Fiona Mulvaney- Waterford Technologies
The Data Protection Commissioner defines Personal Data as: “personal data” means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller
There is often confusion regarding what constitutes Personal Data, I read a blog recently by Mason Hayes and Curran about a ruling by The Court of Justice of the European Union (CJEU)which helps to clarify further what is deemed to be Personal Data.
“The CJEU ruled in the joined cases of YS, M, and S v Minister for Immigratie, Integratie en Asiel that the legal analysis contained in an internal document as part of an internal process is not personal data. The decision came following a request for a preliminary ruling by the Dutch courts. The decision is also notable as it clarifies the form in which personal data may be provided to a person pursuant to a subject access request.
This case involved applications from third country nationals for residency in the Netherlands. Applications are made to the Dutch Immigration and Naturalisation Service (“INS”). In this instance, individual applications for lawful residence were made by YS, M and S. Both M and S were granted residence permits. However, YS’ application failed and was ultimately rejected.
When the INS processes these applications, the application is initially reviewed by a case officer. As part of the internal process, the case officer completed an internal administrative document in which he outlines the reasons for a particular decision or draft decision. This document is referred to as “the minute”.
The minute generally contains a variety of information including data relating to the applicant, details of the statements made by the applicant and the documents submitted in the application. It also contains an assessment of this information in the light of the relevant legal provisions (the “legal analysis”). The length of the legal analysis can range from a few sentences to a few pages. The case officer addresses the credibility of the statements made by the applicant and outlines why s/he thinks that the application should succeed or not. It may otherwise be as concise as a reference to the application of a particular line of policy.
From a data controller’s perspective, the CJEU’s decision further clarifies what constitutes personal data at European law. The case highlights that while the definition of personal data may appear broad, it does have limitations – not all records concerning a subject are required to be released under a subject access request. This may provide room to manoeuvre when responding to an access request.
The decision also helpfully clarifies that the CJEU considers it sufficient to provide a full summary of the relevant data in an intelligible form. This means that provided proper access is granted to the personal data, controllers may no longer be required to provide redacted copies of original documents. “
In this case the data was deemed not to be personal data but it does go to show that if you are holding personal data that someone can make a request and take it as far as court proceedings to obtain this data. If you had to go to court do you have eDiscovery software that would give you all of the details you would need to a hearing?