The  UK  Court  of  Appeal  held  that  an  individual’s  name constitutes personal data under the Data Protection Act, unless it is so common that, without  further information, the name alone fails to identify a particular individual.

BACKGROUND

Mr Edem made an information request to the Financial Services Authority (FSA) for a copy of all of  the information the FSA held on him and the complaints he made to them about a particular company.  The FSA provided information to him that included documents and e-mails in which the names of three  junior case workers had been redacted.

Mr Edem complained to the Information Commissioner’s Office (ICO), which declined to order the  disclosure of the names on the basis that they constituted personal data under the Data Protection  Act (the Act) and thus were exempt from disclosure. The ICO further opined that the employees would  not expect that their names would be released into the public domain.

The issue eventually reached the Court of Appeal.

DECISION

The issue for the Court was whether or not a name alone constitutes personal data where it is  capable of identifying an individual, or if further biographical information was needed for it to  be personal data.

Mr Edem argued that the names of the three employees did not constitute personal data as it was not  possible to identify them from the documents disclosed. The Court disagreed, finding that the  individuals could be identified from their names given the context of the documents released by the  FSA. It further held that personal data is information that relates to a living individual who can  be identified, regardless of whether they can be traced or contacted. 

The Court considered the application of Durant v FSA [2003] EWCA Civ 1746, which delineates two principles to assist in defining personal data: first, data  should be “biographical in a significant sense”; and second, the data should “focus” on a  particular individual and be about them. It held that these principles apply to the test of whether  or not information relates to a living individual and not to whether or not it identifies them.

The Court clarified that personal data need not always have biographical significance. It approved  the ICO’s Data Protection Technical Guidance which states that, in certain cases, information may  constitute personal data because its content is obviously about an individual or the information is  clearly linked to an individual because it is about his or her activities. Biographical  significance becomes a relevant factor where the information is not obviously about an individual  or clearly linked to them.

In this case, the redacted names were evidently about those three individuals and so application of  the Durant principles was unnecessary.

The Court of Appeal held that the names did constitute personal data and their disclosure in these  circumstances would amount to a breach of the Act:

A name is personal data unless it is so common that without further information, such as its use in  a work context, a person would remain unidentifiable despite its disclosure.

COMMENT

This decision should not come as a surprise. The Court commented that a relatively simple issue had  been complicated by an incorrect application of the Durant principles of “biographical  significance” and “focus”.

This case illustrates the limits of Durant and is a reminder to data controllers not to follow the  Durant principles without sufficient consideration of the context in which data might be processed.  Durant is just one of a number of factors that should be considered when assessing whether or not  information constitutes personal data.