Previously on marketinglaw we reported on potentially seismic implications for direct marketers of a recent Court of Appeal judgement on the meaning of ‘personal data.’ The Information Commission has now produced detailed ‘new guidance’ based on the case.
Topic: Data Protection
Who: The Information Commissioner's Office
Where: Wilmslow, Cheshire
When: February 2004
In January 2004 we reported on the apparently significant implications for marketers trying to comply with data protection law of a recent Court of Appeal decision in the case of Michael Durant v the Financial Services Authority.
We reported then the acceptance by the Information Commissioner's Office ("ICO") that the case was important and its promise to review urgently its relevant guidelines. It has now done this and helpfully published a paper entitled "The Durant Case and its impact on the interpretation of the Data Protection Act 1998."
The ICO focuses straight away on the Court of Appeal's conclusion as to what the phrase "personal data" actually covers. The ICO admits that this is crucial, as the Data Protection Act only applies to "personal data."
The ICO cites the Court of Appeal's conclusion in Durant that "personal data" is information that affects [a person's] "privacy, whether in his personal or family life, business or professional capacity."
The ICO comments here that clearly the concept of privacy is central to the definition of personal data. In other words, when assessing whether any particular set of information is "personal data," you should take into account whether or not the information in question is capable of having an adverse impact on the individual.
In this connection, the ICO reminds us that in the Durant judgement, the Court of Appeal had identified two notions that may assist in determining whether information "affects [an individual's] privacy":
"the first is whether information is biographical in a significant sense, that is, going beyond the recording of [the individual's] involvement in a matter or an event which has no personal connotations…"
The second concerns focus. "The information should have the [individual] as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest…"
What does all this mean in practice? The ICO says that simply because an individual's name appears on a document, the information contained in that document will not necessarily be "personal data" about the named individual. But it is "more likely" that an individual's name will be "personal data" where the name appears together with other information about the named individual, such as address, telephone number or information regarding his hobbies.
Does this mean that in the ICO's view, a mere name and address or name and telephone number is still "personal data"? The ICO steps back from stating this in words of one syllable, although it does indicate that such information is "more likely" to be so regarded.
But this "likelihood" might be said to be somewhat reduced by two factors.
Is a name and address "personal data?"
First of all, the ICO paper cites in support of its assertion that a mere name and address or name and telephone number is "more likely" to be regarded as "personal data", a recent European Court of Justice decision in the Swedish "Lindqvist" case. This was recently reported on marketinglaw, but the context there was somewhat different to a mere name and address or name and telephone number in a mailing list.
In that case, the names and details were on the defendant's website in a list of individuals who were seeking confirmation in the local church and included references to various other aspects of their personal lives, such as hobbies.
A second factor is the ICO's own new guidelines, which cite five examples of information which they would regard as "personal data". These are the following:-
· information about the medical history of an individual;
· an individual's salary details;
· information concerning an individual's tax liabilities;
· information comprising an individual's bank statements; and
· information about an individual's spending preferences.
Again, all of these are in a dimension that is quite different to, for example, a list of employees in a target company or a list of individuals living in a certain area or doing a particular job.
Why this matters:
In our previous marketinglaw report on the Durant v FSA case, we suggested that the Court of Appeal's definition of "personal data" could have a significant impact on whether data protection law did in fact apply to a healthy percentage of mailing lists and databases currently being used for marketing purposes in the UK. This new guidance from the ICO is clearly very reluctant to make that bold assertion, but it still shrinks from reasserting its previous position, which was clearly that a mere name and address was indeed personal data in all cases.
As a matter of best practice and maximum prudence, those compiling and using mailings lists and databases for marketing purposes may decide that on a default basis they should continue to regard such data as falling within the Data Protection Act. Others, however, might well legitimately seek advice on whether they are unnecessarily restricting or limiting their marketing use of data because of an over-zealous interpretation of the ambit of data protection law, a syndrome which has recently attained notoriety in a number of other instances in recent months.