Much ado about nothing?
The media spotlight fell on the Data Protection Act 1998 with a vengeance at the turn of the year. Humberside Police were lambasted – most memorably by Jeremy Paxman on Newsnight – for their perceived failure to retain records of prior allegations against Ian Huntley that might have short-circuited enquiries into events at Soham, and ensured that Huntley could never have obtained employment at a school. British Gas was similarly pilloried for its supposed failure to have the DSS informed automatically about disconnection of an elderly couple’s gas supply. The police had deleted information about mere unproven allegations, because they felt the ACPO guidelines in respect of the Data Protection Act required them to do this. The gas company resisted the automatic transfer of personal information to social services because it claimed this was not permitted by the Act. Was either view correct?
Personal information kept about an individual must be adequate, relevant, not excessive, and not kept for longer than is necessary. Richard Thomas, the Information Commissioner, who oversees the Act, has in fact issued no formal instructions to any police force on the retention of “personal data”. The Act similarly does not set time limits for the destruction of particular types of information. Further, section 29 of the Act exempts personal data that is processed for the prevention or detection of crime from the “fair and lawful processing” test. Processing without consent is allowed where necessary for the administration of justice or for the exercise of functions of a public nature and in the public interest. The Information Commissioner is now to provide further guidance.
The Data Protection Act normally prevents automatic notification of domestic gas and electricity disconnection to a third party organisation. This is not perhaps surprising: inability to pay one’s bills should be a private matter. However, in relation to elderly or infirm consumers, disclosure of data without consent is allowed, where it is necessary to protect the “vital interests” of the data subject. Disclosure without consent is also allowed where necessary for “legitimate interests” pursued by businesses or the DSS.
Subject access – the new Durant case
The Act is supplemented by more than 20 sets of regulations. If even the largest and best-resourced organisations have difficulty in interpreting the laws, how can small to medium sized businesses be sure of their ground when someone demands to see their personal data? There are a number of exemptions in the Act, which can be used to decline subject access requests, but a degree of boldness is often required before invoking them. A Court of Appeal decision issued on 9 December 2003, Durant v Financial Services Authority [2003] EWCA Civ 1746, has now made it harder to extract data from companies, though most organisations should still take advice before declining a request.
Mr Durant had complained to the Financial Services Authority. The FSA investigated his complaint but closed its file without telling Mr Durant the result, citing obligations of confidentiality. Mr Durant issued a subject access request to the FSA under section 7 of the Act. He asked for four files, which admittedly contained references to Mr Durant. Two even contained sub-files marked with his name. Some documents were provided. Some had been blanked out to hide names of others. The FSA refused to hand over any of its manual files. The Court of Appeal provided guidance in four important areas.
(1) “Personal data”. The court said not all information retrieved from a computer search against a name is personal data. Mere mention of someone’s name in a document does not necessarily amount to “his” personal data. The court asked (a) whether the information was biographical in a significant sense, going beyond the recording of Mr Durant’s involvement in a matter that had no personal connotations; and (b) did the document have him as its focus, rather than another person with whom he had been involved, or an event in which he had figured or had an interest. The court said that “personal data” affects an individual’s privacy, whether in his personal or family life, business or professional capacity.
(2) “Relevant filing system”. The court held that a relevant filing system was limited to a system (1) where files were structured or referenced so as clearly to indicate at the outset of a search whether specific information capable of amounting to personal data is held in them and where it is held; and (2) which has a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file or files specific criteria or information about a person can be readily located.
(3) Blanking out (“redaction”) of third party data. Here there was a balancing test: the data subject’s interest in finding out what information was held about him, versus the protection of the privacy of the other individual named in that data. The court’s test was whether or not the information about a third party was “necessarily” part of the personal data Mr Durant had requested. The balancing exercise only arises if the information relating to the other person formed part of the “personal data” of Mr Durant. However, the court declined to set down any general principles.
(4) Discretion. The court asked itself: by what principles should a court be guided in exercising its discretion under section 7(9) of the Act, to order a data controller who has wrongly refused a request for information under section 7(1), to comply with the request? The court agreed with observations of Munby J in R (Lord) v Secretary of State for the Home Department [2003] EWHC 2073 (Admin) at para 160, that the discretion conferred is general and untrammelled, a view supported by the observations of the European Court in Criminal Proceedings against Lindqvist, Case C-101/01 (6 November 2003), in which the court also held, at para 27, that “personal data” covered a person’s name or identification of him by some other means, for instance by giving his telephone number or information regarding his working conditions or hobbies.
Summary
The Durant decision is an extremely narrow interpretation of key provisions in the Act. The Information Commissioner is reviewing his guidance in the light of the decision. He has stated:
“These have always been complex issues and any jurisprudence in this area is helpful. All the commissioner’s responsibilities, including existing and future casework, will be carried out in accordance with this judgment.”
Overall, while Durant may have reined in the scope for abuses of the Act, particularly as a surrogate form of litigation document recovery not subject to the supervision of the court, data protection remains a complex area of the law, and the decision that a file labelled with the name of an individual is not in itself a sufficiently “structured filing system” will surprise many.
Paul Motion, Partner, Ledingham Chalmers, Edinburgh