Out-Law News | 22 Oct 2013 | 12:00 pm
Anthony Thornton QC, sitting as a High Court judge, said that in most cases organisations should be able to determine whether information is personal data by assessing the data in the context of how 'personal data' is defined under the Data Protection Act (DPA). Rules set out under the DPA only apply to personal data, making the definition of the term and how it should be interpreted of importance to UK organisations.
In "exceptional" cases, where it is hard to determine whether information qualifies as personal data, organisations should come to a provisional conclusion by using the test set out by the Court of Appeal in a case involving bank customer Michael Durant, together with guidance issued by EU and UK privacy watchdogs, the judge said.
Before reaching a final verdict in those cases, organisations should assess whether the data would be considered to be 'personal' as defined by the DPA, he added.
"In a difficult or uncertain case, the decision-maker should apply first the Durant test and then the [Article 29 Working Party opinion] test coupled with the [Information Commissioner's guidance] test," Thornton QC said. "Having done so, the decision-maker should see whether the information in question is confirmed to be personal data by an application of the statutory tests."
"In any but an exceptional case, information identified as personal data by the application of the Durant, [Working Party opinion] and [Information Commissioner guidance] tests will also be identified as personal data by a straightforward application of the statutory test since the other three tests are intended to be no more than guidance as to the application of that test," he said.
Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that organisations should always "err on the side of caution" if trying to determine whether the DPA applies to data they hold.
"The judge in this case has suggested that organisations should ask themselves 19 questions about the information they store to establish whether it constitutes 'personal data' in cases where it may not be immediately obvious," Wynn said. "A more practical and less burdensome activity would be for organisations to treat such information as being personal data and put in place robust systems and controls that can ensure compliance with the Data Protection Act, and the correct handling of subject access requests."
"With EU data protection reforms on the near-horizon, the Durant case, with its narrower definition of 'personal data', is set to become redundant to this whole issue anyway. Indeed, the general direction of travel envisages a widening of the definition of personal data under the planned General Data Protection Regulation. This is prompted by technological advancements which make granular profiling of individuals possible and true anonymisation harder to achieve," she said.
"You no longer need to obtain traditional personal identifiers, such as people's names, addresses and dates of birth, to identify someone. The mountain of other data that exists that can be related to individuals, such as geolocation data, consumption data, details of web browsing habits and credit scoring information, for example, can be linked to individuals too. The advent of 'big data' technology makes this process easier, and makes more distinct the possibility of re-identifying individuals whose data may have been anonymised," Wynn added.
The Durant case focused on the meaning of 'personal data' under the DPA. It concerned Michael Durant's failed bid to force former City regulator the Financial Services Authority (FSA) to disclose a confidential report it produced about his bank's handling of a complaint he had raised. Durant sought access to the report under the DPA, arguing that as it contained his personal data he was entitled to see it.
However, in his judgment, Lord Justice Auld ruled that the DPA did not apply to the FSA's report. This was because the regulator had not "expressed an opinion about Mr Durant personally" within the report but had only expressed an "opinion about his complaint".
Thornton QC outlined extensive guidelines, building on the Article 29 Working Party's opinion, guidance issued by the Information Commissioner's Office and the Durant test, that he said businesses should follow when determining whether information they hold is 'personal data'.
He said that the Durant case "did not, and was not intended to, provide a definitive guide to the meaning of 'personal data'".
The judge formed his view in a case concerning a dispute between Northumbria Police and Dr Peter Stuart Kelway, the basis for which was Northumbria Police's refusal to disclose certain information Dr Kelway had requested access to. The case considered, in part, whether the information Dr Kelway sought was his personal data, or that of others, and whether it was disclosable under either the DPA or the Freedom of Information Act.
Under the Data Protection Act 'personal data' is defined as "data which relate to a living individual" who can either be identified solely from that data or by combining that data with "other information" data controllers possess or are "likely to come into the possession of" and "includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual".