InfoLawUpdate - What’s in a Name? “Personal Data”
Burnetts' information law solicitor Natalie Ruane highlights a recent case concerning personal data.
Section 40 of the Freedom of Information Act 2000 is one of the most used exemptions. It reads across directly to the provisions of the Data Protection Act 1998.
If you wish to use section 40 as an exemption, then the information that has been requested needs to be “personal data”.
Personal data is defined in section 1 of the Data Protection Act as
“Data which relate to a living individual who can be identified:
(a) from those data, or
(b) from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”
What is personal data has again fallen under the spotlight in the case of Edem v Information Commissioner and Financial Services Authority. Mr Edem’s complaint concerned the decision of the Financial Services Authority to withhold the names of three junior FSA officials who had worked on Mr Edem’s complaint but had not corresponded with him. Therefore Mr Edem was not aware of their names. The FSA had considered those officials’ names to be personal data and so exempt under section 40.
Mr Edem’s complaint went up to the Court of Appeal. The Court were readily satisfied that the individuals’ names taken with the documents from the FSA showing what capacity they worked in meant that they were identifiable from that data. The real issue for the Court of Appeal was whether or not the names were “personal data”.
The Court of Appeal seemed surprised that it had to consider this point at all as it noted that the European Court of Justice had twice already held that names were personal data under the Data Protection Directive.
The Court of Appeal unanimously held that the information was “plainly concerned with those three individuals”. The Court also went on to approve the Information Commissioner’s Data Protection Technical Guidance. In that Guidance it is suggested that it is only necessary to consider biographical significance of information if it is not obviously about the individual or clearly linked to them.
This decision is a welcome application of common sense by the Court. It would be bizarre law if a person’s name was not that person’s personal data. It is difficult to imagine what is more biographically significant about somebody than their name.
What this decision does is to remind those who have to apply section 40 of the Freedom of Information Act and deal with requests under the Data Protection Act that the starting point should be common sense. Some commentary is concerned about how this case has broadened the scope of personal data. That is not correct: an individual’s name has always been “personal data”.
What we need to avoid is the complication whereby every email which includes the individual’s name is to be treated as their own personal data. Whilst it is correct that every email into which they have been copied will fall within the scope of a subject access request, it will only fall within that scope in that the person’s name itself will be the personal data that needs disclosing. It does not mean that the content of the entire email is also within that scope unless the content of the email is also to do with the individual.
About the author
Natalie is a Partner and leads the Employment Law & HR team and specialises in education.
Published: Friday 8th August 2014
Categorised: Information Law