What do FOIA and the EIR say about requests for personal information?
Part one: Is the request for personal data?
-
- What is personal data?
- Can people be identified?
- Do you hold it as unstructured manual data?
- Is the requested information the requester’s own personal data?
- Is the requested information the requester and other individuals' personal data?
- Is the requested information someone else’s personal data (ie third-party personal data?)
Part two: Can you confirm or deny holding the requested information?
-
- What is the duty to confirm or deny?
- Is the requested information personal data, or would it be if you held it?
- Is it the requester’s personal data, or would it be if you held it?
- Is it third-party personal data, or would it be if you held it?
- First condition: would confirming or denying contravene the data protection principles?
- Second condition: would confirming or denying contravene the right to object?
- Third condition: would confirmation be exempt from the right of access under data protection legislation?
Part three: The first condition – Would disclosure contravene the data protection principles?
Part four: The second condition – Would disclosure contravene the right to object?
Part five: The third condition – Would the requested third-party personal data be exempt from the right of access?
Part six: Issuing a refusal notice
What are some common scenarios and what should you include in your refusal notice?