Saturday, July 23, 2011

Durant v FSA DBA Financial Services Authority Data Protection Act

Misunderstanding ‘personal information’: Durant v Financial Services Authority

David Lindsay, University of Melbourne

One of the most difficult legal issues in information privacy (or data protection) law concerns the scope of the information covered by such laws. The scope of information privacy (or data protection) laws is conventionally established by the definition of ‘personal information’ or ‘personal data’. This article examines Durant v Financial Services Authority [2003] EWCA Civ 1746 (8 December 2003), a recent decision of the English Court of Appeal that elaborates on the interpretation of ‘personal data’ under the Data Protection Act 1998 (UK) (DPA).

As the highest judicial interpretation of the term ‘personal data’, Durant has implications for the interpretation of ‘personal information’ under Australian information privacy laws. It is argued in this article that the approach taken in Durant should be resisted if the matter ever comes before an Australian court.

Facts

The case concerned requests made by Durant for access to information held by the Financial Services Authority (FSA), which is the single regulator for the financial services sector in the UK. The information concerned a dispute between Durant and Barclays Bank, which had resulted in litigation in which Durant had been unsuccessful. Durant subsequently lodged a complaint with the FSA, which was dismissed. Following the dismissal of the complaint, Durant requested disclosure of information concerning the matter that was held by the FSA both electronically and in manual files. The FSA released the information it held in computerised form, some of which was redacted (had identifying information deleted) so as not to disclose the names of others. The FSA, however, refused Durant’s request for access to information held on manual files.

Durant applied to the first instance court under s 7(9) of the DPA for an order requiring the FSA to comply with the request for access. Following rejection of the application, permission was granted to appeal to the Court of Appeal. The appeal dealt with the following four issues concerning the statutory right of access to personal data established under s 7 of the DPA.

1. Was the information held by the FSA relating to the investigation of Durant’s complaint ‘personal data’ under the DPA? The FSA contended that the information was not ‘personal data’, and so not subject to the statutory right of access.

2. Was the information held in manual files recorded as part of a ‘relevant filing system’ and so subject to the DPA? Information held in manual files only amounts to ‘data’ under the DPA if it is a ‘relevant filing system’, meaning that it must be structured in a certain way. The FSA contended that the manual files were not a ‘relevant filing system’.

3. Was it ‘reasonable in all the circumstances’ for the FSA to redact the information disclosed so as not to reveal the names of other individuals? Under s 7(4)(b) of the DPA, a data controller is not obliged to disclose information relating to another individual who can be identified unless it is ‘reasonable in all the circumstances’ to do so. Durant contended that the FSA redacted names when it was not entitled to because the reasonableness test was capable of being satisfied.

4. What principles should guide a court in exercising its discretion to order a data controller to provide access to information under s 7(9) of the DPA?

Personal data

Section 1(1) of the DPA defines ‘personal data’ to mean:

... data which relate to a living individual who can be identified —

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Whether information falls within the scope of an information privacy (or data protection) law usually centres on the difficult issue of whether or not an individual is identifiable from the information. In this case, however, identifiability was not an issue because the information in the manual files essentially concerned letters of complaint written by Durant and material generated in response to those complaints. The definitional issue that arose concerned whether the data (that clearly identified the data subject) could be said to ‘relate to’ Durant. On the one hand, Durant argued that the definition of ‘personal data’ should be broadly construed, so as to include any information retrieved as a result of a search under the name of the data subject, anything on file with the name of the data subject on it or anything from which the data subject could be identified. The FSA, on the other hand, relied mainly on dictionary definitions to contend that the words ‘relate to’ should be interpreted narrowly to mean either ‘have reference to, concern’ or ‘have some connection with, be connected to’.

To begin with, Auld LJ referred to the 1995 European Commission Data Protection Directive[1] for assistance in construing the definition of ‘personal data’. In this respect, the Court held at [27] that the statutory right of access under the DPA is designed to enable the data subject to:

... check whether the data controller’s processing of it unlawfully infringes his privacy and, if so, to take such steps as the Act provides ... to protect it.

Following from this, the Court concluded at [28] that the relevant information is:

... information that affects [the data subject’s] privacy, whether in his personal or family life, business or professional capacity.

This analysis suggests that not all identifying information will fall within the definition of ‘personal data’, but only information that is capable of adversely affecting the privacy of the data subject. In order to further assist in determining whether or not information ‘relates to’ the data subject, Auld LJ proposed two notions or ‘tests’ at [28], the first of which was:

... whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject’s involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised.

The second test concerned whether:

... the information has the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person’s or body’s conduct that he may have instigated.

Auld LJ also drew support for a narrow construction of the definition of ‘personal data’ from the wording of the DPA. The Court pointed out, for example, that the DPA’s definition of ‘personal data’ extends to expressions of opinion about an individual, which it held would be otiose if the words ‘relate to’ were construed broadly.

The Court of Appeal therefore concluded that information about Durant’s complaint to the FSA or about the FSA’s investigation of the complaint did not fall within the definition of ‘personal data’ as it did not ‘relate to’ Durant in the requisite sense. The Court further held that the mere fact that a document is retrievable by reference to the name of the data subject does not render the information in the document ‘personal data’. Finally, the Court held that the information sought by Durant was information about his complaints and about the objects of his complaints, namely Barclays Bank and the FSA, and not information relating to Durant himself. In this respect, Auld LJ characterised Durant’s application at [28] as:

... a misguided attempt to use the machinery of the Act as a proxy for third party discovery with a view to litigation or further litigation, an exercise, moreover, seemingly unrestricted by considerations of relevance.

‘Relevant filing system’

The Data Protection Directive applies to manual files only insofar as they form part of a personal data filing system. The Directive defines a ‘relevant filing system’ to mean:

... any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.

The DPA mirrors this arrangement by providing that ‘data’ only includes manual files that form part of a ‘relevant filing system’. A ‘relevant filing system’ is defined to mean:

... any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

Durant contended, in part, that the first instance judge had mistakenly interpreted a ‘set’ of personal data in the definition as only an individual file, whereas it should be interpreted broadly to refer to a wider filing system, such as all of the files held by a specific department. This would mean that an individual file would not necessarily need to be structured to any degree, provided it formed part of a wider structured filing system. The FSA, on the other hand, argued for a narrow definition of a ‘relevant filing system’, on the basis that the definition was aimed at treating manual files in the same way as computerised files only to the extent that the information in manual records is as readily accessible as information held on computer. On this basis, the information in an individual file would need to be structured so as to be accessible.

On this issue, Auld LJ reiterated that the DPA was aimed at protecting the privacy of personal data and not at protecting documents. The Court therefore preferred the narrow construction of a ‘relevant filing system’, essentially for the reasons advanced by the FSA. In this respect, Auld LJ stated at [48] that:

... Parliament intended to apply the Act to manual records only if they are of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system. That requires a filing system so referenced or indexed that it enables the data controller’s employee responsible to identify at the outset of his search with reasonable certainty and speed the file or files in which the specific data relating to the person requesting the information is located and to locate the relevant information about him within the file or files, without having to make a manual search of them.

Following this reasoning, the Court concluded at [50] that a ‘relevant filing system’ is limited to a system:

1) in which the files forming part of it are structured or referenced in such a way as clearly to indicate at the outset of the search whether specific information capable of amounting to personal data of an individual requesting it ... is held within the system and, if so, in which file or files it is held; and

2) which has, as part of its own structure or referencing mechanism, a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file or files specific criteria or information about the applicant can be readily located.

As the manual files held by the FSA were not sufficiently structured to enable the retrieval of personal data, the Court held that they did not constitute ‘relevant filing systems’ for the purposes of the DPA. In particular, Auld LJ held that an ability to readily identify and locate whole files, even files organised chronologically or by name, is insufficient for the files to form part of a ‘relevant filing system’. In other words, it seems that in order for a file to form part of a ‘relevant filing system’, the filing system as a whole must be structured so as to enable the identification of individual files that contain personal information, and the individual files themselves must be structured so as to enable the identification of personal information within those files.

Redaction

The DPA incorporates a principle of proportionality for balancing the interests of the data subject in obtaining access to his or her personal data and the interests of other individuals that may be identified in the data. The principle establishes that, in the absence of consent, the data controller is not required to comply with a request to reveal information about another individual unless it is ‘reasonable in all the circumstances’ to reveal the information without consent. In releasing the information held in computerised files to Durant, the FSA redacted most of the names of other individuals. In arguing that the Court should find that it was reasonable to reveal the identities of the other individuals, Durant maintained that it was a matter for the Court to determine whether or not access would be reasonable. The FSA, on the other hand, contended that the Court is merely required to review the decision of a data controller to refuse access.

Auld LJ held that the role of the Court under the DPA is to review the decision of the data controller and not to act as the primary decision maker, meaning that there would usually be no need for the Court to conduct a detailed examination of the relevant documents. The Court further held that, in deciding whether or not it is reasonable to reveal information about another person, the data controller must apply a two-stage test. First, the data controller must consider whether the information about another individual is ‘necessarily part of the personal data that the data subject has requested’ [65]. Second, the data controller must balance the privacy interests of the applicant and those of the third party [66]. Apart from the presumption against disclosure of third party personal data without consent, Auld LJ saw little value in attempting to devise general principles to apply in establishing the balance.

In this case, the Court held that the issue of whether or not the redaction of third party information was ‘reasonable’ did not arise because the information contained in the computerised files was not ‘personal data’, and so not subject to the right of access. In relation to two files that contained ‘personal data’, however, the Court held that information regarding an FSA employee who had been abused by Durant over the telephone was properly withheld because it ‘can have been of little or no legitimate value’ to Durant [67].

Court’s discretion

Under s 7(9) of the DPA the Court has a discretion to order a data controller to comply with a request for information. Durant contended that the Court’s discretion to refuse to order access should be narrowly construed because the DPA should be interpreted to conform to the Data Protection Directive, which creates a guaranteed right of access. As the Court held that most of the files did not contain ‘personal data’ there was no need for it to comment on the question of the exercise of discretion. Auld LJ, nevertheless, observed that the exercise of the Court’s discretion under s 7(9) was ‘general and untrammelled’, meaning that it was not limited by the terms of the Data Protection Directive [74].

Analysis and implications for Australia

Common law courts have experienced considerable difficulties in interpreting information privacy (or data protection) laws.[2] One reason for these difficulties is the ‘fuzzy law’ nature of information privacy (or data protection) principles, meaning that the principles are stated in broad, general terms rather than in terms capable of precise legal delineation.[3] Given the ubiquity of data processing, information privacy laws can be seen to be aimed at broad organisational changes in information processing practices, rather than conferring precisely definable legal rights. Article 22 of the Data Protection Directive, however, requires EU Member States to provide a right to a judicial remedy for a breach of any of the rights guaranteed by the Directive. This means that English courts must necessarily confer some precise meaning on principles expressed in general terms, a task which sits uncomfortably with traditional principles of statutory interpretation. The Durant decision is an interesting example of a common law court attempting to apply a purposive approach to the construction of an information privacy law, but ultimately failing because of an inability to adequately understand the nature and specificity of information privacy laws.

In particular, the reasoning by which the Court of Appeal narrowly construes the definition of ‘personal data’ is artificial and unhelpful. The Court essentially concludes that ‘personal data’ includes only information that ‘relates to’ the data subject in the sense that it is ‘private’ information. Auld LJ elaborates at [28] on what amounts to ‘private’ information by suggesting two tests for distinguishing protected from unprotected information: that the information must be ‘biographical in a significant sense’; and that the data subject must be the focus of the information. The Court reaches this conclusion by expressly adopting a purposive approach, essentially maintaining that because the purpose of the access right is to protect the privacy of the data subject, it is only information that is relevant to that purpose that can be subject to the access right.

This approach to the interpretation of the definition of ‘personal data’, however, completely misconceives the role of the definition of ‘personal data’ or ‘personal information’ in determining the scope of an information privacy law. The basic assumption of all information privacy laws is that the privacy of the data subject is threatened by the processing of any information which identifies the data subject, or is capable of identifying the data subject, regardless of the nature of the information. This is recognised, for example, by Recital 26 to the Data Protection Directive, which provides that:

... the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.

In other words, the purpose of the definition of ‘personal data’ (or ‘personal information’) is to distinguish identifying information from anonymous information, not to distinguish between different kinds of information on the basis of the extent to which the information may relate to the privacy interests of the data subject.

It would be counter-productive for the definition of the scope of information covered by an information privacy law to attempt to distinguish private information from other identifying information, because the difficulty of drawing this sort of distinction would inevitably create considerable uncertainty. Moreover, the narrow interpretation imposed on the definition of ‘personal data’ by the Court of Appeal reveals a misunderstanding of the rights-based approach that underpins the Data Protection Directive. On the one hand, it is true that the right of access serves purely instrumental objectives insofar as it enables the data subject to check the accuracy of the information and to seek to have any inaccuracies rectified. Over and above its instrumental role, however, the access right should be seen as intrinsically important insofar as it is essential to individual autonomy and human dignity. In other words, in interpreting laws deriving from the Data Protection Directive, it is important to give full weight to the roots of the rights-based approach embodied in the Directive in the ‘right to informational self-determination’, first recognised by the German Constitutional Court in the 1983 Census case.[4] The ‘right to informational self-determination’ recognises that a degree of control over identifying information is necessary for the development of autonomous individuals. Following this approach, there should be a presumption that the access right applies to all identifying or identifiable information, not just a subset of that information.

At the same time, the rights of the data subject must be balanced against the rights of other individuals, as well as against other, more instrumental, objectives. This balance, however, is not properly struck by artificially confining the scope of the information to which an information privacy law applies, but by the exceptions to the rights of the data subject. In other words, the definition of ‘personal data’ under the DPA as ‘any information relating to an identified or identifiable natural person’ should be given its clear and natural meaning of ‘any information at all’ in which the data subject is identified or is identifiable. Similarly, the definition of ‘personal information’ in Australian information privacy laws should not be artificially and narrowly confined to apply only to certain kinds of identifiable information. For example, the Privacy Act 1988 (Cth) defines ‘personal information’ at s 6(1) as:

... information or an opinion ... about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Following Durant, it could be contended that information or an opinion is about an individual only if it is ‘private’ information, in the sense that it is, first, somehow ‘biographical’ and, second, that the data subject is the focus of the information. Rather than following this strained attempt to confine the scope of ‘personal information’, however, the clear words of the legislation should be relied upon to ensure that the law applies to any information or opinion which identifies the data subject, or from which the data subject is identifiable.

In the case of the Australian laws, this conclusion is reinforced by the extent to which the exceptions to the access right are spelt out in some detail. For example, National Privacy Principle (NPP) 6.1 provides that an organisation may refuse a request for access if:

(e) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or

(f) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations.

Although it is always possible to question some of the exceptions in the Australian laws, the Federal Privacy Act clearly establishes the balance between the interests of the data subject and other interests by means of detailed legislative exemptions and exceptions, and not by means of the definition of ‘personal information’. Similarly, if the DPA were to recognise other competing rights or interests, then this would be expected to take the form of specific exceptions to the rights of the data subject and not limits on the nature of the identifying information covered by the Act. Apparently to the chagrin of the English Court of Appeal, however, the DPA does not include an exception similar to NPP 6.1(e), meaning that the access right can be used to obtain information for the purpose of legal proceedings. Whether this is a result of the ‘high level’ of protection of the rights of the data subject required by the Data Protection Directive, or whether it is simply legislative oversight, is impossible to say. In any case, attempting to rectify what may be seen as a legislative shortcoming by applying a strained interpretation to an essential definition is likely to make for bad law, and should be resisted if the matter ever comes before an Australian court.

David Lindsay is a Senior Fellow at the Centre for Media and Communications Law, University of Melbourne. He is employed on an ARC funded project to study the regulation of online privacy.

Endnotes

[1]. European Commission Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, Official Journal L 281, 23/11/1995, P. 0031-0050.

[2]. For a good example see Eastweek Publisher Ltd v Privacy Commissioner for Personal Data [2000] HKCA 140 (28 March 2000).

[3]. See Judge Kevin O’Connor ‘The Federal Privacy Commissioner: Pursuing a Systemic Approach’ (2001) UNSWLJ 3.

[4]. 65 BVerfGE 1 (1983).
