What is Personal Data?

 

The definition in the Act reads:

 

“personal data” means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller;

 

A similar definition is contained in the Directive (95/46/EC):

 

“personal data”  shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

 

The definition is – deliberately - a very broad one.  In principle, it covers any information that relates to an identifiable, living individual.  However, it needs to be borne in mind that data may become personal from information that could likely come into the possession of a data controller.

 

There are different ways in which an individual can be considered ‘identifiable’.  A person’s full name is an obvious likely identifier.  But a person can also be identifiable from other information, including a combination of identification elements such as physical characteristics, pseudonyms occupation, address etc.

 

The definition is also technology neutral.  It does not matter how the personal data is stored – on paper, on an IT system, on a CCTV system etc.

 

While the definition of personal data is very broad, an individual’s rights in relation to such data are subject to various qualifications.  For example, in relation to personal data contained in printed (as opposed to electronic) form, the right of access to such data only applies if the data is part of a relevant filing system .   Also, where a huge volume of personal data is involved, the data controller can refuse to provide a copy of all of the material involved on the grounds that this would involve disproportionate effort (but the data controller is still obliged to describe the data, including what it is used for, who it is disclosed to etc).

 

Often a case by case assessment must be made taking account of some of the above considerations as to whether data could be deemed to be personal.

 

What is Manual Data and what is a Relevant Filing System

 

The definitions in the Acts read:

 

manual data” means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;

 

relevant filing system” means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;

 

The following are this office’s recommended tests / guidance that should be applied in determining if manual data is part of a “relevant filing system” and therefore subject to the Data Protection Acts 1988 & 2003.

 

(a) the personal data must be part of a set i.e. a regular filing system within a particular organisation which the organisation maintains for conducting its business. If the organisation maintains different Departments in different locations, the data subject should specify the subject matter and the department/office where s/he believes the file/data is located;

 

(b) the set must be structured by reference to individuals. If a file exists with a person’s name or ID number on it this meets the criterion. If the file does not have a name on it but has sub-divisions with a name or ID, and the file title indicates that it contains personal data e.g. record of sick absences then this would also meet the criterion.

 

(c) the data must be readily accessible. If files are archived and are not used for decision–making as part of the day to day operations of the organisation, and retrieval involves disproportionate effort (or perhaps even cost where a storage company is used), then the data could be said to be not readily accessible. In such a circumstance, the data subject would need to be able to identify particular data by file reference or date so that on a reasonable view of things the data could be said to be readily accessible;

 

(d) such access cannot be simply random but must be according to specific criteria. The data cannot be located in miscellaneous files. At the same time, the search criteria do not have to meet the standards inherent in a computer system. The more readily accessible the particular information is, the clearer it is that it will be.

 

Investigation procedures by the Office of the Data Protection Commissioner

 

For the sake of clarity the general procedures adopted by the Office and ultimately by the Commissioner when investigating complaints received under the Data Protection Acts 1988 and 2003 are as follows:

 

  • When a complaint is received it is initially reviewed as to whether it comes within the terms of the Acts. If it is decided that the matter merits investigation then it is the normal practice for office staff to investigate the content of the complaint on the Commissioner’s behalf – the desire of the Office and the Commissioner is to reach an amicable solution if possible before proceeding to a formal decision and in many instances a formal decision is not necessary.
  • The investigation will be carried out in a variety of ways whether by correspondence, discussion, inspection etc. The data protection issues involved are analysed during the course of the investigation. The staff then decides on initial conclusions and a report of what might constitute a decision, to be ultimately made by the Commissioner, is prepared by them and issued to the data controller concerned and the complainant. This report contains the following elements- case background, investigation of complaint, analysis of data protection issues, preliminary decision.
  • The sole purpose of the document is to confirm facts and to give both parties a further opportunity to furnish any additional comments they may wish to make for the Commissioner to consider before he makes the final formal decision- this is why the document is classed as a ‘draft decision’. The heading of the draft decision and the covering letter to both parties makes it clear that it is not the Commissioner’s decision but is a draft, which will be later submitted to him. The draft decision contains the following statement in a prominent position ‘The purpose of this Draft Decision is to ensure that the facts outlined are accurate and that the assessment of the data protection issues appropriately and adequately takes account of all relevant factors before it is submitted to the Data Protection Commissioner for his consideration. This Draft Decision is issued in strict confidence.’
  • If any further comments are received the staff will consider them also before the file is then referred to the Commissioner to make a decision on the complaint.
  • The Commissioner considers all the material before he makes the formal decision.

 

The foregoing process aims to ensure that the Commissioner is aware of all the facts that he has to consider before he makes the final decision. Either party can appeal the Commissioner’s decision to the Circuit Court

 

Guidance Material - Back-up systems

 

Back-up data are defined in the Data Protection Acts, 1988 & 2003 as being

 

 " data kept only for the purpose of replacing other data in the event of their being lost, destroyed or damaged".

 

In order to come within the definition of 'back-up data', data cannot be part of a live system nor can they be used for any purpose other than replacing lost, destroyed or damaged data.

 

Address

Office Premises
Synergy House
10, Oakview Drive
Clonsilla
Dublin 15
Ireland

Contact Info

Tel: +353 (0)1 8215189
Mobile: +353 (0)87 2326927
Email: info@synergy.ie

Find Us