Durant v Financial Services Authority
A Court of Appeal decision on 8 December 2003 (Durant v Financial Services Authority) has dramatically cut down the scope of the Data Protection Act 1998. The Court of Appeal has sought to prevent an “unjustifiable burden and expense” being imposed on organisations processing personal data. The decision restricts what information is protected by the Act and its application to paper records. In particular, the decision attempts to impose limitations on access to personal data (i.e. subject access requests).
Background to the case
Mr Durant was a former customer of Barclays Bank plc and had been involved in litigation with the bank. After losing his case in 1993, Mr Durant sought disclosure by the Financial Services Authority of records relating to the dispute which he believed could assist him in reopening his claim against Barclays or secure an investigation of its conduct. The FSA investigated Mr Durant’s claim against Barclays but closed the investigation without disclosing its outcome or any documents.
Mr Durant then made two access requests to the FSA under the Act seeking disclosure of personal data held by it, both electronically and in manual files. The FSA provided copies of documents which it held in computerised form, some of which were redacted so as not to disclose the names of others. However, the FSA refused to provide Mr Durant with copies of documents held on manual files on the ground that the information was not “personal data” and that, even if it was personal data, it was not sufficiently structured as to be covered by the Act.
Mr Durant’s subsequent application for a court order requiring further disclosure from the FSA was dismissed.
The meaning of personal data
An individual has a right of access to their data under the Act if that data is “personal data”. This means “data which relate to [the] … individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or likely to come into the possession of, the data controller, and includes any expression of opinion about the individual, any indication of the intentions of the data controller or any other person in respect of the individual.”
The Court of Appeal concluded that the Act would not apply just because there was a mere mention of the individual in a document. Instead the data must “relate to” the individual in a meaningful way. The Court suggested two relevant considerations:
1. whether the information is biographical in a significant sense, that is, “going beyond the [individual’s] involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised”; and
2. whether the information has the individual as its focus, “rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest.”
The Court of Appeal summarised this as information affecting a person’s privacy, whether in his personal or family life, business or professional capacity.
In this case, the Court concluded that the information held by the FSA, although it identified Mr Durant, actually related to a complaint against Barclays Bank, albeit that Mr Durant had made the original complaint.
The implications of this are far-reaching. If a customer or an employee makes a complaint, an organisation would, it now seems, be entitled to proceed on the basis that information relating to the investigation of this complaint falls completely outside the Act – the information would not need to be revealed in response to an access request, nor would it be subject to the data protection principles (e.g. it could be retained indefinitely and would not need to be processed fairly).
The Information Commissioner’s Office has promised guidance on the implications of Durant. This is now urgently needed. It is difficult to apply the tests set out in the case – at what point does information about an individual stop “relating” to him? The test is particularly difficult as it focuses on what affects an individual’s privacy – yet English law has no agreed concept of privacy.
Paper records covered by the Act
The Court of Appeal also considered which paper records are covered by the Act. The Act applies to paper records if they form part of a “relevant filing system”. The Court of Appeal concluded that the focus of the DPA is on computerised data, “and it is only to the extent that manual filing systems are broadly equivalent to computerised systems in ready accessibility to relevant information that they are within the system of data protection”.
The Court of Appeal concluded that a “relevant filing system” is a system:
1. “in which the files forming part of it are structured or referenced in such a way as to clearly indicate at the outset of the search [emphasis added] whether specific information capable of amounting to personal data of an individual requesting it under section 7 is held within the system and, if so, in which file or files it is held”; and
2. “which has, as part of its own structure or referencing mechanism, a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file or files specific criteria or information about the applicant can be readily located.”
The Court of Appeal held that the FSA’s filing did not satisfy these two requirements and so Mr Durant did not have a right of access to manual records in this case.
This restrictive interpretation will be of use to HR departments and to customer-facing organisations (such as insurers and banks) which hold large amounts of loosely structured data. Such organisations are now likely to have to release substantially less information in response to an access request. Organisations that have already drawn up subject access policies and procedures (and other data protection policies covering paper records) should review them with a view to narrowing their scope.
This case, together with cases such as Wozencroft and Relf, shows that the courts are keen to rein back data protection and privacy – especially when it is used as a means to further another, unconnected dispute. The Act has, hitherto, caused substantial problems for data controllers when faced with vexatious or serial complainants: Durant is a welcome development here. However, the restrictive approach of the Court in Durant seems out of step with approaches to data protection elsewhere in Europe, at the European Commission and the European Court of Human Rights. It is, therefore, possible that the case may be challenged at some point in the future. In the meantime, data controllers should look out for guidance on the case promised by the Information Commissioner’s Office.
For more information on this decision or data protection law, please contact Ruth Boardman on +44 (0) 20 7415 6000.