Data Protection Act UK exemptions
Data controllers can withhold certain kinds of exempt information from you - the main exemptions are set out below. One of the weaknesses of the DPA is that you need not be told whether exempt information has been withheld. You have no right to be told whether you have been given access to the full file or only an edited version. You may even get a deliberately ambiguous reply to your request, such as ‘We hold no data on you, which we are required to disclose to you.’ This could mean that no information is held on you, or that there is a file, but everything in it is regarded as exempt.
Nevertheless, it is worth asking if anything has been held back: it may be difficult for the person involved to evade a direct question. If you suspect you have been refused access to information that is not genuinely exempt you can ask the Information Commissioner to investigate.
The main exemptions apply to:
Personal Information about Someone Else
This will not normally be released to you without that person’s consent. However, the DPA does allow such information to be disclosed without consent if this is reasonable in all the circumstances. In deciding whether it is reasonable, the controller must consider in particular whether a duty of confidentiality is owed to the other person, what efforts have been made to obtain the person’s consent, and whether the person is capable of giving consent or has expressly refused it.
If the information can be disclosed to you in a way that does not identify the individual - for example, by deleting the name of the individual or other identifying features - then you are entitled to it.
Information Identifying Someone who has Supplied Information about You
It is not enough for the data controller to suspect that you might be able to identify the individual concerned. The information must itself be enough to identify the person. The information someone else supplies about you is not exempt - unless its disclosure would in itself identify who had supplied it.
Only identifiable individuals, not organisations, are protected. Thus information that would reveal that a former employer had supplied information about you would not be exempt unless you would be able to identify the particular individual - for example, a particular manager. This exemption does not protect the identity of a health professional, social worker or teacher who has provided information that is recorded on your health, social work or educational record. This is discussed further below.
Personal data held for the purpose of preventing or detecting crime, apprehending or prosecuting offenders, or assessing and collecting any tax or duty are exempt if disclosure would prejudice one of those purposes.
The exemption is not restricted to bodies such as the police or Inland Revenue. So, information about suspected fraud held by a bank or a social security officer could also be covered.