Data Protection Act 1998: Guidance for Cabinet Office Staff
Standards and Best Practice Handbook for Government Departments
13. Personal Data Held In Case of Potential Disputes
Issue
Departments must consider whether they are entitled to maintain records in
relation to individuals, such as former members of staff, where they are
concerned that the individual may at some stage instigate proceedings
against the department. Where such records include information which
constitutes personal data, it may only be processed if one of the
conditions set out in Schedule 2 to the DPA is fulfilled. It is also possible that
some information contained within employment records could constitute
sensitive personal data as defined in section 2 of the DPA, eg if they
consisted of information as to the racial or ethnic origin of the data
subject or his political opinions. Schedule 3 to the DPA establishes a set
of further conditions, one or more of which must be satisfied in order to
legitimise the processing of sensitive personal data.
2. Departments also need to consider how long they should keep personal
data which have been gathered for the purposes of responding to a subject
access request in case of a dispute arising in relation to that request.
3. There is the further issue of whether the subject access provisions
allow data subjects to obtain information prior to or during legal
proceedings against the data controller even where access to such
information has been previously denied in an application for disclosure
under the Civil Procedure Rules. Disclosure in accordance with the CPR and
disclosure pursuant to a DPA subject access request are separate regimes
covered by their own rules. An unsuccessful application for disclosure of
material in civil proceedings would not necessarily preclude a successful
application for the same material under the device of a subject access
request.
Standards
4. Documents used in responding to a subject access request should be
retained for the minimum period that the department considers necessary.
Recommended best practice
5. Where a department retains records relating to individuals, such as
former members of staff, in anticipation of possible proceedings, if those
records contain personal data as defined in the Act, they may be liable to
a subject access request under section 7 of the DPA unless the data
controller can rely on one of the DPA exemptions. Departments should
therefore bear this in mind where they are concerned that an individual may
at some stage institute proceedings against the department. They should
also ensure that whatever is recorded in such records conforms to the
requirements of the DPA.
6. It is not possible to give firm guidance on how long a department should
retain personal data gathered for the purpose of responding to a subject
access request. Departments will have to determine the retention period for
each subject access request, taking account of the circumstances relating
to the access request concerned.
7. Where legal proceedings are current or imminent between the data subject
and the department, there is no right to refuse a subject access request on
the grounds of current or imminent proceedings and/or an unsuccessful
application under CPR. Personal data may only be withheld where another
exemption applies. The exemptions relating to negotiations (Schedule 7
paragraph 7) and legal professional privilege (Schedule 7 paragraph 10) may
be relevant.
Data Protection Handbook [PDF, 710KB]
[Top]
