The Information Commissioner’s Office (ICO) urges organisations not to hide behind the Data Protection Act unnecessarily when dealing with requests from members of the public.
The ICO has dubbed these situations ‘Data Protection duck outs’ – situations arising from a belief by some organisations that data protection stops them giving out any personal information or prevents them from dealing with certain types of enquiries.
Examples of data protection duck outs include claims that parents aren’t allowed to take photos of their child at a nativity play (they can); that teachers are unable to promote the successes of pupils in the local media (they can) and that priests are prevented from praying for an ill person by name during mass (they aren’t).
The Data Protection Act does not impose a blanket ban on the release of personal information. It requires a common sense approach, and should not be used as an excuse by those reluctant to take a balanced decision.
Data Protection duck outs exposed
Superman duck out
In September 2008, Marks and Spencer wrongly blamed the Data Protection Act when they told a mother they could not discuss the delivery of her seven year old son’s Superman suit because it would infringe his data protection rights.
ICO view: Organisations should be cautious about releasing details of an order or account to a third party. However, in this case M&S was not being asked to release any personal information (only to confirm that a part of the suit was missing, and send it), so M&S could have spoken to the boy’s mother without breaching the Data Protection Act.
Read the ICO Good Practice Note about giving information to a third party
Sports day duck out
Many cases have been reported of schools preventing parents from taking photos of their children in nativity plays or at school sports day. This seems to be largely as a result of misunderstanding and fear of breaking the law on the part of school staff, which the ICO has worked hard to clarify with guidance.
ICO view: The ICO advises a common-sense approach; photos for the family album are exempt from data protection.
Read the ICO Good Practice Note about taking photographs in schools (aimed at Local Education Authorities).
Prayer duck out
In 2005 it was reported that Catholic priests were no longer allowed to pray out loud for an ill person by name because they might be breaking data protection rules.
ICO view: Unless this sort of information was formally held on file it would not be covered by the Act. Even if it were on file, there would only be a breach if the person had specifically asked not to be mentioned or the church had reason to believe they would object.
Claims form duck out
Insurance companies have blamed data protection rules for not being able to send out a claim form when someone other than the policy holder requests it.
ICO view: No personal information is released by the sending of a form, so rules are not infringed. Again, the ICO urges a common sense approach.
Exam grades duck out
In 2005 an examining board gave the Data Protection Act as the reason it could only release an exam result to the teacher, not the student or her parent.
ICO view: The Act does not prevent results being released to students or parents, and in fact the Data Protection Act gives students the right to ask for information held about them, including exam results. Posting the results to the student would have been fine and the student’s subject access request to get the results should not have been necessary.
Read the topic guide about individuals’ right of access to examination records