Law Lords to rule on clash of data protection and FOI laws

Out-Law News | 03 Apr 2008 | 5:05 pm | 4 min. read

EXCLUSIVE: A landmark case on the compatibility of data protection and freedom of information laws was heard by the House of Lords this week. The outcome could have profound implications, according to one expert.

The case focuses on an NHS agency's refusal of a Freedom of Information (FOI) request for statistics about childhood leukaemia. The agency feared that the information could identify individual children and breach their privacy, and having lost its case in the Scottish courts,  appealed to the House of Lords.

Law Lords heard arguments in the case on Tuesday and Wednesday this week. They have indicated that it if someone makes an FOI request for personal data, it might be justifiable to ask why they want the data before deciding whether to fulfil or reject the request.

The original FOI request was from Michael Collie, a researcher acting on behalf of a Member of the Scottish Parliament. Collie asked for "details of all incidents of leukaemia for both sexes in the age range 0–14 by year from 1990–2003 for all the DG [Dumfries and Galloway] postal area by census ward". The purpose of the request was to establish whether a nearby nuclear power station and military firing range had an effect on incidences of cancer.

NHS agency the Common Services Agency (CSA) refused, saying that the numbers were so small that releasing the data could identify patients. It said that the vast majority of wards contained no case of leukemia whilst other wards were associated with one case, or very occasionally two cases.

The CSA argued that the publication of such data linked to a precise geographical area would give rise to a significant risk of indirect identification of living individuals.

The Scottish Information Commissioner (SIC) accepted this argument but determined that the information could be released if the data were 'barnardised'. This is a method designed by a statistician, Professor George Barnard, that helps to disguise people's identities when cells of information contain low numbers.

The CSA challenged the SIC's view in the Court of Session in Edinburgh but that court supported the Commissioner's stance. It stated that the barnardised data were not personal data and should be released. So the CSA appealed to the House of Lords.

By contrast, it was determined early in the first day of argument before the House of Lords that the barnardised data were personal data and that the CSA's arguments on this point would prevail. This was because it emerged that the barnardisation technique was far from perfect where most of the cells contain zero and where, in some cases, the barnardised data were exactly the same as the raw data. Barnardisation simply adds in a random way zero, plus one, or minus one to the numbers two, three and four; and adds zero or one to the number one, when they appear in a database. Zeros are left at zero.

At the end of the second day, lawyers for both sides recommended that the House of Lords should remit the FOI request back to the Scottish Information Commissioner, so that he could reconsider the data protection elements of the original request.

In coming to this conclusion, the House of Lords indicated that a key data protection ruling of 2003, the case of Michael Durant against the Financial Services Authority, did not need to be reviewed for the purposes of deciding the current case. That view, if confirmed in the final judgment, could dash the hopes of those in the data protection community who see Durant as a flawed judgment.

Lord Hoffman, one of the five Law Lords who heard the case, commented that in the CSA case, the key factor appeared to be whether an individual could be identified from the barnardised data and other information in the possession of the CSA. If that individual could be identified then the barnardised data had to be health personal data. It then followed that any data that revealed the status of an individual's health must "relate to" that individual in a biographical way. Lord Hoffman thus suggested that it was therefore not relevant to consider whether the barnardised data "related to" an individual, the key element explored by the Durant judgment.

The second important element debated at the hearing concerned the assumption that the purpose behind an FOI request is not relevant to deciding whether the information should be provided to the requestor

The Law Lords acknowledged that the publishing of personal data via an FOI request required a balance of interests to be considered. The public interest of accessing information through an FOI request had to be balanced against the interests of the individual in preserving the privacy of his personal data.

In arguments, their Lordships asked whether, in order to assess this balance of interests, it was justifiable to inquire why the FOI requestor would want the personal data. The response from the barrister for the UK Information Commissioner was that, in many cases, a public authority would be able to identify the requestor's purpose without asking, but conceded that in some cases, this step might be necessary. The UK Information Commissioner became involved because the outcome of the case will affect data protection and freedom of information law across the UK.

Dr. Chris Pounder, an information law specialist at Pinsent Masons, the law firm behind OUT-LAW.COM, and editor of Data Protection Quarterly, said: "If this conclusion is reached in the final judgment then it is likely to upset the assumption that all FOI requests are purpose blind".

"The problem is that if this conclusion is reached, it cannot be challenged. It becomes the law of the land as the conclusion has been made by the highest court in the UK," he added.

The judgment from the House of Lords is expected before August.

Learn more: The case of Common Services Agency v Scottish Information Commissioner will be discussed in detail at Pinsent Masons' data protection update sessions this month.

Global Term