CASE STUDY 3/00
Mobile telephone company – subject access request – commercially sensitive information
The complainant in this case had difficulty when he attempted to purchase a mobile telephone from a shop. The shop took his details on a sign-up form, and telephoned the mobile phone company to activate the service, which was to operate on a contract basis. The mobile telephone company declined to accept the complainant as a customer, and refused to give reasons. When the complainant pressed the matter, the mobile telephone company said they would only provide a service if he made a deposit of ?100.
The complainant made an access request under section 4 of the Data Protection Act, asking to see a copy of everything held on computer about him by the mobile telephone company. The company responded by giving him a summary of the types of information they kept about him, and assuring him that the only details they kept were those which the individual had provided on the sign-up form. They indicated that these details had been subject to an assessment procedure known as "credit scoring", and this was the reason for the requirement that he pay a deposit. The individual was not satisfied to receive summary information, rather than a full copy of the computer data relating to him, and so he complained to my Office.
It was agreed that my staff should visit the premises of the mobile telephone company to see exactly what personal data were held. The company's computer system was shown to my staff. The company explained that printing off a copy of the information which they held on computer would identify the software package in question, and this was in the company's view commercially sensitive information. In response, my Office pointed out that the company was free to take any reasonable steps to hide the identity of the software package. However, the individual had a clear legal right to see a copy of all the information relating to him. The exceptions to the right of access, set out in section 5 of the Act, did not include any reference to "commercially sensitive information". The point was also made that, just because the complainant might already have the details in question, this was no ground for refusing to comply with a valid access request. After consideration, the company agreed to forward a full copy of the personal data to the complainant.