BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

Upper Tribunal (Administrative Appeals Chamber)


You are here: BAILII >> Databases >> Upper Tribunal (Administrative Appeals Chamber) >> Information Commissioner v Magherafelt District Council [2012] UKUT 263 (AAC) (14 June 2012)
URL: http://www.bailii.org/uk/cases/UKUT/AAC/2012/263.html
Cite as: [2013] AACR 14, [2012] UKUT 263 (AAC)

[New search] [Printable RTF version] [Help]


Information Commissioner v Magherafelt District Council [2012] UKUT 263 (AAC) (14 June 2012)
Information rights
Freedom of information - right of access

 

 

 

 

 

 


IN THE UPPER TRIBUNAL

(ADMINISTRATIVE APPEALS CHAMBER)

 

Upper Tribunal Case No: GIA/731/2010

 

 

PARTIES

 

 

The Information Commissioner (Appellant)

 

and

 

Magherafelt District Council

 

 

APPEAL AGAINST A DECISION OF A TRIBUNAL

 

 

 

DECISION OF THE UPPER TRIBUNAL

 

JUDGE MULLAN

 

 

 

 

DECISION BY THE UPPER TRIBUNAL

(ADMINISTRATIVE APPEALS CHAMBER)

 

 

The DECISION of the Upper Tribunal is to dismiss the appeal by the appellant.

 

The decision of the First-tier Tribunal (General Regulatory Chamber) (Information Rights) dated 3 February 2010 under file reference EA/2009/0047 does not involve an error on a point of law.  The appeal is dismissed.

 

This decision is given under section 11 of the Tribunals, Courts and Enforcement Act 2007.

 

 

REASONS

 

Introduction

 

1. In this case the Appellant is the Information Commissioner and the Respondent is Magherafelt District Council.

 

2. On 31 March 2010 the registrar wrote to the individual who had originally sought disclosure of the information which is the subject of the appeal to the Upper Tribunal, providing details of the appeal and indicating that it was open to that individual, under rule 9(3) of the Tribunal Procedure (Upper Tribunal) Rules 2008 to apply to be added as a party to the appeal, and if that course was to be adopted, setting out the requirements for application and service of response. There was no formal response by the Complainant to this invitation and to a further reminder issued on 21 June 2010. On 20 July 2010 the registrar spoke to the individual in a telephone conversation and provided details of the procedural aspects of the appeal to the Upper Tribunal. The individual confirmed that he did not wish, at that stage, to be added as a party to the proceedings.

 

Background to the appeal to the First-tier Tribunal

 

3. The background to the appeal to the First-tier Tribunal was set out in paragraphs 2 to 14 of the Tribunal’s decision, as follows:

 

‘2. By email dated 22 February 2008 the complainant, a local journalist, made a request for information to the Council in the following terms –

 

“How many members of council staff have been disciplined in the last three years?

 

Give details of the discipline.

 

How many members of council staff have been suspended from their posts in the last three years?

 

List the reasons why the person was suspended.

 

How many members of staff have been dismissed from their posts in the last three years?

 

Give reasons why the person was dismissed.

 

Personal information about any individual is not required. ”

 

3. The Council replied to the requester by email dated 19 March 2008 as follows –

“1. 15 members of staff, currently employed, were disciplined during the period 1 April 2003 – 31 March 2007.

 

3. No members of staff were suspended during the above period.

 

5. 3 members were dismissed.”

 

4. The Council further advised the requester that it would not disclose details of the disciplinary action taken against the 15 members of staff or the reasons for the 3 dismissals in accordance with section 40 FOIA (absolute exemption with regard to personal data).

 

5. The requester asked for an internal review of the Council’s decision by email dated 19 March 2008. The Council responded on 16 April 2008 upholding its decision to withhold the disputed information under section 40(2) FOIA. In addition, the Council asserted that the disputed information was also exempt under section 38 FOIA (qualified exemption in relation to health & safety).

 

The complaint to the IC

 

6. The requester complained to the Respondent, the IC, by email dated 5 June 2008.

 

7. By letter dated 13 November 2008 the Council provided the IC with a document consisting of details of the disciplinary action taken against the 15 employees. This is referred to in the Decision Notice and throughout this Tribunal’s decision as “the original schedule”. The original schedule contained the following information: the date of the disciplinary action; the gender, job title and department of the employee concerned; the penalty issued and the reason for the action taken.

 

8. Shortly afterwards, the Council provided the IC with a revised schedule containing details of the disciplinary action taken against the 15 employees which, at that time, it said it was prepared to release to the requester. This schedule is referred to in the Decision Notice and throughout this Tribunal’s decision as “the summarised schedule”. The summarised schedule contained only the penalty issued and reason for the action taken. It did not include the date of the disciplinary action or the gender, job title and department of the employee concerned.

 

9. Shortly thereafter the Council became aware of a House of Lords authority, Common Services Agency v Scottish Information IC [2008] UKHL 47; [2008] 1 WLR 1550 (“the CSA case”) and, after taking legal advice and in light of this case, it decided that it was no longer prepared to release the summarised schedule.

 

10. The IC served a Decision Notice dated 19 May 2009 in accordance with section 50 FOIA. The IC decided that the information contained in the original schedule was personal data. Further, the IC considered that disclosure of the original schedule would contravene the First Data Protection principle and that it was therefore exempt under section 40(2) FOIA.

 

11. However, the IC decided that the information contained in the summarised schedule was “fully anonymous” and did not therefore amount to personal data. He therefore found that the summarised schedule was not exempt under section 40(2) FOIA.

 

12. The IC went on to consider whether the summarised schedule was exempt under section 38(1) FOIA; he concluded that it was not.

 

13. In addition the IC found that in failing to cite the specific subsection of section 40 FOIA relied upon or to explain why the exemption applied the Council had contravened sections 17(1)(b) and 17(1)(c) FOIA respectively. Further, in failing to cite section 38 FOIA in its refusal notice, the Council had contravened section 10(1) FOIA.

 

14. In light of the above, the IC ordered the Council to disclose a copy of the summarised schedule to the requester.’

 

The appeal to the First-tier Tribunal

 

4. The Council’s grounds of appeal were summarised by the First-tier Tribunal as follows:

‘1. The IC erred in deciding that the summarised schedule did not contain personal data.

 

2. The summarised schedule did not fall within the scope of the request.

 

3. The IC erred in criticising the Council for failing to disclose the summarised schedule by way of informal resolution.

 

4. The IC erred in deciding that the Council had contravened section 17 FOIA by failing to specify which subsection of section 40 FOIA it relied upon.

 

5. The IC erred in deciding that the Council had contravened section 17(1) FOIA by failing to cite section 38 FOIA in its refusal notice.

 

6. The IC erred in concluding that the Council had contravened section 10(1) FOIA.’

 

5. The First-tier Tribunal adopted these grounds as representing issues which it was required to address ‘…adding only that, if it decided under ground 1 that the summarised schedule did contain personal data, it would need to proceed to consider whether disclosure would breach the Data Protection Principles and thereby fall within the absolute exemption in section 40(2) of FOIA.’

 

What did the First-tier Tribunal decide?

 

The evidence before the First-tier Tribunal

 

6. The First-tier Tribunal summarised the evidence which was before it at paragraphs 22 to 26 of its decision, as follows:

 

‘22. The documentary evidence before the Tribunal consisted of the original and the summarised schedules, the correspondence between the parties and a witness statement from Mr Tohill, the Director of Finance and Administration of the Council. The summarised schedule, being the disputed information, was not part of the open bundle or considered in the public part of the hearing. Mr Tohill gave his evidence in public, save for the parts in which he was questioned on the contents of the disputed information.

 

23. Mr Tohill told the Tribunal that the Council was a small authority with only 150 employees. All staff were known to each other and, he said, to a significant proportion of the local population. Magherafelt District Council has a population of 39,500.

 

24. Mr Tohill told the Tribunal that staff were generally aware of what disciplinary action was being taken and against whom, such that it would be easy for a journalist armed with the summarised schedule to approach employees and former employees, to ask questions with a view to identifying the people who committed the disciplinary offences on the list in the summarised schedule. The nature of some of the offences on the list would be such as to lead to an easy identification given the restricted number of persons carrying out each role in the authority.

 

25. Whilst the individuals themselves would be unlikely to divulge the information that they had been disciplined, it was likely that close working colleagues would be aware of a sanction where this involved a removal or temporary suspension from duties. In some circumstances, the person being disciplined would have asked a work colleague to support them through the process.

 

26. He claimed that as a result of the small size of the Council, there was a high level of knowledge amongst staff as to each others’ affairs. He likened it to a ‘family’. In such a small working environment, Mr Tohill claimed, it would be easy for a journalist, such as the requester, to make enquiries based on the summarised schedule and to find out the identities of the individuals involved.’

 

The conclusions of the First-tier Tribunal on the issues relevant to this appeal

 

7. The First-tier Tribunal considered each of the issues which had been raised by the appeal. Nonetheless, I have concentrated on the appeal tribunal’s conclusions in respect of two questions which are relevant to the present appeal:

 

(i)    whether the summarised schedule consisted of ‘personal data’; and

 

(ii)   would disclosure of the summarised schedule contravene any of the Data Protection Principles?

8. In connection with (i), the First-tier Tribunal began by noting that ‘… both parties drew support from the CSA case claiming that their interpretation was the true effect of this House of Lords [sic] authority.’

 

9. The ‘CSA’ case is Common Services Agency v Scottish IC ([2008] UKHL 47; [2008] 1 WLR 1550). It is appropriate, at this stage, to set out something of the background detail to the case.

 

10. The Common Services Agency was a special health board regulated by the Scottish Parliament, whose functions included the collection and dissemination of epidemiological information from other health boards. C, acting on behalf of a member of the Scottish Parliament, requested that the agency supply him with details of all incidents of child leukaemia by year for the Dumfries and Galloway postal area by census ward. The agency refused the request on the basis, inter alia, that there was a significant risk of the indirect identification of living individuals due to the low numbers resulting from the combination of the rare diagnosis, the specified age group and the small geographic area, and accordingly that it was 'personal data' within the meaning of section 1(1)(a)  of the Data Protection Act 1998 and was exempt information for the purposes of the Freedom of Information (Scotland) Act 2002. C applied to the Scottish Information Commissioner under the 2002 Act for a decision whether his request for information had been dealt with in accordance with Part I of the 2002 Act. Whilst the Commissioner was satisfied that (i) a living individual could be identified from the data at census ward level; (ii) that it constituted 'personal data' as defined by section 1(1); (iii) that the disclosure of the information would breach the first principle within Schedule I of the 1998 Act and should not be released as its release could be unlawful if it could constitute a breach of confidence and unfair as a person would not expect their diagnosis of leukaemia to be placed in the public domain and would expect it to remain confidential, the Commissioner determined that the agency could have offered the information in an alternative form using a disclosure control method known as 'barnardisation' which protected against potential identification of individuals and ordered the agency to do so. The agency appealed to the Court of Session, where the First Division refused the appeal, holding (i) that a table setting out the census ward data, banardised, would not constitute personal data of any of the children resident in the area who had in a relevant year been diagnosed with leukaemia; (ii) that it was information held by the agency at the time which the request had been received; and (iii) the Commissioner had been entitled to require the agency to provide that data in the exercise of his supervisory powers under the Act. The agency appealed to the House of Lords.

 

11. The First-tier Tribunal in the instant case found itself in agreement with the decision of a differently-constituted First-tier Tribunal in the case of Department of Health v Information Commissioner ([EA/2008/0074). More particularly, the First-tier Tribunal agreed with the approach taken by the Tribunal in the Department of Health case as to the proper interpretation of the decision of the House of Lords in Common Services Agency. Adopting the findings and conclusions of the differently-constituted tribunal in the Department of Health case, this meant that the First-tier Tribunal concluded (i) that Lord Hope, who delivered the leading speech in the decision, concluded that the Scottish Information Commissioner had not asked himself whether the barnadised data would be personal data within the meaning of section 1(1) of the 1998 Act and, if so, whether its disclosure would satisfy the disclosure principles; (ii) that the Scottish Information Commissioner had made an error of law in ordering the disclosure in barnadised form; (iii) a data controller cannot exclude personal data from the duty to comply with the Data Protection Principles ‘… simply by editing the data so that, if the edited part were to be disclosed to a third party, the third party would not find it possible from that part alone without the assistance of other information to identify a living individual.’ Paragraph (b) of the definition of “personal data” prevented this. It required account to be taken of other information which is in, or is likely to come into, the possession of the data controller; (iv) the reliance by the Information Commissioner on paragraphs 24 and 25 of the speech of Lord Hope for the submission that ‘…rendering the disputed information anonymous to a third party would enable the information to be released without having to apply the data protection principles …’ was ill-founded since the scenarios set out by Lord Hope in the relevant paragraphs did not apply in the instant case; (v) the reliance by the Information Commissioner on the comments made by Lord Hope, in paragraph 25 of his speech, on the relationship between the Data Protection Act 1998 and  Council Directive (EC) 95/46, and the extent to which section 1 of the 1998 Act gave effect to the Directive, was authority for the release of information which is anonymised in the hands of a third party without recourse to the 1998 Act, was also ill-founded.

 

12. In the view of the First-tier Tribunal the question which had been remitted back to the Scottish Information Commissioner in Common Services Agency was ‘…  whether Barnadisation would render it impossible for the Common Services Agency, subsequently, to identify the individuals to which the statistics related, even when read with other information held by the Agency.’ This conclusion as to the finding of fact remitted back to the Scottish IC was consistent with the broader interpretation of limb (b) of the definition of “personal data” being argued for by the Council in this case. Further, the consequences which would flow from the submitted interpretation of personal data put forward by the Information Commissioner were potentially absurd, The Freedom of Information Act 2000 did not create a presumption in favour of disclosure when dealing with the personal data of individuals.

 

13. In conclusion on this first question, the First-tier Tribunal, on the basis that the Data Protection Act 1998 was implementing an EC Directive aimed at the protection of the privacy of data subjects’ personal information, found that it was appropriate to adopt a purposive approach to construction. Adopting such a purposive approach and following the authority of Common Services Agency (presumably as interpreted in the accepted decision of the differently constituted tribunal in the Department of Health case) ‘…the Tribunal concluded that the summarised schedule did consist of “personal data” in the hands of the Council under limb (b) of the definition. As the IC had found to the contrary in the Decision Notice, it followed that, in the Tribunal’s view, it had not been in accordance with law.’

 

14. It is worth, at this stage, setting out the First-tier’s Tribunal’s conclusions in paragraph 39 of its decision, as this will be discussed in more detail below:

 

‘The Council argued that if the Tribunal was not minded to find the summarised schedule to be “personal data” under limb (b) of the definition, it should, in the alternative, so find on account of the direct identifiability of the individual employees from that document alone. In other words the summarised schedule was “personal data” under limb (a) of the definition. The Tribunal was of the view however that no individual could be identified by members of the public from the limited information in the summarised schedule alone. It would need to be linked with other information. There was no evidence before the Tribunal that any of the disciplinary offences referred to in the summarised schedule and which might have amounted to criminal offences had led to convictions in the courts (let alone any evidence that there had been any publicity following any such conviction). Nor was there any evidence before the Tribunal of any other wide spread public knowledge of particular disciplinary offences such that identification of the individuals to which the summarised schedule related would be possible. Whilst individual employees of the Council and indeed members of the public (e.g. friends and family of the disciplined staff) may have sufficient private knowledge to enable identification, the Tribunal was of the view that this was not the correct way to approach this issue. The information in the summarised schedule had to be viewed in the light of widespread public knowledge. In the absence of any evidence other than conjecture on the part of Mr Tohill as to the ease by which further investigations would uncover the identities, the Tribunal did not find itself able to find that there was a direct risk of identifiability from the summarised schedule alone. It followed that, in the Tribunal’s view, limb (a) of the definition of “personal data” did not apply.’

 

15. Having decided that the summarised schedule was personal data and was within the scope of the request, the First-tier Tribunal went on to consider whether disclosure of the schedule would contravene any of the Data Protection Principles.

 

16. The Council had argued that the two Data Protection Principles which were relevant to this issue were the first and second. In relation to the first principle, which provided that personal data must be processed fairly and lawfully and must not be processed, inter alia, unless at least one of the conditions set out in Schedule 2 to the Data Protection Act 1998 applied, both parties had agreed that the only relevant condition in Schedule 2 was that provided for in paragraph 6(1). As the issue will form part of the further analysis below, it is worth setting out the conclusions of the First-tier Tribunal on the fairness of disclosure, in full:

 

‘47. In considering first whether the disclosure would be fair, the Tribunal had regard to the expectations of the employees who were subject to the disciplinary processes. Mr Tohill had told the Tribunal that the Council employees and indeed the Council would have had an expectation that their disciplinary record details would be kept confidential. Integral to the question whether disclosure despite this expectation was fair, was the related question whether there was a real risk of identification by the public if the summarised schedule were to be disclosed. If not, then despite the reasonable expectation that disciplinary details would remain confidential, it might have been fair to disclose the summarised schedule.

 

48. It was argued by the Council that it would be easy for a journalist, speaking to other members of the Council’s staff, to identify the individuals referred to in the summarised schedule. The Tribunal, whilst clear that read on its own the summarised schedule would not identify particular individuals, did accept (given the small size of the authority and indeed the local population) that it would not be hard for a journalist to take steps to identify the individuals in question. This could then lead to wide spread publication of the names of the individuals, the disciplinary offences they had committed and the sanctions received. This was not the same as concluding that the summarised schedule on its own enabled identification (which would bring the information within limb (a) of the definition of “personal data”). Further investigative steps would need to be taken, but given that these did not appear to be onerous or unlikely, it would be artificial for the Tribunal to ignore what appeared to be a very real risk.

 

49. The Tribunal concluded therefore that public disclosure of the summarised schedule would be unfair to the data subjects (the employees in question) such that disclosure would be in breach of the First Data Protection Principle …’

 

17. The First-tier Tribunal then considered, although it did not have to do so, whether the conditions for processing set out in paragraph 6 of Schedule 2 to the Data Protection Act 1998, would be met. It concluded that it ‘…was not “necessary” within the terms of paragraph 6 of Schedule 2 for there to be disclosure of the summarised schedule. The legitimate interests in disclosure of information about disciplinary offences, such as they were, had already been met by a means that interfered less with the data subjects’ interests, that is, by the previous release of information about numbers and types of offences and sanctions.’ It was not necessary for the Tribunal to consider the second limb of the test in paragraph 6 of Schedule 2; whether disclosure would be in breach of the Second Data Principle; or whether the information contained within the summarised schedule was ‘sensitive personal data’.

 

The First-tier Tribunal’s substituted decision

 

18. The First-tier Tribunal substituted a decision to the following effect:

 

‘The Substituted Decision

 

For the reasons set out in the Tribunal’s determination, the substituted decision is as follows.

 

a) The disputed information consisting of the summarised schedule constitutes personal data pursuant to section 1(1)(b) of the Data Protection Act 1998.

 

b) The summarised schedule is exempt from disclosure under section 40(2) of the Freedom of Information Act 2000 (FOIA) on the grounds that disclosure would breach the First Data Protection Principle of the Data Protection Act 1998.

 

c) The Magherafelt District Council was not in breach of section 17 FOIA in failing to cite section 38 FOIA as an applicable exemption in the letter of refusal.

 

d) The Council was however in breach of section 17 FOIA in failing to explain why the section 40(2) FOIA exemption applied to the summarised schedule.’

 

The appeal to the Upper Tribunal

 

19. On 2 March 2010 an application for permission to appeal to the Upper Tribunal (Administrative Appeals Chamber) against the decision of the First-tier Tribunal was lodged by the Information Commissioner. On 4 March 2010 the Judge of the First-tier Tribunal, following consideration of the application, decided that the First-tier Tribunal should not review its decision; that permission would be given to the Information Commissioner to appeal to the Upper Tribunal (Administrative Appeals Chamber); and that any application for the appeal to be stayed should be made to the Upper Tribunal (Administrative Appeals Chamber) itself.

 

20. On 15 March 2010 the appeal was received in the Office of the Upper Tribunal (Administrative Appeals Chamber) in Belfast. The grounds of appeal will be set out in greater detail below but the appeal as received in the Upper Tribunal also included an application for a stay of the appeal pending the further appeal to the High Court from the decision of the First-tier Tribunal in the case of Department of Health v Information Commissioner

 

21. On 31 March 2010 the registrar wrote to the requester providing details of the appeal and indicating that it was open to the requester, under rule 9(3) of the Tribunal Procedure (Upper Tribunal) Rules 2008 to apply to be added as a party to the appeal, and if that course was to be adopted, setting out the requirements for application and service of response. There was no formal response by the requester to this invitation and to a further reminder issued on 21 June 2010.  

 

22. On 16 April 2010 another Judge of the Upper Tribunal (Administrative Appeals Chamber) issued initial Case Management Directions which included a direction to the Respondent to provide a response to the appeal within one month, such response to address the substantive issues raised by the appeal, any observations as to whether the appeal should be stayed and an indication as to whether an oral hearing of the appeal was desired.

 

23. On 19 May 2010 the Respondent forwarded the required response to the appeal to the Office of the Upper Tribunal in London. The response indicated agreement to the application for a stay of the appeal pending the further proceedings in the Department of Health case.

 

24. On 9 July 2010 I determined that the appeal should be stayed pending the decision of the High Court in England and Wales in Department of Health v Information Commissioner.

 

25. On 8 July 2011 and following the promulgation of the decision of Cranston J in R (on the application of the Department of Health) v Information Commissioner ([2011] EWHC  1430), I directed that the appellant provide a written submission on the applicability of the decisions of the Administrative Court in the Department of Health case and of the Three Judge Panel of the Upper Tribunal (Administrative Appeals Chamber) in All Party Parliamentary Group on Extraordinary Rendition v Information Commissioner and the Ministry of Defence on the issues arising in the present appeal and provided that the Respondent would have a month in which to reply to the Appellant’s further submission.

 

26. The further submission from the Appellant was received on 8 August 2011 having been shared by the Respondent with the Appellant on the same date. Further correspondence was received from the Appellant on 26 August 2011 in which it was indicated that the Appellant did not seek an oral hearing of the appeal. On 6 September 2011 a further response was received from the Respondent. In this further response, the Respondent noted the Appellant’s further submission had been filed a day after the expiry of the time for service of the response, as set out in my Case Management Directions of 8 July 2011. More significantly, the Respondent submitted that the further submissions went ‘… well beyond that which was directed by the Tribunal. They are not merely a submission on the impact of the Department of Health and APPGER cases but appear to constitute the ICO’s full submissions on the appeal.’ The Respondent then made further general submissions on the issues arising in the appeal and concluded that:

 

‘The Council would be content not to have an oral hearing of the appeal and would invite the Tribunal to fix a date for its consideration of the appeal on the papers, and to direct the service of full submissions on the appeal (or skeleton arguments), and an agreed bundle of authorities, in advance of that consideration.’

 

27. On 28 October 2011 the registrar wrote to both the Appellant and the Respondent explaining that as neither party had requested an oral hearing of the appeal then the matter would be dealt with by me on the papers alone. Further, both parties were given a further opportunity to prepare a final written submission. Through e-mail correspondence received on 3 November 2011, the Appellant indicated that the Information Commissioner was content to rely on the submissions already made and did not propose to lodge and serve any final appeal submission. A further written submission was received from the Respondent on 23 November 2011.

 

Errors of law

 

28. A decision of an appeal tribunal may only be set aside by the Upper Tribunal on the basis that it is in error of law. The Upper Tribunal has tended to follow the example of the former Social Security Commissioners in Great Britain in referring to the judgment of the Court of Appeal for England and Wales in R(Iran) v Secretary of State for the Home Department ([2005] EWCA Civ 982), which outlined examples of commonly encountered errors of law in terms that can apply equally to appellate legal tribunals. As set out at paragraph 30 of the decision of the Tribunal of Commissioners in R(I) 2/06 these are:

 

“(i) making perverse or irrational findings on a matter or matters that were material to the outcome (‘material matters’);

(ii) failing to give reasons or any adequate reasons for findings on material matters;

(iii) failing to take into account and/or resolve conflicts of fact or opinion on material matters;

(iv) giving weight to immaterial matters;

(v) making a material misdirection of law on any material matter;

(vi) committing or permitting a procedural or other irregularity capable of making a material difference to the outcome or the fairness of proceedings; …

 

Each of these grounds for detecting any error of law contains the word ‘material’ (or ‘immaterial’). Errors of law of which it can be said that they would have made no difference to the outcome do not matter.”

 

Was the decision of the First-tier Tribunal in the instant case in error of law?

 

The initial submissions of the parties

 

29. In the original application for leave to appeal, the Appellant submitted that the decision of the First-tier Tribunal was in error of law on the basis of its conclusion that ‘… the disputed information was personal data in the hands of the Council.’ More particularly, the Appellant noted that the First-tier Tribunal considered that the disputed information was personal data falling within the definition of personal data set out in section 1(1)(b) of the Data Protection Act 1998 ‘… because the Council held both the disputed information, the original schedule and personnel records; and with the assistance of those other documents, the Council would be able to identify the individuals to whom the information relates.’ The Appellant submitted that despite the fact that the Council held the original schedule and the personnel records and that it would be able, from the schedule and records to identify the individuals to whom the disputed information related, that did not disable the Council from processing the relevant information in such a way that it becomes data from which a living individual could no longer be identified. In turn, if that could be done then the information would no longer be personal data. Paragraph 27 of the decision in Common Services Agency v Scottish Information Commissioner was cited in support of that submission.

 

30. It was submitted that in Common Services Agency the House of Lords did not consider that the barnardised information would necessarily constitute personal data. Whether or not that was so would depend on whether it was information from which a living individual could no longer be identified. The First-tier Tribunal, in identifying that the question of fact that was remitted to the Scottish Information Commissioner by the House of Lords was whether the data could be processed in such a way that it could not be reconstituted to its individual form by the data controller, has mis-directed itself. The real question of fact was whether the barnardised information was information from which a living individual could no longer be identified.

 

‘This was the question that the Tribunal was required to address in the present case, in relation to the summarised schedule that constituted the disputed information. The answer was that the summarised schedule was not information from which a living individual could be identified, and thus did not constitute personal data …’

 

31. In its response to the appeal, the Respondent submitted that the First-tier Tribunal was correct to find that the information in the summarised schedule constituted personal data on the grounds that the individuals could be identified from that information when put together with other information in the hands of the Respondent. The Respondent supported the reasons given by the First-tier Tribunal for that conclusion and, more particularly, its acceptance of the reasoning of the parallel First-tier Tribunal in the Department of Health case. The Respondent, in agreeing that the instant appeal should be stayed pending the outcome of the further appeal to the High Court in the Department of Health case, made a further submission that:

 

‘… the Respondent maintains that, contrary to the findings of the FTT in [paragraph] 39 of its decision, the information contained in the summarised schedule constituted personal data within s. 1(1)(b) DPA for the alternative reason that individuals could be identified from that information taken together with other information which is in, or could fall into, the hands of a third party, such as an investigative journalist. (It was common ground before the Tribunal that s. 1(1)(b) should be read consistently with recital (26) to the EC Data protection Directive, 95/46/EC, so as to extend to information which is identifiable having regard to the means likely to be available to a third party).’

 

The further submissions of the parties

 

32. Following the issue of my further Case Management Directions on 8 July 2011, the Appellant produced an additional submission on the applicability of the decisions of the Administrative Court in the Department of Health case and of the Three Judge Panel of the Upper Tribunal (Administrative Appeals Chamber) in All Party Parliamentary Group on Extraordinary Rendition v Information Commissioner and the Ministry of Defence on the issues arising in the present appeal.

 

33. The Appellant began by arguing that in light of the decision of the Administrative Court in the Department of Health case and, more particularly, in light of the Court’s interpretation of the decision of the House of Lords in Common Services Agency, the First-tier Tribunal had erred in reaching the conclusion that the disputed information (in the summarised schedule) was personal data:

 

‘The Department of Health (‘DOH’) argued that the statistics constituted personal data within section 1(1)(b) DPA (from those data and other information which is in the possession of the data controller) because patients and doctors could be identified from the statistics taken together with the other information in the DOH s possession, in other words from the forms from which the statistics were compiled. The Commissioner argued that, as the DOH always held the key to identify the individual doctors and patients, the statistics would remain personal data in the hands of the DOH, as data controller, though, on disclosure, provided that the information was sufficiently anonymised, the information would no longer amount to personal data in the hands of the recipient.

 

The decision of the High Court also turned on the interpretation of the House of Lords decision in the CSA case. The High Court concluded as follows:-

 

a. The court did not accept the submissions of the DOH that the key factual issue in CSA was whether barnardisation would render data fully anonymous even to the data controller and that that was the issue that Lord Hope ordered to be referred back to the Scottish Information Commissioner (para 50).

 

b. The judge was of the view that “the only interpretation open of Lord Hope s order is that it recognised that although the Agency held the information as to the identities of the children to whom the requested information related, it did not follow from that that the information, sufficiently anonymised would still be personal data when publicly disclosed. All members of the House of Lords agreed with Lord Hope’s order demonstrating, in my view their shared understanding that anonymised data which does not lead to the identification of a living individual does not constitute personal data.” (emphasis added) (para 51).

 

c. The above conclusion reflected the third part of recital 26 of Directive 95/46/EC which states that the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable (para 53).

 

The decision of the High Court indicates that, in deciding whether purportedly anonymised information to be disclosed in response to a request for information under the Act, is personal data (that may only be disclosed in compliance the data protection principles) consideration must be given to whether the requested information would be personal data in the hands of the recipient.

 

The Upper Tribunal in the APPGER had previously reached the same conclusion. The Hon Mr Justice Blake concluded that, again interpreting the decision of the House of Lords in the CSA case, “the best analysis if that disclosure of fully anonymised information is not a breach of the protection of the Act because at the moment of disclosure the information loses its character as personal data. It remains personal data in the hands of the data controller, because the controller holds the key, but it is not personal data in the hands of the recipients, because the public cannot identify any individual from it” (paragraph 128).

 

Following this reasoning, it is submitted that the disputed information in this case remains personal data in the hands of the Council as the Council holds other information which would enable it to identify the individuals who are the subject of the summarised schedule but on disclosure if the information is truly anonymised in the hands of the recipient, it would no longer amount to personal data. Whilst the Commissioner accepts that the Upper Tribunal is not bound by the decision of the Upper Tribunal in the case of APPGER, the Upper Tribunal is bound by the High Courts decision in the England & Wales Department of Health case and is invited to follow this decision for the purposes of this appeal.’ 

 

34. For the instant case, the Appellant submitted that the question which emerges from this analysis is whether a recipient of the disputed information could identify the individuals to whom the purportedly anonymised information relates. The Appellant submitted that as:  

 

‘… the Act is ‘applicant blind’ … the public authority must therefore consider whether the information to be disclosed would be personal data not in the hands of the particular party who has made [the disclosure] request but in the hands of the general public.’

 

35. Could, therefore, and on an application of the principles in the Department of Health case, the public identify the individuals to whom the summarised schedule relates? The Appellant submitted that there was no evidence of any other information existing in the public domain which was in the possession, or might be likely to come into the possession of the public, which would permit the public to identify the individuals to whom the requested information related. The First-tier Tribunal, albeit in the context of deciding whether the summarised schedule amounted to personal data for the purposes of section 1(1)(a) of the Data Protection Act 1998, found no evidence to suggest that there was information in the public domain that would enable a member of the public to identify an individual from the summarised data alone. Those who were already aware of the information could reasonably be discounted. Further, local knowledge or speculation that the person to whom the information relates is one of a small group of people is not sufficient and evidence would be required as to the nature and extent of other information in the public domain and to the likelihood that that information would enable identification. The First-tier Tribunal’s approach to this issue was consistent with the approach of the Court of Session in Craigdale Housing Association and others v Information Commissioner ([2010] CSIH 43).

 

36. The Appellant conceded that in light of the decision of the Administrative Court in the Department of Health case, it would have been appropriate for the First-tier Tribunal to have considered the factor of the risk of identification in assessing whether the summarised schedule amounted to personal data. The First-tier Tribunal had addressed the issue of the risk of identification but in the context of whether disclosure would be fair in compliance with the first Data Protection Principle.

 

37. The Appellant submitted that the decision of the parallel First-tier Tribunal in the Department of Health had alluded to the concepts of the ‘motivated intruder’ and the ‘motivated defender’. A ‘motivated intruder’ was ‘… a person who starts without any prior knowledge but who wishes to identify the individual or individuals referred to in the purportedly anonymised information and will take all reasonable steps to do so.’. The question was then one of assessment by a public authority as to ‘… whether, taking account of the nature of the information, there would be likely to be a motivated intruder within the public at large who would be able to identify the individuals to whom the disclosed information relates.’

 

38. The Appellant accepted that a journalist, interested in publishing a story around the withheld information could be such a ‘motivated intruder’. Nonetheless, the evidence which was provided to the First-tier Tribunal by the Respondent was insufficient for the Tribunal to reach its conclusion that there was a ‘very real’ risk of identification. Further, the First-tier Tribunal’s conclusions, at paragraph 48 of its decision, concerning the ‘very real’ risk of identification was in direct conflict with one of its earlier conclusions at paragraph 39.

 

39. A ‘motivated defender’ was described in the following context by the Appellant:

 

‘People who hold other information (which may have been passed to them in confidence) that may assist a motivated intruder to identify an individual or at least narrow down the likely individuals to a group of people may be under social (loyalty to friends and family) or professional (legal confidentiality) obligations which would preclude them from sharing what they know. Such individuals may be described as motivated defenders of individuals’ identities.’

 

40. The Appellant submitted that there would be a reasonable expectation on the part of the individuals to whom the summarised schedule related that information voluntarily shared with work colleagues would be kept confidential and that such information would not be passed to a third party. The First-tier Tribunal had erred in failing to consider whether, on the facts of the case the other members of staff would be a ‘motivated defender’ who would be likely to prevent information within the Council being passed on to others who have not been confided in by the individuals to which the disputed information related.

 

41. The Respondent began their own response by repeating its submission that the First-tier Tribunal was correct in its conclusion that the Council was entitled to resist disclosure of the summarised schedule on the grounds that the information contained within that schedule was exempt pursuant to section 40(1) FOIA, on account of it being personal data, the disclosure of which would breach the first Data Protection Principle. The Respondent conceded, however, that the reasoning of the First-tier Tribunal on whether the summarised schedule contained personal data would have to be revisited as a result of the decision of the Administrative Court in the Department of Health case. Nonetheless, the other findings of the First-tier Tribunal mean the Respondent must succeed on the personal data issue on an alternative basis which was not called into question by the Department of Health case.

 

42. The First-tier Tribunal, having concluded that the summarised schedule feel within limb (b) of the definition of personal data in section 1(1) DPA 1998, because living individuals could be identified from the summarised schedule taken together with other information held by the Council, did not consider whether the summarised schedule contained personal data under the same limb (b) on the alternative basis that a living individual could be identified from the information in the summarised schedule taken together with information which was in the possession of persons other than the Council.

 

43. The Respondent submitted that the First-tier Tribunal did consider, albeit obiter, that the summarised schedule contained personal data within limb (a) of the definition of personal data in section 1(1) DPA 1998. As was noted above, the First-tier Tribunal could not find a direct risk of identifiability from the summarised schedule alone. It followed that the definition of data in limb (a) could not apply.

 

44. The Respondent submitted that the Council accepted that the decision of the Administrative Court in the Department of Health case represented the correct approach to limb (b) of the definition of personal data in section 1(1) DPA 1998 and that the Upper Tribunal should adopt the approach set out in the Department of Health case. Further, the Respondent submitted that the First-tier Tribunal in the Department of Health case, having found that the information in dispute was personal data within limb (b) of the definition of personal data within section 1(1) DPA 1998, on account of information held by the data controller, it did not have to consider whether the information in dispute was personal data within limb (b) on the alternative ground that living individuals could be identified after disclosure of the information. Nonetheless, the First-tier Tribunal, as part of an examination as to whether disclosure of the information would breach any of the Data Protection Principles and, more particularly, whether disclosure would be unfair, did, in fact address the issue of the extent of risk of identification by third parties after disclosure. The First-tier Tribunal had found that the possibility of identification of a living individual by a third party after disclosure was ‘extremely remote’. The Respondent submitted that:

 

‘12. In §55 of his judgment (…), Cranston J applied the ruling which the FTT had made under the head of “fairness” in order to resolve the question, which the FTT had not directly addressed, of whether the information could be personal data under limb (b) on account of the risk of identification of living individuals after disclosure of the information to the public. Since the risk of identification by a third party was extremely remote, it followed that limb (b) could not apply on that basis either.’

 

45. The Respondent submitted that what the Upper Tribunal should do is to answer the question as to whether limb (b) of the definition of personal data in section 1(1) DPA 1998 is applicable on ‘… account of risk of identification after disclosure with reference to relevant findings which the FTT made on the issues of fairness and disclosure.’ The submitted conclusion was as follows:

 

‘15. As in the Department of Health case, these findings on the issue of fairness are directly applicable to the unresolved limb (b) question, whether living individuals could be identified from the information in question taken together with other information in the possession of, or likely to come into the possession of, a third party. In the Department of Health case, the fairness findings were conclusive against the application of limb (b) of the definition of personal data. But in the present case, the position is the opposite: having reached the view which it did on the risk of identification in the context of fairness, it is plain and obvious that the FTT would have reached the same view of the facts if it had sought to apply limb (b) on the correct footing, and would have held that limb (b) was applicable to the Summarised Schedule.’

 

46. The Respondent noted that the Appellant had agreed that, in light of the decision of the Administrative Court in the Department of Health case that it would have been appropriate for the First-tier Tribunal to have considered the risk of identification when considering whether the information in dispute amounted to personal data. The Appellant went on, however, to challenge the findings which the First-tier Tribunal had made in connection with this issue. More particularly, the Respondent submitted that:

 

·       The Appellant had not appealed against the finding of the First-tier Tribunal that there was a very real risk of identification of individuals by a third party such as a journalist making routine enquiries on the basis of the information in the summarised schedule.

 

·       It was, accordingly, difficult to understand how the Appellant could purport to criticise the factual findings of the First-tier Tribunal and such criticisms should be disallowed and ignored by the Upper Tribunal.

 

·       The reason why the Appellant did not appeal against the findings of the First-tier Tribunal in fairness was that such findings cannot be overturned in an appeal on a point of law.

 

·       There was no inconsistency between the findings of the First-tier Tribunal in paragraph 39 of its decision and its conclusions at paragraph 48. The First-tier Tribunal recognized that its findings in paragraph 39 were in connection with whether the definition of personal data in limb (a) of section 1(1) DPA 1998 and its findings in paragraph 48 were related to a very different issue.

 

·       The First-tier Tribunal was entitled to consider the steps which a journalist might take to identify individuals using the summarised schedule as a starting point.

 

·       Many of the criticisms of Mr Tohill’s evidence were not put to him during the course of the hearing before the First-tier Tribunal.

 

The relevant legislative background

 

47. The relevant statutory background and its context were set out by Cranston J at paragraphs 12 to 24 of his decision in R (on the application of the Department of Health) v Information Commissioner. I have reproduced those paragraphs in Appendix A to this decision. I have also added certain passages from the speech of Lord Hope in Common Services Agency v Scottish Information Commissioner, on the context of the relevant statutory framework, including the Data Protection Act 1998, the Freedom of Information Act 2000, and the Freedom of Information (Scotland) Act 2002 as Appendix B.

 

Analysis

 

48. As was noted above, the appeal was stayed pending the outcome of the proceedings before the Administrative Court in R (on the application of the Department of Health) v Information Commissioner. What was decided in that case?

 

49. Much of what was at issue in the Department of Health case has been set out above in the analysis of the decision of the First-tier Tribunal in the instant case. The key paragraphs in the judgment of Cranston J are at 49 to 55:

 

‘49. It would be wrong to pretend that the interpretation of the CSA case is an easy matter.  In my view, the starting point to a solution lies in the order Lord Hope proposed.  That was that the matter be remitted to the Commissioner

 

"so that he can examine the facts in the light of your Lordship's judgment and determine whether the information can be sufficiently anonymised for it not to be 'personal data'.  If he decides that it cannot be so anonymised, he will need then to consider whether its disclosure to [the researcher] will comply with the data protection principles."  [44]

 

50. Mr Eadie QC submits that the key factual issue in CSA was whether barnardisation would render data fully anonymous even to the data controller, and that that was the issue that Lord Hope ordered referred back to the Scottish Information Commissioner.  He invokes in support the reasons given by the First Tier Tribunal in Magherafelt District Council v Information Commissioner EA/2009/0047, paragraphs 33 to 34.  That, to my mind, cannot be correct.  In the Inner House, the Lord President described barnardisation as the random modification of small numbers, and continued ([2007] SC 231, 233)

 

"By adding zero plus one or minus one to all values where the true value lies in the range of two to four inclusive adding zero or plus one to cells where the value is one, zeros are kept as zero."

 

If that is all that there is to barnardisation, it would have been obvious to the Appellate Committee, in the CSA case that it would have done little, if anything, to further the anonymisation of the data, given its nature.  Barnardisation would certainly not have rendered it "fully anonymous", to use the phrase Mr Eadie QC majored on, to members of the Agency, who still had the original data.

 

51. In my view, the only interpretation open of Lord Hope's order is that it recognised that although the Agency held the information as to the identities of the children to whom the requested information related, it did not follow from that that the information, sufficiently anonymised, would still be personal data when publicly disclosed.  All members of the House of Lords agreed with Lord Hope's order demonstrating, in my view, their shared understanding that anonymised data which does not lead to the identification of a living individual does not constitute personal data.

 

52. In my judgment, this conclusion maintains faith with Lord Hope's reasoning.  The status of information in the data controller's hands did not arise for decision in the CSA case.  It was concerned with the implications of disclosure by the data controller, and hence Lord Hope's order.  The relevant part of Lord Hope's speech, the background to the order, is paragraph 27, which I quoted earlier.  The opening sentence of paragraph 27 acknowledges that the Agency holds the key to identifying the children, but continues that, in his Lordship's opinion, the fact that the Agency had access to this information did not disable it from processing it in such a way consistent with recital 26 of the Directive, "that it becomes data from which a living individual can no longer be identified".  That must relate to whether any living individuals can be identified by the public following the disclosure of the information.  It cannot relate to whether any living individuals can be identified by the Agency, since that is addressed in the first sentence of the paragraph.  Thus the order made by the House of Lords in the CSA case was concerned with the question of fact, whether barnardisation could preclude identification of the relevant individuals by the public.

 

53. Secondly, the conclusion reflects the legal backdrop to the definition of personal data in the DPA, which is recital 26 of Directive, with the ambit of protection drawn in the third part of the recital so as not to apply to data rendered anonymous in such a way that the data subject is no longer identifiable.  Mr Eadie QC relies heavily on the Article 29 Working Party opinion.  Even if the passages he cited, summarised earlier in the judgment, can be interpreted in the manner he contends, the juridical status of this type of advisory report is lower, in my view, than that of the Directive itself.

 

54. Finally, any other conclusion seems to me to be divorced from reality.  The Department of Health's interpretation is that any statistical information derived from reporting forms or patient records constitutes personal data.  If that were the case, any publication would amount to the processing of sensitive personal data.  That would be so notwithstanding the statistical exemption in Section 33, since that exemption does not exclude the requirement to satisfy Schedule 3 of the DPA.  Thus, the statistic that 100,000 women had an abortion in a particular year would constitute personal data about each of those women, provided that the body that publishes this statistic has access to information which would enable it to identify each of them.  That is not a sensible result and would seriously inhibit the ability of healthcare organisations and other bodies to publish medical statistics. 

 

55. Thus, on this issue, the Tribunal was wrong in its interpretation of the law.’

 

50. In the instant case, the First-tier Tribunal relied on the reasoning of the parallel First-tier Tribunal in the Department of Health case and, more significantly, the interpretation given by that First-tier Tribunal of the decision of the House of Lords in Common Services Agency. The reasoning of the First-tier Tribunal in the Department of Health case, including its interpretation of Common Services Agency was found to be flawed by Cranston J in the Administrative Court. Further, the judge was not persuaded by the argument that the decision of the First-tier Tribunal in the instant case reinforced the view taken in the Department of Health case at First-tier.

 

51. I am in agreement that the interpretation given by Cranston J to the decision of the House of Lords in Common Services Agency is, at this stage, definitive. The proper approach to the question of whether anonymised information is personal data within section 1(1)(b) of the Data Protection Act 1998, for the purposes of a disclosure request, is to consider whether an individual or individuals could be identified from it, and other information which is in the possession of, or likely to come into the possession of the recipient after it had been disclosed.

 

52. For my part, I would agree that the relevant paragraph in the speech of Lord Hope in Common Services Agency paragraph 27:

 

‘In this case it is not disputed that the Agency itself holds the key to identifying the children that the barnardised information would relate to, as it holds or has access to all the statistical information about the incidence of the disease in the Health Board's area from which the barnardised information would be derived. But in my opinion the fact that the Agency has access to this information does not disable it from processing it in such a way, consistently with recital 26 of the Directive, that it becomes data from which a living individual can no longer be identified. If barnardisation can achieve this, the way will be then open for the information to be released in that form because it will no longer be personal data. Whether it can do this is a question of fact for the respondent on which he must make a finding. If he is unable to say that it would in that form be fully anonymised he will then need to consider whether disclosure of this information by the Agency would be in accordance with the data protection principles and in particular would meet any of the conditions in Schedule 2. This is the more difficult of the two routes that I have mentioned. As the issues were fully argued I shall say what I think about them. But there is no doubt that the respondent's task will be greatly simplified if he is able to satisfy himself that the process of barnardisation will enable the data to be sufficiently anonymised.’

 

53. I also agree that to the extent that the First-tier Tribunal relied on the reasoning of the parallel First-tier Tribunal in the Department of Health case, that reasoning is flawed and, as in that case, was wrong on its interpretation of the law.   

 

54. Does that render the decision of the First-tier Tribunal as being in error of law? It is important to recall that the first two parts of the substituted decision of the First-tier Tribunal were that:

 

‘a) The disputed information consisting of the summarised schedule constitutes personal data pursuant to section 1(1)(b) of the Data Protection Act 1998.

 

b) The summarised schedule is exempt from disclosure under section 40(2) of the Freedom of Information Act 2000 (FOIA) on the grounds that disclosure would breach the First Data Protection Principle of the Data Protection Act 1998.’

 

55. The Respondent has argued that there was an alternative basis on which the First-Tier Tribunal in the instant case could also have decided that the disputed information in the summarised schedule constituted personal data within section 1(1)(b) of the Data Protection Act 1998. This was because there was a real risk of living individuals being identified after disclosure of the anonymised information. As was noted above, the Respondent submitted that in the Department of Health case, Cranston J noted that the First-tier Tribunal in that case had considered, as part of an examination of whether disclosure would breach any of the Data Protection Principles, the extent of the risk of identification by third parties after disclosure. Having found that such a risk was ‘extremely remote’ the judge ‘… applied the ruling which the FTT had made under the head of “fairness” in order to resolve the question, which the FTT had not directly addressed, of whether the information could be personal data under limb (b) on account of the risk of identification of living individuals after disclosure of the information to the public. Since the risk of identification by a third party was extremely remote, it followed that limb (b) could not apply on that basis either.’ The Respondent submitted that the Upper Tribunal should adopt the same approach

 

56. I have to ask whether there is, as has been submitted by the Respondent, a second basis upon which the definition of personal data in section 1(1)(b) of the Data Protection Act 1998 might be satisfied. It is important to remember that the precise definition of personal data in section 1(1)(b) is data in relation to a living individual who can be identified from those data and other information which is in the possession of, or likely to come into the possession of, the data controller. The Respondent submits that despite the apparent restriction of the wording in section 1(1)(b) to identification from data linked to other information in the possession of (or likely to come into the possession of) the data controller, it is possible for the definition in section 1(1)(b) to be satisfied on the basis that a living individual could be identified from data linked to other information which was in the possession of (or likely to come into the possession of) persons other than the data controller.

 

57. I am reminded of what Cranston J had to say, at paragraphs 17 and 21 to 22 of his decision in the Department of Health case, about the relationship between the Data Protection Act 1998 and Directive 95/46/EC:

 

‘17. The DPA was enacted to implement European Council Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.  In accordance with established principles the DPA must be interpreted insofar as possible in a manner consistent with the directive, including its recitals.  Recital 26 reads in part:

 

"Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas to determine whether a person is identifiable account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles the protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable ..."

 

21. The concept of personal data in Directive 95/46/EC was considered at length by an advisory working party to the Commission, constituted under Article 29 of the directive ("the Article 29 working party").  Its Opinion 4/2007 on the concept of personal data was adopted in June of 2007.  It states that the objective was to reach a common understanding on the concept of personal data.  It noted that the proposal of the European Commission for a directive had been amended to meet the wishes of the European Parliament, that the definition of personal data should be as general as possible so as to include all information concerning an identifiable individual.  It also noted the objective of the rules in the directive as being to protect individuals.  The working party stated that the better option was not to restrict unduly the interpretation of the definition of personal data, but rather to note that there was considerable flexibility in the application of the rules to the data.  National authorities should endorse a definition which was wide enough so that it would catch all "shadow zones" within its scope, while making legitimate uses of the flexibility contained in the directive.  The text of the directive invited a development of policy which combined a wide interpretation of the notion of personal data and an appropriate balance in the application of the directive's rules. 

 

22. The working party report continued that, in general terms, information could be considered to relate to an individual when it was about that individual.  To determine whether a person was identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify that person.  The report concluded that anonymous data in the sense used when applying the directive could be defined as any information relating to a natural person, where the person could not be identified, whether by the data controller or by any other person, taking account of all means likely reasonably to be used to identify that individual.’

 

58. Similarly, in Common Services Agency, Lord Hope stated, at paragraph 7:

 

‘[7] In my opinion there is no presumption in favour of the release of personal data under the general obligation that the 2002 Act lays down. The references which the 2002 Act makes to provisions of the 1998 Act must be understood in the light of the legislative purpose of that Act, which was to implement the 1995 Directive. The guiding principle is the protection of the fundamental rights and freedoms of persons, and in particular their right to privacy with respect to the processing of personal data (see recital 2 of the preamble to, and art 1(1) of, the 1995 Directive).’

 

59. That reflects the comments of Auld LJ in Durant v Financial Services Authority ([2003] EWCA Civ 1746). At paragraph 3 he stated:

 

‘3. The 1998 Act was enacted, in part, to give effect to Directive 95/46/EC of 24th October 1995 On The Protection Of Individuals With Regard To The Processing Of Personal Data And On The Free Movement Of Such Data (“the 1995 Directive”).  It should, therefore, be interpreted, so far as possible in the light of, and to give effect to, the Directive’s provisions.  In Campbell v. MGN  [2002] EWCA Civ 1373, [2003] QB 633, CA, Lord Phillips of Worth Matravers, MR, said at para. 96:

 

“In interpreting the Act it is appropriate to look to the Directive for assistance.  The Act should, if possible, be interpreted in a manner that is consistent with the Directive.  Furthermore, because the Act has, in large measure, adopted the wording of the Directive, it is not appropriate to look for the precision in the use of language that is usually to be expected from the parliamentary draftsman.  A purposive approach to making sense of the provisions is called for.”’

 

60. The emphasis in all of the quotations is my own.

 

61. It is legitimate, therefore, to look to the terms of the Directive to derive assistance when interpreting the Data Protection Act 1998 and, in turn, it is appropriate to interpret the 1998 Act in a manner consistent with the 1995 Directive.

 

62. Recital 26 of the preamble to Directive 95/46/EC is in the following terms:

 

'Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable ... '

 

63. Once again the emphasis in this quotation is my own. The extension of the principles of protection and, more significantly, the factors determining identifiability, to means likely reasonably to be used either by the data controller or by any other person is, arguably, wider than what is proposed in the act, where, by section 1(1)(b) identification is restricted to the data controller.

 

64. Nonetheless I am satisfied that it is appropriate to interpret section 1(1)(b) in harmony with the principles set out in Recital 26 of the preamble to Directive 95/46/EC even if that has the effect of widening the ambit of that definition. I find support for this conclusion in the remarks of Lord Hope at paragraphs 25 and 26 of Common Services Agency:

 

‘[25] … The definition of 'personal data' gives effect to recital 26. The first phrase in the recital is the situation referred to in head (a) of the definition, where the information itself enables the person to whom it relates to be identified. The second phrase is the situation referred to in head (b), where the information has this effect when taken together with other information. The third phrase casts further light on what member states were expected to achieve when implementing the 1995 Directive. Rendering data anonymous in such a way that the individual to whom the information from which they are derived refers is no longer identifiable would enable the information to be released without having to apply the principles of protection. Read in the light of the 1995 Directive, therefore, the definition in s 1(1) of the 1998 Act must be taken to permit the release of information which meets this test without having to subject the process to the rigour of the data protection principles.

 

[26] The effect of barnardisation would be to conceal, or disguise, information about the number of incidences of leukaemia among children in each census ward. The question is whether the data controller, or anybody else who was in possession of the barnardised data, would be able to identify the living individual or individuals to whom the data in that form related. If it was impossible for the recipient of the barnardised data to identify those individuals, the information would not constitute 'personal data' in his hands. But we are concerned in this case with its status while it is still in the hands of the data controller, as the question is whether it is or is not exempt from the duty of disclosure that the 2002 Act says must be observed by him.’

 

65. The emphasis in this quotation is, once again, my own. It seems to me that Lord Hope, in linking the definition in section 1(1) of the Data Protection Act 1998 to Directive 95/46/EC, and, more particularly to Recital 16, concludes that the definition in section 1(1)(b) must extend to persons other than the data controller.

 

66. It seems to me that the Information Commissioner has also presaged the extension of the definition in section 1(1)(b) to include persons other than the data controller. In his published document ‘Data Protection Act 1998 – Legal Guidance’ at paragraph 2.2.25, the following guidance is given:

 

‘Whether or not data which have been stripped of all personal identifiers are personal data in the hands of a person to whom they are disclosed, will depend upon that person being in possession of, or likely to come into the possession of, other information which would enable that person to identify a living individual.’

 

67. Finally, the Information Commissioner, as Appellant in the instant case, has not submitted that the proposed interpretation given to section 1(1)(b) of the Data Protection Act 1998 by me is incorrect. Rather it has made further submissions on the question of ‘…whether the recipient of the disputed information in this case could identify the individuals to whom the purportedly anonymised information relates.’

 

68. My conclusion on what I consider to be the proper interpretation of section 1(1)(b) of the Data Protection Act 1998 is not the end of the matter, however. I have to answer the question as to whether, for the purposes of section 1(1)(b) of the 1998 Act living individuals could be identified from the information in the summarised schedule and other information which is in the possession of, or is likely to come into the possession of persons other than the data controller and, for the purposes of this case, the intended recipient of the summarised schedule after disclosure.

 

69. It is clear that the First-tier Tribunal below made no specific findings in connection with the question set out in the preceding paragraph. The Respondent, however, points to other findings of the First-tier Tribunal in connection with its consideration of the question as to whether disclosure would contravene any of the Data Protection Principles. Those findings were concerned with the specific issue of the risk of identification of a living individual by a third party after disclosure. Accordingly they could be applied to this specific question. That was the method adopted by Cranston J in the Department of Health case and the Respondent urged me to espouse the same approach. 

 

70. Not so submitted the Appellant who pointed to other findings by the First-tier Tribunal, albeit also in connection with another issue, namely whether the data in the summarised schedule was personal data for the purposes of section 1(1)(a). The Appellant urged me to accept those findings as definitive of the application of section 1(1)(b). Further, the findings on the potential contravention of the Data Protection Principles were in direct conflict with its findings in respect of the possible application of section 1(1)(a). Finally, the appeal tribunal’s conclusions of the First-tier Tribunal relating to the risk of identification could be challenged on the basis that too much weight was given to the evidence of an officer of the Council.

 

71. The Respondent countered with a submission that (i) the findings of the First-tier Tribunal on the question of the potential contravention of the Data Protection Principles should not be permitted to be the subject of a challenge on an appeal on a point of law (ii) that there is no inconsistency between the findings of the First-tier Tribunal on the question of the possible application of section 1(1)(a) of the Data Protection Act 1998 and its findings with respect to the potential contravention of the Data Protection Principles and (iii) many of the criticism being made of the evidence of the officer of the Council were either put to that officer during cross-examination, and were dealt with satisfactorily, or were not put to him at that time and should not be raised at this stage.

 

72. I begin by considering whether there is any ‘direct conflict’, as has been submitted by the Appellant between the findings of the First-tier Tribunal, in paragraph 39 of its decision, on the potential application of section 1(1)(a) of the Data Protection Act 1998 and its findings, at paragraphs 47 and 48 of its decision, on whether disclosure would be in contravention of any of the Data Protection Principles.

 

73. I find that there is no such direct conflict. The First-tier Tribunal was not required to consider the question of whether section 1(1)(a) of the Data Protection Act 1998 had any potential application. It decided, however, to answer that question, in any event. Its conclusions and findings are set out in paragraph 39 of its decision. Those findings and conclusions are in respect of the specific question of whether a living individual could be identified from the information in the summarised schedule alone. The First-tier Tribunal was addressing a wholly different question in paragraphs 47 and 48 of its decision ie would disclosure contravene any of the Data Protection Principles. Once again its findings and conclusions were specific to that question. The First-tier Tribunal recognised that a finding that it would not be difficult for a journalist to take steps to identify living individuals was not the same as concluding that the information contained in the summarised schedule on its own permitted identification.

 

74. I turn next to the submission that the findings of the First-tier Tribunal on the potential contravention of the Data Protection Principles should not be permitted to be the subject of a challenge in an appeal on a point of law. It is correct that an appeal on a question of law should not be permitted to become a re-hearing or further assessment of the evidence, when that assessment has already been fully and thoroughly undertaken. I am mindful, however, that the findings of the First-tier Tribunal, at paragraphs 47 and 48 of its decision were not specific to the question which I am now required to consider. Accordingly, I have considered those findings and have concluded that there is no ground for a challenge to them overall on the basis of perversity or irrationality, or on the basis of an inadequate assessment of the evidence giving rise to them. I am of the view, however, for the reasons set out below, that the First-tier Tribunal might have gone further in its explanation of some of its conclusions.

 

75. I have considered the evidence given by the officer of the Council to the First-tier Tribunal and noted by the Tribunal in paragraphs 22 to 26 of its decision. The First-tier Tribunal has recorded the evidence in those paragraphs but has not gone on to set out in specific terms what its assessment of that evidence is. I have also a witness statement of the officer which was provided to me as part of the bundle of documents which was before the First-tier Tribunal.

 

76. The First-tier Tribunal, in paragraph 47, noted that the officer of the Council had informed the Tribunal that the Council and Council employees would ‘… have had an expectation that their disciplinary record would be kept confidential.’ I find nothing wrong with the evidence in that regard. The Tribunal concluded that it would not be difficult for ‘… journalist to take steps to identify the individuals in question …’ and that while ‘…further investigative steps would need to be taken, but given that these do not appear to be onerous or unlikely, it would be artificial for the Tribunal to ignore what appeared to be a very real risk.’

 

77. The Appellant has conceded that an individual, such as an investigative journalist, could be motivated to identify living individuals from anonymised or summarised data and might take a number of steps to make such identification. Nonetheless, the Appellant submitted that it was not enough simply to make a generalised statement that there is a risk (or more, accurately a very real risk) that the individuals to whom the information in the summarised schedule relates could be identified. The First-tier Tribunal was under a duty to explain ‘… how such identification is likely to occur, identify what other information may be available to a motivated intruder, what form this other information may take, who is in possession of such other information and whether they are likely to disclose such information to a motivated intruder’ Further the First-tier Tribunal was under a duty to explain what ‘further investigative steps’ might be undertaken.

 

78. I have some empathy with the Appellant’s submission that the First-tier Tribunal might have added to its findings on the issue of how a ‘very real risk’ of identification might arise or what ‘further investigative steps’ might be undertaken and, finally, why such steps might not be onerous. As I noted above, the First-tier Tribunal has not set out, in specific terms, what was its assessment of the evidence of the officer of the Council. It seems to me, however, that it is implicit in the findings of the First-tier Tribunal, on the question of whether any of the Data Protection Principles have been contravened, that it had accepted the officer’s evidence. 

 

79. I am, however, prepared to fill in the necessary gaps where they occur. In so doing, I am reminded that Recital 26 of the preamble to Directive 95/46/EC sets out as a principle in connection with identification that in order to ‘… determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person’. The emphasis is my own.

 

80. As noted above, I have a copy of the witness statement from the officer of the Council and have noted the evidence recorded by the First-tier Tribunal. From this it is clear that the Council is a small employer of around 150 employees some of who are deployed in small departments – there were only three employees in the Accounts Department, for example. I have no doubt that the officer’s statement that all employees in the Council were known to each other and to a ‘significant proportion of the local population’ is accurate.

 

81. It is not difficult to see how each employee would know everyone else who worked in the Council This would be because they either worked in close proximity with other employees on a daily basis, arrived and left at the same time as other employees, interacted with other employees on a supervisory or management basis, and networked with them socially, at break or meal-times, for example or on birthday or holiday celebrations. The First-tier Tribunal recorded that the officer of the Council likened the organisation to a ‘family’.

 

82. It is equally not difficult to see how employees of the Council would be known to a significant portion of the local population, particularly in the small population catchment area identified by the officer of the Council. This is because the local population might interact formally with officers of the Council either in the Council offices or through the provision of Council services in the community; might interact socially with employees of the Council; might be related by family, close or extended, or similarly through marriage; and, quite simply, might know who worked for the Council through ordinary everyday conversation and social interaction. A local Council is a public authority and, as such, it and its employees will be more visible in the local community. It is also important to remember that communities in Northern Ireland, such as that described by the officer, are undoubtedly close-knit.  

 

83. How then could an individual, armed with certain limited information, such as that contained within the summarised schedule, go about identifying living individuals from that information? What investigative steps could be undertaken? I begin by noting the evidence recorded by the First-tier Tribunal that employees of the Council would be likely to be aware of what disciplinary action was being taken and against whom. I regard that as irrefutable. Further, the nature of some of the offences on the list and the sanction imposed, particularly where this involved suspension or removal, would not go unnoticed to the other employees in the organisation. Additionally, the disciplined employee might have sought advice from another employee in connection with the disciplinary action, including representation or accompaniment to disciplinary hearings. Once again, I cannot see how such a conclusion can be rebutted.

 

84. Remembering that an individual such as an investigative journalist might be highly motivated to identify living individuals, and using the language of Recital 26 of the preamble to Directive 95/46/EC, taking into all the means likely reasonably to be used, a first port of call for investigation towards identification of a specific individual might be to that individual’s work colleagues. I accept, however, and as was submitted by the Appellant, that those work colleagues might be motivated to defend any individual employee in connection with whom investigative steps might be taken. I think that is particularly the case where the disciplined employee was a close working colleague of any individual approached for further information or where assistance was rendered to that employee by the approached work colleague. Further, it may well be the case that the Council has a code of practice on confidentiality. I outlined above that I regarded it as irrefutable that all of the employees of the Council would be aware of disciplinary proceedings being taken against an individual employee, particularly where such an offence was serious or where the imposed sanction was suspension or dismissal. In those circumstances, I am satisfied that not every employee will necessarily be motivated to defend and there is a chance that a motivated individual such as an investigative journalist, might obtain the additional required information, through contact with an employee, to enable identification.

 

85. I have also no doubt that in a small community where the names and identities of the employees of the local Council are known to a ‘significant portion of the local population’, that details of disciplinary action will also, in due course become known to at least a portion of the local population. That might be because a Council employee, armed with the information might disseminate that information to family and friends. In turn, that information might be broadcast more widely. Further, the possibility of a member of the local population becoming aware of disciplinary proceedings against an individual employee might be increased where the nature of the disciplinary offence was serious or where the sanction imposed was suspension or dismissal. A member of the local population who interacted regularly with a Council employee would, no doubt, express surprise, and make further enquiries, should that employee no longer be working either temporarily or permanently.

 

86. I am satisfied that the membership of the local population would be less motivated to defend than would be a fellow Council employee. More significantly, I am also satisfied that a motivated individual such as an investigative journalist, would have little difficulty in making the necessary enquiries which could lead to the identification of individuals subject to disciplinary proceedings and sanction in the local Council. I am of the view that identification by investigation would be all the more likely where the sanction involved was suspension or dismissal. I agree with the findings of the First-tier Tribunal that it would not be ‘… hard for a journalist to take steps to identify the individuals in question …’ and that any necessary investigative steps would not be onerous or unlikely. It seems to me, for example, and remembering that account should be taken of all of the means likely reasonably to be used, that such a process could commence with enquiries made through work colleagues, contacts or family relations within the local population. If that process did not result in identification then I am satisfied that simple enquiries in the local area which would have every chance of eliciting sufficient information to enable identification.

 

87. Accordingly, my answer to the question as whether, for the purposes of section 1(1)(b) of the Data Protection Act 1998, living individuals could be identified from the information in the summarised schedule and other information which is in the possession of, or is likely to come into the possession of persons other than the data controller and, for the purposes of this case, the intended recipient of the summarised schedule after disclosure, the investigative journalist, is ‘yes’. That would mean that the data in the summarised schedule is, for the purposes of section 1(1)(b) of the Data Protection Act 1998, ‘personal data’.

 

88. The next question is whether disclosure of that personal data would contravene any of the Data Protection Principles. The Respondent, in the final submission to the Upper Tribunal, submits that:

 

‘The IC does not seek to appeal the FTT’s finding that, if the Summarised Schedule did contain personal data, the Council would breach the first data protection principle by disclosing it, and therefore that the Summarised Schedule was exempt from disclosure under s. 40 FOIA.’

 

89. In the final submission to the Upper Tribunal, the Appellant had, in fact, stated that:

 

‘The Commissioner would submit that, having concluded that an individual could not be identified from the summarised schedule and therefore that the schedule would not amount to personal data (such that section 40(2) and 40(3)(i)(a) of the Act are not engaged), there is no necessity to then go on to consider whether disclosure of the withheld information would breach any of the data protection principles.’

 

90. It is arguable that the door to argument about contravention of the Data Protection Principles was left a little ajar by that statement. In the original grounds of appeal to the Upper Tribunal, however, the Appellant had stated that the appeal lay against the conclusion by the First-tier Tribunal that the disputed information was personal data in the hands of the Council and did not lie against any of the other findings of the First-tier Tribunal which included the finding on contravention.

 

91. I am of the view that the Appellant is correct to abandon any further challenge to the findings of the First-tier Tribunal that the disclosure of the information in the summarised schedule would contravene the First Data Protection Principle in the Data Protection Act 1998. The findings and conclusion of the First-tier Tribunal were entirely sound.

 

92. I return to the question of whether the decision of the First-tier Tribunal was in error of law. I have accepted that to the extent that the First-tier Tribunal relied on the reasoning of the parallel First-tier Tribunal in the Department of Health case, that reasoning is flawed and, as in that case, was wrong on its interpretation of the law. I have concluded that the First-tier Tribunal did not address the question as to whether, for the purposes of section 1(1)(b) of the Data Protection Act 1998 living individuals could be identified from the information in the summarised schedule and other information which is in the possession of, or is likely to come into the possession of persons other than the data controller and, for the purposes of this case, the intended recipient of the summarised schedule after disclosure. I have answered that question in the affirmative, by drawing on and expanding the findings of the First-tier Tribunal. Accordingly, the data in the summarised schedule is, for the purposes of section 1(1)(b) of the Data Protection Act 1998, ‘personal data’. I have also concluded that disclosure of the information in the summarised schedule would contravene the First Data Protection Principle in the Data Protection Act 1998. Accordingly, the summarised schedule is exempt from disclosure under section 40(2) of the Freedom of Information Act 2000. In substance, therefore, my decision is the same as that of the First-tier Tribunal. That decision, therefore, does not involve an error on a point of law.

 

93. If I am wrong in my conclusion that the decision of the First-tier Tribunal does not involve an error of law, then I would have been prepared to exercise the power given to me by section 12(2) of the Tribunals, Courts and Enforcement Act 2007, to set aside that decision and re-make it to the effect set out above.

 

Disposal

 

94. The decision of the First-tier Tribunal (General Regulatory Chamber) (Information Rights) dated 3 February 2010 under file reference EA/2009/0047 does not involve an error on a point of law.  The appeal is dismissed.

 

 

 

 

 

 

 

 

(Signed on the original)

Kenneth Mullan

Judge of the Upper Tribunal

 

Dated: 14 June 2012

 

 

 


Appendix A 

 

Paragraphs 12 to 24 of the decision of Cranston J in R (on the application of the Department of Health) v Information Commissioner.

 

Statutory framework

 

12. The general right of access to information held by public authorities is contained in Section 1 of FOIA.  Section 1(1) establishes a right of access to information held by public authorities.  Any person making a request is entitled to be informed in writing by the public authority whether it holds information of the description specified in the request, and if that is the case, to have that information communicated to him.

 

13. Section 1(1), is subject to subsection (2), which sets out the effect of the exemptions in part 2 of FOIA.  The exemptions contained in part 2 fall into two classes: absolute exemptions and qualified exemptions.  Absolute exemptions exempt all information of a specified description.  With an absolute exemption, the only question is whether the information falls within the description.  Qualified exemptions are subject to a public interest test.  Among the exemptions in part 2 are Section 36 information, the disclosure of which would prejudice the effective conduct of public affairs; Section 40, personal information; and Section 44, information the disclosure of which is prohibited by, inter alia, legislation.

 

14. The exemption for personal information in Section 40 is an absolute exemption, so does not depend on whether the balance of the public interest favours disclosure.  If the request is for an individual's own personal data, the request is then governed by Section 7 of the DPA, which gives a person a right of access to personal information about themselves.  Where the requester is asking for personal data about third parties, Section 40(2) applies.  Its effect is that there is an absolute exemption if disclosure of the information to a member of the public otherwise than under FOIA would breach any of the data protection principles.  It is necessary to set out the precise statutory language of Section 40(2).

 

"Any information to which a request for information relates is also exempt information if:

 

 (a) It constitutes personal data which does not fall within subsection (1), and:

 

 (b) Either the first or second condition below is satisfied."

 

15. Section 40(3) sets out the first condition:

 

(3) The first condition is:

 

 (a) In a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in Section 1(1) of the [1998 c. 29.] Data Protection Act 1998, that the disclosure of the information to a member of the public otherwise than under this Act would contravene:

 

I.  Any of the data protection principles, or.

 

Ii. Section 10 of that Act (right to prevent processing likely to cause damage or distress), and:

 

(b) In any other case, that the disclosure of the information to a member of the public otherwise than under this Act would contravene any of the data protection principles if the exemptions in Section 33A(1) of the [1998 c. 29.] Data Protection Act 1998 (which relate to manual data held by public authorities) were disregarded."

 

The second condition is set out in subsection (4):

 

"The second condition is that by virtue of any provision in Part IV of the DPA the information is exempt from Section 7(1)(c) of that act (the data subject's right to access of personal data)."

 

16. The application of Section 40 thus demands consideration of a number of concepts, concepts drawn from the DPA.  In broad outline, the thrust of the DPA is that data controllers, those who determine how personal data is held and used, must comply with the eight data protection principles.  Disclosure of personal data is in breach of the DPA unless those principles are satisfied.  Among the exemptions in the DPA is Section 33, which applies to the publication of statistics. 

 

17. The DPA was enacted to implement European Council Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.  In accordance with established principles the DPA must be interpreted insofar as possible in a manner consistent with the directive, including its recitals.  Recital 26 reads in part:

 

"Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas to determine whether a person is identifiable account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles the protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable ..."

 

The recitals also refer to Article 8 of the European Convention on Human Rights ("ECHR"), the right to respect for private and family life.  In any event, Section 3 of the Human Rights Act 1998 requires courts, so far as possible, to read and give effect to legislation in a way which is compatible with the ECHR.

 

 

 

(a)  Personal data

 

18. The first concept in Section 40 of relevance is that of personal data.  By Section 40(7) of FOIA, personal data has the same meaning as in Section 1(1) of the DPA.  Section 1(1) of the DPA provides that:

 

"Personal data means data which relate to a living individual who can be identified:

 

(a) from those data, or

 

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller."

 

19. That definition does not track precisely the definition of personal data in the directive, which defines it as:

 

"any information relating to an identified or identifiable natural person, a data subject, an identifiable person being one who can be identified directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."

 

20. "Data" is also defined in subsection (1) of the DPA, although information is not defined. 

 

"Data means information which ‑

 

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

 

(b) is recorded with the intention that it should be processed by means of such equipment,

 

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.

 

(d) does not fall within paragraph (a), (b), or (c), but forms part of an accessible record as defined by Section 68; or

 

(e) is recorded information held by a public authority which does not fall within any of the paragraphs (a) to (d)."

 

21. The concept of personal data in Directive 95/46/EC was considered at length by an advisory working party to the Commission, constituted under Article 29 of the directive ("the Article 29 working party").  Its Opinion 4/2007 on the concept of personal data was adopted in June of 2007.  It states that the objective was to reach a common understanding on the concept of personal data.  It noted that the proposal of the European Commission for a directive had been amended to meet the wishes of the European Parliament, that the definition of personal data should be as general as possible so as to include all information concerning an identifiable individual.  It also noted the objective of the rules in the directive as being to protect individuals.  The working party stated that the better option was not to restrict unduly the interpretation of the definition of personal data, but rather to note that there was considerable flexibility in the application of the rules to the data.  National authorities should endorse a definition which was wide enough so that it would catch all "shadow zones" within its scope, while making legitimate uses of the flexibility contained in the directive.  The text of the directive invited a development of policy which combined a wide interpretation of the notion of personal data and an appropriate balance in the application of the directive's rules. 

 

22. The working party report continued that, in general terms, information could be considered to relate to an individual when it was about that individual.  To determine whether a person was identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify that person.  The report concluded that anonymous data in the sense used when applying the directive could be defined as any information relating to a natural person, where the person could not be identified, whether by the data controller or by any other person, taking account of all means likely reasonably to be used to identify that individual.

 

(b)  The data protection principles

 

23. Next is the concept of the data protection principles.  The eight principles are addressed in schedule 1 to the DPA.  The first protection principle states:

 

"(1)  Personal data shall be processed fairly and lawfully, and in particular shall not be processed, unless ‑

 

(a) at least one of the conditions in Schedule 2 is met; and

 

(b) in the case of sensitive personal data at least one of the conditions in Schedule 3 is also met."

 

Sensitive personal data is defined in Section 2 of the DPA to include personal data consisting of information as to a person's physical or mental health, or condition.

 

(c)  Processing personal data

 

24. Thirdly, there is the concept of processing personal data.  Processing is defined widely in Section 1(1) of the DPA to include the holding and use of personal data and its disclosure, or otherwise making it available.  In that regard, Schedule 2 sets out the conditions necessary for the processing of personal data for the purposes of the first data protection principle.  Paragraph 6(1) of that schedule reads:

 

"The processing is necessary for the purposes of legitimate interest pursued by the data controller, or by the third party, or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject."

 

Schedule 3 is also applicable as setting out the conditions relevant for the processing of sensitive personal data.  Paragraph 7 is satisfied if:

 

"(1)  The processing is necessary ‑

 

(a) ...

 

(b) for the functions conferred on any person by or under an enactment, or

 

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department."


Appendix B

 

Extracts from the speech of Lord Hope in Common Services Agency v Scottish Information Commissioner:

 

‘[3] Unlike the 1998 Act, which was designed to implement Council Directive (EC) 95/46 of 25 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L281 p 31) (the 1995 Directive), neither the 2000 Act nor the 2002 Act were enacted to give effect to the United Kingdom's obligations under community law. But there had been increasing pres-sure for the enactment of legislation of this kind, reflecting concern about the lack of openness on the part of the executive. The United States Freedom of Information Act 1966 was an important landmark, as was the introduction, following Declaration no 17 to the Treaty of Maastricht 1992 (Maastricht, 7 February 1992) (OJ 1992 C191 p1) that openness is an essential aspect of democracy, in 1994 of a provision giving freedom of information rights to any citizen of the European Union enforceable against institutions of the European Community (art 255 EC). The Labour Party came to power in 1997 with a manifesto commitment to introduce a Freedom of Information Act. The 2000 Act was the product of that commitment. In November 1999, within six months of the commencement of the Scotland Act 1998, the Scottish Executive published a consultation document called An Open Scotland. This was followed by the publication in March 2001 of a draft Freedom of Information (Scotland) Bill. Section 1(1) of the 2002 Act resulted from these initiatives. It sets out a general entitlement on the part of any applicant for information from a Scottish public authority which holds it to be given that information. But the general entitlement to that information is qualified by the reference in s 2 to exemptions. An annotation in Current Law Statutes describes s 2 as probably the most structurally significant section of the Act.

 

[4] There is much force in Lord Marnoch's observation in the Inner House of the Court of Session that, as the whole purpose of the 2002 Act is the release of information, it should be construed in as liberal a manner as possible (see [2006] CSIH 58, 2007 SC 231, 2007 SLT 7 (para 32)). But that proposition must not be applied too widely, without regard to the way the Act was designed to operate in conjunction with the 1998 Act. It is obvious that not all government can be completely open, and special consideration also had to be given to the release of personal information relating to individuals. So while the entitlement to information is expressed initially in the broadest terms that are imaginable, it is qualified in respects that are equally significant and to which appropriate weight must also be given. The scope and nature of the various exemptions plays a key role within the Act's complex analytical framework.

 

 

[7] In my opinion there is no presumption in favour of the release of personal data under the general obligation that the 2002 Act lays down. The references which the 2002 Act makes to provisions of the 1998 Act must be understood in the light of the legislative purpose of that Act, which was to implement the 1995 Directive. The guiding principle is the protection of the fundamental rights and freedoms of persons, and in particular their right to privacy with respect to the processing of personal data (see recital 2 of the preamble to, and art 1(1) of, the 1995 Directive). Recital 34 and art 8(1) recognise that some categories of data require particularly careful treatment. Section 2 of the 1998 Act, which defines the expression 'sensitive personal data', must be understood in the light of this background.

 

 

[14] The general entitlement of an applicant to receive the requested information from a Scottish public au-thority applies only to information which is 'held' by it at the time the request is received (s 1(4) of the 2002 Act). The agency submits that the process of barnardisation would require the production or making of information that was different from that which was held by it at the time of the request. The process required information to be created, and until this was done it was not 'held' by the agency. The Secretary of State for Justice, in a helpful intervention, has drawn attention to the fact that the question whether an authority holds information which does not actually exist in the form and with the contents requested but which could be created from information which it does unquestionably hold is one which very commonly arises in practice. He submits that the obligations of public authorities ought to be limited to information which is truly held by them so that they are not put into the position of having to conduct research or create new information on behalf of requesters.

 

[15] It seems to me that the position that the agency has adopted to the request in this case is an unduly strict response to what the 2002 Act requires. This part of the statutory regime should, as Lord Marnoch said, be construed in as liberal a manner as possible. The effect of barnardisation would be to apply a form of disguise, or camouflage, to information that was undoubtedly held by the agency at the time of the request. It would amount to the provision of that information in a form that concealed those parts of it that have to be withheld but which would nevertheless, to some degree, convey to the recipient information that was undoubtedly held by the agency at the time of the request. The process is similar to that of redaction, which involves doing something to information in the form in which it was held so that those parts of it which are not private or confidential can be released. It would not amount to the creation of new information, nor would it involve the carrying out of any research. It would be to do no more than was reasonable in the circumstances, having regard to the need for the form in which the information was disclosed to comply with the data protection principles.

 

[16] The latitude which should be given to a request which cannot be met in the form requested is indicated by s 11(2)(b) of the 2002 Act which provides for the provision of a digest or summary of the information, and by s 11(4) which provides that information may be given by any means which are reasonable in the circumstances. No hard and fast rules can be laid down as to what it may be reasonable to ask a public authority to do to put the information which it holds into a form which will enable it to be released consistently with the data protection principles. Protection against the excessive cost of compliance is provided by s 12 of the 2002 Act. But it has not been suggested that the process of barnardisation which the commissioner said should be adopted in this case would be excessively costly. In my opinion information in that form would contain information that was 'held' by the agency at the time of the request and, unless it was 'personal data' and its disclosure would contravene any of the data protection principles, it would have to be released in response to it.

 


BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/uk/cases/UKUT/AAC/2012/263.html