The spectre of Durant has haunted and stalked data protection officers for more than a decade; however, a case taken under the FOI Act has just exorcised this particular ghost. That is my conclusion from reading of the Court of Appeal decision that was published earlier this week (Edem v The Information Commissioner [2014] EWCA Civ 92).
As Durant is now not the demon it was, it is important to trace the history (from Durant to Edem) to explain what has happened and why?
Durant has always been a problem for data protection practitioners because Appeal Court’s “helpful” notions of “biographical significance” and “focus” were, in practice, far from “helpful”. These Durant notions, hand down by a superior court, have been slavishly followed by the lower Courts, irrespective of the issue before them, raising all sorts of curious decisions – of which Edem was just one.
The problem in a nutshell: Durant’s “notions” applied to the content of personal data and ignored the context that always needs to be considered whenever any personal data are processed.
However, our journey starts with Mr. Edem’s FOI request which became subject to a Decision Notice (dated 26 May 2011) when the Information Commissioner declined to order the disclosure of the names of three members of the staff of the Financial Services Authority. At the Information Tribunal, Mr Edem argued that the names of those who were identified in his FOI request were not personal data.
Following Durant like an automaton, the Tribunal concluded that "In our view the Disputed Information (these are the names of employees) is not biographical in any significant sense" and that in this case "The information does not go beyond the recording of the data subjects' involvement in a matter that has no personal connotations. It simply concerns a transaction or matter in which the individuals in question were involved".
It is important to understand how the Tribunal came to this conclusion by following Durant. I have commented on Auld LJ (at paragraph 28 of Durant) where he said:
" ….It seems to me that there are two notions that may be of assistance. The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject's involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised.” {CP comment: with respect to the name of an official in a work capacity, the Edem Tribunal accepted that there was little “going beyond… an event that has no personal connotations” nor a “privacy” issue}.
Auld LJ continued (at para 28 also):
“…The second (notion) is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person's or body's conduct that he may have instigated….{CP comment: in the Edem Tribunal, the official in a work capacity was deemed to be the equivalent of “some other person” as mentioned above}.
So there we have it; the Tribunal concluded that a recorded name held by a public authority is not personal data. Completely bonkers in my view - but there you are.
However, a name is hardly ever without a context. For instance, when I was a student (an apprentice quantum mechanic, no less!), there was a lecturer in the University called “John Smith”. Is a record of this name, personal data? However, the name of this “John Smith” (content of the data) cannot be separated from the context (i.e. this particular lecturer worked at a specific university chemistry department (the context)). This context allows this “John Smith” to be distinguished from the John Smith who was (another context follows) the leader of the Labour Party in the 1990s.
The Upper Tribunal Judge recognised that the content of the requested data had to be considered in context. That is why the Judge concluded:- "I've seen the name of officials and their names are not unique. But they can be identified from their names taken together with the contextual information of their grades and dates of employment. No one argued otherwise." (my emphasis).
So, Mr Edem had his victory reversed at the Upper Tribunal (a level below the Appeal Court). Fortunately, Mr Edem had another go; hence we arrive at the hearing in the Court of Appeal which then fettered the almost universal application of Durant.
It is pretty clear, that the Court of Appeal came to conclusion that the Upper Tribunal was correct and that recorded names were personal data. In its judgment, Moses LJ said:
- “It seems to me beyond question that those living individuals could be identified from a combination of their names and the documents emanating from the Financial Services Authority which show that they were working there ….”
- “In Criminal Proceedings against Lindqvist” (C-101/01, [2003] ECR 1-12971) the Court stated” that “the term personal data …. undoubtedly covers the name of a person in conjunction with his telephone co-ordinates or information about his working condition or hobbies."
- In “Commission v Bavarian Lager”(C-28/08 [2010] ECR 1-6055,) the Court “the definition of the concept of single 'personal data', correctly held that surnames and forenames may be regarded as personal data."
The real problem the Court had to address, therefore, was not dismissing Mr Edem’s claim (which “misunderstands the concept of an identifiable natural person”) but rather to avoid following Durant into the abyss.
The Court did this by picking up a comment from Buxton LJ (another Durant Judge) who agreed with everything which "had fallen from my Lord" (i.e. Auld LJ) adding that "The notions suggested by my Lord in his para. 28 will, with respect, provide a clear guide in borderline cases".(My emphasis)
However, the Appeal Court concluded that Edem was not a borderline case. There is no issue of “whether the information is biographical or sufficiently focussed upon a particular named individual” because “A name is personal data unless it is so common that without further information, such as its use in a work context, a person would remain unidentifiable despite its disclosure”.
The Court then went on to unequivocally give its blessing to the Information Commissioner's Technical Guidance to assist in determining "What Is Personal Data". This, according to the Court,“accurately sets out the effects of the statutory scheme” and“You need to consider 'biographical significance' only where information is not 'obviously about' an individual or clearly 'linked to' him". (CP comment: I have put this in bold italics because it is so important).
Following this advice, the Court concluded “the three names referred to in the e-mails were obviously about those three individuals and no further enquiry was needed. Judge Jacobs was right to reject the approach of the First-Tier Tribunal which was wrong as a matter of law”. Put simply, there is no need to apply the Durant tests when it is obvious you have personal data.
So there you have it. I think Durant has been marginalised and its “helpful notions” are only needed (i.e. resurrected) when it is not clear from the content or context or both whether the data are personal data or not.
The only regrettable aspect is that it has taken an FOI case, taken by a persistent litigant in person, to get there. This is because the data protection regime was designed to have few cases going to the Tribunal, whilst those on the DP/FOI interface (and considered under FOIA) are almost ten a penny.
Also, whereas in data protection circles, Durant has almost become a term of abuse, the name Edem will become revered (perhaps as in “Welcome to the Garden of Edem”).
References
Edem v The Information Commissioner & Anor [2014] EWCA Civ 92 (http://www.bailii.org/ew/cases/EWCA/Civ/2014/92.html)
Hopefully, I will no longer be writing blogs such as:
Durant strikes again! The names of those investigating complaints are not personal data. http://amberhawk.typepad.com/amberhawk/2012/04/durant-strikes-again-the-names-of-those-investigating-complaints-are-not-personal-data.html (This is my blog on the Edem case at the Tribunal).
CCTV images are accessible on subject access (or is it Durant misses the Dublin Bus?) http://amberhawk.typepad.com/amberhawk/2011/10/cctv-images-are-accessible-on-subject-access-or-is-it-durant-misses-the-dublin-bus.html (Another Durant classic)
A bizarre tale from the data protection/FOI interface: http://amberhawk.typepad.com/amberhawk/2010/02/a-bizarre-tale-from-the-data-protectionfoi-interface.html (yes - truly bizarre!)