Deciding whether information which arguably relates to an individual amounts to their ‘personal data’ for the purposes of s. 1(1) of the Data Protection Act 1998 is one of the more challenging aspects of the DPA regime. In making the judgment call in any particular case, data controllers have routinely looked to the guidance set out Auld LJ’s judgment in the well known case of Durant v Financial Services Act [2003] EWCA Civ 1746, [2011] 1 Info LR 1. In his judgment, Auld LJ indicated that there were two ‘notions’ likely to be of assistance when it came to determining whether particular data was sufficiently ‘personal’ that if tell within the scope of the DPA:
‘The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject’s involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person’s or body’s conduct that he may have instigated. In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity.’ (§28)
Auld LJ’s conclusion that the information must be something which affects the data subject’s privacy is of course unsurprising. As is made clear by the recitals to Directive 95/46/EC (from which the DPA is derived), the core aim of the Directive is to protect our fundamental right to privacy in the context of the management of our data. If particular data does not meaningfully touch on our privacy, then in a sense why should it fall within the ambit of the legislation at all?
So what then is the position in respect of data which records a person’s name? Is that information automatically ‘personal data’ because it is a name which both in a sense identifies and relates to a particular individual? Or does that data have to arise in some form of context whereby it tells you something informative about that individual beyond merely what their name is? This was precisely the issue which the Court of Appeal had to consider in the recent case of Edem v IC & Financial Services Authority [2014] EWCA Civ 92.
In Edem, Mr Edem had made a number of complaints to the FSA concerning its regulation of a particular company. Mr Edem then sought disclosure from the FSA of information about him and his complaints. The sole issue which the Court of Appeal had to consider was whether information amounting to the names of three individuals within the FSA who had worked on the complaints constituted their ‘personal data’ under s. 1(1) DPA. The individuals in question were all junior employees who did not have public facing roles.
The Court of Appeal came down firmly in favour of the conclusion that the names per se constituted ‘personal data’. Moses LJ, with whom Beaton LJ and Underhill LJ agreed, held that:
‘A name is personal data unless it is so common that without further information, such as its use in a work context, a person would remain unidentifiable despite its disclosure’ (§20).
The Court of Appeal sought to reconcile this conclusion with the approach adopted by the Court of Appeal in Durant by saying that the Court of Appeal in Durant was looking at a different issue, namely whether information which did not on its face concern or name Mr Durant was still his personal data because it related to a complaint which he had made to the FSA (§§18-20). The Court went on to find that the ‘notions’ identified by Auld LJ in §28 of his judgment in Durant were of no relevance to a case where what was in issue was information comprising a person’s name, as that information was always intrinsically ‘personal data’, unless it was such a common name that considered on its own it had to be regarded as being effectively anonymous.
Importantly, the Court of Appeal went on to cite with approval the following extract from the Commissioner’s Technical Guidance on the definition of personal data:
‘“6. It is important to remember that it is not always necessary to consider ‘biographical significance’ to determine whether data is personal data. In many cases data may be personal data simply because its content is such that it is ‘obviously about’ an individual. Alternatively, data may be personal data because it is clearly ‘linked to’ an individual because it is about his activities and is processed for the purpose of determining or influencing the way in which that person is treated. You need to consider ‘biographical significance’ only where information is not ‘obviously about’ an individual or clearly ‘linked to’ him.”
The judgment is important for a number of reasons. First, it suggests that the Durant guidance must not be treated as embodying golden rules of universal application. This is likely to trouble many data controllers who have in the past approached Durant as it if had biblical authority. Second, it marks a clear judicial endorsement of the fairly generous approach to the construction of the term ‘personal data’ embodied in the ICO’s guidance. What remains to be seen is how the judgment will be held to apply to cases which do not involve such patently identifying information.
Robin Hopkins represented the ICO. Jason Coppel QC represented the Financial Conduct Authority.
Anya Proops