Cabinet Office Homepage

Data Protection Act 1998:

Standards and Best Practice Handbook for Government Departments

Annex J

Contingency Arrangements in the Event of a Campaign of Round-Robin Subject Access Requests Under the Data Protection Act 1998

Background

There has been one campaign to date and that was between June-August 2002 when up to 96 Conservative MPs made subject access requests under the Data Protection Act 1998 (DPA) to around 18 departments and the National Assembly for Wales.

2. The first request was from the Chairman of The Conservative Party to the Secretary of the Cabinet. This was on the basis that the Chairman was also Chairman of the Public Accounts Committee, which meant that personal data could have been processed across Whitehall and held by more than one department. The normal practice is for the data subject to make a requests through individual data controllers but on this occasion the Cabinet Office facilitated the Chairman’s request for assistance by copying his request to the relevant departments. This is not something that should be repeated by the Cabinet Office, or any other department, if it can possibly be avoided.

3. The overall aim is to ensure that a consistent approach is adopted and as far as possible to avoid one or more of the departments involved being open to criticism for disclosing different data from the others. The co-ordination process is not intended as a method of withholding data that should be disclosed under the DPA but more a means of handling a situation where departments operate in isolation and risk disclosing data that is not released by other departments.

Initial action

4. Other than sending an acknowledgement, and where necessary requesting proof of identity and requisite search fee where charges are made, departments should not reply to access requests which they suspect of being part of a campaign without first notifying the Cabinet Office. It will be for the Cabinet Office to use the Data Protection Practitioners’ Group (DPPG) network to establish whether other departments have received identical or similar access requests.

5. Where it is confirmed that there is a campaign of round-robin access requests the Cabinet Office will arrange a handling meeting within 3/5 working days of confirmation. Whether this needs to be a meeting of the full DPPG or confined to the departments directly concerned will have to be determined at the time on the basis of what would be more appropriate.

Handling meeting

6. Factors that need to be considered in adopting a consistent approach to a campaign of round-robin access requests include:

• whether sufficient proof had been provided to confirm the identity of the persons submitting the subject access requests or whether further evidence was required (section 7(3) of the DPA);
• whether it was necessary to seek clarification from the data subjects on the material being sought or the period covered by the request to narrow down the search (section 7(3) of the DPA);
• the period and areas to be covered by departmental searches and the possible need to include descriptors ie: job descriptions, post holders, as well as names;
• any use it was proposed to make of exemptions (section 28-36 and Schedule 7 of the DPA);
• line to be taken where another individual could be identified from the data that was potentially disclosable (section 7(4)-7(6) of the DPA);
• the approach to the inclusion of the names of Ministers and officials contained in data to be disclosed;
• preferred method of providing the data, eg a digest of extracts or a mixture of extracts and redacted material (section 7(1)(c)(1) of the DPA);
• whether there was likely to be any difficulty over the interpretation of what constituted a relevant filing system (section 1(1)(c) of the DPA);
• where departments were operating different charging regimes whether this was likely to cause a problem;
• where press summaries or Parliamentary Questions were involved whether there was a need to supply extracts or simply refer to their existence;
• liaison arrangements for those departments that would be disclosing data from material from or to other departments to ensue consistency of approach;
• the possible need for a model reply that departments could adapt to suit local circumstances, including any advice that might need to be given on the sign off process;
• the practicality of departments achieving the 40-day target for responses and whether further consideration is required of the implications if departments cannot meet the target (section 7(10) of the DPA);
• determination of any clearance process that might be necessary, including for covering letters;
• the possible need for “lines to take” should there be media interest in the campaign and Press Offices or Ministers be approached; and
• whether Permanent Secretaries, if they were not already aware, and possibly Ministers needed to be informed and kept in touch with developments.

7. Depending on the nature and complexity of the campaign there might be a need for additional handling meetings or meetings to check on progress. This would include monitoring progress in achieving the 40-day timescale for responding to access requests (section 7(10) of the DPA). Where a department found that it could not meet the statutory timescale, consideration should be given to disclosing as much data as can be released within the 40-day period.

8. The intention should be to circulate the note of any handling or progress meeting within 24 hours of the meeting taking place. In preparing notes of meetings it needed to be borne in mind that there had been examples of follow up access requests that were aimed at seeking disclosure of data on how the earlier request was handled.

Central guidance

9. The aim should be to issue any central guidance within 7 working days from it being confirmed that there was a campaign of round-robin access requests. When issuing guidance it should be made clear what elements were obligatory and where departments were free to reflect local circumstances. This would, however, need to be backed up by a consultation process through the Cabinet Office to ensure that what one department proposed to do did not create undue difficulty for other departments.

10. Where it was not a practical or sensible approach to issue early guidance the aim should be to ensure that the departments concerned were clear on what basis action should or should not be undertaken, particularly in relation to the undertaking of searches.

11. If it was considered there was a need to have accurate costings for the handling of a particular campaign of round-robin requests this should be determined at the outset and departments given a common basis on which to calculate the costs.

12. To give departments a wider picture as possible any guidance should indicate which departments received access requests and from whom the requests had been received. The aim would also be keep departments notified of any press articles there might be in relation to a particular campaign.

13. Whilst every effort should be made to meet the 40-day target there could be genuine reasons why it would not be possible to achieve the target in every instance. The Cabinet Office should, therefore, take a collective lead in determining the way forward if it looks likely that departments will have difficulty in achieving the 40-day target for responses.

14. Where a consultation was needed it would be necessary to ensure that any exchange of data complied with the conditions at Schedule 2 of the DPA, ie the conditions relevant to the first principle. One method of reducing the amount of data that might need to be exchanged would be to confine the process to contentious extracts.

Freedom of Information Act 2000 (FOIA)

15. Part VII of the FOIA gives the amendments to the DPA that will come into effect when the FOIA comes fully into force in January 2005. One of the amendments is to extend the right of access to unstructured personal data held by public authorities. Public authorities are, however, exempt from the obligation to supply unstructured personal data where the estimated cost “would exceed the appropriate limit”. The appropriate limit means an amount set by the Secretary of State in regulations and there is provision for it to differ depending on the circumstances.

16. The arrangements set out in paragraphs 4-15 above will need to be reviewed nearer the time to establish what changes might be required when the FOIA comes fully into force.

Summary

17. The main actions to be taken in the event of a campaign of round-robin subject access requests can be summarised as follows:

• departments will not reply, other than by an acknowledgement and where necessary requesting proof of identity and requisite search fee where charged,
  to subject access requests which they suspect of being part of a campaign without first notifying the Cabinet Office (see paragraph 4);
• the Cabinet Office will use the DPPG network to establish whether other departments have received identical or similar access requests (see paragraph 4);
• where it is confirmed that there is a campaign of round-robin access requests the Cabinet Office will arrange the initial handling meeting within 3/5 working days of confirmation (see paragraph 5);
• any central guidance will be issued within 7 working days from it being confirmed that there was a campaign of round-robin access requests. The guidance to make clear which elements were obligatory and where departments were free to reflect local circumstances (see paragraph 9);
• where it is not practical to issue early guidance it will be necessary to ensure that departments were clear on what basis action should or should not be taken (see paragraph 10);
• if accurate costings for a campaign are required this will to be determined at the outset and departments given a common basis on which to calculate the costs (see paragraph 11);
• any guidance will indicate which departments had received access requests and from whom the requests had been received (see paragraph 12);
• departments will be notified of any press articles there might be in relation to a particular campaign (see paragraph 12); and
• the Cabinet Office will take a collective lead in determining the way forward if it looks likely that departments will have difficulty in achieving the 40-day target for responses.

Data Protection Handbook [PDF, 710KB]

[Top]