Chapter 15Business propertyThere is a right of appeal against the issue of any
notice to the Information Tribunal.
The Commissioner can apply to a circuit judge for a
warrant to enter and search premises if there are reason-
able grounds for suspecting that an offence has been
committed or that the data protection principles are being
contravened.
Rights of data subjects
The DPA 1998 gives a number of rights to data subjects
in respect of the personal data held about them. The
corresponding duties of data controllers may give rise to
claims for compensation. Business organisations should
consider the possibility of obtaining insurance cover
against such risks. The rights are as follows:
1 Access to personal data.A data subject is entitled to
be informed of whether a data controller holds any data
about him or her and to be supplied with a copy of such
data in an intelligible form. The data controller may
insist on receiving a written request, checking the data
subject’s identity and the payment of a fee (subject to a
maximum fee of £10 in 2008). The information must be
available within 40 days. Obviously, business organisa-
tions must establish a clear procedure for dealing with
requests for access to data.
The Court of Appeal has provided useful guidance on
the scope of the right to obtain access to personal data in
the following case.
2 Right to prevent processing likely to cause damage
or distress.A data subject can ask a data controller to
stop, or not to begin, processing personal data relating
to him where it is causing or is likely to cause substantial
unwarranted damage or substantial distress to him or to
another person. There are situations where this right is
not available (e.g. where the data subject has previously
consented) and data controllers do not always have to
comply with the request.
3 The right to prevent processing for direct market-
ing.A data subject can ask a data controller to stop,
or not to begin, processing data relating to him for the
purposes of direct marketing. If the data controller does
not comply with such notice, the data subject can apply
for a court order to that effect.447Contracts for financial services
(2003)
Durant had been involved in unsuccessful litigation
against his bank. Subsequently, he sought disclosure of
documents which he believed might help him to re-open
the dispute. He had asked the Financial Services Author-
ity (FSA) to help him to obtain disclosure and he also
wanted to know what information the FSA had obtained
from the bank in its supervisory capacity. The FSA com-
pleted its investigations but, for reasons of confidentiality,
did not inform Durant of the outcome. Durant complained
to the FSA Complaints Commissioner but the complaints
were dismissed. Durant then made two subject access
requests under the DPA 1998, covering both electronic
and manual information. The FSA provided documents
about Durant held in computerised form but refused
access to manual files on the grounds that the informa-
tion was not personal and, if it was, it did not form partof a relevant filing system. The Court of Appeal upheld
the trial judge’s refusal to order the FSA to make further
disclosure. The mere mention of the data subject in a
document did not necessarily amount to ‘personal data’
under the DPA 1998. Whether it did so in any particular
case depended on where it falls in a ‘continuum of
relevance or proximity to the data subject as distinct,
say, from transaction or matters in which he may have
been involved to a greater or lesser degree’. Two factors
may assist in judging relevance or proximity: whether
the information was significantly biographical, and
whether the data subject was the focus of the information.
Moreover, the information must affect a person’s privacy
whether in his personal or family life, or his business or
professional capacity. On the question of the meaning of
a ‘relevant filing system’, the court concluded that the
DPA 1998, and the EC Directive on which it was based,
supported a restrictive interpretation. The protection is
provided for personal data not documents. A relevant fil-
ing system is a system ‘in which the files forming part of
it are structured or referenced in such a way as to clearly
indicate at the outset of the search whether specific
information capable of amounting to personal data of
an individual requesting it... is held within the system
and, if so, in which file or files it is held; and which has
as part of its own structure or referencing mechanism, a
sufficiently sophisticated and detailed means of readily
indicating whether or where an individual file or files and
specific criteria or information about the applicant can
be readily located.’
Comment.The Information Commissioner’s view is that,
following the Durantjudgment, ‘very few manual files will
be covered by the provisions of the DPA’.