Policy and performance

The Data Protection Act 1998

The Data Protection Act 1998 (DPA 1998) contains eight principles which affect the processing of personal data.

“Personal data” is defined in the DPA 1998 and is, in brief, information relating to a living individual who can be identified from that information.

When a person requests the disclosure of personal data concerning himself or herself, that is dealt with under the DPA 1998 (a subject access request). The FOIA 2000 extends the definition of personal data under the DPA 1998 so as to include unstructured personal information held in manual form by a public authority.

When a person requests the disclosure of personal data about a third party (a third party request) the request is dealt with under the FOIA 2000 but:

• should be refused if disclosure would breach one of the data protection principles;
• may be refused where disclosure would contravene a notice served under s10 of the DPA 1998. Under s10, a person is entitled to serve a notice requiring the data processor to cease processing personal data in respect of which he is the data subject on the grounds that processing is causing or is likely to cause substantial damage or substantial distress;
• may be refused where (if a subject access request had been made) the information would have been exempt from disclosure under any of the exemptions set out in Part IV of the DPA 1998 (e.g. the prevention and detection of crime).

The data protection principles are that personal data should be:

• fairly and lawfully processed,
• processed for limited purposes,
• adequate, relevant and not excessive,
• accurate,
• not kept for longer than is necessary,
• processed in line with the rights of the data subject,
• secure and
• not transferred to countries outside the European Union without adequate protection.

The main issues in dealing with a third party request under the FOIA 2000 will be whether disclosure of information in response to a third party request would breach the first principle, to process data fairly and lawfully.

Disclosure would be unlawful if there would be an actionable breach of confidence. This could happen where sensitive information had been provided to the public authority under an expectation that it would not be disclosed, e.g. medical records or personal financial details. Disclosure would also be unlawful where there is a law preventing disclosure, e.g. the Official Secrets Act.

Disclosure could be unfair in many different circumstances, including:

• where disclosure would cause unnecessary or unjustified damage or distress to the data subject,
• where the data subject had been led to believe that the information would not be disclosed,
• where the data subject has expressly refused consent to disclose the information.

A distinction is drawn in the Information Commissioner’s guidance between information concerning a person’s private life (e.g. home, family, personal finances) and his or her public life (e.g. information concerning a person acting in the course of his or her work or an official capacity), disclosure of the former type of information being more likely to breach one of the data protection principles.

Where:

• a person makes a subject access request – there is an absolute exemption and the request must be dealt with under the DPA 1998;
• a person makes a third party request but disclosure of the information would breach one of the data protection principles – there is an absolute exemption and the public authority can refuse to disclose the information;
• a person makes a third party request and the disclosure of the information would not breach one of the data protection principles but would contravene a s10 notice – there is a qualified exemption and the public authority needs to ensure that the s10 notice is valid and then apply the public interest test and withhold or disclose as appropriate;

^ (back to top)