The House of Lords ruling in Common Services Agency v Scottish Information Commissioner [2008] UKHL 47 addresses important questions about the interaction between provisions of the Data Protection Act 1998 on the one hand and provisions of the Freedom of Information (Scotland) Act 2002 on the other, and has a real impact on practice in these fields across the UK.
The judgment is likely to have wide-ranging implications for all public authorities and businesses and other organisations which hold and process personal data. In practice, this is likely to mean any organisation which is a ‘data controller’ in terms of the data protection legislation – from large commercial businesses through to charities and not for profit organisations. Organisations who issue statistics on health related issues may be especially affected. But individuals whose information may be held and disclosed by any of these authorities, businesses or organisations are also affected.
Laurence Eastham writes:
Not for the first time, an eagerly anticipated House of Lords judgment may well be considered something of a disappointment. It is narrower than one might have hoped. Moreover, the variations in reasoning, which are bearable on the facts and nevertheless lead to unanimity of view on the actual order in the case, have the potential to cause difficulties in the future. Nevertheless, this is a major judgment and demands to be read in full by all practitioners in this area.
For an excellent account of the background to and judgments in the case, see the analysis from Grant Campbell of Brodies (www.brodies.co.uk) below.
Access the judgment here: http://www.bailii.org/uk/cases/UKHL/2008/47.html
Grant Campbell of Brodies writes:
The facts in brief
In 2005 Mr Michael Collie, a researcher working for a (then) Green Party MSP, submitted a request under the Freedom of Information (Scotland) Act 2002 (or “FOISA”) to the Common Services Agency (the “CSA”), a specialist health board in Scotland which collects statistical information from other health boards. In terms of his request he sought details of the recorded incidence of childhood leukaemia for certain years in the Dumfries and Galloway area of South West Scotland, broken down by census ward. It appears his interest lay in the suspected risk to public health arising from the MOD’s operations at its Dundrennan firing range, the decommissioned nuclear reactor at Chapelcross and the nuclear processing facilities at Sellafield.
The CSA refused to disclose the information requested, on the grounds that it was personal data the disclosure of which would breach the data protection principles. On application to the Scottish Information Commissioner (the “SIC”), the SIC ordered the CSA to disclose the information sought in a re-presented form using a technique called “barnardisation” which applies a process of random modification to statistics consisting of small numbers in order to substantially remove the risk that individual data subjects can be identified from them. The Inner House of the Court of Session subsequently upheld the SIC’s decision and the CSA appealed further to the House of Lords.
The case raised interesting and important questions as to the precise meaning of “personal data” in terms of the Data Protection Act 1998 (the “DPA”) and as to the interaction of the DPA and freedom of information legislation. Whilst their Lordships were required to consider certain provisions of FOISA for the purposes of disposing of the appeal, the corresponding provisions of the Freedom of Information Act 2000 are in materially the same terms and the judgment is therefore of relevance throughout the UK.
The key issues considered by the Court
The extent of a Scottish public authority’s duty under FOISA to provide information requested in a different form to that in which it holds it
The CSA argued that barnardisation of the information which Mr Collie requested would involve the creation of new information which it did not hold as at the date of its receipt of the request, and that nothing in FOISA required it to do that. However their Lordships were unanimous in finding that barnardisation did not constitute the creation of new information but instead, rather like redaction, simply involved doing something to information to allow its release in a form which does not infringe the rights of the individuals to whom it relates.
Lord Rodger went so far as to say that where disclosure of information requested under FOISA would breach the data protection principles, section 1(1) of FOISA obliged an authority to consider whether it could provide that information in another form without thereby breaching the DPA. Quite how far the authority is required to go in this respect is not clear, but Lord Rodger specifically pointed out that any such amendment or reworking of the information would be subject to the time and cost constraints which are built into freedom of information legislation.
The meaning of “personal data” in terms of the DPA
Undoubtedly of greatest interest to those awaiting the outcome of this case was their Lordships’ approach to determining whether or not the barnardised information was “personal data” within the meaning of the DPA. This issue has clear relevance to the creation and processing of statistical information.
Durant
Counsel for all parties had relied heavily on the Court of Appeal’s 2003 decision in Durant v Financial Services Authority for the purposes of determining whether the barnardised information could be said to “relate” to the children involved. However the House of Lords held unanimously that Durant was simply not relevant to the case under consideration.
Whilst no single, consistent reason for disregarding Durant can be found in their Lordships’ speeches, the judgment may nevertheless arguably be authority for the position which emerges from the Information Commissioner’s Technical Guidance Note of August 2007, to the effect that Durant is relevant to the question of whether data “relates” to a living individual only in difficult cases where the information in question is not “obviously about” someone. In this case their Lordships were apparently comfortable that, even in its barnardised form, statistical information about the incidence of childhood leukaemia was information about the health of the children concerned and as such that it related to them in the ordinary sense of that word. There was therefore no need to turn to Durant and its concepts of focus and significant biographical data, to decide whether this first requirement of the definition of “personal data” was satisfied.
Identification
If the barnardised information clearly related to the children concerned, their Lordships had more difficulty in dealing with the second leg of the definition of “personal data” – i.e. whether any of the children could be identified from the barnardised information (either alone or taken together with other information in the possession, or likely to come into the possession, of the CSA).
It was common ground between their Lordships that the fact that the CSA continued to hold “other information” which would ultimately have allowed it to “decode” the barnardised information to identify each of the children to whom it related, did not necessarily mean that the barnardised information was still personal data. However they did not all adopt the same reasoning in reaching that conclusion and in fact at least two quite different rationales can be identified from the judgment.
Lord Hope took the view that data can be “fully anonymised” in the hands of the data controller and thereby cease to be personal data, even where the data controller does have information which would theoretically allow it to unlock the identities of the subjects of that data, but did not explain exactly how or in what circumstances that anonymisation might be achieved. Lord Rodger thought that data would remain personal data in the hands of the data controller provided that the data controller could identify the subjects of that data using “reasonable means”. Again though, the practical implications of that reasoning are not clear. In marked contrast, Baroness Hale focused instead on the proposed recipient of the data, and whether he or she could identify the subject(s) of that data from that data alone (given that he or she would not have access to any of the “other information” in the hands of the disclosing data controller).
This lack of unanimity would seem to have arisen from the difficulty which their Lordships faced in reconciling the definition of “personal data” in the DPA with the spirit of Directive 95/46/EC (which the DPA transposed into UK law) and in particular with Recital 26 of the Directive which states that “the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable …”. In Baroness Hale’s words, whilst their Lordships would “all like the legal position to be that, if the risk of identification [of the children] can indeed be eliminated, the Agency is obliged to provide [the information requested]”, in line with the “expectation in Recital 26”, she had “much more difficulty in spelling out [that conclusion] from the definition of “personal data” in section 1(1) of the Act”.
The ultimate purpose of the judgment as it relates to this point is therefore clear. However what is not clear is exactly how the “identifiability” requirement of the statutory definition should be interpreted and applied going forward. The different approaches to this issue found in the judgment might in many cases produce the same answer. However this will not always be the case. Questions remain to be answered then as to precisely what factors are to be taken into account in determining when data can be said to be “fully anonymised” and as such no longer personal data.
Conclusion
The House of Lords’ judgment provides some clarification of the extent of public authorities’ obligations to amend or otherwise do anything to the information which they hold for the purposes of responding to a request for that information under freedom of information legislation, in particular where that information is personal data. It also may (on one interpretation at least) help to clarify the impact of the Court of Appeal’s judgment in Durant.
However what it does not do is to clearly address the question of the correct legal interpretation of the “identifiability” requirement of the UK’s statutory definition of “personal data”. Indeed arguably the judgment raises more questions in this regard than it answers.
Those questions will no doubt be mulled over at length by commentators in the coming weeks and months. Ultimately though what is apparent from their Lordships’ decision in this case is that they do not think that the words of the definition in the DPA, when given their plain meaning, sit easily with the corresponding provisions of Directive 95/46/EC. It is a matter of debate whether this can satisfactorily be resolved by further purposive construction or whether formal legislative amendment is required.