Data Protection Act 1998: Guidance for Cabinet Office Staff

Cabinet Office Policy in a Nutshell

1. Any subject access request received from an individual asking what information is held about them by the Cabinet Office should be passed immediately to the FOI Team. Full details are at the end of this guidance. The FOI Team will co-ordinate the reply, including arranging for the search, analysing the information found and drafting the final reply. Cabinet Office staff should not attempt to reply to an access request without consulting the Openness team.

The basics

2. The Data Protection Act 1998 (the Act) came into force in March 2000. The Act requires that organisations which use personal data must use them responsibly and within the law, so that individuals retain some control over how organisations use personal data about them. Personal data is defined in the Act in such a way as to cover virtually all information about a living identifiable individual, referred to in the Act as a “data subject”.

3. Under the Act, all personal data must be processed (which means doing anything with data, including simply holding it) in accordance with the eight data protection principles. In brief, the principles lay down that personal data must be:

4. The Act does not only cover personal data held in files where a particular individual is the subject of the file, such as personnel or case files. It covers any reference to a person, no matter where it occurs, including references held electronically. This could, for example, include a passing reference to an individual in an email, a letter, a submission, a list of staff, a copy list, or the minutes of a meeting. Since the definition of personal data includes data processed electronically, it means that CCTV footage and audio tape material are covered by the Act. Personal data is also caught by the Act if an individual is referred to by a reference number, code name, or any other cryptic way of identifying that individual. Personal data held by the Cabinet Office will include information about, for example, departmental staff (past and present), members of the public who’ve corresponded with the Department, people in public life, contractors, lists of contacts etc.

5. Personal data may only be processed where one of the following conditions applies. They are, broadly, where:

What it means for Cabinet Office staff

6. The implications of the Act are that wherever staff mention in writing (whether on paper or electronically) the name of an identifiable living individual they must ensure that:

Subject access rights

7. As well as laying obligations on the data controllers, i.e. the bodies which handle the personal data, the Act also gives rights to those who are the subjects of the personal data. The most important right they have is that of being told whether data about them are held, and if so, to be told what they are; which effectively means being given a copy of the personal data.

8. If a request is received from a data subject for details of what information is held about them by the Cabinet Office, it should be passed to the FOI Team, details of which are given at the end of this guidance. The FOI Team will co-ordinate the reply, including arranging for the search, scrutiny of any material found, and drafting the final reply. Cabinet Office staff should not attempt to reply to a subject access request without consulting the FOI Team.

9. There are some exemptions where personal data on an individual do not have to be disclosed to him or her. The exemptions which are most relevant to the Cabinet Office concern:

10. The FOI Team will advise on whether an exemption might apply in any particular case. Note that, unlike in the Code of Practice on access to Government Information and the Freedom of Information Act, there is no exemption specifically for internal discussion and policy advice, so advice given to Ministers about an individual, or which mentions an individual, is likely to be disclosable.

Other data subject rights

11. A data subject also has the right to ask a data controller to stop processing personal data where it is causing or is likely to cause damage or distress to themselves or anyone else. A data subject can also claim compensation from a data controller for damage or distress caused by any breach of the Act. He can ask the Commissioner to investigate whether any of the principles of the Act has been contravened, and the Commissioner may serve an enforcement notice on the data controller, requiring him to comply with the Act. In certain circumstances, proceedings may be instituted and courts may impose fines on the data controller.

Sensitive personal data

12. “Sensitive personal data”, as defined in the Act, concern information about:

13. Sensitive data can only be processed if a specified condition applies. The conditions include where:

14. If staff intend to process any such data, they should ensure that there is a genuine business need to record it. In many cases the information will have been made public by the data subject (e.g. the political opinions of MPs). If in doubt, consult the FOI Team.

Notification with the Information Commissioner

15. Oversight of the Act is the responsibility of the Information Commissioner, who is independent of government. Data controllers must notify to the Commissioner the purposes for which they process data, and this information is made public on the Commissioner’s website. The purposes for which the Cabinet Office processes personal data and which it has notified to the Commissioner are:

16. The Information Commissioner has said that the purposes should be interpreted broadly, and that the notification should be kept at a general level, with only sufficient detail to give an overall picture of the processing. If staff believe that personal data they process, or a database they work on, might not be included in one of the categories above, they should contact the FOI Team for advice.

Who to contact for help

17. The following should be contacted for guidance on any queries about the Act.

Jan Kiso
020 7276 1378
He is based in:

FOI Team
Cabinet Office
Room 118
70 Whitehall
London
SW1A 2AS

Data Protection Act 1998

Frequently Asked Questions

Q1. Surely I can’t be expected to obtain the permission of everybody I mention in a letter or submission?

A. Obtaining a person’s consent is only one of the conditions under which personal data may be processed. If it is necessary for, for example, any of the functions of a government department, or it is necessary for the Department’s legitimate interests, that could be sufficient justification.

Q2. If someone has only ever written one letter to the Cabinet Office, how long should we keep it?

A. It should be retained for as long as there is a business need for it. Depending on the circumstances, it might be reasonable to destroy it almost immediately after receipt, or it may be necessary to retain it for some time if it seems likely that there may be further correspondence, further action may be required, or it should be retained as part of the corporate record. An initial judgement must be made as to the period of retention, but there must be a review mechanism so that the papers can be deleted when they no longer serve a useful purpose.

Q3. We hold lists of people who we sometimes contact because they have an interest in our subject area. How long can we keep their names and contact details?

A. You can keep the data for as long as you think they will be useful. You must delete them if you believe they may no longer be accurate or relevant. You should have a mechanism for reviewing them so that they can be deleted when appropriate.

Q4. I keep copies indefinitely of everything I create electronically. Does the Act really expect me to go through all my documents and emails and delete old material?

A. Even if you have grounds for retaining material at present, you must have a review procedure for deciding what needs to be retained. The Information Commissioner will, quite rightly, criticise any organisation which does not have procedures in place for reviewing personal data.

Q5. I use emails as personal and ephemeral means of communication. Surely they can’t be covered by the Act?

A. Anything committed to record in the Department is subject to the Act – including emails. So think twice before you make any throwaway comments. Can you justify the comment? Would you be happy to see it quoted on the front page of a national newspaper?

Q6. The Data Protection Act says we should delete information and the Public Record Acts say we should preserve records. Which one should I follow?

A. If a record is likely to be required for preservation under the Public Record Acts, there are conditions in the Data Protection Act which would allow retention of the data. There is no conflict between the two sets of legislation.

Q7. If I record my views about somebody, isn’t that information about me rather than about him?

A. The definition of “personal data” in the Act includes any expression of opinion about a person, and also any indication of intention towards the person. So virtually any mention of a person’s name is likely to constitute personal data about him.

Q8. If I mention a public figure in a document I write and I quote newspaper reports about him, how can I be expected to verify whether what is said in the newspaper is true?

A. If you write something about a person which may not be true, you could be in breach of the Act’s requirement to be accurate. If however when you quote information provided by a third party you make it clear that you are merely reporting what they said, rather than expressing your own views, you will be complying with the accuracy principle.

Q9. If I think I’ve got a valid reason for recording information about someone but he disagrees, what happens?

A. A data subject has the right to complain to the Information Commissioner if he believes that anyone has breached his legal rights. In the final analysis, it will be for the Commissioner (or the courts in certain cases) to make a judgement.

Q10. My unit processes personal data to produce anonymised statistics. Are these covered by the Act?

A. Data only becomes personal where the individual can be identified. Anonymised or aggregate data would not be personal as no individuals could be identified. But care should be taken when referring to small numbers. For instance, a statement about Permanent Secretaries in the Cabinet Office would not be genuinely anonymous because of the small numbers involved.

Q11. We hold data on individuals but we only use reference numbers, rather than actual names. Is this covered by the Act?

A. It would not be covered by the Act if the Department has no means of linking the reference numbers to the individuals. But, for instance, data about departmental staff using National Insurance numbers rather than names would constitute personal data if the Department held personnel records which would permit NINOs to be linked with names of individual staff, even if the two sets of records were held in different parts of the Department.

Q12. My unit uses an outside contractor to carry out certain functions, which requires us to pass personal data to the contractor. Is this allowed?

A. This is permissible under the Act, but the contractor must sign a contract agreeing to act only on instructions from the Department, and to provide appropriate security measures. A specimen contract is available from the FOI Team.

Q13. If someone wants to know what paper records we hold on him, how can we be expected to search through all our files for any passing reference to him?

A. At present, we are only required to search for paper records which are held on highly structured files, such as files containing papers on a named individual, and where there is a high degree of internal organisation of the file. From January 2005, all paper records held by government departments will be caught by the Act, including unstructured files and where there is only a passing reference to an individual. There will however be a provision which exempts us from searching for material where the cost of doing so would exceed a certain limit. Guidance will be issued when sections are asked to carry out searches.

Q14. If someone asks for the information we hold on him and some of it will be embarrassing to Ministers, can we withhold it?

A. There is no exemption for such a situation. Unless another exemption applies, the personal data must be disclosed. The embarrassment in such material often lies in the way in which it is expressed, rather than the actual content. The test when writing anything is to ask yourself whether you would be happy to see those personal comments quoted on the front page of a newspaper.

Q15. If someone asks for the information we hold on him, what’s to stop me deleting it to stop him being given it?

A. Information relating to an individual can be deleted after receipt of a subject access request from him only if it would have been deleted at that point in accordance with existing records management policies and procedures. From January 2005, anyone who destroys information with the intention of preventing its disclosure in response to a request will be personally guilty of an offence and, on conviction, may be fined.

Q16. How often can someone make a request for the information we hold on him?

A. We are not required to respond unless a “reasonable interval” has elapsed since his last request. What is reasonable will depend on the circumstances. For instance, if there has been a lot of correspondence since the last request, it will be more reasonable to respond than if it has only been a short time and little data has been created about him.

Q17. What happens if a person makes a request for the information we hold on him and says he wants everyone in the Department to search their records?

A. The Act requires an individual making a subject access request to provide enough information to enable the personal data on him to be identified. If an individual cannot provide us with that information, such as giving us details about who in the Department he has been corresponding with, we can decline to carry out a search. Only if he has provided us with enough information to enable us to narrow down the search will we begin a trawl for the data in the areas of the Department most likely to hold them.

Q18. What do I do if I want to transfer personal data outside the European Economic Area, such as to the USA?

A. Before you do anything, consult the FOI Team.

Q19. If personal data is exempt from disclosure, do we have to search for it in response to a subject access request?

A. Whether an exemption applies will be a matter of judgement in each case and it may not be possible to decide until the material in question has been examined, possibly by lawyers. Individual units should not make decisions on the applicability of exemptions without consulting the FOI Team.

Q20. If a reference is made to someone only by reference to his position or title, e.g. the Prime Minister, or the Minister for the Cabinet Office, is he covered by the Act?

A. If it is obvious who the individual is, or his identity could be discovered through research, then he is covered by the Act, and any information we hold on him, even if it does not refer to him by name, must comply with the Act and would be disclosable if he were to make a subject access request.

Q21. Does the Act only apply to British subjects?

A. Anyone can make a subject access request under the Act, regardless of their nationality and regardless of where they are in the world.
