On Wednesday 9 July, the House of Lords handed down its decision in the case of Common Services Agency v Scottish Information Commissioner. It had been widely hoped that the case would consider the conflict between the narrow UK interpretation of “personal data” following the case of Durant v Financial Services Authority and the broader view followed elsewhere in Europe. Although the case does not consider this head-on, or in detail, its comments on Durant seem to support a less restrictive approach to the definition of personal data. As a result, although this is a Scots freedom of information case, it has relevance across the United Kingdom.
The Common Services Agency is a Scottish public authority whose duties include collation and publication of epidemiological information. In January 2005, it received a request under the Freedom of Information (Scotland) Act 2002 (“FOISA 2002”) to disclose all incidents of childhood leukaemia by year from 1990 to 2003 in the Dumfries and Galloway postal area, broken down by census ward.
The CSA did not hold all of the information. To the extent that it did hold the information, it declined to provide it on the basis that the information was personal data and was exempt under FOISA 2002, as disclosure would breach the Data Protection Act 1998 (“DPA 1998”). The applicant appealed to the Scottish Information Commissioner, who held that, although the precise information requested would be exempt on this basis, to comply with its duty under the FOISA to advise and assist the applicant, the CSA should have provided the information in “barnardised” form. Barnardised information is information in a format which has been manipulated so as to reduce the likelihood of identification of individuals. The CSA appealed on the basis that the barnardised data would still amount to personal data and so would be exempt.
Although the case relates to a request under the FOISA 2002, there is a substantially identical exemption under the Freedom of Information Act 2000, so the case is of relevance across the UK.
The judgment in a nutshell
The House of Lords did not answer the question as to whether or not the barnardised data was personal data: this was remitted to the Scottish Information Commissioner for him to determine as a question of fact. Although the Scottish Information Commissioner had ordered the CSA to release the barnardised data, his decision notice did not address the question as to whether this data would be personal, or whether it could lawfully be released under the DPA 1998.
The House of Lords set out the key questions for the Scottish Information Commissioner to consider:
Would the barnardised data still be “personal” data?
If barnardised data was not personal data, then it should be released.
However, if the barnardised data was personal data, then, would its release satisfy the requirements of the DPA 1998?
In particular, would it:
be fair and lawful; and
meet one of the conditions set out in Schedule 2 of the DPA 1998; and
meet one of the conditions set out in Schedule 3 of the DPA 1998 (as this would also be sensitive data)?
Detailed comments in the judgment
The judgment also gives guidance on the following questions:
when is a person “identifiable”?
what is the status of anonymous and pseudonymous data under the DPA 1998?
what is the status of the Durant decision?
is there an obligation to “create” data to meet freedom of information obligations?
In addition, both Lord Hope and Lord Rodger emphasise the need for balance between FOISA 2002 and the DPA 1998, stating that “there is no presumption in favour of the release of personal data under the general obligation that FOISA lays down” (Lord Hope, paragraph 7).
When is a person identifiable?
S.1(1) of the Data Protection Act provides that data will be “personal” if it relates to a living individual who can be identified “(a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller…”.
“Data” is in turn defined as information which is processed automatically; is recorded in a “relevant filing system” (i.e. a highly structured paper file); is recorded with the intent that it will be processed automatically or held in a relevant filing system; is part of an “accessible record” (health records, and educational, social services and local authority housing records held by certain public bodies); or is unstructured information held by a public authority which is subject to freedom of information legislation.
Lord Rodger of Earlsferry suggests that it is significant that the draftsman refers to “information” in the second limb of the definition of personal data, instead of the defined term “data”. He suggests that this means that personal data will only be identifiable if the individual is identifiable either directly from the personal data itself, or from that data taken together with other information which does not fall within the definition of “data”. Lord Rodger gives the example of a key held on a single piece of paper – which, presumably, would not amount to a relevant filing system, and so would be “information” but not “data”. For public authorities, this interpretation is not significant – as the final element of the definition of personal data means that all information held by such authorities is “data”, irrespective of how it is filed. However, if this interpretation were applied to private organisations it would have surprising consequences: an organisation could hold information about individuals on computer, but use unique codes to identify individuals instead of names. On Lord Rodger’s analysis, if the look-up code was held in an unstructured paper file, the information would be personal data; however, if the information was held in a more useful format, in a structured paper file, or in a separate database on computer, then it would not be covered by the DPA 1998.
This approach is not followed by any of the other Law Lords: Lord Hope (who delivers the leading judgment) follows the traditional approach that data will be personal if an individual can be identified by the data itself, or by any other data or information held by the data controller – in other words, the form of this additional identifying information is not significant. Lord Mance expressly prefers this section of Lord Hope’s judgment over that of Lord Rodger. Lord Hoffmann approves Lord Hope’s judgment in full, although he does not comment on it.
What is the status of anonymous and pseudonymous data under the DPA 1998?
Recital 26 to the Data Protection Directive provides that “the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable”.
The judgment is unanimous in confirming that truly anonymous data falls outside the DPA 1998 – and that it will be a question of fact whether barnardised data is actually anonymous.
Lord Hope (at paragraph 27) states that the relevant test is whether the information is identifiable in the hands of the organisation disclosing the data:
“…If it was impossible for the recipient of the barnardised data to identify those individuals, the information would not constitute “personal data” in his hands. But we are concerned in this case with its status while it is still in the hands of the data controller, as the question is whether it is or is not exempt from the duty of disclosure that FOISA says must be observed by him”.
Baroness Hale of Richmond (at paragraph 92) takes a different approach, noting that:
“…the Agency may well have the key which links those data back to the individual patients. The Agency therefore could identify them and remains bound by data protection principles when processing the data internally. But the recipient of the information will not be able to identify the individuals either from the data themselves, or from the data plus any other information held by the Agency, because the recipient will not have access to that other information. For the purpose of this particular act of processing, therefore, which is disclosure of these data in this form to these people, no living individual to whom they relate is identifiable…”
It is usual to distinguish between information which no-one can identify (anonymous information) and information where identities are masked, but where an individual could be re-identified (pseudonymous information). Baroness Hale’s judgment suggests that pseudonymous information may be disclosed like anonymous information so long as the key to the re-identification is only held by the discloser. This may be of considerable significance to those in the health sector, who often need access to uniquely coded data for research purposes, but where the recipient of the information does not need access to the code.
The status of Durant
The judgment looks at the Court of Appeal decision of Durant v Financial Services Authority [2003] EWCA Civ 1746. However, it does this only briefly and does not address in any detail the (controversial) comments in that judgment as to when information will “relate” to an individual.
In Durant, Auld LJ stated that not all data which mentions an individual can be said to “relate” to him. Auld LJ suggested two tests which may assist in determining if data “relate” to an individual: the first is whether the information is biographical in a significant sense; the second, whether the individual is the focus of the information.
Considerable concern has been expressed at these comments, which seem to suggest a narrower definition of personal data than applies elsewhere in the EU: in particular, by comparison with the definition of personal data set out in the paper issued by the Article 29 Working Party (WP136), the body set up under Article 29 of the Directive to give guidance on interpretation of the Directive.
The House of Lords does not consider Durant at any length: it does not need to do so; if the information here (incidents of leukaemia) is identifiable it is clearly personal, with enormous biographical significance for those concerned.
As the judgment does not consider the arguments in favour of a broader definition, it may be tempting to conclude that this suggests that the House of Lords approves of Durant. In the absence of detailed consideration of the point, it is dangerous to speculate on the House of Lords’ views either way. However, there are two paragraphs of Lord Hope’s judgment which suggest that he interprets Durant in a less restrictive way than many commentators. Lord Hope notes that:
“… [Durant] was a case where the person seeking disclosure was the data subject… Part II DPA 1998 contains provisions which are designed, on certain conditions, to enable the data subject to obtain access to … information. Among these provisions are sections 7(4) and section 8(7), which enable the data controller to refuse to disclose the information if the data subject would be able to identify another person from the information… It was in that context that Auld LJ said … that mere mention of the data subject in a document… did not necessarily amount to his personal data and suggested two notions that might be of assistance in determining whether it did. One of these was whether the information was biographical in a significant sense. The other was one of focus.
The Lord President, applying the second of these two guidelines, said in para 23 that the effect of barnardisation was to move the focus of the information away from the individual children to the incidence of disease in particular wards in particular years. It may indeed have this effect. But this does not resolve the question whether or not it is “personal data” within the meaning of DPA 1998…”
Lord Hope clearly indicates that biographical significance and focus are not definitive. They may be of assistance, in subject access cases, but are not the test as to whether or not data are personal.
Is there an obligation to “create” data for FoI purposes?
The CSA did not “hold” the barnardised data; it held the underlying personal data from which barnardised data could be generated. The obligation under freedom of information legislation is to provide information “held” by a public authority; would this extend to manipulating information which is held, in order to create requested information which was not held? This is a point which is of frequent concern to public authorities and on which the Secretary of State for Justice intervened in the proceedings.
Lord Hope noted that this provision of the FOISA should be “construed in as liberal a manner as possible” and that therefore the CSA should barnardise the information which it held. The effect of barnardisation would be to apply a disguise to the information: it would be a similar process to redaction and would not amount to requiring the CSA to carry out research or create new information. In any event, authorities had protection against unreasonable demands on their resources from this type of request via the cost limits set out in the FOISA 2002.
If you have any further questions about this judgment, please contact Ruth Boardman (firstname.lastname@example.org) or Hazel Grant (email@example.com) in our Data Protection team.