In its judgment of 7 February 2014 in the case of Edem v The Information Commissioner and The Financial Services Authority  EWCA Civ 92, the UK Court of Appeal held that a person’s name alone is likely to be considered “personal data” under Section 1(1) of the Data Protection Act 1998 (DPA).
The case concerned the Appellant, Mr Edem, who had made a number of complaints to the FSA regarding the regulation of a particular company and followed these with a Freedom of Information Act 2000 (“FOIA”) request to determine how the complaints had been handled. Mr Edem sought to obtain the names of three employees at the Financial Services Authority (“FSA”) who had been handling his complaints, since these names had been redacted from the FSA’s response to his FOIA request. The Information Commissioner (“ICO”) had previously dismissed Mr Edem’s complaint that the names of the FSA employees had not been provided, on the basis the individuals were not in public facing roles and were below the level of manager and so would have had no expectation that their names would be released.
Therefore, the sole issue for the Court of Appeal to determine was whether information regarding the names of the FSA employees who had handled Mr Edem’s complaints amounted to ‘personal data’ under S.1(1) DPA. The definition of ‘personal data’ under Section 1(1) DPA is a common issue for debate and data controllers often refer to the “notions” from Auld LJ’s judgment in Durant v Financial Services Authority EWCA Civ 1746 . The “notions” test was the principle that you should consider whether information is significantly biographical, and whether it is focused on the putative data subject, in deciding whether it is personal data.
The First Tier Tribunal (“FTT”) disagreed with the ICO, and applied the two “notions” of Auld LJ in Durant finding that the names of the FSA employees did not constitute ‘personal data’ under S.1(1) DPA. Further to the FTT decision, had it not been overturned, the names of the FSA employees would have been disclosable to Mr Edem. However, the Upper Tribunal reversed the FTT’s decision, ruling that an individual’s name would always be ‘personal data’ under S1. DPA if it was possible to identify the individual from the context in which it was provided.
The decision was appealed again, and the UK Court of Appeal affirmed the decision of the Upper Tribunal, finding that the FTT had erred in its application of Durant in particular in applying Auld LJ’s “notions” as the appropriate test as to whether information is ‘personal data’ under S. 1 DPA. Instead, the Court of Appeal decided that “A name is personal data unless it is so common that without further information, such as its use in a work context, a person would remain unidentifiable despite its disclosure.” Combining this with the ICO’s Technical Guidance on data protection, the Court of Appeal found that the names of the FSA Employees did amount to ‘personal data’ under S1. DPA and should not therefore be disclosed. In particular, the Court of Appeal cited an extract from the Commissioner’s Technical Guidance on the definition of personal data which provided that “In many cases data may be personal data simply because its content is such that it is ‘obviously about’ an individual. Alternatively, data may be personal data because it is clearly ‘linked to’ an individual because it is about his activities and is processed for the purpose of determining or influencing the way in which that person is treated.”
In the light of this judgment, S1(1) DPA should be read to include an individual’s name in the definition of ‘personal data’ unless it is so common that without further information the individual would remain unidentifiable. Further, this decision confirms that Auld LJ’s “notions” are not to be used as a universally applicable test to determine whether information constitutes ‘personal data’ under S.1 DPA and that instead they apply only where the case in question closely reflects the facts present inDurant.