Data Protection Act 1998: Guidance for Cabinet Office Staff
Standards and Best Practice Handbook for Government Departments
3. Disclosable Information and Exemptions
Issue
Any mention of the data subject is potentially disclosable in response to a
subject access request. Apart from exemptions specified in the DPA, a much
wider range of material is disclosable than under the 1984 DPA. Unlike the
Freedom of Information Act 2000, the DPA has no exemptions for policy
advice or internal discussion so, in theory, sensitive or embarrassing
material may be disclosable. Any material held electronically is caught by
the DPA, whose remit extends much wider than traditional databases.
2. Any personal data held on a personal computer, including emails, files,
letters, minutes, address lists, diary entries etc are caught by the DPA.
So, too, is footage of individuals held on closed circuit television
(CCTV). Even material in Cabinet minutes is potentially disclosable if it
contains personal data. There are a number of exemptions, for instance for
national security, crime and taxation, legal professional privilege and
processing for research purposes. Any protective marking that may appear on
a document has no relevance in relation to what can be disclosed under the
DPA. Unless a relevant exemption can be invoked, personal data from such
documents may have to be disclosed.
3. The requirements in the DPA in relation to the disclosure of “eligible
manual data” are set out in the guidance on “Manual Records”.
Standards
4. Ensure that all relevant areas (i.e. those which, in the light of
information provided by the data subject, appear likely to contain the
information sought) are searched for personal data. Do not overlook less
obvious areas, such as electronically held diaries, staff annual reports,
personal telephone lists etc.
5. When a subject access request generates large amounts of material,
ensure that it is properly labelled and arranged for ease of future
reference.
6. Ensure that where data is withheld under an exemption, the reasons are
documented for future reference in case of challenge.
7. The work units which provided the material should usually see the reply
before it is sent. They will be aware of any sensitivities which may need
to be taken into account. In cases of doubt, clear the reply with lawyers.
8. Replies to the data subject should be sent promptly. The maximum period
of 40 days prescribed in the DPA should be regarded as an absolute limit,
not a target.
Recommended best practice
9. Personal data must be disclosed in response to a subject access request
unless specifically covered by one of the exemptions in the DPA. The
Information Commissioner's guidance on emails and CCTV makes clear her understanding
that they are information being processed by "equipment operating
automatically" and are therefore caught by the DPA.
10. Each subject access request needs to be handled on its merits.
Departments should do what they can to be helpful. However, in determining
their response they should clearly identify what is being disclosed under
the DPA and what, if anything, is being disclosed as a matter of
departmental policy.
11. Under Section 7(1)(c)(i) of the DPA, an individual is entitled, in
response to his subject access request, to have communicated to him in
intelligible form “the information constituting any personal data of which
that individual is the data subject”. The right of access is therefore to
the personal data, not to the document in which the data is contained.
Departments are required to disclose only that information specified in the
Act. Where appropriate, full use should be made of the exemptions in the
Act, i.e. sections 28-39 of the DPA and Schedule 7 to the DPA. Care should
be taken however to check the precise terms of the exemption before seeking
to rely on it.
12. Most of the exemptions in the Act, in sections 28-39 and Schedule 7,
provide for an exemption from the right of access to personal data. The use
made by departments of exemptions is likely to vary depending on the types
of material they hold. Exemptions which have been invoked by departments
include:
- national security (section 28) (see also section 12 of this handbook on
  Ministerial Certificates);
- crime and taxation (section 29);
- health, education and social work (section 30);
- research history and statistics (section 33) – which can apply to
  superseded drafts of documents and material on which decisions are no
  longer based (see also the discussion of s33 in the Lord Chancellor’s
  Department guidance at Annex A);
- judicial appointments and honours (paragraph 3 of Schedule 7);
- negotiations (paragraph 7 of Schedule 7); and
- legal professional privilege (paragraph 10 of Schedule 7) - which can
  cover any legal advice, including where legal advice from a lawyer is
  referred to by a third party who is not a lawyer.