Law Problem Question Example Answer
P R I C E P R I O R
68-70 Red Lion Street London WC1R 4NY
Tel: 020 7430 2304 Fax: 020 7404 1389 DX 35719
Our Ref: SM/56757
Mr H Peterson, Operations Manager
Insuracar Limited, 80-85 New Road, Manchester, M1 1AD
27 April 2018
Dear Mr Peterson
RE: Insuracar Limited
I write further to our recent telephone conversation in which you asked for advice on the extent of Insuracar Limited’s (‘HP’) duty to disclose all of the information that HP holds about its broker, Andrew Lane (‘AL’).
You explained that HP currently holds the following records about AL:
- AL’s hard copy employee records (personnel records of all employees at Insuracar are held together, ordered chronologically rather than by reference to a particular individual);
- a confidential reference given by Insuracar about AL regarding a potential secondment he might do in Ireland;
- minutes of a board meeting in which, at one stage, AL and his secondment are discussed. The rest of the minutes relate to discussions which are not relevant to AL; and
- a complaint about AL by one of his colleagues. The complaint was never progressed and the complainant refused to give permission for it to be discussed with AL.
Data Protection Act 1998
The Data Protection Act 1998 (“DPA”) protects personal data. Personal data is information from which an individual can be identified.
Subject Access Request
The DPA gives individuals a right of access to the personal data which organisations hold about them via a subject access request (“SAR”). For a subject access request to be valid, it should be made in writing. Here, AL walked into the office without making a written request and so his SAR is not valid. Should AL make a valid request in writing, we should proceed to deal with the below issues.
A 4) complaint about AL by one of his colleagues and 1) hard copy employee records
According to DPA (c.29) s.7 (4) if you cannot comply with the request without disclosing information relating to another individual who can be identified from that information, you are not obliged to comply with the request unless (a) other individual consented, or (b) disclosure can be made without revealing other person’s identity. According to (6) consideration must be given whether it is reasonable in all the circumstances to comply with the request “without the consent of the other individual concerned”. Factors include “any duty of confidentiality owed to the other individual” and “any express refusal of consent by the other individual” is a factor in evaluating this reasonableness.
You told us that you hold AL’s hard copy employee records together with personnel records of all employees at Insuracar ordered chronologically rather than by reference to a particular individual. According to DPA s.7 (4), the other employees whose records are contained within the employee records have not consented and it appears to be unreasonable in all the circumstances to comply with the request without the consent of the other individuals. According to DB v General Medical Council, when a lawful request is made under the subject access request, a “lawful balancing exercise” must be carried out. In your case, these records contain “inextricably mixed private information”. As was held in this case, you may only disclose only a “summary” of these employment records identifying only AL to the extent of the balancing act.
You further told us that you hold information about 4) a complaint about AL by one of his colleagues. You said that complainant refused to give permission for it to be discussed with AL which constitutes a factor within DPA (6) (d) for refusing to disclose information. Therefore, according to the above provisions, you are under a duty to protect the data protection rights of the complainant. It appears that you may not be able to release data relating to AL because doing so would also reveal information about the complainant who expressly refused to give permission to their data being released. You can therefore withhold this complaint about AL and provide the above reason for doing so.
3) Minutes of a board meeting
When confronted with SAR, you will need to carry out a search to ascertain whether you are processing personal data relating to the data subject and, if so, to identify the data and determine whether they are to any extent exempt from subject access. An obligation to search is by necessary implication an aspect of your duty under DPA s 7(1). However, this implied obligation is not absolute. It is not a duty to find all personal data. Your obligation to carry out a search is limited to what is reasonable and proportionate (Holyoake v Candy  EWHC 52 (QB) and Ezsias v Welsh Ministers  All ER (D) 65.)
You told us that AL and his secondment are discussed in the minutes of a board meeting. The rest of the minutes relate to discussions which are not relevant to AL. Therefore, according to the above case law, the principle of proportionality may dictate that AL’s records are not disclosed since he was only briefly mentioned at the board meeting, the purpose of which is to deal with top-level company issues rather than individual employees.
The DPA is relevant to employment references. Under sch.7 to the DPA, if an employer provides a confidential employment reference about an employee or ex-employee to a prospective new employer, the employer is permitted to refuse to disclose that reference to the employee if he or she requests to see it.
AL made an invalid SAR as he walked into the office and demanded his records to be disclosed to him. You are not required to disclose any records to AL. Should AL make a valid SAR in writing the following will apply. It appears that you are within your legal right not to disclose a confidential reference given by Insuracar about AL regarding a potential secondment he might do in Ireland. You may not disclose a complaint about AL by one of his colleagues because doing so would also reveal information about the complainant who expressly refused to give permission to their data being released. Applying the proportionality argument, it is unlikely that you will have to disclose the minutes of a board meeting that makes a general reference to AL. According to the case law, you will need to disclose AL’s hard copy employee records but you will need to redact the records to remove all other employees in order to protect their privacy.
I hope this answers your questions. If there is anything you would like to discuss, please do not hesitate to contact me.