ICO guidance on access to information held in complaint files

Updated November 2011

The Information Commissioner's Office (ICO) has recently published new guidance to assist organisations in responding to requests for access to information held in complaint files. The guidance relates to both subject access requests (SAR) under the Data Protection Act (DPA) and requests for information under the Freedom of Information Act (FOIA). (See the guidance under Related links).

The guidance is designed to help organisations:

• to decide whether information in a complaint file is personal data and who that personal data belongs to;
• to work out who is entitled to access data where a complaint file holds personal data relating to more than one party and a subject access request is made; and
• how to deal with personal data held in a complaint file if a FOIA request is made to a public authority.

The guidance makes it clear that it is unlikely that all data held in a complaint file will be the complainant's personal data but acknowledges that making this assessment is not always straightforward. In some cases it will be clear that information, such as a company's disciplinary policy, is not personal data. However, in other cases, such as in relation to a person's opinion, the decision as to what information qualifies as personal data may "call for careful judgment based on the nature of the information, the context in which it is held and the purpose for which it is used". The guidance also highlights that organisations should be aware that information held in complaints files may hold personal data about more than one person.

The guidance is informative in helping organisations gain a general understanding of the law and gives illustrative examples which may enable organisations to deal with basic requests. It does not, however, address all the other exemptions that might be relevant when a request is received for access to information held in a complaint file, therefore care should be taken when using the guidance to ensure that all relevant issues are taking into consideration, not solely those set out in the guidance.

As we have mentioned in previous updates the ICO has stepped up monitoring and enforcement action in relation to FOIA obligation and has amended its procedures to deal with complaints relating to SARs more effectively (see Related publications).

Should you require assistance in responding to a SAR or a FOIA request please contact Alison Deighton, head of TLT's Data Protection and Privacy team.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.