On 9 July 2008 the House of Lords gave its first judgment on the freedom of information legislation. This decision has been hotly anticipated both north and south of the border. The case in question raised issues of the interaction between Freedom of Information legislation and Data Protection legislation. There is a natural tension between a piece of legislation that protects privacy (the Data Protection Act) and legislation which promotes openness – the Freedom of Information (Scotland) Act 2002 (FOISA) – and reconciling the two was never going to be easy.
The provisions of both FOISA and the UK Freedom of Information Act 2000 are in virtually identical terms on this point making this decision relevant to interpreting the UK legislation as well.
The case involved a request to the Common Services Agency (CSA) for details of the incidence of childhood leukaemia in Dumfries and Galloway from 1997 to 2003, broken down by postcode. The CSA refused to provide the information it held as it was covered by the exemption in the Act that prevents disclosure of personal data about third parties. The Scottish Information Commissioner (SIC) agreed that this was personal data but ordered that the CSA should respond to the request by manipulating the data to reduce the risk that providing the data would lead to the identification of individuals. This approach was upheld on appeal to the Court of Session but was appealed by the CSA to the House of Lords.
The House of Lords has allowed the appeal by the CSA and has referred the case back to the SIC for further consideration. The Lords agreed that the provision of the information originally requested is caught by the personal data exemption but focussed on the status of the manipulated data (referred to as “barnardised data”). The judgment focuses on whether the barnardised data still falls within the definition of “personal data” and indeed “sensitive personal data” – two issues which it is noted that the SIC did not address in his initial decision. Indeed, whilst it is acknowledged that the decision of the SIC in this case was an early one in the development of his thinking on this issue, the Court comments that there were a number of errors made in his approach. The SIC is criticised for not addressing the question of whether the barnardised data is personal data and instead referring to the fact that the manipulation would reduce the risk of identification. Understandably the House of Lords has made it clear that this is not what FOISA provides for.
There had been initial hopes that the House of Lords would take the opportunity to give definitive guidance on what constitutes “personal data” in terms of the Data Protection Act 1998. This has been a controversial subject since the decision in Durant v Financial Services Authority where the test laid down by the Court of Appeal arguably put the UK in breach of European law. However, this was not discussed as each of the judges in the House of Lords was of the view that the information being requested was personal data.
Since his appointment the SIC has adopted a campaigning strategy, seeking to push the release of information as far as possible. The Court of Session in this case agreed, saying that as the purpose of FOISA is the release of information it should be interpreted as widely as possible. This House of Lords decision has firmly applied the brakes, has criticised the SIC and emphasised the need to achieve balance.
For the SIC, the CSA and the requester (Mr Collie) this is not the end of the road. However, any future decision will be made in light of the issues identified by the House of Lords so it is now a question of examining the facts. We shall see whether balance can be achieved.