Data Protection Commissioner
Data Protection Commissioner


Government Department - issue of request for tenders - inclusion of some personal data - whether data disclosed within meaning of the Act

A Government Department issued a request for tenders in connection with the administration of an official scheme. Included with the documentation issued by the Department was an extract from an administration database, giving a list of names of individuals who had benefited from the scheme, the county where each individual lived, and the amounts of money received by each individual. One of the persons who received the documentation was concerned about the data protection implications involved, and brought the matter to my attention for investigation. As this person was not an individual directly affected by the apparent disclosure of personal data by the data controller, I was not obliged to investigate the matter as provided for under section 10(1)(b)(i) of the Data Protection Act. However, I exercised my discretion under section 10(1)(a) to investigate the matter, as I was "otherwise of opinion" that a contravention of the Act might be involved if the alleged improper disclosure of personal data had in fact taken place.

My Office contacted the Department in question asking for their observations on the matter, having regard to section 2 of the Act, which provides inter alia that personal data held by a data controller -

(i) shall be kept only for one or more specified and lawful purposes, [and]

(ii) shall not be used or disclosed in any manner incompatible with that purpose or those purposes.

The Department responded by admitting that its tender documentation did include the names of scheme beneficiaries, including the amounts of money received by those individuals. However, the Department argued that, since the individuals' addresses had not been made available, the individuals' identities could not have been determined by the tenderers.

Section 1(1) of the Act, in the definition of "disclosure", provides that -

... where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed.

In the terms of the Act, therefore, the Government Department was arguing that the individuals could not be fully identified because only their names and county of residence, and not their addresses, had been made available; and since the individuals could not be fully identified, there was no "disclosure" as defined in the Act.

After some consideration, I was unable to accept the argument put forward by the Government Department. The first question I considered was what is normally meant when one speaks of "identifying" someone. To my mind, "identification" involves the process of distinguishing one particular person from another person, or from people generally. In everyday life, the chief method of distinguishing one person from another is by name. I am therefore most reluctant to accept that a data controller can release people's names and other data relating to those people, and still maintain that it has not disclosed personal data within the meaning of the Act. Moreover, since named individuals in this case were classified according to their county of residence, and since many of the names were uncommon, I was satisfied that a disclosure had clearly taken place. I also adjudged that the disclosure was not compatible with the purpose for which the Department had obtained the personal data, and accordingly I concluded that the Department had indeed contravened the Data Protection Act.

Data controllers in both the public and private sectors should be aware that, unless they have good grounds for making their customers' names available to third parties, they are likely to be in contravention of the Data Protection Act by doing so. Where, as in this case, a data controller can achieve its legitimate purposes without disclosing personal data, then in my view, the only prudent approach is to avoid the unnecessary disclosure.