Quo vadis, FoI…? Dr Renate Gertz School of Law University of Glasgow.


In this paper, I will… …examine ‘personal data’ under the Freedom of Information Acts and the Data Protection Act …to do so, consider two main cases …analyse them through the instances

Part I The formalities

The Freedom of Information Acts 2005: Freedom of Information legislation England/Wales + Scotland came into force Purpose: –General right of access to information held by or on behalf of public authorities –Promotes a culture of openness and accountability across public sector

Exemptions to FoI Reasons for withholding information → exemptions from the right to know. Absolute exemptions: will always prohibit disclosure Qualified exemptions: public interest test - public interest in maintaining the exemption must outweigh public interest in disclosure.

The formalities of FoISA Request for information Refusal of the request Request for internal review Appeal to the SIC Appeal to the Court of Session Appeal to the House of Lords

The formalities of FoIA Request for information Refusal of the request Request for internal review Appeal to the IC Appeal to the Information Tribunal Appeal to the High Court Appeal to the Court of Appeal (only with permission of the CoA) Appeal to the House of Lords (subject to leave from CoA or HoL)

The Data Protection Act 2000: Data Protection Act 1998 came into force Purpose: –Protects ‘personal data’ against unlawful processing, e.g. disclosure to third parties –Promotes a spirit of confidentiality.

The link between the Acts Section 40 [section 38 ] personal data: –Information is exempt if it consists of personal data AND a data protection principle is breached For definition of personal data and the principles, referral to the Data Protection Act → linking the two Acts

Personal data Personal data: –S. 1 – personal data: “data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.” –S. 2 – sensitive personal data: “personal data consisting of information as to …(e) his physical or mental health or condition...”

The relevant Data Protection Principle Problematic here: 1st principle = data must be processed fairly and lawfully. To be read together with the conditions in Schedule 2 and/or 3 (a condition from Schedule 2; for sensitive personal data, 1 condition each from Sch. 2 AND 3 has to be fulfilled).

Schedule 2, condition 6(1) “The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data is disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

The precedent case of Durant Durant v Financial Services Authority, Court of Appeal Subject access request Personal data: data which relate to an individual + need to (1) have that data subject as their focus and (2) have to be of biographical significance

The input from Europe Article 29 Working Party, June 2007, guidance on the meaning of personal data: –“The Directive contains a broad notion of personal data” And in addition: October 2005, European Commission – UK before ECJ if personal data definition remains too narrow, not in line with the Directive!

A potentially considerable problem 1 DPA But 2 FoIAs 1 UK Information Commissioner for DPA 1 each Information Commissioner for England/Wales and for Scotland → the potential for development in different directions!

The cases In England: –The ‘John Lewis List case’ – journalists ask for amounts of items MPs spent under Additional Cost Allowance (ACA) In Scotland: –The ‘Collie case’ – researcher for MSP wants cases of children with leukaemia in a table by year and census ward

Part II The John Lewis List case

Corporate Officer of the House of Commons v Information Commissioner Three journalists asked for a list of items claimed by various MPs under the Additional Costs Allowance (ACA). Grounds for refusal: The lists are personal data of each MP

The Information Commissioner’s decision Information requested = personal data Fair processing principle? Private v professional data Here: professional data, as in respect of the ACA: –Not useful to distinguish between personal and professional expenses –Costs are for the purpose of performing Parliamentary duties

Private v professional Condition 6 of Schedule 2: legitimate interest of third party, balancing exercise When personal data relate to professional life, less importance on protection of data. → disclosure of aggregated account of list, as potential for intrusion into the private lives of MPs and their families.

Professional life: European guidance and case law Durant: “..in short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity” Art. 29 WP, ‘Personal Data’, 20 June 07: “Example No. 1: Professional habits and practices” “..the rules on protection of personal data go beyond the protection of the broad concept of the right to respect for private and family life.” European Court of Human Rights, Amann v Switzerland, “…the term ‘private life’ must not be interpreted restrictively…there is no reason of principle to justify excluding activities of a professional or business nature from the notion of ‘private life’”

The Information Tribunal’s decision Information = personal data, having looked at the Directive and applied Durant – data relates to the personal expenditure of MPs on their living arrangements Focus on ‘necessary’ to process and whether processing still unwarranted. Art. 8 Human Rights Convention to be taken into account! → proportionality Result: Widening the IC’s decision considerably: all information to be disclosed, sensitive data to be redacted

Evaluating the decision Application of Durant, but still a reasonable outcome No discussion of the private v professional personal data question, rather focus on balancing exercise in condition 6 of Schedule 2 Taking into account the Human Rights Convention

The High Court’s decision Appeal rejected Confirms the Tribunal decision in its entirety. No discussion of what constitutes personal data, or private v professional data

Part III The Collie case

Common Services Agency (CSA) v Scottish Information Commissioner The CSA: Manages national health database on patient and activity data Mr Collie (researcher for the then Green MSP Chris Balance) asked for information on childhood leukaemia cases (0-14 years) in Dumfries and Galloway by year and census ward from 1990 to 2003 Grounds for refusal: combination of rare diagnosis, specified age group, small area, low numbers = identifiability = personal data

The SIC’s decision Data on childhood leukaemia = personal data But then: “Firstly, imagining as outlined above that census ward data would be made up of 564 cells (12 columns representing years, with 47 rows, one for each census ward), then some or many of those cells will contain zero. This does not contain personal information and so that information should have been provided to Mr Collie.”

Disclosive but not personal? Data that do not fall under the definition provided by s 1 (1) of the DPA, but still allow conclusions to be drawn as to the identity of the data subjects. Example: A table of all postcodes in Scotland where there have been no incidences of a condition. Individuals are obviously not identifiable from the zero cells alone = not personal data But: from the zero cells, together with other information, individuals diagnosed with the rare disease may be identifiable → disclosive but not personal!

Barnardisation The CSA was to “consider whether this information could be provided to Mr Collie in a less disclosive manner” Barnardisation: –statistical instrument for disguising small numbers in a table that are not larger than ‘4’ –To numbers other than 0, + or – ‘1’ is added. It’s not possible to turn a ‘1’ into a ‘0’. –While material change seems to take place, barnardisation provides no different information, so barnardised data is only different from the raw data in presentation, not in kind. No discussion whether barnardised data could be considered personal data or not, just assumption that it is not!
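The barnardisation rule described on this slide, written out as an added Python example (not code from the presentation or from the CSA) that shows what a published table still reveals: zero cells survive unchanged and every small published count maps back to at most two true counts. The sample table and all function names are constructed; the perturbation set follows the slide's "+ or – 1" wording and is left as a parameter because variants that also allow "no change" are an assumption here.

```python
import random

SMALL_MAX = 4          # slide: only cells "not larger than 4" are disguised
PAGE_DELTAS = (-1, 1)  # slide: "+ or - 1 is added"; a 0 delta is an assumed variant

# Constructed sample: rows = census wards, columns = years, values = case counts.
SAMPLE_TABLE = [
    [0, 1, 0, 3],
    [2, 0, 0, 6],
    [0, 0, 4, 0],
]


def barnardise(table, rng, deltas=PAGE_DELTAS):
    """Return a perturbed copy of `table` following the rule on the slide."""
    out = []
    for row in table:
        new_row = []
        for v in row:
            if 1 <= v <= SMALL_MAX:
                # A non-zero cell must never become zero ("1" cannot turn into "0").
                allowed = [d for d in deltas if v + d != 0]
                v = v + rng.choice(allowed)
            new_row.append(v)  # zeros and counts above 4 pass through unchanged
        out.append(new_row)
    return out


def candidate_true_values(published, deltas=PAGE_DELTAS):
    """True counts that could have produced `published` under the same rule."""
    span = max(abs(d) for d in deltas)
    candidates = set()
    for true in range(max(0, published - span), published + span + 1):
        if 1 <= true <= SMALL_MAX:
            outputs = {true + d for d in deltas if true + d != 0}
        else:
            outputs = {true}
        if published in outputs:
            candidates.add(true)
    return candidates


def zero_pattern(table):
    """Positions of zero cells, i.e. ward/year combinations with no cases."""
    return {(r, c) for r, row in enumerate(table)
            for c, v in enumerate(row) if v == 0}


if __name__ == "__main__":
    published = barnardise(SAMPLE_TABLE, random.Random(2008))
    print("published table:", published)
    print("zero cells preserved:",
          zero_pattern(published) == zero_pattern(SAMPLE_TABLE))
    for value in range(0, 7):
        print(value, "->", sorted(candidate_true_values(value)))
```

Because the zero pattern and the narrow candidate sets carry over to the published table, a disclosure-risk review of barnardised output has to treat it much like the raw counts, which is the point the slide makes about "presentation, not kind".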

The Edinburgh Court of Session judgement Court agreed with the submissions of the SIC and applied Durant Focus had moved away from individual children to the more general incidence of disease in particular wards in particular years Data were no longer of biographical significance to the children in question. Barnardised data is not personal data

Does that make sense? No, and here’s why: Court stipulates that barnardised data are no different from the original raw data, only presented differently. Court then explains that while original raw data are personal data, barnardised data are not, as their focus has shifted. Inconsistency in the Court’s reasoning: If barnardised data are no different from the raw data, then how can the raw data be classified as personal data, while the barnardised data do not fall into that category?

The House of Lords decision - Collie The opinions focused on the major questions of: (i) can barnardised data be considered ‘held’, (ii) do barnardised data constitute personal data, (iii) if barnardised data were personal data, would disclosure breach the data protection principles, (iv) if (ii) applied, could barnardised data also be considered sensitive personal data, and (v) if this were the case, does a condition of Schedule 3 DPA apply

The House of Lords on Durant The great disappointment of the data protection community: According to the House of Lords, Durant does not have any relevance for the issue in the CSA case Lord Hope: The Court of Session’s deliberations did not answer the question whether it is actually ‘personal data’ within the meaning of the DPA. Rather, an answer to the question should be sought from the definition in section 1(1) of the DPA together with Council Directive 95/46/EC.

Cont. Not a single, consistent reason for their decision to deem Durant inapplicable from the Law Lords Lord Hope’s statement may even be considered an evasion. In fact, the question of whether the Durant test of whether data ‘related’ to living individuals and the focus on data being ‘obviously about’ a person seems to be more than relevant to the present case.

Cont. Would have helped to answer the question whether the focus had been moved from individual incidents of childhood leukaemia and individual patients to the more general request for incidences of the illness. Relevant for whether data are personal data, as main problem with Durant: too narrow definition of personal data. The Law Lords ignored Durant, decided summarily that information about incidences of childhood leukaemia was obviously information about the children and therefore no need to examine any further whether concepts of ‘focus’ and ‘biographical significance’ as set out in Durant, applied.

The problem of identifiability (1) Instead of Durant, identifiability issue according to section 1(1)(b), “(1) ’Personal data’ means data which relate to a living individual who can be identified – (b) from those data and other information which is in the possession of, or is likely to come into the possession of the data controller.” Paragraph (b): data controller’s ability to identify individuals. Lord Hope: two possible solutions: completely anonymise the data or find a way to disclose without breaching a data protection principle So: can barnardisation provide either solution?

The problem of identifiability (2) Lord Hope: first solution only possible where combination of ‘those data’ and the ‘other information’, will not lead to identification – original data set completely anonymised – even with the help of the additional information. = Combination is the crux of the matter = Barnardise original table (barnardised version = ‘those data’) to the degree that original, unbarnardised set (= the ‘other information’) will not help CSA to decode the barnardised table. Rather, the original (‘other’) set alone is identifiable.

The problem of identifiability (3) Section 1(1)(b) will not apply. Problematic issue – familiar to the data protection community and often discussed – of what can actually be considered adequate and sufficient anonymisation. Widely accepted that the law does not demand absolute anonymity, whereby data and individual can never again be linked. However, if relative anonymity sufficient, then the varying degrees of risk of identification depending on the circumstances will need to be accepted.

Lord Rodger’s opinion (1) “Look at what the draftsman intended”: Section 1(1)(b) not relevant at all, rather: use of terminology in section 1 – the word ‘information’ in section 1(1)(b) as opposed to ‘data’ in section 1(1). Personal data only identifiable directly from the original data as set out in section 1(1), or from data together with other information, ≠‘data’ definition. Example: coding key on piece of paper ≠ ‘data’ (no relevant filing system) →all data held by the CSA = ‘those data’ relating to the individual Hence, according to Lord Rodger, paragraph (a) rather than paragraph (b) of the personal data definition applies.

Lord Rodger’s opinion (2) Regarding the intentions of the draftsman: Campbell v MGN Ltd: –“… because the Act has, in large measure, adopted the wording of the Directive, it is not appropriate to look for precision in the use of language that is usually to be expected from the parliamentary draftsman.” Article 29 Data Protection Working Party: “The Directive contains a broad notion of personal data”

Lord Rodger’s opinion (3) ‘Information’ in the Compact Oxford English Dictionary: 1 facts or knowledge provided or learned; Aim of the DPA, (protection of personal data), sensible to broaden requirements for identifiability rather than narrowing it down. Conclusion: definition of ‘information’ in section 1(1)(b) necessarily includes ‘data’ ‘Information’ = umbrella, ‘data’ = subcategory

A conclusion to the identifiability issue? None provided by the Law Lords Anonymisation ideal, but barnardisation? –In agreement with the CSA: it does not work! The result: Barnardised data = personal data, part 1 of the exemption fulfilled

The result The data protection community rejoices: the Edinburgh Court of Session decision has been recalled. The data protection community mourns: the Lords of Appeal did not find it necessary to comment on Durant, despite being asked to do so by the Secretary of State for Justice, particularly since the threat of the UK being taken to the European Court of Justice by the European Commission over the definition of personal data in this highly problematic Court of Appeal decision still exists. The House of Lords reached the only sensible conclusion, but the way it was reached is highly problematic with two conflicting views.

Comparing the approach In the Collie case sensitive personal data, deemed by the DPA to be even more worthy of protection than ‘mere’ personal data In the John Lewis List case, ‘mere’ personal data that might intrude into MPs’ families’ lives A table with incidents of childhood leukaemia where individual children can still be identified is not personal data, but the list of expenses of MPs is! → a cautious conclusion: UK Information Commissioner more careful with ordering data release