CASE STUDY 4/99
State agency - subject access request - whether word-processed documents retained on computer constitute "data"
The complainant had dealings with a State agency. He made an access request under section 4 of the Data Protection Act to be provided with a copy of all data held by the agency relating to him. The agency responded by providing him with some records. The complainant was engaged in legal action against the agency, and in that context he had obtained an order of discovery against the agency. Arising from this order, the complainant had reason to believe that some data relating to him had not been supplied to him by the agency, and he complained to my Office.
I took the matter up with the State agency, which was happy to co-operate with my enquiries. I drew the agency’s attention to the apparent existence of some records held on computer relating to the complainant, which had not been included in the agency’s response to the access request. The agency expressed surprise at this apparent discrepancy, and undertook to re-examine their response to the complainant’s original access request.
Having looked into the matter, the agency established that a significant number of word-processed records, the contents of which related to the complainant, were kept in different units throughout the organisation, and that some of these records were kept on computer. Because these records were not readily accessible by the central administrative office that had handled the original access request, they had not been considered for release in response to the complainant’s access request. Moreover, the agency questioned whether these word-processed records constituted "data" for the purposes of the Act, and whether there was any requirement to include these records in responding to the access request. In support of their case the agency cited the definitions set out in section 1(1) of the Act as follows —
"data" means information in a form in which it can be processed
"processing" means performing automatically logical or arithmetical operations on data and includes —
(a) extracting any information constituting the data, and
(b) in relation to a data processor, the use by a data controller of data equipment in the possession of the data processor and any other services provided by him for a data controller,
but does not include an operation performed solely for the purpose of preparing the text of documents.
The State agency suggested that the definition of "processing", from which the operation of text-preparation is specifically excluded, put computer records of word-processed documents outside the scope of the Act, since such records did not constitute information in a form in which it could be "processed".
I did not accept the agency’s argument on this point. In the first place, I explained that the definition of "processing" specifically includes the process of "extracting any information constituting the data". As the information in question had been retrieved from the word-processed records, this process of extraction had obviously been performed. Second, I noted that "preparing the text of documents" is a finite process, which concludes once, say, a letter has issued, or the note of a meeting has been finalised, as the case may be. If subsequently any processing operation can be performed upon the word-processed record, such an operation cannot be "solely for the purpose of preparing the text of documents", whatever else the purpose may be. Accordingly, I was of the opinion that word-processed records, which were kept on computer or on computer media after the document in question had been finalised, constituted "data" for the purposes of the Data Protection Act and therefore must be considered when responding to an access request from a data subject. The State agency in question agreed to provide the word-processed records to the complainant.
In my view, this case illustrates the significant implications that may arise for a data controller in the absence of a clear policy regarding the retention and deletion of computer records, including word-processed documents, from computer systems. Data controllers who do not delete word-processed documents from a computer once "preparation" is completed should be aware that they are keeping computer data which may well be accessible by a data subject. Indeed, Directive 95/46/EC makes no exemption for "text preparation", nor distinguishes in principle between manual files kept in a "structured" (or organised) filing system and computer records; and accordingly such exemptions and distinctions will become irrelevant, for data protection purposes, over time.
» Permanent Link