Data protection : How to discover what data an organisation keeps about you

You have the right to find out if an organisation is using or storing your personal information. This is called the ‘right of access’.  You can exercise this right by asking for a copy of the information, which is commonly known as making a ‘subject access request’.

Personal information means any information relating to a living, natural person who can be directly or indirectly identified.  Examples of personal information could include but are not limited to; CCTV recordings, images, voice recordings, biometric, genetic information, names, addresses, numbers such as passport numbers etc.

Do I have to make a request for my personal information in writing?

A request can take many forms. That is why it is important that organisations, charities and businesses (known as the ‘Data Controllers’) know how to recognise a request when it comes in.

The request can be in writing which can include an email or website request. It can also be verbal either in person over the phone. It does not even need to include the words ‘the right of access’ or ‘subject access request’ or similar. It may be as open as, ‘I want the information you hold about me.’ This will include any personal data held electronically as well as contained within any hard copy documents, as long as they are held as part of a structured filing system.  Therefore, it is important for all organisations to know what personal data they hold and where/how it is stored.

Having good knowledge of what personal data is held and how to access it, is not only a requirement of the law but will also make dealing with matters such as subject access requests much easier.

If personal information held by a business includes identifiable information of a third party, can the business decline to disclose that data and mine?

It depends on the nature of the data and who the third party is.  It should not be seen as an opportunity not to disclose something just because someone else may be mentioned in that information.  A simple redaction (blocking it out) may resolve the issue but sometimes that won’t solve the problem because the third party could still be identifiable from the rest of the information. If the third party can still be identified then you are not obliged to provide the information unless the third party has consented or it is reasonable in all the circumstances to do so without consent.

If asked, the person concerned may give their consent for the document including their name or identifying details to be disclosed. However, even if the third party withholds their consent you may still decide that it is reasonable to disclose this information. When considering whether to disclose information involving third parties you should take the following points into account:

• any duty of confidentiality owed to the other individual;
• any steps taken by the controller to seek the consent of the other individual;
• whether the other individual is capable of giving consent; and
• any express refusal of consent by the other individual.

How should the information be provided?

The Data Protection (Jersey) Law 2018 provides that the personal data should be provided to the data subject in an ‘intelligible form’ this means that it should be in clear and plain language and in a medium which is accessible to the requestor i.e. via electronic files.  Please remember though that it is a right to information, not simply to be provided with original copy documentation.

Once the Controller has decided which personal data to disclose to the individual (the Data Subject), they should also provide the following information (as stated under Article 28 of the Data Protection (Jersey) Law 2018).

The data subject should be advised firstly whether their data is being processed by the controller and, if so;

• The reasons they are being used/processed.
• The type of data held/processed.
• Who if anyone outside of the organisation that data may be shared with and why.
• Where possible how long the data will be kept and for what reason(s).
• The fact that the data subject can request the controller to rectify or remove any inaccurate data.
• Where the data was collected from if not directly from the data subject.
• If the data is subjected to any form of automated decision making.
• The fact that the data subject has the right to make a complaint about the handling of their data to the JOIC.

Click here for more information on accessing your personal information.  This content is provided by the Jersey Office of the Information Commissioner.

Contacting the Jersey Office of the Information Commissioner (JOIC)

Explore the resources and guidance available on the JOIC’s website or call the office on 01534 716530 to speak to a member of the team.

Do you have a question about Data Protection that you would like answered?  Drop us an email to [email protected]