Getting personal

Durant v Financial Services Authority [2003] EWCA Civ 1746

Working with the relatively complex Data Protection Act 1998 can be like wading through treacle.

Most welcome, therefore, is a recent Court of Appeal decision in Durant, which should provide clarity to the fundamental definition of 'personal data'.

The case will have implications in all areas where data is processed.

Moreover, it concludes with some wise words in a judicial warning to all those lawyers dealing with it.

So important is the decision that the Information Commissioner - whose office administers and enforces the legislation - had agreed to review and revise, as appropriate, the guidance issued out of his office.

In brief, the decision has clarified that the mere mention of an individual's name in a document does not amount to 'personal data' for the purposes of the Act.

This may have far-reaching implications for those seeking access to information that may name them, but that is not necessarily directly personal to them.

Its impact is likely to be felt from the employment context where employees seek documents from their employers, to the media legal world where individuals seek information from publishers and broadcasters.

The legislation was enacted, in part, to give effect to the 1995 EC Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

According to the Court of Appeal: 'The primary objective of the 1995 directive is to protect individuals' fundamental rights, notably to privacy and accuracy of their personal data held by others in computerised or similarly organised manual filing systems, while at the same time facilitating the free movement of such data between member states of the European Union.'

The tension in the directive between these opposing rights is mirrored domestically by the tension in the Act between those processing personal data and those seeking to obtain it, as well as third parties seeking to protect their privacy.

The Act regulates the use of computerised information and some paper records about living, identifiable individuals in the UK.

It imposes various obligations on parties who process personal information about others (data controllers), which includes compliance with the Act's eight principles of good information, regarding matters including fairness, accuracy and security of the data.

The Act also grants individuals rights in relation to the processing of their personal data, including the right to make a subject access request.

The scope of such requests, the rationale behind them, and the valid reasons for requesting the information, have all been clarified by this decision.

Mr Durant had been involved in an unsuccessful legal dispute with his former bank, Barclays.

He asked the Financial Services Authority (FSA) to investigate the bank's conduct which, as regulator for the UK financial services sector, it has the power to do (under the Financial Services and Markets Act 2000 from December 2001, and before that under the Banking Act 1987).

The FSA investigated, but for reasons of confidentiality imposed under the 1987 Act, it could not tell Mr Durant the outcome.

(A similar provision in the subsequent 2000 Act is overridden by the Data Protection Act in respect of 'personal data'.)

Mr Durant subsequently complained to the FSA commissioner, but this complaint also failed.

Accordingly, he sought to exercise his subject access rights against the FSA to ascertain what documents had been seen by the authority in relation to his complaint.

While it agreed to disclose computer files, it declined to disclose manual files on the basis that the information was not personal, and that in any event, they did not constitute a 'relevant filing system'.

He applied unsuccessfully to the court for further disclosure and then appealed to Judge Zeidman QC of the Edmonton County Court, where he was once again unsuccessful.

He then appealed to the Court of Appeal, represented by London-based law firm Masons.

The court's concern was to consider in this context, and to define in general, what is 'personal' data. In assessing this, it considered the rationale behind the Act, confirming that it is 'to enable an individual to obtain from a data controller's filing system, whether computerised or manual, his personal data that is information about himself'.

The purpose is to 'enable him to check whether the data controller's processing of it unlawfully infringes his privacy and, if so, to take such steps as the Act provides... to protect it'.

Importantly, the intention was 'not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved.

Nor is it to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties'.

No doubt the judges deliberately included these words as it would not be surprising were many subject access requests made for that very purpose.

The court considered that 'it is likely in most cases that only information that names or directly refers to him will qualify'.

But if Mr Durant were named in the documents, what was the problem? Lord Justice Auld's judgment confirms the position and was regarded by Lord Justice Buxton as a clear guide to be used in borderline cases: 'Not all information retrieved from a computer search against an individual's name or unique identifier is personal data within the Act.

Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data.' Furthermore, 'the mere fact that a document is retrievable by reference to his name does not entitle him to a copy of it under the Act'.

Personal data had to have 'the putative data subject as its focus rather than some other person with whom he may have been involved'.

It had to be 'biographical in a significant sense' and be something that 'affects his privacy, whether in his personal or family life, business or professional capacity'.

Accordingly, neither the information about Mr Durant's complaint to the FSA about the bank's conduct, nor that about the FSA's own conduct, even though it may name him, was his personal data for the purposes of the Act.

The judges found that the as yet unsuccessful Mr Durant still did not 'even get to first base in his claim'.

The Court of Appeal has made clear from what angle the Act should be regarded.

Its aims are protective rather than to provide free access to information; it is intended to enable parties to ensure that their personal data is being processed correctly and does not infringe their privacy, rather than providing disclosure for use, for example, in litigation.

In his conclusion, Lord Justice Buxton reiterated the point, quoting from the 1995 directive: 'The object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy.' He also sounded some stark words of warning to all those advising on the Act: 'In future, those contemplating such proceedings and those advising them must carefully scrutinise the guidance given in my Lord's judgment before going any further.

That process should prevent the wholly unjustifiable burden and expense that has been imposed on the data controller in this case.'

By Amber Melville-Brown, David Price Solicitors & Advocates, London