For the first time, the High Court has pronounced on the precise meaning of ‘personal data’ under data protection law and hence on pretty much the entire remit of the legislation. We report on this crucial case and its possible ramifications for the marketing industry at
Topic: Data protection
Who: Michael Durant and the Financial Services Authority
Where: The Court of Appeal, London
When: December 2003
For the very first time in the 20 year history of UK data protection law, we have an authoritative High Court judgement on the meaning of "personal data," and when an individual is entitled to "subject access" to that data in the hands of third parties.
Subject access request
The judgement arose out of a subject access request by one Michael Durant to the Financial Services Authority. Mr Durant had initially complained to the FSA about Barclays Bank's treatment of him as a customer. As a result of this, the FSA entered into correspondence with Barclays and having completed its investigation, closed the matter without informing Mr Durant of the outcome. This was due to its obligations of confidentiality under the Banking Act 1987.
Mr Durant then complained about this to the FSA Complaints Commissioner. He dismissed the Durant complaint, but, undaunted, Mr Durant then made two "subject access requests" to the FSA under the Data Protection Act 1998 ("the Act") in September/October 2001. The FSA supplied Mr Durant with copies of documents relating to him held in computerised form but it refused access to all the manual files on the matter on the basis that information sought was not "personal" and even if it was, it did not form part of a "relevant filing system."
Mr Durant appeals
Dissatisfied with this refusal, Mr Durant took the matter to court and the issues were eventually canvassed in July 2003 in front of the Court of Appeal. The appeal judges handed down their judgement in December 2003 and they took a robust view.
Referring back to the 1981 Council of Europe Convention for the protection of individuals with regard to automatic processing of persona data and the 1995 EU Data Protection Directive, (which both underpin the Act) they did a reality check and looked at the fundamental purpose behind data protection law in Europe.
The court perceived this to be the protection of individuals' fundamental rights, notably the right to privacy and accuracy of their personal data held by others ("Data Controllers").
Personal data definition scrutinised
In the context of the Act's definition of "personal data," they focused on three particular aspects:
· the words "relate to" in the expression "data which relate to a living individual;"
· the words at the end of the "personal data" definition in the Act, namely "includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of that individual." The appeal court felt that the addition of these words supported a narrow construction of the phrase "relate to;"
· the phrase "relevant filing system" as it appears in the Act's definition of "data," which in turn features in the crucial term "personal data." "Data" is defined at Clause 1 (1) as data which is "recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system."
In essence, the judges said there were two aspects to the process of establishing if information is "personal data." First, determining whether the content of the information qualifies as data "relating to" the individual and secondly, establishing if the information is held in a "relevant filing system."
Two "personal data" concepts
On the first question, the Court of Appeal offers two concepts that might assist:
"The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the data subject's involvement in a matter or an event that has no personal connotations.
The second is one of focus. The information should have the data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest.
In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity."
Asking this question in the instant case, the Court of Appeal did not consider that papers relating to conduct on the part of Barclay's Bank about which Durant had complained readily fell within that category.
Subject access rights
In the context of the "subject access" right, the Court said the purpose of the Act was to enable an individual to check whether a data controller's processing of his personal data unlawfully infringes his privacy and, if so, to take steps to protect it. It is not an automatic key to all information, readily accessible or not, which mentions his name.
Looking at the "relevant filing system" question, in the Appeal Judges' view, the mere fact that a document was retrievable by reference to the data subject's name, did not entitle him to a copy of it under the Act. In essence, three questions had to be answered in the affirmative.
1. Is the material a set of information relating to an individual?
2. Is the material structured either by reference to individuals or by reference to criteria relating to individuals?
3. Is it structured in such a way that specific information relating to a particular individual is readily accessible?
In the instant case, the FSA's manual files did not satisfy these criteria because their indexes did not enable "ready location" of personal data or specific information about Durant unless a physical search of the files had been carried out.
So, Mr Durant's appeal was turned down and he came away empty-handed.
Why this matters:
In a statement released after the publication of this important judgement, the Information Commissioner's Office ("ICO") said it welcomed the extent to which this judgement provided firm guidance and greater clarity as to the meaning of "personal data" and "relevant filing systems."
Major ICO Guidance review begins
The Commissioner particularly welcomed the fact that the Court had reiterated the fundamental link between data protection and privacy rights. It also recognised that the interpretations suggested by the Appeal Judges were more restrictive than the approach adopted by the Commissioner to date. In the light of this, it promised that the Guidance previously issued by the Commissioner will be reviewed and amended to reflect this difference of approach.
Finally, and perhaps most importantly, the Commissioner stated, "All the Commissioner's responsibilities, including existing and future casework, will be carried out in accordance with this judgement."
Using people in advertising
In a marketing context, this judgement may well quickly put paid to the recently emerging theory that the use of visual or verbal references to individuals in advertising can in some way give rise to problems under the Act.
In the possession of the advertiser or its agency, it is unlikely that the personal data that is being used for this purpose is being held in a "relevant filing system." It is also even less likely that the mere holding of an individual's name or photograph for the purposes of its use in advertisements can be regarded, without some other biographical reference in the advertising, as processing information that is "biographical in significant sense," and thus falling within the "personal data" definition which the Court of Appeal have now established.
So what about mailing lists?
A far more important question for marketers is whether the new approach to what is "personal data" under the Act has any effect on whether marketing/contact databases are caught by the Act.
Of course, outside the Act, there are specific regulations imposing separate obligations on marketers as regards the use of an individual's contact details. These apply regardless of whether those details qualify as "personal data."
Examples include the recently introduced Privacy and Electronic Communications (EC Directive) Regulations 2003 which impact on the use of email addresses and mobile and land line telephone numbers for marketing.
However, the Act imposes a raft of obligations which only come into play if the information is "personal data".
These include restrictions on the transfer of "personal data" outside the EU to countries such as the US which are regarded as having "inadequate" data protection laws, having to notify the ICO in most instances where personal data is being processed, having to make certain disclosures at the time of capturing personal data, and having to stop using personal data for direct marketing purposes if the subject of the data requests this.
Clearly if the information held on a database about an individual extends beyond a mere name and address or an email address or telephone number, it is likely to quickly pass the "biographical" information test. But what about a database of the names and business addresses of UK solicitors? To what extent could this set of generally available information be described as "information that affects the relevant individuals' privacy, in their personal, family, business or professional capacity."?
We believe this judgment raises crucial questions that could potentially have far-reaching effects on the UK's marketing industry and their approach to data protection compliance. At present users, owners and compilers of databases containing limited information about individuals may wish to take advice on whether their activities in this regard continue to be caught by the Act at all. The release of the ICO's revised Guidance will also be keenly awaited, while the possibility of UK law in this area falling seriously out of step with that of other EU countries must also be on the cards.