Feeds

Hear that, Sigourney? Common names 'may not constitute personal data'

Court of Appeal: Floating free from family name is fine

Remote control for virtualized desktops

Common names of people may not, read alone, constitute "personal data", the Court of Appeal has said.

The Court said that only if common names were matched with other information would it be possible to identify the individuals to whom the names relate. Data protection laws only apply to the processing of personal data.

"A name is personal data unless it is so common that without further information, such as its use in a work context, a person would remain unidentifiable despite its disclosure," Lord Justice Moses said in a judgment issued by the Court.

The judge, together with Lord Justice Beatson and Lord Justice Underhill, was ruling in a case involving the former City regulator the Financial Services Authority (FSA). In the case, the judges held that the names of individuals that a man sought disclosure of by the FSA under freedom of information (FOI) rules were clearly personal data. They rejected the man's bid to force the disclosure of those names.

Efifiom Edem had asked the FSA for a copy of information it held about him and about complaints he had made to the effect that the FSA had failed to regulate credit card company Egg Plc properly.

The regulator withheld the names of the junior staff who dealt with Edem's complaints on the grounds that the names constituted personal data. That decision was backed by the Information Commissioner's Office (ICO) following an appeal by Edem, but a first-tier Information Rights Tribunal backed Edem's bid to win disclosure following a subsequent appeal.

The Tribunal ordered disclosure of the three junior staff members' names after determining that the release of the information "did not adversely affect their privacy". The Information Rights Tribunal said that the three names "may well be sufficient" to identify the individuals when taken together with information that they were employed by the FSA in certain positions on a given date, however it did not follow that the names themselves were personal data even if the individuals could be identified as the information must also be "such as to affect the person's privacy".

However, an Upper Information Rights Tribunal overturned the lower Tribunal's judgment, ruling that the information was obviously personal data and that there were no legitimate interests in its disclosure. The Court of Appeal has now upheld that ruling. The first-tier Tribunal had been wrong to review whether the FSA employees' names had "biographical significance", it said. The biographical significance of information is one test set out in UK case law for determining whether that information constitutes personal data.

The Court of Appeal referred to guidance the ICO has issued as confirming that it is not always necessary for the 'biographical significance' of information to be assessed to determine whether it qualifies as personal data.

"It is important to remember that it is not always necessary to consider 'biographical significance' to determine whether data is personal data," the ICO's guidance states. "In many cases data may be personal data simply because its content is such that it is 'obviously about' an individual. Alternatively, data may be personal data because it is clearly 'linked to' an individual because it is about his activities and is processed for the purpose of determining or influencing the way in which that person is treated. You need to consider 'biographical significance' only where information is not 'obviously about' an individual or clearly 'linked to' him."

Lord Justice Moses said that the FSA staff names Edem sought disclosure of "were obviously about those three individuals" and that no further testing of whether the information constituted personal data was therefore required.

"Judge Jacobs [at the Upper Tribunal] was right to reject the approach of the First-Tier Tribunal which was wrong as a matter of law," Lord Justice Moses said. "The [ICO's guide] sets out guidance on the circumstances in which personal data about public authority employees should or should not be disclosed. The refusal of the Financial Services Authority to disclose the names in this case properly followed that guidance. For those reasons I reject Mr Edem's submissions that the Upper Tier Tribunal was in error."

Under the Freedom of Information (FOI) Act individuals have a general 'right to know', which entitles them to be provided with information held by Government departments and public bodies. However, those bodies can legitimately withhold information requested in some circumstances. One absolute exemption in FOI laws allows bodies to refuse to disclose information they hold when the information amounts to personal data where to do so would be a breach of the Data Protection Act.

The Data Protection Act requires organisations to process personal data fairly and lawfully. In determining whether it is fair to process the information organisations must consider the method in which they obtained the data and whether its purpose of processing would deceive or mislead the person from whom the information was obtained.

Unlike other exemptions to the FOI Act, there is no presumption in favour of the disclosure when a body seeks to use the data protection exemption. Instead, the legitimate interests of the public in the disclosure need to be balanced against the interests of the individual whose personal data would be disclosed.

Copyright © 2014, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
I'll be back (and forward): Hollywood's time travel tribulations
Quick, call the Time Cops to sort out this paradox!
Megaupload overlord Kim Dotcom: The US HAS RADICALISED ME!
Now my lawyers have bailed 'cos I'm 'OFFICIALLY' BROKE
MI6 oversight report on Lee Rigby murder: US web giants offer 'safe haven for TERRORISM'
PM urged to 'prioritise issue' after Facebook hindsight find
BT said to have pulled patent-infringing boxes from DSL network
Take your license demand and stick it in your ASSIA
Right to be forgotten should apply to Google.com too: EU
And hey - no need to tell the website you've de-listed. That'll make it easier ...
Assange™ slumps back on Ecuador's sofa after detention appeal binned
Swedish court rules there's 'great risk' WikiLeaker will dodge prosecution
prev story

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.