FREEDOM OF INFORMATION
www.pdpjournals.com
What’s in a
name?
A comment
on Edem
S
ection 40 of the Freedom of
Information Act 2000 (‘FOIA’)
is one of the most-used, and
most-feared, exemptions in the
legislation. The difficulty of the personal
data exemption is that it reads across
and directs the user to the provisions
of the Data Protection Act 1998 (‘DPA’).
This has considerable sense: the DPA is
intended to be the one-stop shop for all
legal questions relating to personal data.
It also has a considerable disadvantage,
namely that the DPA is one of the most
complicated and obtusely drafted pieces
of legislation in regular use. It is filled
with concepts that have been the subject
of very little detailed higher court consideration. Indeed, much of the practical
understanding of how to use the DPA
has come through the case law interpreting and applying section 40 FOIA.
Personal data
Christopher Knight,
Barrister at 11KBW,
comments on the practical
implications of the
recent decision in
Edem v Information
Commissioner and
the Financial Services
Authority
The starting point for those wishing to
use section 40, and using the DPA, is
‘personal data’. That is what the DPA
and section 40 is designed to protect.
It is the raison d’etre of the DPA and
Directive 95/46/EC (the Data Protection
Directive) that the DPA implements.
Yet there continues to be litigation
about what personal data actually
means.
‘Personal data’ is statutorily defined in
section 1(1) DPA as: ‘data which relate
to a living individual who can be identified (a) from those data, or (b) from
those data and other information which
is in the possession of, or is likely to
come into the possession of, the data
controller, and includes any expression
of opinion about the individual and any
indication of the intentions of the data
controller or any other person in respect
of the individual’.
There are two key aspects of the definition in section 1(1): relation and identification. Despite the apparent wording of
the definition, the possibility of identification may be by any other person to
whom the information is disclosed,
which under FOIA would be disclosure
‘to the world’. This was clarified in
Department of Health v Information
Commissioner [2011] EWHC 1430;
[2011] 2 Info LR 27 and in Information
Commissioner v Magherafelt District
Council [2012] UKUT 263 (AAC); [2013]
1 Info LR 175. The Information
Commissioner
V OLU ME 1 0, ISSU E 5
recommends applying a test of reasonable likelihood as to whether or not disclosure will lead to identification.
For a long time, the only real guidance
that users of the DPA and FOIA had
as to whether information ‘related to’
an individual so that it was personal
data was the judgment of Auld LJ in
Durant v Financial Services Authority
[2003] EWCA Civ 1746; [2011] 1 Info LR
1. In seeking to provide some sort of
workable approach to the potentially
broad definition, Auld LJ adopted two
notions which rapidly become
touchstones:
 is the information in question bio-
graphical in a significant sense; and
 is the individual among the focuses
of that information.
Overall, asked Auld LJ, does the
information have a bearing on that
individual’s privacy?
Starved of much else to consider, many
began to fall into the habit of routinely
applying the two notions of significantly
biographical or individual focus. The
more general overall question Auld LJ
asked often tended to be overlooked,
as users understandably sought to
apply what appeared to be authoritative
tests to scenarios which were often
quite difficult to resolve.
Edem v Information
Commissioner & Financial
Services Authority
[2014] EWCA Civ 92
The utility of Durant fell in issue in
Edem. Mr Edem’s complaint to the
First-Tier Tribunal (‘FTT’) concerned
the decision of the-then FSA to withhold
the disclosure of the names of three
junior FSA officials who had worked on
Mr Edem’s complaint, but had not corresponded with him. The FSA considered
section 40(2) applied to those names.
Both the Upper Tribunal and the Court
of Appeal were readily satisfied that
the names, taken with the documents
emanating from the FSA showing what
capacity they worked in, meant that the
individuals were identifiable. Moses LJ
stressed that ‘identifiability’ was not the
same as being able to contact or trace
(Continued on page 12)
www.pdpjournals.com
(Continued from page 11)
FREEDOM OF INFORMATION
not obviously about the individual
or clearly linked to them. The
appeal was dismissed.
that person. The issue for the Court
of Appeal was whether the Upper
Tribunal had been right to hold that
the names were ‘personal data’.
Comment
The Court of Appeal was obviously
slightly surprised that it was having
to consider the point at all. It noted
that the Court of Justice had twice
held that names were personal data
under the Directive (Case C-101/01,
Criminal Proceedings against Lindqvist [2003] ECR I-12971; Case
C-28/08, Commission v Bavarian
Lager [2010] ECR I-6055).
The Court of Appeal’s decision is
a welcome application of common
sense. It would be bizarre if a
name was not that person’s personal
data. Even if it was necessary to ask
whether it was of biographical significance, it is difficult to imagine what is
less biographically significant about
someone as a method of identification than their name.
The issue arose because the FTT
had applied Auld LJ’s two notions
and come to the conclusion that
the name of an individual who
worked in the FSA was neither significantly biographical, nor of individual
focus. It had held that it might be true
in some cases that such information
would be personal data — for example, if the name was of someone
holding an animal testing licence
—but not in the more generalised
situation.
What the Edem decision most
helpfully does is to remind those
who have to apply section 40 FOIA
— and deal with subject access
requests (‘SARs’) under the DPA
— is that the starting point should
be common sense. Although Moses
LJ did not actually say so, the judgment of Auld LJ did not purport to
do anything different. The focus
on his two notions of relation always
overshadowed his overall question
which he then posed: does the
information have a bearing on that
individual’s privacy? In short, there
are some aspects of personal data
which are so obvious that one simply
does not need any further questions.
Moses LJ, on behalf of a unanimous
Court of Appeal, held that this was
wrong. The FTT had absolutely no
need to apply Durant, and in doing
so had reached a conclusion which
was contrary to the DPA, the
Directive and the Court of Justice’s
case law. The information ‘was
plainly concerned with those three
individuals’.
The Court went on to helpfully
explain what had been happening
in Durant. In that case, Auld LJ’s
approach had been designed to
explain why the information and
documents in which Mr Durant’s
name appeared were not personal
data relating to him. A person’s
name is inherently the personal
data of that person, unless,
suggested Moses LJ, the name is
so common that without further information a person would remain unidentifiable, despite its disclosure.
Moses LJ then went on to approve
the Information Commissioner’s Data
Protection Technical Guidance, in
which it is suggested that it is only
necessary to consider biographical
significance of information if it is
It is where the information is more
difficult that Durant remains helpful.
Information which does not so obviously relate to any particular individual can still be usefully analysed by
reference to biographical significance
and individual focus. The point
of Edem is that Durant was never
intended to be the starting point,
and should not be used as such.
But it is equally important not to see
Edem as the end point. There have
been worried-sounding comments
about how Edem has broadened
the scope of personal data. This
is clearly not correct: a name has
always been personal data (see
Lindqvist, for example). What it
is necessary to avoid is an overcorrection whereby every email
which includes the requestor’s name
is now treated as their own personal
data (either to cite section 40(1) or
for the purposes of a SAR). Where,
for example, a SAR is made, it is
correct that every email into which
V OLU ME 1 0, ISSU E 5
that individual was copied will fall
within the scope, but only in the
sense that the name itself will fall
within the scope of the SAR. It does
not mean that the content of the
email is also within scope. Whether
the content falls within scope is much
more likely to be something which
should be addressed by reference
to Durant. This may mean that an
SAR response should mention that
the requestor was a party to x
number of other emails which do
not otherwise contain his personal
data, and that versions of those
emails with all but the requestor’s
email address redacted will not be
supplied. It is difficult to see how the
Information Commissioner could take
issue with that.
It should also be mentioned that,
prior to the judgment in Edem, the
High Court handed down judgment
in Kelway v The Upper Tribunal,
Northumbria Police and the Information Commissioner [2013] EWHC
2575 (Admin). The judgment in that
case is so labyrinthine (over 250 paragraphs), and apparently reached
without any oral argument by any
party, that it is difficult to draw much
of significant utility from it.
Aside from the fact that Kelway too
reached the view that Durant was
but one test, and that it considered
it helpful to look at the approach of
the EU Article 29 Data Protection
Working Party in their 2007 ‘Opinion
on the Concept of Personal Data’,
it is generally recommended that
the busy user consult the Information
Commissioner’s Technical Guidance
instead.
The practical implications of appellate judgments always take some
time to work through, but Edem
provides a clear and workable
approach which happily accords
with both common sense and the
language of the DPA. It also enables
us to be sure that were Juliet to
now utter her question – from Act
II, Scene 2 – ‘What’s in a name?’,
the answer should now surely
come wafting from below that
Verona balcony: ‘Personal data’.
Christopher Knight
11KBW
christopher.knight@11kbw.com