Since the decision in Durant v FSA in December 2003 (see our earlier Bulletin for details) UK businesses, lawyers and even the Information Commissioner's Office (the ICO) have struggled to define what characteristics make data "personal data", such that it is regulated by the Data Protection Act 1998.
That uncertainty has been compounded by the fact the EU has told the UK it has serious concerns about whether the Durant decision's very narrow interpretation of personal data is consistent with the EU Data Protection Directive upon which the UK Act is based. More recently, at the end of June 2007 the EU issued Guidance in the form of a non-binding Article 29 Committee Working Party Paper. It gave an extraordinarily broad interpretation on the meaning of personal data and hence potentially also broadened the scope of all European data protection laws. It also makes it even more difficult to reconcile Durant's case with the EU view.
At the end of August 2007 the UK ICO issued its own Guidance interpreting the meaning of "personal data". Its approach is similar to the Working Party Paper and makes it clear that whether or not data is personal data will largely depend on why it is being processed. Conceptually this may appear to be a satisfactory test. In practice it will mean that a business will need to consider every use it makes of the data to determine if, and when, the Act applies. It may find that even internally the same data may be personal data in the hands of one area of the business but not in another area.
Also, even though Durant's case continues to be binding law in the UK, there has been no attempt to reconcile the ICO Guidance with Durant's case. As a result of this clear conflict and the difficulty in applying the ICO Guidance in practice the uncertainty over when the Act applies in the UK looks set to grow.