The Information Commissioner’s Office decreed that a list of delegates attending a conference was “personal data” and therefore protected by the Data Protection Act. But the case went to appeal. What did the Information Tribunal have to say? Phil Lee investigates.
Topic: Privacy
Who: Information Tribunal / Information Commissioner
When: 3 January 2008
Where: UK
Law stated as at: 5 February 2008
What happened:
It's not often that the Information Commissioner gets it wrong, but that's exactly what happened according to a recently reported ruling by the Information Tribunal (the body which hears appeals against decisions of the Information Commissioner).
The ruling centres around a freedom of information request made by Mr Harcup to Yorkshire Forward ("YF"). YF is described as "a public authority whose duties include promoting business in Yorkshire," to which end "it organises a number of training events and seminars, and provides corporate hospitality on occasion".
Back in 2005, Mr. Harcup submitted a request under the Freedom of Information Act 2000 ("FOIA") for information: "relating to Yorkshire Forward's corporate hospitality, events and entertainment of potential clients, members of the business community, politicians and other guests from 2003 to date: including, but not restricted to dinners, lunches, breakfasts, drinks receptions, awards ceremonies, and the use of hospitality boxes or tickets for sporting or other events. I would like to see the amount spent, broken down per event and lists of guests attending (including which organisation they represented, if any), again broken down by event. I would also like to see any reports relating to any such event in particular or to corporate hospitality in general" (our emphasis).
Yorkshire Forward does not come forward
Perhaps unsurprisingly, YF replied that it was unable to supply details of attendees to its events "as this is against the Data Protection Act" (s.40 FOIA permits public authorities to withhold information if disclosing it would disclose "personal data" within the meaning of the Data Protection Act 1998).
It did, however, provide most of the other information requested by Mr. Harcup, save for information which would have cost YF more than the statutory limit of £450 to collate and disclose (s.12 FOIA). Mr. Harcup remained unhappy, his "major complaint" being that YF had used the s.40 FOIA exemption to withhold delegate details. Consequently, he complained to the Information Commissioner's Office ("ICO").
Despite finding some minor procedural breaches of FOIA by YF, the ICO upheld YF's decision not to disclose delegate details. The ICO did hold, however, that this exemption did not allow YF to refuse to provide details of the organisations represented, so long as no individual attendees were named. Mr. Harcup still remained unsatisfied, and complained to the Information Tribunal.
Information Tribunal does not toe ICO line
In a move which surprised many commentators, the Information Tribunal overturned the ICO's decision on this point, holding that a list of attendee names did not, in itself, constitute personal data.
In reaching this decision, the Information Tribunal noted several key points:
(i) attendees from a significant number of organisations attended events organised by YF over the period concerned (the list of organisations ran to some 72 pages and listed over 3000 names) and, as such, it was very unlikely that a record of an individual's attendance at an event could be said to be "biographical in a significant sense" or to have the individual as its "focus", both features of "personal data" according to the Court of Appeal;
(ii) delegate lists were already disclosed to other event attendees and events were also attended by the press, making an expectation of privacy on the part of the attendees unlikely; and
(iii) YF's attendee lists were not matched to the organisations represented by those attendees, making it "impossible to correlate individual names to organisations" (the Information Tribunal did accept, however, that releasing attendee names which were correlated to the organisations they represented "would be to release significant personal data").
However, notwithstanding this ruling, the Information Tribunal assessed that the disclosure of this information would certainly exceed the statutory cost limit imposed by FOIA. YF was therefore still not obliged to disclose this information to Mr. Harcup.
Why this matters:
Ever since the Court of Appeal handed down its decision in Durant v FSA, there has been considerable speculation about what information is, and is not, personal data. This is crucial because if data falls outside "personal data" it is not protected by the Data Protection Act 1998.
By way of reminder, the Court of Appeal ruled in Durant that, in order for information to be personal data within the scope of the Data Protection Act, it had both to have the individual as its "focus" and be "biographical in a significant sense" about that individual. What this has meant in practice is that a simple recording of an individual's attendance at a meeting or an event – as in the case of Yorkshire Forward – is, on its own, unlikely to constitute personal data.
However, some commentators have leapt on the bandwagon to suggest that Yorkshire Forward sets a precedent that delegate lists are never personal data, and this is simply one step too far. The Information Tribunal itself noted that "we are not attempting to lay down some general principle about attendance at events". Indeed, by noting that a list of attendee names will not constitute personal data if "names of individuals and the organisations they represented … could not be correlated", the case seems to be a precedent for exactly the opposite proposition: that delegate lists will nearly always be personal data.
So, the message for marketers is this: when organising conferences or events, collecting name and organisation details from attendees will generally fall within the ambit of data protection law. Consequently, it is important for you to inform attendees how their details may be used (whether for disclosure for networking purposes to other attendees, for future marketing activities or otherwise) and to ensure that you have a legal basis to use their details in this way (for example, by collecting their consent on delegate sign up forms). Failure to do this could expose you (or the clients you represent) to data protection risk.