The Information Commissioner's Office recently published guidance about access to information held in complaint files. The guidance is relevant to both subject access requests under the Data Protection Act and requests for information under the Freedom of Information Act.
It is notoriously difficult for organisations to comply properly with personal data requests, as decisions about what data are personal data and what information can be shared are not always straightforward. The guidance details various methods by which organisations may lessen the burden of such requests, and at first glance appears to indicate that organisations that use these methods do not have to provide all the information stored in complaint files in order to comply with a personal data request. However, whilst such methods may be appropriate for basic requests, a data controller must still comply with all legal requirements.
To view the article in full, please see below:
The Information Commissioner's Office ("ICO") has issued new guidance which is designed to help all organisations that hold complaint files to deal with requests for access to personal information held in them. The guidance deals with the issues that arise when an individual makes a subject access request under the Data Protection Act ("DPA") for access to their own personal data. It also deals with the issues that arise when a third party makes a Freedom of Information Act ("FOIA") request to a public authority for access to data held in a complaint file.
The guidance is designed to help organisations: to decide whether information in a complaint file is personal data, and if so whose personal data it is; to decide who gets access to which data if a complaint file contains more than one person's personal data; and to decide how personal data held in a complaint file should be dealt with if a freedom of information request is made to a public authority.
The guidance also details three approaches which appear to make it easier for organisations to comply with such requests:
(1) Use the organisation's information management systems.
A high-level approach may be possible, whereby each document is not separately considered, especially if organisations have good information management procedures in place. Reliable indexes, contents pages, descriptions of documents and metadata can make it easier for those dealing with requests to locate personal data, decide whose personal data it is, and.