Requesting Personal Information Under the Data Protection Act 1998 for Data Held by Copfs

REQUESTING PERSONAL INFORMATION UNDER THE DATA PROTECTION ACT 1998 (DPA) FOR DATA HELD BY COPFS ABOUT CRIMINAL CASES – CASE STUDY

If you have requested information about a case you were involved in, you may wish to note that:

·  prosecution case papers are often held in distinct formats, and while each set may contain some duplication of material, they may also include different information for their respective purposes

·  there is no means of conducting a search to identify the information held within those papers to identify only the personal data relating to one individual. There is no index which could be used to identify the information because the papers are structured in a manner which allows the effective prosecution of a case in court and not so that the personal data relating to an individual can be specifically identified

·  such material is often unstructured personal data within the meaning of section 9A of the DPA

·  even where we can identify the information and even if it contains the personal data of the requester, where it is held for criminal prosecutions, it may be exempt from release under s29(1)(a) and (b) and section 7(4) of the DPA.

COPFS recently received a subject access request (SAR) under the Data Protection Act 1998 (DPA) from an individual who requested “all data you hold about me”.

COPFS held a significant amount of information about this individual in a number of different areas of business and therefore advised that the information requested was likely to amount to unstructured personal data within the meaning of section 9A of the DPA.

The information held by COPFS was complex, and significant proportions of it were not the personal information of the requester. COPFS asked the requester to submit a description of the specific data required to progress the request. The response received did not provide the specific description required.

In addition COPFS considered some of the material held to be exempt from release in terms of sections 7(4) and 29(1) of the DPA.

The requester appealed to the Information Commissioner’s Office (ICO). The ICO agreed that it was likely that COPFS had complied with the requirements of the DPA in this instance.

In particular, the ICO stated:

Section 9A of the DPA related to unstructured data held by public authorities, and if an individual has made a SAR for completely unstructured data, then for it to be caught by the SAR, the SAR must actually describe it (i.e. it must specifically ask for that information).

Section 7(4) – (6) of the Data Protection Act relates to third party information involved in a subject access request. It dictates that considerations are whether a duty of confidence is owed to the third party, whether the information can be anonymised, and whether the third party has consented to the disclosure of their information.

In this, case, while witness statements might include some mention of the requester, that did not automatically entitle the person to a copy of the information. The ICO accepted that in this case that it was not possible to redact third party information in a manner would allow its release.

The ICO was also satisfied that the exemption at section 29 had been applied appropriately and concluded that COPFS had provided all the personal data it was obliged to provide in this case.