Cabinet Office Homepage

Cabinet Office website
|

Main navigation

In section navigation

Data Protection Act 1998: Guidance for Cabinet Office Staff

Standards and Best Practice Handbook for Government Departments

10. Manual Records

Issue

Section 1(1) of the DPA defines “data” to include:

“Relevant filing system” is defined as:

2. There are two elements to the definition. Firstly, it must be relatively easy to locate the relevant file, and secondly, there must be an internal structure to the file to allow specific information relating to an individual to be easily located. The first element requires a file series which is ordered in alphabetical (or other logical) order. Where the name of the individual (or a reference number or other identifier uniquely identifying him) is clearly contained in the title of the file, so that references to the individual can be easily located, a file would clearly satisfy the first element. However, even if a file were to bear a subject title such as “disciplinary proceedings” rather than the name of an individual, but within that file separate folders were held on particular individuals, that file would probably come within the scope of the Act, making personal information held on it potentially disclosable. Any set of files may constitute a filing system; they need not be registered files.

3. To fulfil the second element – possessing an internal structure - the contents of a file must be ordered in such a way that specific information about the data subject can be readily extracted. This would exclude many files where the contents are simply filed in chronological order. There must be greater organisation, such as dividers separating different subject areas within the file or an index or logical sequence. If either of these elements is not fulfilled, the filing system will not come within the scope of the Act, and need not be searched. Do not assume, simply because you know where a particular document is filed, that the information is “readily accessible”. The important question is whether a person unfamiliar with your filing system could locate the information easily.

Standards

4. Departments will assess whether a filing system can be regarded as a “relevant filing system” before disclosing any data from it, seeking legal advice if appropriate. If data are disclosed from a filing system which clearly does not fall within the definition, it should be made clear that the data are being disclosed voluntarily and not because there is any obligation to disclose them under the Act.

Recommended best practice

5. The definition of “personal data filing system” contained in Article 2(c) of the EC Data Protection Directive 95/46/EC refers to a “structured set of personal data that are accessible according to specific criteria”. During debates on the DP Bill in 1998 the government stated that its purpose in the definition of relevant filing systems in section 1(1) had been to cover all manual records that the directive requires member states to cover, but to go no further than the directive requires. Recital 27 to the EC Directive also emphasises that it is not intended to cover all manual records and that only files structured according to specific criteria are to be included within the scope of the Directive.

6. The EC Directive therefore supports a relatively restrictive interpretation of the meaning of “relevant filing system”, such that manual records must not only be structured by reference to individuals or criteria relating to them, but must also be structured internally so that specific information relating to a particular individual is readily accessible. This interpretation is in accordance with the government’s intention, which was to focus on highly structured files, and which led to an amendment to change the term “particular information” to “specific information” during the passage of the DPA.

7. A personnel file with a name on the front, but which is arranged only chronologically will probably not constitute a relevant filing system within the meaning of the DPA, since specific information about that individual is unlikely to be readily accessible. In the Information Commissioner’s Introduction to the DPA she suggested a cautious approach, which assumed that a set or sets of manual information which are referenced to individuals (or criteria relating to individuals), and where the information is specific to an individual, would be caught by the DPA if generally accessible on a day-to-day basis. However, our legal advice suggests that the definition of a relevant filing system in the DPA and the relevant provisions in the EC Directive do not support such an approach.

8. If files are not named by reference to a particular individual but nonetheless are structured by reference to criteria relating to individuals in such a way that specific information relating to individuals is readily accessible, they will fall within the definition of a “relevant filing system”. The structuring of the files must in some way make it clear that information on a particular individual is held on those files so that the information can be said to be readily accessible.

9. Neither the EC Directive nor the DPA contain any obligation on anyone holding manual records to carry out an operation to organise those files to satisfy the test of a “relevant filing system”.

10. In time the definition of “data” will be amended by section 68 of the Freedom of Information Act to cover manual data held by a public authority which is not held on relevant filing systems, subject to certain exceptions, including one for personnel matters (section 70 of the FOI Act). The intention is that the relevant provisions of the FOI Act will come into force in January 2005 to coincide with the general right of access under the FOI Act.

Data Protection Handbook [PDF, 710KB]

[Top]

In section navigation