Feeds

Hear that, Sigourney? Common names 'may not constitute personal data'

Court of Appeal: Floating free from family name is fine

Secure remote control for conventional and virtual desktops

Common names of people may not, read alone, constitute "personal data", the Court of Appeal has said.

The Court said that only if common names were matched with other information would it be possible to identify the individuals to whom the names relate. Data protection laws only apply to the processing of personal data.

"A name is personal data unless it is so common that without further information, such as its use in a work context, a person would remain unidentifiable despite its disclosure," Lord Justice Moses said in a judgment issued by the Court.

The judge, together with Lord Justice Beatson and Lord Justice Underhill, was ruling in a case involving the former City regulator the Financial Services Authority (FSA). In the case, the judges held that the names of individuals that a man sought disclosure of by the FSA under freedom of information (FOI) rules were clearly personal data. They rejected the man's bid to force the disclosure of those names.

Efifiom Edem had asked the FSA for a copy of information it held about him and about complaints he had made to the effect that the FSA had failed to regulate credit card company Egg Plc properly.

The regulator withheld the names of the junior staff who dealt with Edem's complaints on the grounds that the names constituted personal data. That decision was backed by the Information Commissioner's Office (ICO) following an appeal by Edem, but a first-tier Information Rights Tribunal backed Edem's bid to win disclosure following a subsequent appeal.

The Tribunal ordered disclosure of the three junior staff members' names after determining that the release of the information "did not adversely affect their privacy". The Information Rights Tribunal said that the three names "may well be sufficient" to identify the individuals when taken together with information that they were employed by the FSA in certain positions on a given date, however it did not follow that the names themselves were personal data even if the individuals could be identified as the information must also be "such as to affect the person's privacy".

However, an Upper Information Rights Tribunal overturned the lower Tribunal's judgment, ruling that the information was obviously personal data and that there were no legitimate interests in its disclosure. The Court of Appeal has now upheld that ruling. The first-tier Tribunal had been wrong to review whether the FSA employees' names had "biographical significance", it said. The biographical significance of information is one test set out in UK case law for determining whether that information constitutes personal data.

The Court of Appeal referred to guidance the ICO has issued as confirming that it is not always necessary for the 'biographical significance' of information to be assessed to determine whether it qualifies as personal data.

"It is important to remember that it is not always necessary to consider 'biographical significance' to determine whether data is personal data," the ICO's guidance states. "In many cases data may be personal data simply because its content is such that it is 'obviously about' an individual. Alternatively, data may be personal data because it is clearly 'linked to' an individual because it is about his activities and is processed for the purpose of determining or influencing the way in which that person is treated. You need to consider 'biographical significance' only where information is not 'obviously about' an individual or clearly 'linked to' him."

Lord Justice Moses said that the FSA staff names Edem sought disclosure of "were obviously about those three individuals" and that no further testing of whether the information constituted personal data was therefore required.

"Judge Jacobs [at the Upper Tribunal] was right to reject the approach of the First-Tier Tribunal which was wrong as a matter of law," Lord Justice Moses said. "The [ICO's guide] sets out guidance on the circumstances in which personal data about public authority employees should or should not be disclosed. The refusal of the Financial Services Authority to disclose the names in this case properly followed that guidance. For those reasons I reject Mr Edem's submissions that the Upper Tier Tribunal was in error."

Under the Freedom of Information (FOI) Act individuals have a general 'right to know', which entitles them to be provided with information held by Government departments and public bodies. However, those bodies can legitimately withhold information requested in some circumstances. One absolute exemption in FOI laws allows bodies to refuse to disclose information they hold when the information amounts to personal data where to do so would be a breach of the Data Protection Act.

The Data Protection Act requires organisations to process personal data fairly and lawfully. In determining whether it is fair to process the information organisations must consider the method in which they obtained the data and whether its purpose of processing would deceive or mislead the person from whom the information was obtained.

Unlike other exemptions to the FOI Act, there is no presumption in favour of the disclosure when a body seeks to use the data protection exemption. Instead, the legitimate interests of the public in the disclosure need to be balanced against the interests of the individual whose personal data would be disclosed.

Copyright © 2014, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Remote control for virtualized desktops

More from The Register

next story
I'll be back (and forward): Hollywood's time travel tribulations
Quick, call the Time Cops to sort out this paradox!
Musicians sue UK.gov over 'zero pay' copyright fix
Everyone else in Europe compensates us - why can't you?
Megaupload overlord Kim Dotcom: The US HAS RADICALISED ME!
Now my lawyers have bailed 'cos I'm 'OFFICIALLY' BROKE
MI6 oversight report on Lee Rigby murder: US web giants offer 'safe haven for TERRORISM'
PM urged to 'prioritise issue' after Facebook hindsight find
BT said to have pulled patent-infringing boxes from DSL network
Take your license demand and stick it in your ASSIA
Right to be forgotten should apply to Google.com too: EU
And hey - no need to tell the website you've de-listed. That'll make it easier ...
prev story

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.