Data Protection - important guidelines issued by the Data Protection Commissioner on "Personal Data" and "Relevant Filing Systems"

In our March 04 issue we wrote about the implications, for persons making or organisations responding to access requests for details of Personal Data, of a recent decision of the English Court of Appeal in the case of Durant -v- Financial Services Authority.

On the 5th July the Data Protection Commissioner published guideline notes on his website ("Guidelines") on two very important issues that were at the heart of the Durant case, namely what is meant by "Personal Data" and what constitutes a "Relevant Filing System" in the context of "Manual Data".

The relevant Irish legislation is the Data Protection Acts 1988 - 2003 ("the Acts").

The Acts define "Personal Data" as follows:

"Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller".

Recommended tests of the Data Protection Commissioner to apply in deciding what data is Personal Data.

The Guidelines state that a broad interpretation of the following should be applied in seeking to decide what data is Personal Data:
  • Is the information about the individual concerned (Data Subject)?
  • Is the Data Subject the focus or the main focus of the data?
  • Where does the data fall in a "continuum of relevance" or proximity to that individual?
  • Is the data of such a nature that it is required in order for the Data Subject to check that its use does not unlawfully infringe that individual's privacy?
  • Is the data different in some respect because of the Data Subject's involvement? In other words, is it generic or specific to the Data Subject? If generic, then it is not Personal Data.
  • The simple fact that the data can be retrieved with reference to the individual's name or identifier does not necessarily constitute such data as that individual's Personal Data.

Some examples to expand on the Guidelines.

1. Documents authored by an employee in the course of his/her work

Where the author is not the subject of the documents, it is unlikely that the documents would constitute his/her Personal Data. That said, documents authored by an employee relating to personnel, HR or disciplinary issues are most likely to contain Personal Data.

In our view - in looking at these guidelines - it would be prudent for all employers to regard such data as being potentially the subject of a legitimate access request from the individual employees to whom it relates.

2. E-mails sent or received in the course of the employee's work

In the view of the Data Protection Commissioner only those emails that are personal in nature could constitute Personal Data. Certain emails generated in relation to HR matters could also constitute Personal Data.

3. CCTV Images

Information in the control of the Data Controller that would allow him to identify an individual on a CCTV image would constitute Personal Data. This information could be a combination of the time of the recording together with a record of the individual's transaction made at a particular location, which in turn can, for example, be related to that individual's account through their loyalty card or ATM card.

If the Data Controller does not have the information to link the CCTV image to the individual but, as part of the individual's access request, the Data Controller receives such information from that individual, then the images would be regarded as Personal Data if the Data Controller can readily correlate both sets of information.

Data Controllers should be mindful that CCTV images that identify other individuals cannot be disclosed without their consent. In the absence of that consent, these images must be blanked out when dealing with an access request.

What constitutes Manual Data and what is a Relevant Filing System?

The Acts contain the following definitions:

"Manual Data means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system."

"Relevant Filing System means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instruction given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible."

The Guidelines set out a number of recommended tests that should be applied in determining if Manual Data is part of a "Relevant Filing System" within the meaning of the Acts.
  • The Personal Data must be part of a regular filing system or set maintained by the Data Controller for the purpose of conducting its business. If the organisation concerned maintains different departments in different locations then the person making the access request must specify the subject matter and the specific department and/or location where that individual believes the file or data to be located.
  • The set must be structured by reference to individuals. For example, if a file is maintained with reference to an individual's name or ID number, this would meet the test. If the file is not so identified but contains sub-files with such identification information, and the file title indicates that it contains Personal Data, then this too would meet the test.

The data must be readily accessible, so if the files are not required for day-to-day operations and are archived, and retrieval would involve disproportionate effort (including retrieval costs), then the data could not be said to be readily accessible. However, if the individual making the access request can identify particular data by file reference or date, then on a reasonable view of the matter it could be said to be readily accessible.

Access to such files must be by reference to specific criteria, so, for example, data that is to be readily accessible cannot be located on miscellaneous files. The search criteria do not have to meet the standards required for computerised files. The more readily accessible the information is, the more probable it is that it will meet the test of being readily accessible.

Conclusions

Employers need to be mindful of this guidance. If information is being circulated within the organisation which relates to an individual employee - especially in the context of HR or disciplinary matters - such information or data could constitute that employee's Personal Data.

Employers should also bear this guidance in mind when drafting or reviewing email usage policies to ensure that these policies properly reflect the rights of employees to their privacy in respect of personal emails.

These Guidelines should also be considered in the preparation or review of any policies or procedures dealing with access requests.

For further information contact:
Patrick Ryan at
Email : pryan@kilroys.ie

© Kilroys Solicitors 2004