Hear that, Sigourney? Common names 'may not constitute personal data'
Court of Appeal: Floating free from family name is fine
Common names of people may not, read alone, constitute "personal data", the Court of Appeal has said.
The Court said that only if common names were matched with other information would it be possible to identify the individuals to whom the names relate. Data protection laws only apply to the processing of personal data.
"A name is personal data unless it is so common that without further information, such as its use in a work context, a person would remain unidentifiable despite its disclosure," Lord Justice Moses said in a judgment issued by the Court.
The judge, together with Lord Justice Beatson and Lord Justice Underhill, was ruling in a case involving the former City regulator the Financial Services Authority (FSA). In the case, the judges held that the names of individuals that a man sought disclosure of by the FSA under freedom of information (FOI) rules were clearly personal data. They rejected the man's bid to force the disclosure of those names.
Efifiom Edem had asked the FSA for a copy of information it held about him and about complaints he had made to the effect that the FSA had failed to regulate credit card company Egg Plc properly.
The regulator withheld the names of the junior staff who dealt with Edem's complaints on the grounds that the names constituted personal data. That decision was backed by the Information Commissioner's Office (ICO) following an appeal by Edem, but a first-tier Information Rights Tribunal backed Edem's bid to win disclosure following a subsequent appeal.
The Tribunal ordered disclosure of the three junior staff members' names after determining that the release of the information "did not adversely affect their privacy". The Information Rights Tribunal said that the three names "may well be sufficient" to identify the individuals when taken together with information that they were employed by the FSA in certain positions on a given date, however it did not follow that the names themselves were personal data even if the individuals could be identified as the information must also be "such as to affect the person's privacy".
However, an Upper Information Rights Tribunal overturned the lower Tribunal's judgment, ruling that the information was obviously personal data and that there were no legitimate interests in its disclosure. The Court of Appeal has now upheld that ruling. The first-tier Tribunal had been wrong to review whether the FSA employees' names had "biographical significance", it said. The biographical significance of information is one test set out in UK case law for determining whether that information constitutes personal data.
The Court of Appeal referred to guidance the ICO has issued as confirming that it is not always necessary for the 'biographical significance' of information to be assessed to determine whether it qualifies as personal data.
"It is important to remember that it is not always necessary to consider 'biographical significance' to determine whether data is personal data," the ICO's guidance states. "In many cases data may be personal data simply because its content is such that it is 'obviously about' an individual. Alternatively, data may be personal data because it is clearly 'linked to' an individual because it is about his activities and is processed for the purpose of determining or influencing the way in which that person is treated. You need to consider 'biographical significance' only where information is not 'obviously about' an individual or clearly 'linked to' him."
Lord Justice Moses said that the FSA staff names Edem sought disclosure of "were obviously about those three individuals" and that no further testing of whether the information constituted personal data was therefore required.
"Judge Jacobs [at the Upper Tribunal] was right to reject the approach of the First-Tier Tribunal which was wrong as a matter of law," Lord Justice Moses said. "The [ICO's guide] sets out guidance on the circumstances in which personal data about public authority employees should or should not be disclosed. The refusal of the Financial Services Authority to disclose the names in this case properly followed that guidance. For those reasons I reject Mr Edem's submissions that the Upper Tier Tribunal was in error."
Under the Freedom of Information (FOI) Act individuals have a general 'right to know', which entitles them to be provided with information held by Government departments and public bodies. However, those bodies can legitimately withhold information requested in some circumstances. One absolute exemption in FOI laws allows bodies to refuse to disclose information they hold when the information amounts to personal data where to do so would be a breach of the Data Protection Act.
The Data Protection Act requires organisations to process personal data fairly and lawfully. In determining whether it is fair to process the information organisations must consider the method in which they obtained the data and whether its purpose of processing would deceive or mislead the person from whom the information was obtained.
Unlike other exemptions to the FOI Act, there is no presumption in favour of the disclosure when a body seeks to use the data protection exemption. Instead, the legitimate interests of the public in the disclosure need to be balanced against the interests of the individual whose personal data would be disclosed.
Copyright © 2014, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.
Sponsored: Benefits from the lessons learned in HPC