The Court of Appeal confirms the scope of its ruling in the (seminal) Durant case and says an individual's name constitutes their personal data.
The case of Edem v Information Commissioner concerned Mr Edem's unsuccessful application under the Freedom of Information Act 2000 (FOIA) for the then Financial Services Authority (FSA) to disclose the names of three employees involved in the handling of his complaint (that the FSA had failed to correctly regulate Egg PLC).
The Court of Appeal had to decide whether the employees' names constituted personal data. If the names did constitute personal data, disclosure could be withheld under section 40 of FOIA.
The Court had no difficulty in finding that the names of the employees constituted their personal data. Although the Court noted that a name may not constitute an individual's personal data where the name is so common that without further information (such as its use in a work context) a person would remain unidentifiable.
The Court identified that part of the reason for the appeal was the incorrect application of its previous decision in Durant v FSA by the First-Tier Tribunal who originally heard the case. That decision has been used as authority for the principles to be applied in determining whether data is personal data (ie the data must:
- be biographical in a significant sense; and
- have the data subject as its focus.
However, context is key with Durant. Mr Durant had requested access to documents in which he was merely mentioned by name on the basis that these documents constituted his personal data. The above principles were applied by the Court to explain why the documents requested were not Mr Durant's personal data; the principles were only ever intended to be relevant to borderline cases.
In Edem, the Court found that the principles in Durant were not relevant because the employee names were clearly personal data. Significantly, the Court also sought to reconcile the approach in Durant with the ICO's technical guidance on determining what is personal data and endorsed the approach advocated by the ICO in the following passage of the ICO's guidance:
"It is important to remember that it is not always necessary to consider 'biographical significance' to determine whether data is personal data. In many cases data may be personal data simply because its content is such that it is 'obviously about' an individual. Alternatively, data may be personal data because it is clearly 'linked to' an individual because it is about his activities and is processed for the purpose of determining or influencing the way in which that person is treated. You need to consider 'biographical significance' only where information is not 'obviously about' an individual or clearly 'linked to' him."
The Court of Appeal's finding that an individual's name constitutes their personal data is not surprising; however, the value of this decision is the confirmation provided by the Court on the scope of its own decision in Durant and reconciling the approach in Durant with the ICO's technical guidance. Organisations should be aware that tribunals and courts are now (even) less likely to accept a broad application of Durant as a basis for narrowing the scope of what constitutes personal data (for example, in determining what data should be disclosed pursuant to a subject access request).
In other (data protection) news…
- Christopher Graham has been reappointed as the Information Commissioner for a further two years from 28 June 2014; this will bring Christopher Graham's total tenure to seven years.
- Following on from its consultation, the ICO published (on 25 February 2014) an updated version of its privacy impact code of practice.
- The ICO has imposed a monetary penalty of £185,000 on the Department of Justice Northern Ireland after a filing cabinet that contained personal information relating to victims of a terrorist incident was sold to a member of the public at an auction.
- The ICO has imposed a monetary penalty of £200,000 on the British Pregnancy Advice Service after security vulnerabilities in their website revealed thousands of individuals' details to a malicious hacker.