Durant v FSA (2003) UK Data Protection

Author: CCa2z

Date: 1st December 2004

Case Summary - Information Commissioner's Case Summary (with Initial Commentary) of Durant v Financial Services Authority [2003] EWCA Civ 1746, Court of Appeal (Civil Division). Decision of Lord Justices Auld, Mummery and Buxton dated 8th December 2003.

History

Mr. Durant was a customer of Barclays Bank plc. There was litigation between them, which Mr. Durant lost in 1993. Since then he has sought disclosure of records in connection with the dispute which he believes may assist him to re-open claims against Barclays.

In July/August 2000 he asked the Financial Services Authority (the regulator for financial services in the U.K.) to help him obtain disclosure. In addition, he wanted to know what documents the FSA had obtained from Barclays in its supervisory role. The FSA completed its investigation against Barclays and closed the investigation without informing Mr. Durant of the outcome due to its obligation of confidentiality under the Banking Act 1987. Mr. Durant complained about that to the FSA Complaints Commissioner, who dismissed his complaint.

In September/October 2001 Mr. Durant made two subject access requests under the Data Protection Act 1998 to the FSA. In October 2001 the FSA provided copies of documents relating to him held in computerised form, some redacted so as not to disclose the names of others. However, it refused access to all the manual files on the basis that the information sought was not "personal" and even if it was, it did not form part of a "relevant filing system".

The FSA acknowledged that some of its files contained information in which Mr. Durant featured, that some of them identified him by reference to specific dividers within the file and that they contained documents such as copies of telephone attendance notes, a report of forensic examinations document, transcripts of judgments, handwritten notes, internal memoranda, correspondence with Barclays Bank, correspondence with other individuals and correspondence between the FSA and Mr. Durant.

The judges considered that four important issues of law concerning the right of access to personal data were raised:

  1. What makes "data" "personal" within the meaning of "personal data"?
  2. What is meant by a "relevant filing system"?
  3. Upon what basis should a data controller consider it "reasonable in all the circumstances" within the meaning of section 7(4)(b) to comply with the request even though the personal data includes information about another and that other has not consented to disclosure?
  4. How much discretion does the court have as to whether to order compliance with a request if it finds the data controller has wrongly refused a request under section 7(4)?

The Court of Appeal's Findings

  1. Personal data

    Is information relating to the investigation by the FSA of Mr. Durant's complaints against Barclays "personal data"?

    The judges found that, in conformity with the 1981 Council of Europe Convention (Convention 108) and the 1995 General Data Protection Directive (95/46/EC), the purpose of section 7 of the Act is to enable an individual to check whether a data controller's processing of his personal data unlawfully infringes his privacy and, if so, to take steps, for example under section 14 or section 10, to protect it. It is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved. Nor is it to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties. It is likely in most cases that only information that names and directly refers to him will qualify.

    "Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree."

    The judgment highlighted two notions that may assist:

    "The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject's involvement in the matter or an event that has no personal connotations…. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest".

    These notions were summarised as information affecting a person's privacy whether in his personal or family life, business or professional capacity.

    The mere fact that a document is retrievable by reference to his name does not entitle him to a copy of it under the Act.

    The court found that none of the information sought by Mr. Durant amounted to personal data and therefore his claim fell at the first hurdle.
     
  2. "Relevant Filing System"

    The judges noted that there was no material difference in the provisions of the Directive and of the Act. The court concluded that the intention "is to provide as near as possible the same standard of sophistication of accessibility to personal data in manual filing systems as to computerised records". It is right that the definition be broken down into three constituents:
    1. Whether the material was a set of information relating to an individual;
    2. Whether the material was structured either by reference to individuals or by reference to criteria relating to individuals;
    3. Whether it was structured in such a way that specific information relating to a particular individual was readily accessible.

The Court found that the Directive supported a restrictive interpretation of "relevant filing system", and that "the protection given by the legislation was for the privacy of personal data, not documents".

The judgment summarised the meaning of "a relevant filing system" as a "system":

  1. in which the files forming part of it are structured or referenced in such a way as to clearly indicate at the outset of the search whether specific information capable of amounting to personal data of an individual requesting it under section 7 is held within the system and, if so, in which file or files it is held; and
  2. which has, as part of its own structure or referencing mechanism, a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file or files specific criteria or information about the applicant can be readily located.

Redaction

The Court found the protection that the Act gives to other individuals is qualified. The principle of proportionality means that the interest of the data subject in gaining access to his personal data must be balanced against that of the other individual in the protection of his privacy.

The balancing exercise only arises if the information relating to the other person forms part of the "personal data" of the data subject. The provisions of the Act appear to create a presumption that information relating to a third party should not be disclosed without his consent. The presumption may, however, be rebutted if the data controller considers that it is reasonable "in all the circumstances" to disclose it without such consent. The circumstances that go to the reasonableness of such a decision include, but are not confined to, those set out in section 7(6).

It is appropriate to ask what, if any, legitimate interests the data subject has in disclosure of the identity of another individual named in or identifiable from personal data.

Section 7(4) contemplates a two stage thought process:

  1. Is the information about the third party necessarily part of the personal data the data subject has requested?
  2. If so, how critical is the third party information to the legitimate protection of the data subject's privacy, when balanced against the existence or otherwise of any obligation of confidence to the third party or any other sensitivity of the third party disclosure sought.

Where the third party is a recipient of the data and he might act on the data to the data subject's disadvantage, the data subject's right to protect his privacy may weigh heavily and obligations of confidence may be non-existent or of less weight. Equally, where the third party is the source of information, the data subject may have a strong case for his identification if he needs to take action to correct some damaging inaccuracy, though consideration for the obligation of confidence to the source or some other sensitivity may have to be weighed in the balance.

The Court's Discretion

The last issue to be considered by the Court was the extent of the Court's discretion under section 7(9) of the Act to order a data controller to comply with a request for information under that section where the data controller has failed to do so in breach of the Act.

The Court noted that the question of the exercise of discretion did not arise in this case but agreed with the observations of Munby J in the case of R (on the application of Alan Lord) v The Secretary of State for the Home Department [2003] EWHC 2073, at paragraph 160, that "the discretion conferred by that provision is general and untrammelled".

Commissioner's Commentary

The Commissioner welcomes this judgment to the extent that it provides firm guidance and greater clarity as to the meaning of "personal data" and "relevant filing system". These have always been complex issues and any jurisprudence in this area is helpful. The Commissioner particularly welcomes the fact that the Court has reiterated the fundamental link between data protection and privacy rights.

The Commissioner recognises that the interpretation suggested by Lord Justice Auld is different from the approach previously adopted by the Commissioner. The guidance issued by the Commissioner's office is being reviewed in the light of this difference of approach. All the Commissioner's responsibilities, including existing and future casework, will properly take account of this judgment. (Information Commissioner's Office 17 December 2003 - amended 5th October 2004)

