The UK Court of Appeal held that an individual’s name constitutes personal data under the Data Protection Act, unless it is so common that, without further information, the name alone fails to identify a particular individual.
Mr Edem made an information request to the Financial Services Authority (FSA) for a copy of all of the information the FSA held on him and the complaints he made to them about a particular company. The FSA provided information to him that included documents and e-mails in which the names of three junior case workers had been redacted.
Mr Edem complained to the Information Commissioner’s Office (ICO), which declined to order the disclosure of the names on the basis that they constituted personal data under the Data Protection Act (the Act) and thus were exempt from disclosure. The ICO further opined that the employees would not expect that their names would be released into the public domain.
The issue eventually reached the Court of Appeal.
The issue for the Court was whether a name alone constitutes personal data where it is capable of identifying an individual, or whether further biographical information is needed for it to be personal data.
Mr Edem argued that the names of the three employees did not constitute personal data as it was not possible to identify them from the documents disclosed. The Court disagreed, finding that the individuals could be identified from their names given the context of the documents released by the FSA. It further held that personal data is information that relates to a living individual who can be identified, regardless of whether they can be traced or contacted.
The Court considered the application of Durant v FSA EWCA Civ 1746, which delineates two principles to assist in defining personal data: first, data should be “biographical in a significant sense”; and second, the data should “focus” on a particular individual and be about them. It held that these principles apply to the test of whether or not information relates to a living individual and not to whether or not it identifies them.
The Court clarified that personal data need not always have biographical significance. It approved the ICO’s Data Protection Technical Guidance which states that, in certain cases, information may constitute personal data because its content is obviously about an individual or the information is clearly linked to an individual because it is about his or her activities. Biographical significance becomes a relevant factor where the information is not obviously about an individual or clearly linked to them.
In this case, the redacted names were evidently about those three individuals and so application of the Durant principles was unnecessary.
The Court of Appeal held that the names did constitute personal data and their disclosure in these circumstances would amount to a breach of the Act:
A name is personal data unless it is so common that without further information, such as its use in a work context, a person would remain unidentifiable despite its disclosure.
This decision should not come as a surprise. The Court commented that a relatively simple issue had been complicated by an incorrect application of the Durant principles of “biographical significance” and “focus”.
This case illustrates the limits of Durant and is a reminder to data controllers not to follow the Durant principles without sufficient consideration of the context in which data might be processed. Durant is just one of a number of factors that should be considered when assessing whether or not information constitutes personal data.