Further guidance on the personal data flowchart

More detailed guidance on common sticking points in the personal data flowchart

The extent to which personal data has already been made public

It is not always easy to determine the extent to which personal data is in the public domain and whether this has been made public by the individual, or whether informed consent was granted to a third-party, or whether a third-party has made the data public without consent.

We use our judgement to decide, based on the following considerations:

Has an individual deliberately participated in making their data public?
What were the circumstances around the individual making their data public and thus can the information be made available by us?
To what extent has the information previously been made public by other individuals or bodies and what were the circumstances around this? Who was the intended audience?
Have the circumstances since changed in a way which might suggest that disclosure could have a detrimental effect on the individual?
If personal data is public, is it the same level of detail as is in the material ?

Once a judgement has been made, other standard considerations then apply: i.e. the level of sensitivity, the surrounding context (e.g. was the material made in a clinical setting or as part of a personal pursuit?), the age of the material, and the degree to which it is structured

Examples

Personal data recorded in a clinical context forming part of a medical record, not made public by an individual, but made public to a limited audience (such as medical professionals) by a third party.

Limited personal data, lowering the risk of identification (i.e. just a name) = restricted

Additional personal data present, such as case histories or faces = closed

Personal data documented in a clinical setting but not as part of a medical record or for diagnosis. Not made public by an individual, but made public to a general audience by third parties for approximately 15 years without issue

Limited personal data lowering the risk of identification (i.e. just a name) = open

Additional personal data present, such as medical details = restricted

Closed versus restricted access

It is not always clear whether material should be closed or restricted. In many cases it is a judgement call that should be made after considering various factors, including those listed below.

Logic behind restricted as an access status

The Data Protection Act applies to data that identifies a living individual and is held in a filing system that allows for ready access to information about specific individuals (i.e. a relevant filing system).

Restricted was introduced as an access status to prevent damage or distress to individuals whose personal data is not covered by the Act, namely that it is not held in a relevant filing system.

Considerations

These three areas should be considered together and not in isolation.

Relevance

How relevant is the automated/manual filing system to the personal data found?

Does the nature of the filing system make the personal data easier to find, or is the personal data totally incidental?

The full filing system does not necessarily need to be present in the archive, in order for a single file to count as being in a filing system. For instance, a single clinical case file containing structured personal data would count as a manual filing system, as would a run of several clinical case files.

Quantity

What proportion of the material is sensitive? Is it one document in a large file, or are there repeated instances spread across a file?

Sensitivity

How sensitive is the information? Is it personal data? Does it identify a vulnerable person or someone in a vulnerable position?

How identifiable is the personal data? For instance, is it just a first name, or a full name and date or birth? (Don't forget to consider this in relation to information accessible in surrounding material).

If the personal data is highly sensitive, but a very small and incidental part of the material, is redaction an option? For more details about this, see 3.1.2 Redaction

Examples

Incidental personal data forming a minor part of a file that is not easily findable from the catalogue metadata and is unlikely to cause serious damage or distress if disclosed

SA/BMA/C.121: Fees for medical examination of school teachers under Teachers Superannuation Act, 1918-1948

Mainly administrative file comprises meeting minutes, correspondence and extracts. Includes incidental references to a teacher attending medical appointments for a named issue.

Restricted until 2033

Incidental personal data that is likely to cause damage or distress if disclosed and is present in several instances within the file

SA/CAS/E/2/16: "CU correspondence", 1997-2002

Correspondence between members of Casualties Union on a variety of matters concerning the running and activities of the Union. Several letters contain critical remarks about various senior members and their (mis)management of Casualties Union.

Closed until 2063

Personal data provides different degrees of identification

PP/RSI/B/1/6/5/7: Child psychiatry - "Mental Health Needs Good Neighbours" (artwork)

A drawing by a child psychiatric patient with their full name and address written on the back, 1960s-1997

Closed until 2093

PP/RSI/B/2/7/15: A cowboy in an orange and pink outfit (artwork)

A drawing by a patient at a social psychotherapy centre with their initial and surname on the back, c.1941

Restricted until 2026

Sensitive material removed from a file and catalogued separately

PP/SAB/B/1/1/4: "Miscellaneous"

A file concerning Abram's cannabis research and law reform campaign activities with some pieces of correspondence included. Two letters do not appear to have any relevance to the rest of the file and contain sensitive medical information and details about a person's drug taking. These were removed and catalogued as PP/SAB/B/1/1/5: "Miscellaneous": closed material

PreviousUndertaking sensitivity review NextRestriction and closure periods

Last updated 9 months ago

Was this helpful?