Out-Law News | 11 Dec 2003 | 12:00 am | 2 min. read
The case focuses on a right in the Data Protection Act of 1998 that lets an individual access information held by an organisation that refers to him by name.
The Court has said that this right is much more limited than is suggested by a literal reading of the Act. For businesses, following the Court's reasoning could make their obligations under the Act easier to fulfil.
The case was brought by Michael Durant, a former customer of Barclays Bank. Following an unsuccessful dispute with his bank he asked the Financial Services Authority to investigate the bank's conduct. The FSA did so, but did not tell Mr Durant the result, citing reasons of confidentiality.
When a complaint to the FSA Complaints Commissioner failed, Mr Durant tried to exercise his access rights under the Data Protection Act.
The Data Protection Act of 1998 covers the use by “data controllers” of “personal data” held in a “relevant filing system”. Everything from employee files to customer lists are covered by this law. It also includes a right for individuals, subject to conditions, to receive a copy of "the information constituting the personal data of which that individual is the data subject", known as the right of access.
Mr Durant asked the FSA to disclose manual and electronic documents containing his personal data, in a search for information with which to reopen the original case against Barclays.
The FSA complied with the request as it related to electronic files, but refused to provide paper documents because, it argued, they did not form part of a relevant filing system , albeit the documents could have been provided with ease. Mr Durant took the matter to court, with the case hinging on the meaning of "relevant filing system".
He lost his case in the District Court and the County Court and, after four months of deliberation, he lost again in the Court of Appeal. The opinion of the Court was published on Monday.
According to Lord Justice Auld: "Mr Durant's letter of complaint to the FSA and the FSA's investigation of that complaint did not relate to Mr Durant but to his complaint". The Court of Appeal decided the case not on the meaning of a relevant filing system but on the meaning of "personal data".
It followed that the FSA's investigation into Mr Durant's complaint could not be personal data concerning Mr Durant because, "the 1998 Act would only be engaged if, in the course of investigating this complaint, the FSA expressed an opinion about Mr Durant personally, as opposed to an opinion about his complaint."
Lord Justice Auld effectively looked behind the wording of the Act. He looked at the purpose of the wording, which was effectively to protect privacy. It was not, he reasoned, to provide a general right of access to information.
He said of the access right:
"It is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved. Nor is to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties."
"It follows from what I have said that not all information retrieved from a computer search against an individual’s name or unique identifier is personal data within the Act. Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree."