Privacy regulator criticises misuse of Data Protection Act

Out-Law News | 02 Sep 2008 | 4:01 pm

Organisations must not use the Data Protection Act as a smokescreen for not giving out information, privacy regulator the Information Commissioner's Office (ICO) has warned.

The ICO has identified the most common data protection myths which it says are used to avoid transparency or that have just developed through ignorance of the actual law.

Deputy Commissioner David Smith said that organisations are too often refusing to release information under false cover of the Data Protection Act.

"All too often we hear of cases where organisations have not properly thought through whether they can respond to enquiries from individuals. They have simply said no and used data protection as a duck out," he said.

"The Data Protection Act does not impose a blanket ban on the release of personal information. What it does do is require a common sense approach," he said. "It should not be used as an excuse by those reluctant to take a balanced decision."

The ICO has published a list of common abuses of data protection legislation. It said, for example, that it is not true that insurance companies can only send information to policy holders.

"The Data Protection Act would not prevent an insurance company from sending out a claim form if it has been requested on behalf of the policy holder. We would expect staff working in the insurance company to take a common sense approach," said the ICO's guidance.

The ICO said that one mother had been unable to find out her daughter's flute exam results because the exams board would only send them to the person who had made the application to enter the exam, the girl's teacher.

The ICO said that this was the wrong approach. "The Act does not prevent the exam board from giving results to the student or her mother," said its guidance. "An exam board could ensure that the information is disclosed to the right person by sending it to the student’s home address. It is clearly unfair and unnecessary that the student’s mother in this case had to make a subject access request to discover her daughter’s exam results – but at least data protection access rights made sure she got the information to which she was entitled."

The ICO also criticised those who claim that the taking of photographs of children in school plays or other activities breaches their rights. This is only true if the photos are to be used commercially, it said.

Smith said that misinterpretations of the law by organisations could damage the effectiveness of the Data Protection Act itself. "The Act plays a very important role in protecting all our personal information that can be undermined when it is used in a way that defies common sense," he said.