Changing your name and gender: the data protection implications

By Steve Wood, Head of Policy Delivery.

Names are an essential part of our identity. We use them every day, from conversation with friends to official transactions. They are perhaps the archetypal article of ‘personal data’ and can provide information about other aspects of your life such as ethnic background, religion or gender. So, the decision to change them is normally not taken lightly.

The reasons we do so are varied and can range from personal preference, marriage and divorce to personal safety. For a transgender person, changing his or her name can be one of the earliest steps in the process of transitioning to a different gender and is often one of the first indications to the wider world of this change. Changing a name, and for trans* people, gender can bring up a number of data protection issues that organisations should be careful to get right.

How do you change a name or gender?

There is no single legal procedure if you want to start using a new name and you can change your name at any time as long as you do not intend to defraud or deceive others.  Although you could just start using a new name, you may want evidence of that change for official purposes, for example, amending official documents like a passport or driving licence. You can do this through deed poll or by statutory declaration which are both legal documents evidencing the change of name.

Many trans* people consider applying for a Gender Recognition Certificate, but this can only be done at the end of the transition process which includes having fully lived in the acquired gender for at least two years. By the time they make an application they will already have had to change a number of official and unofficial documents and records indicating not just the change of name, but also of gender. However, it must be noted that many trans* people choose not to apply for a GRC and, unless legally required, organisations should not ask for a GRC simply to change the record of a person’s gender upon their request.

People’s attitudes once they have changed names or genders can differ. Some want to demonstrate continuity, for example Jane Smith being known as Jane Smith-Jones after marriage. This could be personal or financial, for example keeping credit records and utility bill trails. Others might prefer it if no-one kept a record of them in their former name and, in the case of trans* people, the gender they were assigned at birth.

Once you have changed your name or gender the next stage of getting organisations to amend their records can be difficult. Even in 2014 there is a significant variation in what is required by organisations to authorise a change, and inconsistency in their practice.

There is still more to be done to raise awareness of the issues and organisations, in both the public and private sector, will need to learn how to improve their procedures over time, ensuring they effectively reflect and uphold data protection rights.

What is the role of the Data Protection Act and the ICO in all this?

Many aspects of this issue clearly interact with the Data Protection Act 1998. The ICO has responsibility for the Act and promoting data privacy. The focus of the Act is personal data; in this context this will mean information held in organisations’ records.

The Act is clear that personal data must be accurate and relevant. The Fourth Principle in the Act states: “Personal data shall be accurate and, where necessary, kept up to date”. So in relation to a person’s name and gender this means that organisations should provide an efficient means for an individual to amend his or her details in their records. Our view has always been that records of personal information should accurately reflect a person’s current details. What is the practical benefit to an organisation of continuing to use an out of date name for customer A when that customer’s name is now B?

Organisations should also consider carefully whether they really do need to keep old records of a person’s former name and gender, since the Third Principle states: “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”. This is particularly relevant to gender, which is sometimes collected when it has no bearing on the application process in question.

Attention also needs to be given to the confidentiality and security of any procedures across organisations for individuals to change their personal details, whether they are customers or employees: this clearly interacts with many of the data protection principles in the Act. Organisations should ensure that any sharing of information across the organisation, as part of the procedure, is proportionate and necessary.

As mentioned above, it is important that organisations review their policies and procedures to ensure that they can provide an easy and effective method for individuals to assert their data protection rights related to amending their name and other relevant details. If an organisation refuses to amend an individual’s record it is good practice to provide a clear reason and justification as to why, and reconsider if further representations are made.

The impact of organisations failing to update records following a change of name or gender could cause damage and distress. It is important that organisations get these issues “right first time”.

Footnote
In this area there are broader legal issues, beyond the DPA, that ICO does not have responsibility for. There is a distinction between the right to have a record amended under the DPA and broader legal issues, including human rights, about the right to have new identity documents issued. For more information about Human Rights please see the Equality and Human Rights Commission website.

*For a guide to terminology please go to: http://www.equalityhumanrights.com/your-rights/equal-rights/transgender/understanding-terms-are-used

Last updated 7/10/2014 11:59

Steve WoodSteve Wood‘s department develops the outputs that explain the ICO’s policy position on the proper application of information rights law and good practice, through lines to take, guidance, internal training, advice and specific projects.
This entry was posted in Steve Wood and tagged , , , , , . Bookmark the permalink.

7 Responses to Changing your name and gender: the data protection implications

  1. Pingback: Changing your name and gender: the data protection implications - IT Policy

  2. This is a really useful article, thank you!

    I think it’s also useful to recognize that some trans people do not consider themselves to be either male or female. For these people, any record that only allows categories of “male” and “female” (and doesn’t at the very least allow the data to be omitted) will inherently be recording inaccurate data, and thus in breach of the DPA.

    The EHRC has produced a booklet with detailed guidance at http://www.equalityhumanrights.com/sites/default/files/documents/technical_note_final.pdf, with different options depending on the level of detail required.

    At a bare minimum, records about gender should have an “other” option (possibly with a free-text detail field), and ideally the option to decline to answer unless it’s strictly necessary.

  3. Debby Lewis says:

    I agree this was a useful article. However, what if, for safety reasons, we need to retain the historical information about the person i.e. within the persons health records? We are struggling with this issue, as are other health providers and would welcome some advise. Thank you

    • icocomms says:

      In response to your query, there are a number of points for you to consider.

      • As stated in the blog, the Third Principle of the Data Protection Act (DPA) requires that personal data should be adequate, relevant and not excessive. If an individual’s historical personal data is still relevant for the purpose of their health records, then an organisation may decide it can lawfully retain it under the DPA.

      • The First Principle of the DPA requires an organisation to process personal data fairly and lawfully. As part of this, the organisation must satisfy one of the conditions in Schedule 2 – which could be, for example, that the person has given their consent to the processing, or where the processing is necessary for the purpose of the legitimate interests of the organisation. In general this means being transparent about how an individual’s information will be used and considering how it will affect the interests of the individual concerned. Organisations should have a clear policy in place explaining what records they need to keep and why.

      • Since this information is sensitive personal data, the organisation must also satisfy one of the conditions of Schedule 3. This could be the consent of the person, or because the processing is necessary for medical purposes as defined in Schedule 3.

      In the circumstances you describe, it is for the health provider to justify for itself, based on the DPA criteria set out above, whether it may retain historical information within a person’s health record.

      However please note that there is additional legislation outside the DPA in relation to transgender individuals that will be relevant to personal data in their health records. We recommend that you check this with the Department of Health since it is not within the remit of the ICO.

  4. Debby: The test, as quoted above, is whether the data is “adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”. Storing someone’s medical history is obviously useful to be able to offer health care, and, depending on the sorts of treatment you’re providing, that may well include their gender history, if that’s something that would be relevant to the treatments you offer.

    I can’t see any circumstance in which having a record of their previous names would be relevant.

  5. Matthew James says:

    “you can change your name at any time as long as you do not intend to defraud or deceive others.” I think an individual is still able to change their name even if they have the intention of defrauding others, but obviously they would then be committing offences when undertaking the fraud or deceit. I don’t think an organization would know, at the point the individual was changing their name, that there might be a future intention to defraud.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s