Meeting minutes

Published: 15 February 2024

Background 
A member of the public (the complainant) attended a meeting at an organisation. The meeting consisted of three people: the meeting facilitator, another attendee and the complainant. The three people discussed matters of a private and sensitive nature. The meeting facilitator provided no details about how they may collect, record, or use the personal information discussed at the meeting.

The discussion focused on the two attendees. Many months after the meeting, the complainant wanted details of the discussion as they were concerned about data security and confidentiality. They made a data subject access request (DSAR) to the organisation for meeting notes and other processing details.

The organisation responded by saying that it would not provide any data, citing that it owed a duty of confidentiality to the other attendee.

A complaint was made to the Office of the Data Protection Authority (ODPA), and the organisation sought consent from the other attendee and provided details of the way in which the complainant’s data was used, stored, and protected.

Learning point
Had both attendees been given detailed information about how the organisation handled personal data, including the rights they had under the law, it is unlikely that a complaint would have been made in the first place. Individuals must be informed at the outset, and prior to an organisation processing their data, how their information will be collected, what will happen to it and how it will be used. This then gives the individual the choice of whether they wish to proceed or not.
In addition, reference to third parties in data being requested does not automatically mean that the data cannot be provided.