09 July 2008

House of Lords Rules On Personal Data Case - Durant Left Intact  

“ ‘personal data’ means data which relate to a living individual who can be identified—  

(a) from those data, or  

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller...” (Section 1(1), Data Protection Act 1998)  

The House of Lords has today given its long awaited judgment in Common Services Agency (Appellants) v Scottish Information Commissioner (Respondent) (Scotland) [2008] UKHL 47. The judgment leaves the narrow interpretation of personal data in Durant untouched. Further analysis is set out below.  

Background  

A request was made by Mr Collie to the Commons Services Agency for information on the incidence of childhood leukaemia in each census area in Dumfries and Galloway. This request was made under the Freedom of Information (Scotland) Act 2002 (“FOISA”) (the Scottish equivalent to the Freedom of Information Act 2000) and was a matter of great public interest given the presence of an MOD firing range and two nuclear reactors close to that region.  

The Commons Services Agency claimed this information was exempt from disclosure as it is personal data and its release would breach the data principles under the Data Protection Act 1998 (“DPA”). In particular, for a number of the census areas there were low incidents of leukaemia that could allow indirect identification of individuals.  

Mr Collie appealed to the Scottish Information Commissioner who ordered the Commons Services Agency to ‘barnardise’ the information and release it to Mr Collie. The process of ‘barnardisation’ adds a 0, 1 or -1 to values where the incidence is low in order to disguise that information. The Commons Services Agency appealed against that decision to the Court of Session and then to the House of Lords.  

To determine if the information is exempt from disclosure, the House of Lords had to decide firstly if the information was personal data and secondly, if it was, if its release is a breach of the data protection principles.  

Is it Personal Data? Durant Left Untouched  

The most important point is that the Court of Appeal’s judgment in Durant v Financial Services Authority [2003] EWCA Civ 1746 is left untouched.  

The fact an individual is suffering from leukaemia is clearly information that “relates to” that individual and affects their privacy. Therefore, the House of Lords felt there was no need to consider this point further.  

The retention of the pragmatic approach in Durant should please many in the business community, particularly when handling subject access requests. It will not, however, resolve the ongoing dispute between the UK and Europe on this point.  

Is it Personal Data? Identified Individuals  

The more contentious issue was whether the barnardised data on leukaemia incidence is about an identified individual. A number of divergent opinions were given on this subject and the effect of section 1(1)(b) of the DPA.  

Baroness Hale held that, in relation to the disclosure of the information to Mr Collie, that information would only be personal data if Mr Collie or persons to whom he might pass the data had, or were likely to come into possession of, information from which the relevant individuals might be identified. It was not necessary to consider the position of the data in the hands of the Commons Services Agency. This pragmatic view, which would enable more extensive disclosure under freedom of information, was not however the prevailing one.  

Lord Hope, with the support of Lord Hoffman, held that it was necessary to consider if any individuals could be identified from other information held by the Commons Services Agency (i.e. the body releasing the information). For example, if the Commons Services Agency released key coded information for which only it had the key, then it would still be a disclosure of personal data. This provides a much broader interpretation of personal data and therefore the barnardised information would only fall outside this definition if it was anonymous both in the hands of Mr Collie and the Commons Services Agency. This will make it harder to anonymise data for freedom of information purposes and increase the application of the personal data exemption to such requests.  

In any event, the Lords did not express a final view on this topic as a number of important issues of fact still needed to be clarified. As a result the Lords provided guidance only and referred the matter back to the Scottish Information Commissioner for further consideration.  

Breach of the Data Protection Principles - Processing Conditions  

If the information is personal data then it is also necessary to consider if the release would be a breach of the data protection principles and, in particular, the first data protection principle which requires personal data to be processed fairly and lawfully.  

The House of Lords held that it would be fair and lawful to disclose information in these circumstances but that it would also be necessary to satisfy a processing condition in Schedule 2 and, as the information relates to physical health, a sensitive personal data processing condition in Schedule 3.  

The two Schedule 2 conditions identified were:  

• processing necessary for the exercise of a function conferred on a person by an enactment (condition 5(b)). This applied as the Commons Services Agency was under a statutory obligation to collect and disseminate epidemiological data; or  

• processing necessary for the legitimate interests of the data controller or third party that is not unwarranted by reason of prejudice to the rights of data subjects (condition 6).  

However, the House of Lords again failed to decide this issue as again a number of important factual issues needed to be clarified. Instead, they referred these matters back to the Scottish Information Commissioner.  

A Stricter Approach to Sensitive Personal Data  

The House of Lords went on to consider if a sensitive personal data processing condition in Schedule 3 is satisfied. Their comments here are more interesting. Lord Hope recognised that these conditions are restrictive but commented that this “is not an appropriate context for the statutory language to be construed liberally in favour of the release of information…. If none of the conditions in Schedule 3 can be met, so be it.” This strict approach to processing sensitive personal data is somewhat at odds with the more pragmatic line taken by the Information Commissioner in some of his previous guidance.

The only relevant processing conditions identified are processing necessary for the exercise of a function conferred on a person by an enactment (as discussed above) or processing for research purposes under the Data Protection (Processing of Sensitive Personal Data) Order 2000. Again, the Lords declined to decide the issue and referred it back to the Scottish Information Commissioner.  

Freedom of Information Issues  

The House of Lords judgment also makes, or fails to make, a number of interesting points about FOISA.  

There was some speculation before the judgment that the House of Lords would end the principle that freedom of information requests are “motive blind” - i.e. the identity of the person requesting the information and the purposes of which they use it are irrelevant, disclosure is equivalent to a release to the general public. This issue was not touched on in the judgment so it appears this remains the correct approach.  

The House of Lords did however consider if public authorities might be required to manipulate data or create new data to respond to a request (for example, by barnardising data so it is anonymous). On this issue Lord Hope equated it to a redaction exercise and while there was no “hard and fast rule.. it may be reasonable to ask a public authority to … put the information which it holds in a form which will enable it to be released consistently with the data protection principles”.  

Conclusions  

The House of Lords judgment will be welcomed by many data controllers as leaving the pragmatic decision in Durant untouched.  

However, it seems less likely that the Scottish Information Commissioner will welcome the decision as many of the issues have been referred back to him. To reach a decision he will have to untangle the different approaches of the House of Lords on the question of identifiably, a task that may provide quite a challenge.  

Common Services Agency (Appellants) v Scottish Information Commissioner (Respondent) (Scotland) [2008] UKHL 47 is available here ... 

For further information on this subject or any other TMT issues please contact:  

Richard Cumbley 020 7456 4681 (richard.cumbley@linklaters.com)  

Marly Didizian 020 7456 3258 (marly.didizian@linklaters.com)