Personal Data in UK Law

In conformity with the 1981 Convention and the Directive, the purpose of section 7, in entitling an individual to have access to information in the form of his "personal data" is to enable him to check whether the data controller's processing of it unlawfully infringes his privacy and, if so, to take such steps as the Act provides, for example in sections 10 to 14, to protect it.

It follows from what I have said that not all information retrieved from a computer search against an individual's name or unique identifier is personal data within the Act.

There are two basic points to make about the scheme of sections 7(4)-(6), and 8(7), for balancing the interests of the data subject seeking access to his personal data and those of another individual who may be identified in such data. The first is that the balancing exercise only arises if the information relating to the other person forms part of the "personal data" of the data subject, as defined in section 1(1) of the Act.

In some cases, it has been said that the supply of information does not tell the data subject anything he or she did not already know. To take a simple example: everyone knows their own name and date of birth. Moreover where the focus of a SAR is (as is often the case) a request for copies of documents rather than personal data, the fact that the data subject was either the author or recipient of the document in question would also be highly relevant to the exercise of discretion.

Even so, it is not an obligation to supply documents: Dunn v Durham CC [2012] EWCA Civ 1654, [2013] 2 All ER 213 at [16]. It is of critical importance to distinguish between the two. Although it may be more convenient and cheaper in some cases for a data controller to supply copy documents, there is no legal obligation to do so. This is, I think, borne out by article 12 of the Directive which requires the data controller to inform the data subject of the " categories of data concerned".

But in my opinion the fact that the Agency has access to this information does not disable it from processing it in such a way, consistently with recital 26 of the Directive, that it becomes data from which a living individual can no longer be identified.

For this purpose, the rules need not be statutory, provided that they operate within a framework of law and that there are effective means of enforcing them. Their application, including the manner in which any discretion will be exercised, should be reasonably predictable, if necessary with the assistance of expert advice. It is enough that it lays down principles which are capable of being predictably applied to any situation.