High Court gives guidance on personal data

Practical Law UK Legal Update Case Report 3-545-1585 (Approx. 11 pages)

High Court gives guidance on personal data

by Practical Law IP&IT

Background

The concept of personal data is central to this decision, in the context of information requests made under the Freedom of Information Act 2000 (FOIA) and data subject access requests (DSAR) under the Data Protection Act 1998 (DPA).

Data Protection Act 1998

"Data" is defined in section 1(1)(a) to (e) of the DPA. The relevant definitions in the context of this case are in sections 1(1)(c) and 1(1)(e). "Data" means information which:

(c) Is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.

(e) Is recorded information held by a public authority and does not fall within paragraphs (a) to (d).

Section 1(1) defines "personal data" as "data which relate to a living individual who can be identified from those data or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual".

There is also a category of data known as sensitive personal data which relates, for example, to the commission or alleged commission of an offence. Unless otherwise stated, any reference to personal data in this summary includes sensitive personal data.

The First data protection principle states that personal data shall not be processed unless one of the conditions in Schedule 2 is met. Sensitive personal data shall not be processed unless one of the conditions in each of Schedule 2 and 3 are met, for example the data subject has given their explicit consent or the processing is necessary for the administration of justice or in legal proceedings.

The DPA entitles an individual to make a DSAR for a copy of their personal data from a data controller who is responsible for their personal data (section 7, DPA).

Where a data controller cannot comply with a DSAR without also disclosing third-party personal data, it need not do so unless the third party consents to disclosure of their data, or unless it is reasonable in the circumstances to disclose the third-party data without such consent (sections 7(4), (5) and (6), DPA).

Certain exemptions in the DPA remove the requirement to comply with a DSAR (section 27, Part IV). For example where personal data is processed for the apprehension or prosecution of offenders (section 29(1)(b), DPA) or for the purposes of regulatory activity (section 31, DPA).

For further information see Practice notes, Data subject access requests and Overview of the UK data protection regime.

The meaning of personal data

The meaning of personal data can be found in Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive), the DPA, case law and guidance notes as follows:

Data Protection Directive.
DPA.
Durant v Financial Services Authority [2003] EWCA Civ 1746. The Court of Appeal gave a narrow interpretation of the meaning of personal data. The court held that the Financial Services Authority's investigation of Mr Durant's complaint against Barclays Bank did not amount to his personal data as it related to the complaint itself. Auld LJ established two notions for determining whether information is personal data, namely whether the information is biographical in a significant sense and whether the information has the putative data subject as its focus. Auld LJ commented: "The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person's or body's conduct that he may have instigated. In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity."
Article 29 Working Party opinion WP 136 (WPO) on the concept of personal data, which identifies three central concepts of how data may relate to an individual in a way which makes it persona data: purpose, content and result. Although not binding, it offers a wider interpretation of the meaning of "personal data" than Durant. (See Legal update, EC Working Party issues opinion on concept of personal data.
Information Commissioner's (IC) technical guidance note (TGN) on personal data, which reconciles the judgment in Durant and the WPO. (See, Legal update ICO publishes new guidance on personal data).

For further information on the meaning of "personal data", see Practice note, Overview of UK data protection regime: personal data

Freedom of Information Act 2000

The FOIA entitles individuals to be provided with information that is held by public authorities (section 1(1), FOIA), unless an exemption applies. Section 40 of the FOIA provides an exemption where the information sought is personal data, as follows:

Where the requester seeks information that amounts to their own personal data, there is an absolute exemption from disclosure under section 40(1), the DPA being the correct regime for such a request.
Where the request is for third-party data, there is a qualified exemption under section 40(2) of the FOIA if disclosure of the third-party data would breach the data protection principles or cause damage or distress or would be exempt from disclosure if made under section 7(1)(c) of the DPA.

For further information see, Checklist, FOI exemptions and EIR exceptions; Practice notes Freedom of Information and Freedom of Information: a quick guide

Appeals under the FOIA and DPA

Appeals under the FOIA

Since 18 January 2010, the former Information Tribunal has been subsumed into the First-tier Tribunal (Information Rights) (referred to collectively in this summary as the IT). The Upper Tribunal (Administrative Appeals Chamber) (UT) considers appeals against most decisions of the IT. A claimant wishing to appeal a decision of the UT refusing permission to appeal a decision of the IT must do so by way of judicial review, if it is not capable of being reviewed or appealed in any other way. The basis on which a UT permission refusal decision may be reviewed on judicial review was settled by a decision of the Supreme Court in Cart v The Upper Tribunal [2011] UKSC 28.

Appeals under the DPA

The correct recourse for an individual who seeks to appeal a response to their DSAR is via the county court or the High Court (section 7(9), DPA).

Facts

Dr Kelway was involved in protracted attempts to obtain disclosure of witness statements made by a district judge and two others (together referred to as the witness statement) during the course of an investigation by Northumbria Police. Dr Kelway alleged that the district judge had erased from a tape recording of court proceedings involving Dr Kelway, his assurance that a costs order in underlying litigation for £90,000 would not be effected. The order was subsequently given effect, shouldering Dr Kelway with costs of £90,000. The investigation found that the district judge was innocent of any wrongdoing and forensic evidence confirmed that the tape had not been tampered with. The investigation was later aborted.

Dr Kelway originally requested a copy of the witness statement on 23 November 2006, under the FOIA. The police refused disclosure under section 40(1) of the FOIA as the request related to his own personal data. The police advised him to apply for the same information under the DPA. On 4 December 2006, Dr Kelway re-submitted his FOIA request stating that the witness statement was not personal data but, following Durant, was information about a complaint and therefore it was information held by a public authority and disclosable under the FOIA. The police again refused the information under the FOIA, but this time under section 30 (information held for the purposes of a criminal investigation). On 17 January 2008, at the suggestion of the Information Commissioner (IC), Dr Kelway submitted a DSAR under section 7 of the DPA. The police sent Dr Kelway a limited number of documents in response, from which third-party data was redacted, but not the information that he sought specifically: the witness statement. The police provided no reason for non-disclosure.

At the judicial review proceedings, Dr Kelway gave evidence that he wanted the judge to be convicted of a criminal offence and it was clear that he was fully aware that this would destroy the district judge's career. Dr Kelway further said that he wanted to use the witness statement, once disclosed, to prove that the police had conspired with the court to prevent the exposure of a criminal act of a member of the judiciary.

Dr Kelway, still convinced that his request fell within the ambit of the FOIA, involved the IC and later brought proceedings in the IT where non-disclosure of the witness statement was upheld. The UT refused him permission to appeal the decision of the IT. By this time, the witness statement had become separated from the police file.

The High Court had to decide:

Whether Dr Kelway was entitled to permission to apply for judicial review of two UT decisions.
If permission was refused, whether Dr Kelway was entitled to an order from the court for disclosure of the witness statement by way of an appeal under section 7(9) of the DPA from the police's refusal decision or under the Civil Procedure Rules by way of disclosure in judicial review proceedings that Dr Kelway sought to bring against the Independent Police Complaints Commission or by way of non-party disclosure.

This case report focuses on:

Dr Kelway's legal challenge to the meaning of personal data in the DPA and, by incorporation, the FOIA.
Whether Dr Kelway was entitled to an order from the court by way of an appeal under section 7(9) of the DPA from the police's refusal decision to disclose the witness statement in response to his DSAR of 17 January 2008.

Decision

The High Court refused Dr Kelway permission to apply for judicial review of two UT decision on the grounds that the claim had no arguable prospect of success. The court accepted, however, that the UT decisions refusing permission to appeal were fundamentally flawed and could not stand. The court acknowledged that it had to consider what decision the UT should have reached. In so doing, it had to consider many issues afresh, including the IT's decision and the meaning of personal data.

DPA and FOIA overlap

The court notes that where the FOIA and DPA overlap, the FOIA is subordinate to the DPA. It states that an individual seeking disclosure of their personal data which is held by a public authority should do so under the DPA, as such a request is excluded from the ambit of the FOIA (section 40(1), FOIA). The DPA, its limitations and exemptions govern access to one's own personal data. This is also the case where the personal data sought is that of a third party, where such data cannot be disclosed by the public authority to either the applicant or the third party (section 40(2), FOIA). In all these cases, the request must be processed under the DPA.

Court guidance on applying the tests for determining whether information is personal data, where the answer is not clear cut or in exceptional cases

The court commented that it is not always easy to determine whether data, which includes recorded information held by a public authority (section 1(1)(e), DPA), is an individual's personal data since the statutory definition of personal data in the DPA can give rise to technical difficulties.

The court notes that, with regard to the definition in the DPA, in the context of this case, three questions must be answered in the affirmative for the material to be personal data, as follows:

Is the material data, namely information which is being processed or recorded or forms part of an accessible record or is recorded by a public authority in the ways defined in section 1, DPA?
Is it possible to identify a living individual from the data?
Does the data relate to that individual?

In answering questions 2 and 3 above, the court found it necessary to consider the data under each of the Durant, WPO, TGN and DPA tests, through a series of questions.

Does the data:
(i) Have personal connotations affecting the data subject’s privacy, being for this purpose his personal or family life or his business or professional capacity, rather than being purely biographical or factual with no personal connotations?
(ii) Contain biographical information in a significant sense rather than recording the data subject’s involvement in a matter or event with which the individual has no personal connections?
(iii) Have the data subject as its focus?
(iv) Fall in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree (the Durant test)?
Does the data "relate" to an individual in the sense that it is "about" that individual because of its:
(i) "Content" in referring to the identity, characteristics or behaviour of the individual?
(ii) "Purpose" in being used to determine or influence the way in which the individual is treated or evaluated?
(iii) "Result" in being likely to have an impact on the individual's rights and interests, taking into account all the circumstances surrounding the precise case (the WPO test)?
Are any of the eight questions provided by the TGN applicable? These questions are as follows:
(i) Can a living individual be identified from the data or from the data and other information in the possession of, or likely to come into the possession of, the data controller?
(ii) Does the data "relate to" the identifiable living individual, whether in personal or family life, or business or profession?
(iii) Is the data "obviously about" a particular individual?
(iv) Is the data "linked to" an individual so that it provides particular information about that individual?
(v) Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?
(vi) Does the data have any biographical significance in relation to the individual?
(vii) Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?
(viii) Does the data impact or have potential impact on an individual, whether in a personal or family or business or professional capacity (the TGN test)?
Does the data "relate" to the individual, including whether it includes an expression of opinion about the individual and/or an indication of the intention of the data controller or any other person in respect of that individual (the DPA, section 1(1), test)?

The court states that in the relatively rare case where the decision as to whether data or a document is or contains personal information, "any or all of the four separate but applicable tests" must be applied. In doing so, an attempt to give full effect to the relevant provisions of the Data Protection Directive must be made, thereby, providing a purposive test to the statutory phrase "personal data". In doing so, the court offered the following guidance:

The Directive is intended to provide protection to all information relating to an identified or identifiable natural person. The definition of personal data is therefore "a broad one that extends well beyond what would be regarded as personal information in an everyday context."
Durant does not, and was not intended to, provide a definitive guide to the meaning of personal data, as that phrase is used both in the DPA and by incorporation, the FOIA. It only relates to a particular type of information, not information that contains or refers to a "result" element. The court quotes at length from the WPO and TGN, stating that the "result" concept is of particular significance in this case. That is, where use of the data is likely to have an impact on an individual’s rights and interests, taking into account all of the circumstances surrounding the case.
The TGN tests cover the same ground as the WPO tests and are consistent with them, but are more extensive since they also incorporate the Durant tests (as accepted by the IT on evidence from the Assistant IC).

The court concludes that in a difficult or uncertain case, the procedure for determining whether the meaning of personal data is engaged is as follows:

The Durant test should firstly be applied.
The WPO test, coupled with the TGN test, should then be applied.
Having done so, apply the statutory tests to see whether the information is confirmed to be personal data.

The court held that in any but an exceptional case, information identified as personal data by the application of the Durant, WPO and TGN tests will also be identified as personal data by a straightforward application of the statutory test in the DPA, since the other three tests are intended to be no more than guidance as to the application of that test (paragraph 59).

Points arising from the IT Decision

Relevant filing system and/or recorded information

Dr Kelway contended that the IT had not considered whether the witness statement formed part of a relevant filing system since, unless it did, it could not be data to which the DPA applied. In fact the IT had concluded that even if it did not fall within sections 1(1)(a) to 1(1)(d) of the DPA, it fell within section 1(1)(e). The court concluded that, when the witness statement was part of the police investigation file, it formed part of a relevant filing system and was caught by section 1(1)(c) of the DPA as "data". Once the witness statement had become separated and isolated from that file, it was "recorded information" held by a public authority, again, bringing it firmly within the definition of "data".

Section 1(1), DPA: meaning of personal data

Dr Kelway said that the tests applied by the IT in interpreting the meaning of personal data were too wide. The court found that there was strong evidence that the information in the witness statement related to Dr Kelway. The "result" element in the WPO and TGN guidance was relevant as Dr Kelway's intended use of the information was likely to have an impact on his rights and interests, taking into account all of the circumstances of the case. The information sought concerned the district judge's actions and the outcome of the investigation into those actions, both of which directly affected Dr Kelway (including a liability to pay costs in the underlying litigation) and the district judge.

Further comment on Durant and guidance on applying the test for personal data

The court concluded that Dr Kelway's contentions that Durant contained a definitive explanation as to how the phrase "data which relate to a living individual" should be interpreted and applied, and that the post-Durant revised TGN was not to be followed insofar as it provides a wider or different interpretation, amounted to a significant misreading of Durant.

It held that the relevant passage of Auld LJ's judgment only applied to the factual context in Durant and did not cover any aspect of the "result" element, one of three potential ingredients of personal data identified in the WPO, which the court felt was significant in this case. The court criticises Auld LJ's reasoning as being expressed in "opaque" language and "not easy to apply, even to information containing a "content" or "purpose" element". The court stated that the Data Protection Directive, the WPO, the TGN and the Durant judgment must be read together and applied using a structured approach incorporating the relevant elements of all four sources.

It concluded that the IT had applied all four tests correctly and had reached a balanced and sustainable decision in refusing disclosure under section 40(1) of the FOIA and that both the IC and IT were correct in concluding that the witness statement should be considered only under the DPA.

Section 1(1), DPA: third party personal data

The court considered whether the witness statement was the personal data of the individual maker, or whether it included other third party personal data within the meaning of section 1(1) of the DPA. The court concluded that both the IC and the IT had reached the same very significant decision, that although the witness statement was Dr Kelway's personal data it was also the personal data of the district judge and in addition, it included personal data about other third parties.

Moreover, the district judge's witness statement was sensitive personal data because it related to the alleged commission of an offence by him. No explicit consent was given by the district judge that would allow for the processing (here, the disclosure) of sensitive personal data. Nor were any of the other conditions in Schedule 3 of the DPA satisfied that would have allowed for sensitive data to be released. The only other conditions that might have applied, were that the processing was necessary in connection with legal proceedings (Schedule 3, condition 6(a)) or for the administration of justice (Schedule 3, condition 7(1)(a)), but these were not applicable as no action was to be taken against the district judge.

In addition, the court considered that the exemption in section 29(1)(b) of the DPA (where disclosure is permitted for the apprehension or prosecution of offenders) did not apply, as the requirements in the first data protection principle (Schedules 2 and 3) were not met.

As the data was the joint personal data of Dr Kelway and the district judge, it could not be disclosed under the DPA. The court stated that for the same reasons disclosure would have been prevented under section 40(2) (third party personal data exemption) of the FOIA, had the police applied section 40(2) to Dr Kelway's FOIA request.

The court decided that Dr Kelway's proposed appeal to the UT had no prospect of success on the grounds that the UT has no jurisdiction to hear it. The IT's decision that Dr Kelway's information request had to be dealt with as a DSAR under the DPA was correct and an appeal against this decision, disclosed no arguable prospect of success.

Application for disclosure under section 7(9), DPA

The court then considered whether Dr Kelway was entitled to an order from the court by way of an appeal under section 7(9) of the DPA. The court relied on its judgment that the witness statement was not disclosable to Dr Kelway under the DPA as it was the joint personal data of both parties. Section 7(4)(a) of the DPA could not allow for disclosure of sensitive personal data of a third party (district judge), who had not given explicit consent to disclosure. Further, the court considered that it was unreasonable in all the circumstances to disclose the witness statement to Dr Kelway as it was given in confidence, the district judge had expressly refused disclosure and in the light of Dr Kelway's adamant wish to have the judge prosecuted and his refusal to accept the judge's innocence (sections 7(4)(b) and 7(c), DPA). The court therefore refused the application under the DPA since the police's refusal was in accordance with the law.

Comment

This judgment offers fresh input on how organisations should determine whether information constitutes personal data. However, the court's guidance suggests that the approach is only relevant in exceptional or rare cases, where it is difficult to determine whether information is easily caught by the DPA definition of personal data. The case is helpful in that it makes clear that Durant is important, but that it is limited to a particular factual scenario and is one of a number of tests which may be applied, rather than being the definitive test in the UK in all respects in terms of defining personal data.

The court states that the statutory provisions concerned with "personal data" are not clearly defined in plain English and that the inter-relationship between the personal data provisions in section 40 of the FOIA and section 7 of the DPA give rise to "a less than happy marriage which should be referred to the Law Commission as soon as possible". It will be interesting to see if such a development takes place.

The decision should provide assistance to organisations generally which handle requests for information, but in particular to public authorities, as it confirms that the public authority holding the information has the exclusive obligation to determine whether the application for disclosure should be dealt with under the DPA or the FOIA. It is not for the requester to decide which regime applies.

Case

R (on the application of) v The Upper Tribunal and Northumbria Police (Administrative Appeals Chamber) and R (Kelway) v Independent Police Complaints Commission [2013] EWHC 2575 (Admin) (20 August 2013).

High Court gives guidance on personal data | Practical Law