where the claimant sought to enforce his rights under section 7 through an application made under section 7(9).

In Smith one of the biggest problems faced by the claimant was the fact that by the time he made his access request the defendant no longer possessed any electronic files, only manual files. According to the claimant’s barrister, if these manual files were printed from electronic files the ‘once processed always processed’ argument would cause the manual files to be treated as part of the original automated processing, so that the information contained within them would be disclosable under section 7, despite the fact that the manual files were not part of a relevant filing system. The judge, Mr Justice Laddie, rejected this argument, pointing to section 8(6) of the DPA, which restricts the data subject’s right of access to the information being processed at the date of receipt of the access request.

Of course, the reality in many cases is that the data subject’s personal data might be subject to continual processing with the result that amendment or deletions may occur after receipt of the access request. In these situations the DPA does not require the data controller to stop processing. Instead it may take account of the amendment or deletion and provide the information in existence at the date of the response, not the information in existence at the date of receipt of the access request.

Conversely, the data controller may not amend or delete personal data following receipt of an access request if the amendment or deletion is merely a response to the access request, perhaps to avoid supplying information. To do so would amount to a breach of the access regime.

The formalities of a valid access request

The DPA prescribes a number of formal requirements for the making of a valid request for personal data. These are:

  • The request must be made in writing. A request made electronically, such as by email, will count as a written request.

  • The written request must be accompanied by the fee, if one is charged.

  • The data subject must supply any further information that is reasonably required by the data controller to enable it to be satisfied of the data subject’s identity and to enable it to locate the information sought. Of course, the data controller must notify the data subject that it requires this additional information.

Extent of the request

In summary the rights granted to data subjects under section 7 of the DPA are as follows:

  • a right to be told whether or not their personal data are being processed by or on behalf of the data controller (section 7(1)(a));

  • if their data are being processed, a right to a description of the personal data being processed, a right to a description of the processing purposes and a right to a description of the recipients, or classes of recipient, to whom the data are, or may be, disclosed (sections 7(1)(b)(i)–(iii));

  • if their data are being processed, a right to have the personal data communicated in an intelligible form and a right to have communicated any information available to the data controller about the source of the data (section 7(1)(c));

  • where the processing is by automatic means for the purpose of evaluating matters relating to the data subject and it has constituted or is likely to constitute the sole basis of any decision significantly affecting the data subject, a right to be informed of the logic involved in the decision taking (section 7(1)(d)).

Data subjects may choose to limit their requests to specific information that is described in the request (section 7(7) of the DPA), but if they wish to do this they must make this clear, and the fact that a data subject may have merely referred to only one of the rights in section 7 does not entitle the data controller to limit the response.84 The current Regulations85 say that a request for information under any provision of sections 7(1)(a), (b) or (c) of the DPA is to be treated as extending also to all other provisions of sections 7(1)(a), (b) and (c).

Conversely, a request under any provision of section 7(1) of the DPA is to be treated as extending to information under section 7(1)(d) only where the request shows an express intention to that effect and a request under section 7(1)(d) is to be treated as extending also to information under any other provision of section 7(1) only where the request shows an express intention to that effect.

Repeated requests

The DPA contains a very important rule against the making of repeated requests. Section 8(3) says that where a data controller has previously complied with a request it is not obliged to comply with a subsequent identical or similar request unless a reasonable period has elapsed between compliance with the previous request and the making of the current request. Section 8(4) identifies the relevant considerations for determining whether a reasonable period has elapsed between requests. It says that ‘regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered’.

Fees

The data controller is not obliged to charge a fee for responding to requests for access to personal data, but where a fee is charged the data controller must make this fact known. The maximum fee that can be charged is currently £10, unless the request is made to a credit reference agency or where the request is for an educational record. For requests made to credit reference agencies the maximum fee is currently £2 and for educational records the maximum fee is currently £50.86

The time for responding

The DPA requires data controllers to comply with requests promptly and, in any event, ‘before the end of the prescribed period beginning with the relevant day’ (section 7(8) DPA).

The prescribed period

The prescribed period for responding to an access request is 40 days (section 7(10) DPA), unless the data controller is a credit reference agency, or unless the request is for an educational record. Where the data controller is a credit reference agency the prescribed period is seven working days and where the request is for an educational record the prescribed period is 15 school days.87

There is a modification for the period for responding where the request concerns examination marks and the request is received before the announcement of the examination results.

The relevant day

For the purpose of calculating the time for responding, the relevant day is a vital component. The relevant day is described in section 7(9) as:

the day on which the data controller receives the request or, if later, the first day on which the data controller has both the required fee and the information referred to in subsection (3).


The reference to subsection (3) is a reference to the data controller’s right to request any further information that is reasonably required to enable it to be satisfied of the data subject’s identity and to enable it to locate the information sought.

Requests involving third-party data

The DPA makes provision for the situation where an access request, if complied with, would involve the disclosure of information relating to a third party. The starting position, contained in section 7(4) of the DPA, is that the data controller does not have to comply with an access request if compliance would require it to disclose information relating to another identified or identifiable individual. Indeed, in the case of Durant v. Financial Services Authority88 the Court of Appeal said that section 7(4) creates a presumption against the disclosure of information relating to an identified or identifiable third party. The reason for this exemption is to ensure protection of the third party’s privacy.

The presumption against disclosure is a rebuttable one, however, meaning that there are circumstances where disclosure of third-party information is allowed.

References merely identifying a third party as the source

The third-party information protected by the exemption includes information that merely identifies the third party as the source of the information sought by the data subject, in distinction to information that has the third party as its focus. In these cases the data controller will not be excused from complying with the access request if the information sought can be communicated without identifying the third party, perhaps by editing out the information identifying the third party (section 7(5) DPA).

EXAMPLE

A data subject delivers a written access request to their employer asking for disclosure of the information within their personnel file. The personnel file includes a letter of complaint about the data subject written by a co-worker who signed it at the bottom. Apart from the co-worker’s signature the letter of complaint contains no other information relating to the co-worker. In this example the exemption protecting third-party information extends to the co-worker’s signature, as this identifies the co-worker as the source of the complaint. However, as the employer can easily remove any evidence of the co-worker’s name, the prohibition in section 7(4) DPA does not excuse the data controller from complying with the access request.


Cases where the exemption does not apply

The exemption within section 7(4) does not apply in three cases. These are:

  • The third party has consented to the disclosure to the data subject of information that identifies the third party (section 7(4)(a) DPA).

  • It is reasonable in all the circumstances to comply with the access request without the consent of the third party (section 7(4)(b) DPA).

  • The third-party information is contained in a health record and the third party is a health professional who has compiled, or contributed to, a health record relating to the data subject, or who has been involved in the care of the data subject in their capacity as a health professional (section 7(4)(c) DPA).

As regards the second case, disclosure of the information relating to the third party without consent, the data controller is required to balance the interests of the data subject against the interests of the third party. In performing this balancing exercise section 7(6) of the DPA identifies a series of factors that are to be considered by the data controller. These are:

  • any duty of confidence owed to the third party;

  • the steps taken by the data controller with a view to seeking the consent of the third party;

  • whether the third party is capable of giving consent;

  • any express refusal of consent by the third party.

In Durant v. Financial Services Authority the Court of Appeal was careful to emphasize that, on an examination of the data controller’s decision, it is not the Court’s role to ‘second-guess’ the data controller. In addition, the Court of Appeal declined the opportunity to lay down any general principles for the performance of the balancing exercise, although it was willing to identify the process that data controllers must adopt when considering whether it is reasonable in all the circumstances to disclose without consent the information relating to a third party.

The first step for the data controller is to consider whether the information relating to the third party forms part of the data subject’s personal data. If it does not, no question arises under section 7(4) and the data controller does not need to disclose the information. If the information relating to the third party does form part of the data subject’s personal data, the second step is the carrying out of the balancing exercise itself. The Court of Appeal said that when carrying out the balancing exercise much will depend upon the criticality of the third-party information to the protection of the data subject’s privacy, which is then balanced against any obligations of confidence owed to the third party and the sensitivity of the third-party information.

Access requests where the data controller is a credit reference agency

Section 9 of the DPA modifies section 7 to address the situation where the data controller is a credit reference agency. The starting position is that the data subject is taken to have limited their access request to personal data relevant to their financial standing, unless the access request shows a contrary intention. Section 7 is also modified to require the data controller to provide the data subject with a statement in a prescribed format of their rights under section 159 of the Consumer Credit Act 1974. In summary, section 159 of the Consumer Credit Act requires the individual to be informed of their rights to make objections to inaccurate information within their credit files. The prescribed format for the giving of this statement is contained in Schedule 1 to the Consumer Credit (Credit Reference Agency) Regulations 2000.89

The credit reference agency must provide its file within seven working days. The maximum fee that may be charged for provision of the file is currently £2.

Access requests for unstructured manual data held by public authorities

It will be recalled that the fifth category of data is recorded information held by a public authority that is manual data. There are two kinds of data within this category: data that is structured to a lesser extent than a relevant filing system and data that is unstructured. Section 9A modifies the right of access in respect of unstructured data. This section was inserted into the DPA by section 69(2) of the Freedom of Information Act 2000.

The starting point is that a public authority is not obliged to comply with an access request relating to unstructured personal data unless the request contains a description of the data. If the request does contain a description of the data, the public authority is still not obliged to comply with the duty to confirm or deny within section 7(1)(a) if the cost of complying with that duty would exceed ‘the appropriate limit’. The appropriate limit is defined in Regulations.90 In the case of government departments, the Houses of Parliament, the Northern Ireland and Welsh Assemblies and most of the armed forces, the appropriate limit is currently £600. For all other public authorities the appropriate limit is currently £450.

Court applications to order compliance

The data subject may enforce the right of access in court by making an application under section 7(9) of the DPA. The court will only make an order if the data subject satisfies it that the data controller has failed to comply in contravention of section 7.

In many cases the court may need to see the information that is processed by the data controller before it can determine whether or not there has been a contravention of section 7. Therefore, section 15(2) gives the court the power to order the data controller to deliver the data to it, so that it may examine it. However, pending determination of the matter in the data subject’s favour the court may not allow the data subject to have access to the data.

The case of Durant v. Financial Services Authority was brought under section 7(9). In determination of the dispute the court used its powers under section 15(2) to view the disputed data. Of course, Mr Durant was not allowed to see the data.

The right of access and the relationship with litigation disclosure

Parties involved in civil litigation are obliged to give disclosure of documents that are relevant to the issues in the case, including documents that will assist the opponent. In England and Wales litigation disclosure is governed by the Civil Procedure Rules 1999.

Although subject access is about access to information, not documents, there is clearly an overlap between this area and litigation disclosure, but it should not be thought that the focus is the same. Indeed, in Durant v. Financial Services Authority Lord Justice Auld pointed out that the right of access ‘is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved. Nor is it to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties.’

The relationship between subject access and litigation disclosure was explored further in Johnson v. Medical Defence Union,91 at the second preliminary trial. On this occasion Mr Johnson sought disclosure under the Civil Procedure Rules of the very same documents that he had failed to secure access to at the first preliminary trial. The defendant again resisted Mr Johnson’s application, arguing that the DPA prevented access to the documents sought. This time Mr Justice Laddie found against the defendant:

It follows that Mr Johnson’s application for disclosure in relation to his claims for breaches by the MDU of the data protection principles is not disposed of by the fact that he failed on his claim under s 7(9). The fact that, in determining the latter application, I looked at documents which, because of s 15(2), Mr Johnson and his lawyers were not allowed to see, does not mean that if some of those documents are relevant to his claims under ss 10, 13 and 14, Mr Johnson cannot seek disclosure of them.


Exemptions in Part IV of the DPA

There are many exemptions to the right of access. These are discussed in the section ‘Part IV exemptions’, below.
