Thursday, August 19, 2010

Personal Data

In an earlier post we disclosed a previously redacted paragraph from the Met Police (Specialist Crime Unit) case assessment report – to which we had recently gained access care of the Information Commissioner’s Office (ICO).

The report in question had been, as you can see from our post of 10 of May 2009, almost entirely redacted by the Met who claimed that: "the majority of information contained within the report has been redacted as it is exempt by virtue of Section 40(1)&(2) of the Act."
Section 40(1) of the Freedom of Information Act refers to the personal data of the subject data applicant, whereas Section 40(2) refers to the personal data of other people .[*]
Thus, the Met implied, over 80% of their assessment of the Gaul RFI consisted of biographic detail … (!?) although in their response to our FOI request for information regarding any witnesses/ parties questioned by detectives during their assessment process, the police indicated there were none.

The Met also advised that, should we wish to request the redacted information in respect of Section 40(1) (i.e. personal data about ourselves), which is contained in that report, we would have to complete a Subject Access Request (SAR) application.
We did complete two SAR forms and paid the associated fees. The response we got, however, was the release of another few lines from their case assessment report (these, except for our names, did not contain any other personal data, but only the allegations we had made about the shortcomings of the Gaul RFI).
The rest still remained concealed. That is a big chunk of the report – paragraphs 8 to 18 – remained redacted, purportedly, under the provisions of Section 40(2) of the Freedom of Information Act, which relates to third parties’ personal data.

Now, if we take another look at the redacted report, we can see that paragraph 19 states that the case officer "reviewed the materials described at paragraphs 10 to 18" in order to assess the validity of our complaint about the undisclosed design faults of the Gaul. The materials should, therefore, have contained technical rather than personal information. For, anyway, what personal information could they have contained and about whom? Under the 1998 Data Protection Act (DPA), personal data is clearly defined as data about a living individual, who can be identified from those data.
It may be that the documents referred to in the police assessment report did, in effect, contain information relating to technical matters, but - based on the fact that those materials had an author who, by necessity, must have been a living person, and judging that any expressed opinions reveal the insights of a person’s mind - the Met may have gone as far as to conclude that disclosure of such insights were prone to lead to undue intimacy and breach, therefore, the author’s rights under the Data Protection Act.

Thus, the Met have conveniently missed the fact that personal data is information about a person, not information a originating from a person – otherwise, except that produced by non-human species, all information would be exempt.
Also, as we have already contended in our reply to the Met, a witness statement is not considered personal data under the provisions of the 1998 Data Protection Act, unless the witness himself is the focus of that information. Just because a document contains the name of a person does not mean that it is about that person.
All opinion has an author, but if the opinion is not about the author himself and his personal life, then that opinion should be able to be passed on. Besides, the Data Protection Act itself suggests the means by which information can be conveyed without revealing its source: i.e. the omission of names or other identity details.

Unfortunately, by choosing not to disclose the requested information, the Metropolitan Police have now left room for suspecting that the content of their case assessment report is either embarrassing or untrue.

[*](1) Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject.
(2) Any information to which a request for information relates is also exempt information if-
(a) it constitutes personal data which do not fall within subsection (1), and
(b) either the first or the second condition below is satisfied. [etc]

No comments: