The UK Information Commissioner’s Office (ICO) recently issued guidance for organisations in the difficult area of responding to requests for access to information held in complaints files. The guidance helpfully sets out a number of practical examples concerning when information should and should not be provided in response to a complainant’s request, in particular acknowledging that complaints files often consist of a complex mixture of information including the complainant’s personal data and personal data relating to other individuals.
Some information within a complainant’s file will never be personal data, regardless of the context. The ICO explains that even where information is used to inform a decision about an individual, it does not automatically follow that the information is personal data. A corporate policy might, for example, be used to make a decision about an employee, but it does not qualify as the employee’s personal data because it does not “identify” or “relate to” that employee.
If you want to comment on this post, you need to login.