Feeds

Hear that, Sigourney? Common names 'may not constitute personal data'

Court of Appeal: Floating free from family name is fine

Next gen security for virtualised datacentres

Common names of people may not, read alone, constitute "personal data", the Court of Appeal has said.

The Court said that only if common names were matched with other information would it be possible to identify the individuals to whom the names relate. Data protection laws only apply to the processing of personal data.

"A name is personal data unless it is so common that without further information, such as its use in a work context, a person would remain unidentifiable despite its disclosure," Lord Justice Moses said in a judgment issued by the Court.

The judge, together with Lord Justice Beatson and Lord Justice Underhill, was ruling in a case involving the former City regulator the Financial Services Authority (FSA). In the case, the judges held that the names of individuals that a man sought disclosure of by the FSA under freedom of information (FOI) rules were clearly personal data. They rejected the man's bid to force the disclosure of those names.

Efifiom Edem had asked the FSA for a copy of information it held about him and about complaints he had made to the effect that the FSA had failed to regulate credit card company Egg Plc properly.

The regulator withheld the names of the junior staff who dealt with Edem's complaints on the grounds that the names constituted personal data. That decision was backed by the Information Commissioner's Office (ICO) following an appeal by Edem, but a first-tier Information Rights Tribunal backed Edem's bid to win disclosure following a subsequent appeal.

The Tribunal ordered disclosure of the three junior staff members' names after determining that the release of the information "did not adversely affect their privacy". The Information Rights Tribunal said that the three names "may well be sufficient" to identify the individuals when taken together with information that they were employed by the FSA in certain positions on a given date, however it did not follow that the names themselves were personal data even if the individuals could be identified as the information must also be "such as to affect the person's privacy".

However, an Upper Information Rights Tribunal overturned the lower Tribunal's judgment, ruling that the information was obviously personal data and that there were no legitimate interests in its disclosure. The Court of Appeal has now upheld that ruling. The first-tier Tribunal had been wrong to review whether the FSA employees' names had "biographical significance", it said. The biographical significance of information is one test set out in UK case law for determining whether that information constitutes personal data.

The Court of Appeal referred to guidance the ICO has issued as confirming that it is not always necessary for the 'biographical significance' of information to be assessed to determine whether it qualifies as personal data.

"It is important to remember that it is not always necessary to consider 'biographical significance' to determine whether data is personal data," the ICO's guidance states. "In many cases data may be personal data simply because its content is such that it is 'obviously about' an individual. Alternatively, data may be personal data because it is clearly 'linked to' an individual because it is about his activities and is processed for the purpose of determining or influencing the way in which that person is treated. You need to consider 'biographical significance' only where information is not 'obviously about' an individual or clearly 'linked to' him."

Lord Justice Moses said that the FSA staff names Edem sought disclosure of "were obviously about those three individuals" and that no further testing of whether the information constituted personal data was therefore required.

"Judge Jacobs [at the Upper Tribunal] was right to reject the approach of the First-Tier Tribunal which was wrong as a matter of law," Lord Justice Moses said. "The [ICO's guide] sets out guidance on the circumstances in which personal data about public authority employees should or should not be disclosed. The refusal of the Financial Services Authority to disclose the names in this case properly followed that guidance. For those reasons I reject Mr Edem's submissions that the Upper Tier Tribunal was in error."

Under the Freedom of Information (FOI) Act individuals have a general 'right to know', which entitles them to be provided with information held by Government departments and public bodies. However, those bodies can legitimately withhold information requested in some circumstances. One absolute exemption in FOI laws allows bodies to refuse to disclose information they hold when the information amounts to personal data where to do so would be a breach of the Data Protection Act.

The Data Protection Act requires organisations to process personal data fairly and lawfully. In determining whether it is fair to process the information organisations must consider the method in which they obtained the data and whether its purpose of processing would deceive or mislead the person from whom the information was obtained.

Unlike other exemptions to the FOI Act, there is no presumption in favour of the disclosure when a body seeks to use the data protection exemption. Instead, the legitimate interests of the public in the disclosure need to be balanced against the interests of the individual whose personal data would be disclosed.

Copyright © 2014, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

The essential guide to IT transformation

More from The Register

next story
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
UK fuzz want PINCODES on ALL mobile phones
Met Police calls for mandatory passwords on all new mobes
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Yes, but what are your plans if a DRAGON attacks?
Local UK gov outs most ridiculous FoI requests...
Detroit losing MILLIONS because it buys CHEAP BATTERIES – report
Man at hardware store was right: name brands DO last longer
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
UK government accused of hiding TRUTH about Universal Credit fiasco
'Reset rating keeps secrets on one-dole-to-rule-them-all plan', say MPs
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
EU justice chief blasts Google on 'right to be forgotten'
Don't pretend it's a freedom of speech issue – interim commish
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.