I have commented in previous posts on how infrequently the Data Protection Act 1998 has been the subject of substantive litigation before the courts. One consequence of this is persistent uncertainty over how pivotal concepts such as ‘personal data’ are to be analysed and approached.
Last year, the High Court in Kelway v The Upper Tribunal, Northumbria Police and the Information Commissioner (2013) EWHC 2575 (Admin) considered how ‘personal data’ issues should be approached – see for example this piece by Cynthia O’Donoghue of Reed Smith.
The Kelway approach is rather complicated; it remains to be seen whether it is picked up as any sort of guiding test. The imminent Court of Appeal judgment in the Edem case is also likely to add to the picture on how to determine whether information is personal data.
As things stand, such determinations are not always straightforward. Oates v IC and DWP (EA/2013/0040) is a recent example at First-Tier Tribunal level. Mr Oates was medically examined by in connection with his incapacity benefit claim by a doctor engaged by Atos Healthcare. He was dissatisfied and complained to Atos. At the ‘independent tier’ of its complaint investigation, Atos engaged an independent medical practitioner and also an external company tasked with reviewing Atos’ handling of the initial complaint. Mr Oates wanted to know, inter alia, the names of the medical practitioner and of the company.
The DWP refused, relying on FOIA exemptions (section 40(2) and section 43(2)). The ICO decided that the withheld names should have been handled under the DPA rather than FOIA. This was because, in the ICO’s view, the withheld names constituted Mr Oates’ personal data –thus, by section 40(1) of FOIA, it was exempt under FOIA. Mr Oates had to seek it by a subject access request under the DPA instead.
The DWP said these names were not Mr Oates’ personal data. The Tribunal agreed. As to the ‘relates to’ limb of the definition of personal data, it applied Durant v FSA [2003] EWCA Civ 1746: it found there to be sufficient distance between the complaints review procedure and Mr Oates’ personal privacy to mean that the information did not ‘relate to’ him for DPA purposes.
As to the ‘identification’ limb of the definition of personal data, the DWP had argued that Mr Oates could not be identified from these names alone and that it was not in possession of information to link Mr Oates to the requested names. The ICO argued that the request itself provided that link. In other words, by asking for information about his own assessment and complaint, Mr Oates was providing the DWP with information which linked him to the requested names and allowed him to be identified as the person who had been assessed and who had complained.
Its argument was this: “at the moment when the DWP received the Request, it was put into possession of all the information it needed to relate the information requested to an identifiable individual, namely Mr Oates himself. The fact that he sought information about individuals who had been involved in the assessment of his particular complaint created the necessary connection between himself and the requested information – it both related to him and he could be identified from it.”
The Tribunal did not agree with that ‘linking’ argument. It said this:
“… we reject the Information Commissioner’s suggestion that we should take into account the Request itself. We are satisfied that the correct approach is to consider the body of relevant information held by the public authority in question immediately before the request was received. If that information can be seen to relate to the individual, and to identify him or her, then the case for characterising it as that individual’s personal data is made out. But if it does not do so then it is not appropriate, in our view, to close the circle by taking into account the additional information (as to the name of the individual who is both requester and data subject) which is set out in the request itself, in order to.”
Therefore, the ‘identification’ limb of the definition of personal data was not met either. The requested names did not comprise Mr Oates’ own personal data and fell to be dealt with under FOIA rather than through the subject access provisions of the DPA.
The decision in Oates raises a number of questions. For example, on ‘relates to’, the Durant principles are intended to offer guidance in ‘borderline’ cases – implicitly therefore, the Tribunal in Oates appears to have considered this to be a borderline situation.
On ‘identification’, the Tribunal did not mention the principle from Common Services Agency v Scottish Information Commissioner [2008] UKHL 47; [2011] 1 Info LR 184 that the ‘other information’ which can assist with identification of the individual encompasses not only information held by the data controller, but also information held by any person.
This is not to comment on whether the Tribunal reached the right decision or not – rather, it illustrates that the definition and limits of ‘personal data’ continues to raise tricky questions.
11KBW’s Tom Cross appeared for the ICO in Oates.
Robin Hopkins @hopkinsrobin