The UK Court of Appeal has ruled that a person’s name constitutes personal data for the purposes of the Data Protection Act 1998 (“DPA”) unless the name is so common that without further information, such as its use in a work context, a person would remain unidentifiable despite its disclosure. In doing so the Court has provided welcome clarification on this fundamental principle of data protection law and supported the stance adopted by the Information Commissioner.
In this case, Efifiom Edem v Information Commissioner and Financial Services Authority, Mr Edem made a request made under the Freedom of Information Act 2000 (“FOIA”) to obtain details of a complaint he had made to the FSA about the way the FSA had regulated Egg plc, an internet bank. As part of this request Mr Edem sought the disclosure of the names of three junior staff involved with the matter but which had been redacted from emails supplied to him by the FSA on the basis that the names were personal data and could not therefore be disclosed under the FOIA.
Mr Edem appealed to the Information Commissioner, arguing that the names were not personal data and therefore disclosure could not be withheld under the FOIA. However, the Information Commissioner would not order the names of the staff to be disclosed on the basis that the names were personal data and that the individuals involved would have no reasonable expectation that their names would be publicly disclosed. The First-Tier Tribunal (“FTT”) reversed the decision, holding that the names were not personal data when considered in light of Auld LJ’s ruling in Durant v FSA  EWCA Civ 1746,  and that the names should therefore be disclosed by the FSA. Both the FSA and the Information Commissioner appealed to the Upper Tribunal, where Judge Jacobs overruled the FTT’s decision to find that the names were personal data (and should therefore not be disclosed by the FSA) stating that "I've seen the name of officials and their names are not unique. But they can be identified from their names taken together with the contextual information of their grades and dates of employment." Mr Edem subsequently appealed to the Court of Appeal.
According to s.1(1)(a) of the DPA (which implements the EU Data Protection Directive 95/46/EC in the UK), “personal data” means “data which relate to a living individual who can be identified—(a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”.
In this case the Court of Appeal found that the three individuals’ names, when combined with information about their positions at the FSA, would be sufficient to identify them and was therefore personal data under the DPA and should not be disclosed under the FOIA.
The reason that this case, which should have been straightforward, reached the Court of Appeal was, in the view of Moses LJ, that the FTT had incorrectly applied the ‘notions’ provided as guidance by Auld LJ in the Durant case. In Durant, Auld LJ had stated that not all data about an individual was personal data and that in borderline cases it was necessary to look at whether the data was (i) biographical in a ‘significant sense’ in relation to the individual and (ii) focused on the individual, as opposed to merely naming them as having been involved with a matter (such as a “transaction or event”) but which did not affect that individual’s privacy.
The Court of Appeal held that Auld LJ’s ‘notions’ in Durant had been misapplied by the FTT. Here the email correspondence was plainly concerned with the individuals in question and it was not a borderline case as envisaged by Auld LJ in Durant. In examining whether or not the information was biographical the FTT had been wrong to apply the Auld notions in this case and had erred in holding that the information was not personal data on that basis. The Court found that the Information Commissioner and Judge Jacobs had both been correct to hold that the names were personal data and to decline Mr Edem’s FOIA request for disclosure of those names.
It might seem obvious that a person’s name, which is used to identify them, should necessarily constitute personal data. However, following Auld LJ’s decision in Durant there has often been confusion as to the circumstances in which data which only mentions a person’s name will not constitute personal data for the purposes of the DPA. This confusion has been exacerbated by the conflict between Auld’s notions in Durant and the Information Commissioner’s own technical guidance on what is personal data, which states that an individual is 'identified' if you have distinguished that individual from other members of a group and that in most cases an individual’s name together with some other information will be sufficient to identify them.
By further limiting the application of Auld LJ’s ruling in Durant, and clarifying the circumstances in which Durant is applicable, the decision of the Court of Appeal provides welcome clarification on this fundamental principle of data protection law as well as supporting the Information Commissioner’s position.