Feeds

Hear that, Sigourney? Common names 'may not constitute personal data'

Court of Appeal: Floating free from family name is fine

Security for virtualized datacentres

Common names of people may not, read alone, constitute "personal data", the Court of Appeal has said.

The Court said that only if common names were matched with other information would it be possible to identify the individuals to whom the names relate. Data protection laws only apply to the processing of personal data.

"A name is personal data unless it is so common that without further information, such as its use in a work context, a person would remain unidentifiable despite its disclosure," Lord Justice Moses said in a judgment issued by the Court.

The judge, together with Lord Justice Beatson and Lord Justice Underhill, was ruling in a case involving the former City regulator the Financial Services Authority (FSA). In the case, the judges held that the names of individuals that a man sought disclosure of by the FSA under freedom of information (FOI) rules were clearly personal data. They rejected the man's bid to force the disclosure of those names.

Efifiom Edem had asked the FSA for a copy of information it held about him and about complaints he had made to the effect that the FSA had failed to regulate credit card company Egg Plc properly.

The regulator withheld the names of the junior staff who dealt with Edem's complaints on the grounds that the names constituted personal data. That decision was backed by the Information Commissioner's Office (ICO) following an appeal by Edem, but a first-tier Information Rights Tribunal backed Edem's bid to win disclosure following a subsequent appeal.

The Tribunal ordered disclosure of the three junior staff members' names after determining that the release of the information "did not adversely affect their privacy". The Information Rights Tribunal said that the three names "may well be sufficient" to identify the individuals when taken together with information that they were employed by the FSA in certain positions on a given date, however it did not follow that the names themselves were personal data even if the individuals could be identified as the information must also be "such as to affect the person's privacy".

However, an Upper Information Rights Tribunal overturned the lower Tribunal's judgment, ruling that the information was obviously personal data and that there were no legitimate interests in its disclosure. The Court of Appeal has now upheld that ruling. The first-tier Tribunal had been wrong to review whether the FSA employees' names had "biographical significance", it said. The biographical significance of information is one test set out in UK case law for determining whether that information constitutes personal data.

The Court of Appeal referred to guidance the ICO has issued as confirming that it is not always necessary for the 'biographical significance' of information to be assessed to determine whether it qualifies as personal data.

"It is important to remember that it is not always necessary to consider 'biographical significance' to determine whether data is personal data," the ICO's guidance states. "In many cases data may be personal data simply because its content is such that it is 'obviously about' an individual. Alternatively, data may be personal data because it is clearly 'linked to' an individual because it is about his activities and is processed for the purpose of determining or influencing the way in which that person is treated. You need to consider 'biographical significance' only where information is not 'obviously about' an individual or clearly 'linked to' him."

Lord Justice Moses said that the FSA staff names Edem sought disclosure of "were obviously about those three individuals" and that no further testing of whether the information constituted personal data was therefore required.

"Judge Jacobs [at the Upper Tribunal] was right to reject the approach of the First-Tier Tribunal which was wrong as a matter of law," Lord Justice Moses said. "The [ICO's guide] sets out guidance on the circumstances in which personal data about public authority employees should or should not be disclosed. The refusal of the Financial Services Authority to disclose the names in this case properly followed that guidance. For those reasons I reject Mr Edem's submissions that the Upper Tier Tribunal was in error."

Under the Freedom of Information (FOI) Act individuals have a general 'right to know', which entitles them to be provided with information held by Government departments and public bodies. However, those bodies can legitimately withhold information requested in some circumstances. One absolute exemption in FOI laws allows bodies to refuse to disclose information they hold when the information amounts to personal data where to do so would be a breach of the Data Protection Act.

The Data Protection Act requires organisations to process personal data fairly and lawfully. In determining whether it is fair to process the information organisations must consider the method in which they obtained the data and whether its purpose of processing would deceive or mislead the person from whom the information was obtained.

Unlike other exemptions to the FOI Act, there is no presumption in favour of the disclosure when a body seeks to use the data protection exemption. Instead, the legitimate interests of the public in the disclosure need to be balanced against the interests of the individual whose personal data would be disclosed.

Copyright © 2014, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Intelligent flash storage arrays

More from The Register

next story
Scrapping the Human Rights Act: What about privacy and freedom of expression?
Justice minister's attack to destroy ability to challenge state
DVLA website GOES TITSUP on day paper car tax discs retire
Welcome to GOV.UK - digital by de ... FAULT
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Hey Brit taxpayers. You just spent £4m on Central London ‘innovation playground’
Catapult me a Mojito, I feel an Digital Innovation coming on
EU probes Google’s Android omerta again: Talk now, or else
Spill those Android secrets, or we’ll fine you
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.