Holding Personal Data

This checklist will help your business understand how to respond to a request for access to personal information held in a complaint file.

What is personal data?

Personal data is any information about an individual held on a computer or in an organised filing system that could identify the individual, either on its own or together with other information your business or a third party holds. It needs to be protected and kept secure. This information includes:

  • Name
  • E-mail address
  • Telephone numbers
  • Date of birth
  • Notes written about someone (for example, an annual performance review).

What is a subject access request?

  • A subject access request is a mechanism that gives an individual the right to access information about themselves
  • They do not have a right to access information about anyone else, unless they are a parent acting on behalf of a child, for example.

How to approach a complaint file

  • Complaint files are often complex and may include a mixture of:
    • information that is the individual’s personal data;
    • third party personal data; or
    • information that is not personal data at all.
  • Sometimes you may need to consider each document within a complaint file separately to assess the status of the information it contains.

Good practice points for your business

  • Establishing good information management procedures will enable your business to improve the way it responds to a request for information. For example, you should consider creating:
    • reliable indexes;
    • contents pages; and
    • descriptions of documents.
  • Putting these measures in place will make it easier to locate personal data, decide whose personal data it is and make a decision about its disclosure
  • Your business should be as helpful as possible when an individual makes an access request
  • It may often be easier to provide an applicant with a mixture of all the personal data and ordinary information relevant to their request, rather than to look at every document to decide whether or not it is personal data
  • This might be an acceptable way to progress a case where none of the information is particularly sensitive or contentious (for example, a file relating to a customer’s complaint about a routine consumer protection issue)
  • However, your business must make it clear that you are providing the information on a discretionary basis and you are under no legal obligation to provide it.

Identifying personal data within a complaint file

  • Identifying the dividing line between personal and non-personal data is often difficult
  • A complaint file will typically start off with information that can be easily classed as personal data (for example, an exchange of personal views about an issue)
  • As an investigation progresses, more general information may be included in the file (for example, geographical information about the place where an incident occurred). This type of information may not be personal data, even though it is contained in a complainant’s file and may be relevant to the complaint
  • Remember that the context in which information is held, and the way it is used, can have a bearing on whether it is classed as personal data
  • However, some information in a complaint file will never be personal data, regardless of the context in which it is held and the way it is used (for example, a company’s disciplinary policy).

Third party personal data

  • Difficulties may arise if an individual makes a request for information and the personal data of another individual falls within its scope. Third party personal data cannot be disclosed if it would be unfair to do so
  • In general, it is more likely to be fair to disclose information about an employee acting in a professional capacity than about a private citizen.

More information

If you have any queries about the content of this checklist, please contact Philippa Spratley.