The High Court was forced to re-examine the concept of ‘personal data’ in R (Kelway) v The Upper Tribunal, Northumbria Police and the Information Commissioner [2013] EWHC 2575 (Admin). The case involved an application for judicial review by Dr Kelway against two decisions of the Upper Tribunal refusing a request for disclosure of information by Northumbria Police, who were investigating a complaint by Dr Kelway that a district judge had committed a serious criminal offence by arranging for a tape of court proceedings to be tampered with. Dr Kelway had requested information from the district judge’s statement given to police officers investigating the alleged criminal offence. Dr Kelway challenge was to the effect that any references to the district judge in the statement were not biological and did not have him as their focus, and therefore were not personal data and should be disclosed without the consent of the district judge. In determining to refuse the grant of the application for disclosure, HHJ Thornton was forced to examine the concept of personal data in circumstances where the answer is not clear.
Section 1(1) of the Data Protection Act 1998 defines personal data as ‘data which relate to a living individual who can be identified from those data, or from those data and other data which is in the possession of or is likely to come into the possession of the data controller and includes any expression of opinion about the individual..’
The EU Article 29 Data Protection Working Party added in their 2007 ‘Opinion on the Concept of Personal Data’ that, in addition to considering the content of the data, the result of the use of the data on the individual must also be considered to determine if that data is personal.
The Court of Appeal previously held in the case of Durant v Financial Services Authority [2003] EWCA Civ 1746 that in order for data to be personal data within the meaning of the DPA, ‘the data must go beyond the mere mention of an individual’s involvement in a matter that has no personal connotations… the data should have the individual as its focus, rather than some other person with whom they may have been involved or some transaction or event in which the individual may have had an interest.’
In this case, HHJ Thornton analysed the existing ‘tests’ to determine if data is personal data, and concluded that three questions must be answered affirmatively:
1. Is the data information which is being processed or recorded or forms part of an accessible record?
2. Is it possible to identify a living individual from the data?
3. Does the data relate to an individual?
HHJ Thornton recognised that to be able to answer questions 2 and 3, the following considerations are relevant:
- Does the data contain biographical information rather than just record the data subject’s mere involvement in a matter or event
- Does the data have the data subject at its focus (The Durant Test)
- Does the data relate to the individual in the sense that it is about the individual because its content refers to their identity and characteristics, and is the use of that data likely to have an impact on the individual’s rights and interests (The Working Party Test)
- Can a living individual be identified from the data and is that data obviously about a particular individual; or is that information used in a way to influence decisions affecting that individual; and does that data focus on the individual as the central theme with the potential to impact that individual (The ICO Guidance Test)
HHJ Thornton concluded that the impact of the use of the data on the individual must be considered, in addition to whether the data has the individual as its focus. He therefore refused to grant Dr Kelway the application for disclosure of the information without the consent of the district judge on the grounds that the information constituted personal data, given the impact disclosure would have on the district judge.
This judgment confirms that the Durant Test is therefore only part of the test that must be applied to consider if data is personal data within the meaning of the DPA.
Cynthia O’Donoghue is a partner at Reed Smith and co-head of the Data Privacy, Security and Management group.