What in anyone’s name amounts to “personal data” after latest Court of Appeal ruling?

Efifiom Edem v Information Commissioner and Financial Services Authority, Court of Appeal
The Court of Appeal has ruled in a data protection case which could have massive implications for determining what amounts to personal data.  It has concluded that a person’s name is personal data within the Data Protection Act 1998 (DPA) unless it is such a common name that, without further information, a person would remain unidentifiable despite its disclosure.  However, of biggest note is the wide interpretation of personal data compared to the leading case of Durant v FSA from 2003.

In the 2003 case, the Court of Appeal gave a narrow interpretation of personal data, saying that data only qualified as personal data under the DPA if it was: biographical in a significant sense such that it went beyond the recording of the person’s involvement in a matter or event such that it had personal connotations so that his privacy could be said to be compromised; and the information should have the individual as its focus rather than being involved in some transaction or event in which he may have featured, such as in the Durant case an FSA investigation.  To amount to personal data, the data had to affect his personal or family life, business or professional capacity.

This latest case involved Mr Edem making a request under the Freedom of Information Act 2000 (FOIA) for information held by the Financial Services Authority about his compliant regarding the way in which Egg Plc had been regulated.  The FSA withheld the names of three junior employees. They were not responsible for making significant decisions, they were below the grade of manager and did not have public-facing roles.  The Court of Appeal decided that it was correct to withhold their names as they amounted to personal data, especially as the requester (Mr Edem) knew where they worked.  Disclosure would be unfair and contrary to their rights under the DPA, especially as it would not help Mr Edem with his complaint.

Although the names were not biographical in any significant sense nor were the individuals at the focus rather than merely featuring in the event, the Court decided that their names were personal data.  In doing so, it followed recent Information Commissioner Office guidance on how to interpret personal data.  This put the decision on a collision course with the Durant case.  The Court of Appeal tried to explain the difference by saying that it is not always necessary to consider the biographical significance to determine whether something is personal data, as many cases may be personal data simply because the content is “obviously about” an individual, or the data may be clearly “linked to” the individual because it is about his activities.  The Court said “biographical significance” only needed to be considered where information was not “obviously about” the individual or clearly “linked to” him.

The ICO has been hamstrung by a case decided at senior level (the Court of Appeal) which for 10 years has been the leading authority on interpreting personal data.  This has led to a narrower interpretation than the UK’s data protection regulator wanted.  Now that all appears to have been changed at a stroke.  It might well be that the reason was that, in the case of Durant, the Court saw the applicant as someone trying to find out information about himself; whereas, in this case, it was to stop the enquirer finding out information about other people.  Either way, on individual cases precedents are created, and now comes the difficult job of trying to reconcile these two different decisions when people want to know what constitutes personal data for the purposes of the DPA.