
Court of Appeal endorses Information Commissioner's Office Guidance on meaning of personal data

In Efifiom Edem v Information Commissioner and Financial Services Authority [2014] EWCA Civ 92, 7 February 2014, the Court of Appeal ruled that third party names requested under the Freedom of Information Act 2000 (FOIA) could be withheld on data protection grounds. More significant is the court's acceptance that "personal data" should be interpreted in accordance with Information Commissioner's Office (ICO) Guidance and that its landmark Durant ruling should be confined only to limited cases. This ruling has wider implications for employers handling data subject access requests under the Data Protection Act 1998 (DPA).

Data subject access requests: challenges in practice

Under s7(1) of the DPA, individuals (data subjects) can request access to personal data which an organisation (data controller) holds about them on payment of a maximum GBP 10 fee. Data subject access requests are often used by lawyers acting for employees as a nuisance tactic, to obtain information earlier than required by litigation disclosure, to conduct a "fishing expedition" to explore potential claims, or simply to put pressure on employers who must respond to requests within 40 calendar days.
 
In Durant v Financial Services Authority [2003] EWCA Civ 1746, the Court of Appeal appeared to narrow what should have to be disclosed in response to an "everything naming me" request. The Court of Appeal's view was that an employer should only have to disclose data which is of biographical significance (eg going beyond a mere mention of an individual's name in a matter which has no personal connotations, such as a meeting request e-mail) and which has the individual as its focus, being information that affects his or her privacy, whether in a personal or business capacity.
 
However, the EU's data protection advisory committee (the "Article 29 Working Party") issued an opinion on the concept of personal data [1] protected under the Data Protection Directive (95/46/EC) in 2007. This identifies three central concepts of how data may relate to an individual in a way which makes it personal data – purpose, content and result – and endorses a broad interpretation of personal data in clear contrast to the restrictive interpretation in Durant. Although the Working Party's opinion is not binding, it provides a basis for the interpretation of the Directive by data controllers and national data protection authorities. The ICO then issued its own Technical Guidance [2] which essentially follows the opinion and advises that Durant should only be considered where data is not "obviously about" an individual or clearly "linked to" them.
 
This has left employers grappling with case law and stricter ICO Guidance when deciding how robustly to push back on broad employee requests where data is not about an individual. The Court of Appeal has helpfully revisited this subject in Edem, clarifying how the case law and the Guidance should be reconciled going forward.

Edem: It's all in the name

Under s1(1) of the FOIA, individuals can request access to information that is held by UK public authorities, unless an exemption applies. Third party personal data is exempt from disclosure under s40(2) of the FOIA if its disclosure would contravene any of the data protection principles in the DPA.
 
The case concerned Mr Edem's FOIA request for information to the (then) Financial Services Authority (FSA) about the handling of his earlier complaint that it had failed correctly to regulate Egg PLC. The FSA provided some information but refused to provide the names of three junior employees who had worked on the complaint because they were personal data and so were exempt from disclosure.
 
The First Tier Tribunal (Information Rights) (FTT) ordered disclosure of the names, concluding that they were not personal data because the way in which they were used did not satisfy the Durant biographical significance or focus tests. This decision was reversed by the Upper Tribunal (Administrative Appeals Chamber) and by the Court of Appeal.
 
The Court of Appeal had no difficulty in finding that the names were personal data, on the basis that a name is always personal data provided that the context in which it appears is sufficient to identify the named individual. Here, the context – the individuals' employment in a particular capacity by the FSA at the relevant time – was sufficient to identify them. In contrast, the request in Durant had been for documents in which Mr Durant was merely mentioned by name.
 
Importantly, the court confirmed the approach in ICO Guidance that the biographical significance and focus tests should be confined to particular factual scenarios like Durant where information requested is not "obviously about" an individual or clearly "linked to" them. On the facts in question, it was straightforward that the names were personal data, and the FTT had wrongly applied the tests when there was no reason to do so.

Impact

The court's endorsement of the broader ICO interpretation of personal data may mean that, in practice, FOIA applications involving disclosure of third party information are less likely to succeed. However, the ruling does not mean that references to a third party name will automatically be personal data – context is key. In Edem, the names were not referred to in isolation. They revealed the positions of the employees within the FSA and this had a bearing on how Mr Edem's complaint was dealt with. In contrast, where someone is simply copied on an email which gives no other information about them, this is unlikely to constitute their personal data.
 
This ruling also has wider implications for employers and other data controllers handling data subject access requests. Tribunals and courts are less likely to accept a broad application of Durant as a justification for narrowing the scope of disclosure. This is in line with the ICO's position that Durant should be considered only in limited cases. Employers should take the DPA and ICO Guidance as their starting point when identifying what information must be disclosed. If information is "obviously about" someone (such as their name) or clearly "linked to" them, it is personal data and they cannot look to Durant to push back on requests. They can, however, rely on Durant in borderline cases to justify withholding information which is not "obviously about" someone or clearly "linked to" them.
 
Allen & Overy's iPad App "Access Assist" is designed to help users assess and respond to subject access requests (in England and Wales). The App has recently been updated to reflect recent ICO guidance and case law, including Edem, and is available for download free of charge.
 

Footnotes

1. WP 136: Opinion 4/2007 on the concept of personal data

2. Determining what is personal data