Data, personal data and statistics

On 9 July the House of Lords delivered judgment in the appeal Common Services Agency v Scottish Information Commissioner [2008] UKHL 47. It was the first freedom of information (FOI) case from anywhere in the UK to be considered by the Lords. But those looking for easy answers in their Lordships’ ruling are likely to be disappointed.

They say good things come to those who wait. Well, it looks like Michael Collie, one time researcher for the former Green MSP Chris Ballance, will have to wait at least a little while longer for a response to his FOI request, made in 2005, to the Common Services Agency (CSA). Even then it is still uncertain whether the information he requested will be provided in full, or at all.

The CSA is the statistical arm of the NHS in Scotland. Mr Collie made his request to the CSA under the Freedom of Information (Scotland) Act 2002 (FOISA), seeking figures for the incidence of childhood leukaemia in the years 1990-2003 in the Dumfries and Galloway postal district, broken down by census ward. There had been concern in the area about the possible effects on the health of the local population of the presence of an MOD weapons testing range, a decommissioned nuclear power station and a nuclear reprocessing plant nearby.

The Lords’ ruling was eagerly awaited, because it was hoped it would provide authoritative and useful guidance on certain key aspects of how FOI operates, in particular how FOISA interacts with the Data Protection Act 1998 (DPA), which provides individuals with a right to access information held about them, . But, as sometimes happens, it turned out to be a bit of an anticlimax.

Status of barnardised data

In a unanimous judgment, the five Law Lords decided to remit the central elements of the case back to the Commissioner and directed him to reconsider his earlier decision in the light of their ruling. In the leading opinion Lord Hope sets out six questions which he thinks the case requires the House of Lords to address. However, he only conclusively answers the first of these – whether the information which the Commissioner ordered the CSA to release in “barnardised” form (i.e. disguised by statistical manipulation) to the requester was actually “held” by the CSA at the time of Mr Collie’s request (as required by FOISA). Lord Hope, affirming the Court of Session, says that it was: obliging the CSA to modify or re-format the tabular data which it held in this manner did not put it in the position of having to conduct research or create new information on behalf of requesters, but rather allowed it to camouflage information it already held.

He then goes on to compare the barnardisation process to that of redaction, or editing, of information in the form in which it was held so that parts of it which are private or confidential are not released. Another of the judges, Lord Rodger, agrees, describing barnardisation as the introduction of “statistical noise” into the tables, but holding that they contain no new information as a result. This is the part of the judgment which will possibly be of most practical use to data controllers, especially those public authorities subject to FOI and engaged in the processing of statistical information.

The second of Lord Hope’s questions – would information in this form constitute personal data? – he does not answer definitively, but he could be giving the Commissioner a broad hint when he writes: “there is no doubt that the respondent’s task will be greatly simplified if he is able to satisfy himself that the process of barnardisation will enable the data to be sufficiently anonymised”. However, Lord Rodger seems to take an opposing view: “The First Division accepted that argument [that barnardisation was adequate protection against identification]”, he writes. “I would reject it.”

Issues of fact

Because this second of Lord Hope’s six questions is not answered by the court, the other four (which depend on information still being personal data even after barnardisation) go unanswered too. This is unfortunate, because one of the topics which it was expected the Lords might consider was the interpretation in this context of the DPA’s first “data protection principle”, which states that personal data must be processed fairly and lawfully. In particular this principle requires that personal data shall not be processed unless at least one of the conditions in sched 2 to the Act is met (for example, the data subject has consented to the processing); and, in the case of sensitive personal data (such as health information), one of the conditions in sched 3 is satisfied as well.

Before the ruling some commentators speculated that in their judgment the Lords might give data controllers, such as the CSA, guidance on the application of one of the sched 2 conditions in particular, condition 6(1). This permits the processing of personal data (in this case its disclosure without the consent of the person to whom the data relate) if it is “necessary for the purposes of legitimate interests” pursued by the data controller, or by the person or persons to whom the data are disclosed, except where such processing is unwarranted due to prejudice to the rights and freedoms or legitimate interests of

the data subject.

Their Lordships give no substantive guidance on how the CSA could have managed this balancing act between the “legitimate interests” of the recipient of any personal data disclosed by it, and the rights and freedoms or legitimate interests of the subjects of that personal data. Such guidance would have been valuable to all data controllers, not just public authorities. Instead, Lord Hope states: “Striking the right balance between these two considerations would raise issues of fact as to which no findings have been made and which only the Commissioner is in a position to determine.” Indeed, it is notable how often in their judgment their Lordships refer to matters as being questions of fact on which they are unable to rule, and which the Commissioner requires to decide.

Legal thicket

The ruling also does nothing for the reputation of the DPA, a complex piece of legislation which has been variously described by leading legal figures as “a thicket” and “almost incomprehensible”. As one of the other judges in the case, Baroness Hale, ruefully observes in her opinion, quoting the words of EC Directive 95/46 on which the DPA is based, “the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable. It would have been so much easier if this had been clearly stated in the Data Protection Act 1998”. She later describes the matter as “this… confusing case”.

However, it could be said that in another aspect of their ruling the Lords have added to that confusion. It concerns a prong of the definition of personal data contained in s 1(1) of the DPA. Section 1(1) states:

“ ‘personal data’ means data which relate to a living individual who can be identified… (b) from those data and other information which is in the possession of… the data controller”.

In other words, where data is held in such a form that the link with an identifiable living individual is broken – where it is “de-personalised”, you might say – but the data controller (note: not the applicant requesting the data) also holds a key to that data which is capable of re-establishing that link, then s 1(1)(b) says the anonymous data counts as personal data. That engages sched 2 (or sched 3, as appropriate) and all the other restrictions on disclosure and use derived from the Act’s other data protection principles, even in the hands of a recipient who does not have such a key. This apparent anomaly – the DPA’s concern to treat as “personal”, data which is only actually “personal” in the hands of the data controller, and which therefore does not infringe the privacy of individuals if it is disclosed solely in anonymised form – had not been considered by the courts before.

The Lords squared this circle by returning to first principles and considering the underlying directive (which refers several times to “the right to privacy”, while the DPA on the other hand in all its 75 sections and 16 schedules does not mention “privacy” once). By applying a purposive construction to its terms, specifically its recital 26 (the one cited by Baroness Hale above), the Lords effectively set s 1(1)(b) to one side. This overriding of one of the fundamental elements of the definition of personal data throws the status of s 1(1)(b) into doubt, and until some clarification on this point is forthcoming either from the courts or the UK Information Commissioner’s Office (which oversees the DPA), it poses a problem for those who have to advise clients on its applicability.

The Lords have handed the Commissioner a road map with a start point clearly marked “You are here”. Which route he decides to take through the thicket, and his ultimate destination, are now up to him.

Stuart Skelly is a senior solicitor in the Corporate Department at HBJ Gateley Wareing