Whether the Information Commissioner's new guidance following the Durant case makes data subject rights any clearer for lawyers as advisers, employers and business owners
Lawyers advising on data protection, and more specifically an individual’s right of access to information held in manual files, should be aware of the recent revised guidance from the Information Commissioner (www.informationcommissioner.gov.uk) further to the Court of Appeal decision of December 2003, Durant v Financial Services Authority EWCA Civ 1746.
This decision and the Commissioner’s guidance have the effect of substantially decreasing the burden for data controllers of complying with subject access requests. The case has prompted a major rethink on the interpretation of certain aspects of data protection law, with its narrow interpretation of the Data Protection Act 1998 (“the DPA”). The judgment has been criticised. It appears to reduce the burden on companies and organisations whilst restricting individuals’ rights of access to information held in certain manual files. Arguably the UK’s data protection regime now falls short of the Data Protection Directive, so that nationals in other member states have greater subject access rights than those in the UK, and the burden of compliance imposed on businesses is comparatively less onerous.
The facts of Durant were set out in the article “Much Ado about Nothing?” (Journal, February 2004, page 32). Very briefly, Mr Durant lost a claim against Barclays Bank, subsequently complained to the FSA, and attempted to invoke the DPA when the FSA declined to disclose details of its findings or provide copies of certain manual records, with the exception of certain blanked-out (“redacted”) items. The present article focuses on the two main areas where the Information Commissioner considered guidance necessary – what makes data “personal” within the meaning of “personal data”; and what is a “relevant filing system”?
Making it personal
Whilst some of the FSA files did contain information referring to Mr Durant, reference to him was identified by specific dividers within the file, which also contained correspondence with Mr Durant as well as with Barclays Bank and other individuals, copies of notes from telephone calls, transcripts of judgments, handwritten notes, internal memos and a report of a forensic examination. The FSA maintained that this information did not constitute personal data.
The DPA applies only to “personal data”, which the Court of Appeal defined as “information that affects [a person’s] privacy, whether in his personal or family life, business or professional capacity”. The court felt that the information should be biographical and have the individual as its focus, and concentrated on the meaning of when data “relate to” an individual (in terms of the section 1 definition), instead of the traditional issue of “identifiability” which is normally considered.
With the concept of privacy obviously fundamental to this interpretation of “personal data”, the Commissioner considers that in determining whether something is personal data, and therefore within the scope of the Act, account should be taken of whether the information in question is capable of having an adverse impact on the individual.
Prior to Durant, the commonly understood position was that the mere mention of a name, even in an email address, could constitute personal data. However, the effect of the judgment, now accepted by the Commissioner, is that the appearance in information of an individual’s name will only be “personal data” where its inclusion affects the individual’s privacy.
The Commissioner suggests that it is more likely that an individual’s name will be “personal data” where it appears together with other information such as the individual’s address, telephone number or hobbies. This reasoning arises from Lindqvist v Kammaraklagaren (C-101/01), 6 November 2003, referred to by the court in Durant.
The Commissioner states that information that has as its focus something other than the individual, such as information relating to a property (e.g. a survey) or the performance of an office department, will not be “personal data”. If it includes information “about” an individual, where the focus is something other than the individual, such information will not “relate to” the individual and therefore will not be “personal data”.
However, as the Commissioner points out, there could be circumstances where information, for example about a house or a car, will be personal data because that information is directly linked to an individual. The examples he gives are a house valuation used to determine a spouse’s assets in a matrimonial dispute, and details of a car photographed by a speed camera that are used to direct a notice of intention to prosecute to the registered keeper. Both these examples would relate directly to the individual and constitute “personal data”. Whether a data subject has a right of access in the latter case is a moot point: see DPA, section 29(1)(a) and (b).
Manual files and relevant systems
In terms of the Act, a manual filing system only constitutes a relevant filing system when the files are structured, either by reference to individuals or by criteria relating to individuals in such a way that specific information relating to particular individuals is readily accessible.
One of the questions the court faced was whether or not the FSA’s manual files which held information about Mr Durant’s case constituted a relevant filing system. The court took the view that the Act was intended to cover manual files “only if they are of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system”. It went on to say that any manual filing system which, for example, requires the searcher “to leaf through files, … to see whether it or they contain information relating to the person requesting information and whether that information is data within the Act bears … no resemblance to a computerised search”.
The Court of Appeal concluded that for the purposes of the DPA, a “relevant filing system” is restricted to a system:
“(1) in which the files forming part of it are structured or referenced in such a way as clearly to indicate at the outset of the search whether specific information capable of amounting to personal data of an individual requesting it under section 7 is held within the system and, if so, in which file or files it is held; and
“(2) which has, as part of its own structure or referencing mechanism, a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file or files specific criteria or information about the applicant can be readily located”.
The Information Commissioner’s view is that when a subject access request is received for information held in manual files other than information contained in an “accessible record” (i.e. records relating to health, education and certain other accessible public records: DPA, section 68 and schedule 12), the statutory right of access to personal data will only apply if the filing system is structured as a relevant filing system. To constitute such a system, the manual files should be structured to enable the searcher to go straight to the correct category and retrieve the information without a manual search, or should be indexed to allow the searcher to go directly to the relevant page(s).
The Commissioner gives the example of a set of legal files containing files divided into sections for legal aid, pleadings, orders, correspondence by year, instructions to counsel and counsel’s advice, which will not be a relevant filing system because the divisions/referencing do not assist a searcher in retrieving the required personal information without the need to leaf through the file contents.
The result of the Durant decision is that files structured purely in chronological order will not be a relevant filing system as the files are not appropriately structured or referenced to allow the retrieval of personal data without leafing through the file, whereas manual files using individuals’ names or unique identifiers such as the file names, which are indexed to allow retrieval without a manual search, are likely to be held in a relevant filing system.
Open to deletion
Subsequent to the Commissioner’s guidance dated 2 February 2004, there has been further interpretation of the subject access provisions in the DPA from the decision in Johnston v Medical Defence Union (20 February 2004). In this case, the MDU had, in response to a subject access request, provided Johnston with a number of heavily redacted documents in which references to third parties had been deleted. As a result, Johnston alleged that the MDU had withheld some information relating to him.
The court held that the DPA gives the data controller discretion whether to disclose amendments or deletions to the data made between the time the request was received and the time the information was supplied, where these would have been made regardless of the request. The data controller was only obliged to search through the data it had when the subject access request was received.
The court also held that before editing or amending documents to hide the identity of a third party, it must be shown that the person whose identity is withheld is either the source or the recipient of the information; and also that it is proper for the data controller to ask what, if any, legitimate interest the requesting individual has in receiving documents containing third party information.
Many organisations whose staff, such as call centre operators, receptionists or secretaries, process information about data subjects and may have been regarded as the source of the data, will find the judgment helpful. Faced with a subject access request, the usual practice is to obscure staff names, and this practice has now been held acceptable as such staff are no longer viewed as the source and their identities can be withheld or redacted from the documentation.
Good news for data holders
The guidance from the Information Commissioner further to Durant is welcome to businesses and advisers alike. The Commissioner considers that in light of the decision, it is likely that very few manual files will be covered by the DPA, taking most information about individuals held in manual form outwith the data protection regime and making it less accessible to those to whom it refers.
Businesses can take comfort in the narrow interpretation of the Act in relation to subject access requests for manual files, although the subject access rights of individuals have been reduced. Data protection experts have however expressed shock at the severity of the judgment and envisage that data controllers will use it to block access to the majority of subject access requests to manual files. A useful flow chart that can help you decide what is or is not a manual file can be accessed via www.informationcommissioner.gov.uk/eventual.aspx?id=5152.
Paul Motion of Ledingham Chalmers and Laura Gordon of Boyds are members of the Law Society of Scotland’s E-Commerce Committee