Law - Durant v Financial Services Authority [2003]
EWCA Civ 1746
- - - - - - - - - - - - - - - - - - - - -
Kirsten Houghton (instructed by Masons) for the Appellant
Philip Sales and David Mayhew (instructed by the Financial
Services Authority) for the Respondent
Hearing dates : 29th and 30th July 2003
- - - - - - - - - - - - - - - - - - - - -
JUDGMENT : APPROVED BY THE COURT FOR HANDING DOWN (SUBJECT
TO EDITORIAL CORRECTIONS)
Lord Justice Auld:
1. Mr. Michael John Durant, the claimant and appellant, seeks
disclosure of information that he claims to be personal data
relating to him held by the Financial Services Authority ("the
FSA") under section 7 of the Data Protection Act 1998
("the 1998 Act"). The FSA has provided him with
some information in response to his requests for it, but he
seeks further disclosure. The outcome of the appeal turns
in part on the proper interpretation of certain provisions
of the Act governing an individual’s right to disclosure
of his personal data held by others within the provisions
of the Act and in part on the propriety of the Judge’s
findings of fact in the light of that interpretation.
2. The appeal is brought with the permission of Ward LJ, from
a decision of His Honour Judge Zeidman, QC, at the Edmonton
County Court on 24th October 2002 dismissing Mr. Durant’s
appeal against the refusal by District Judge Rose, to order
the FSA to make the further disclosure sought. In granting
permission, Ward LJ directed the FSA to provide for our inspection
under section 15(2) of the Act copies of all the documents
or information that the FSA has declined to disclose to Mr.
Durant. The FSA has provided those copies to the Court. We
have also received as fresh evidence a (second) witness statement
of Mr. Daniel Davies, an associate in the Enforcement Division
of the FSA, about its filing system and various files and
documents to meet points raised for the first time in this
appeal.
The legislative scheme
3. The 1998 Act was enacted, in part, to give effect to Directive
95/46/EC of 24th October 1995 On The Protection Of Individuals
With Regard To The Processing Of Personal Data And On The
Free Movement Of Such Data ("the 1995 Directive").
It should, therefore, be interpreted, so far as possible in
the light of, and to give effect to, the Directive’s
provisions. In Campbell v. MGN [2002] EWCA Civ 1373, [2003]
QB 633, CA, Lord Phillips of Worth Matravers, MR, said at
para. 96:
"In interpreting the Act it is appropriate to look to
the Directive for assistance. The Act should, if possible,
be interpreted in a manner that is consistent with the Directive.
Furthermore, because the Act has, in large measure, adopted
the wording of the Directive, it is not appropriate to look
for the precision in the use of language that is usually to
be expected from the parliamentary draftsman. A purposive
approach to making sense of the provisions is called for."
4. The primary objective of the 1995 Directive is to protect
individuals’ fundamental rights, notably the right to
privacy and accuracy of their personal data held by others
("data controllers") in computerised form or similarly
organised manual filing systems (Recitals (1), (2), (3), (10)
and (25)), whilst at the same time facilitating the free movement
of such data between Member States of the European Union.
There is inevitably a tension between those two primary objectives
at an inter-state level, as Lord Hoffmann observed in R v.
Brown [1996] AC 543, HL, at 557A-C. That tension is not so
evident in the domestic setting for which the Act provides,
in particular, in the right of access to personal data. However,
the Act contains its own tension in the obligation that it
also imposes on data controllers to respect the right of privacy
of others whose names may figure in the personal data of an
individual seeking access to it.
5. The starting point in this legislative trail (see Recital
(11) to the 1995 Directive) is the Convention For The Protection
Of Individuals With Regard To Automatic Processing Of Personal
Data (1981) (Cmnd. 8341) ("the 1981 Convention"),
about which Lord Hoffmann was talking in Brown. As its title
indicates, it was concerned only with computerised data, and
the Data Protection Act 1984 ("the 1984 Act") to
which it gave rise was similarly confined. The 1995 Directive,
however, extended the scheme of protection to personal data
held in manual files if they were of a similar level of sophistication
to that provided by computerised records (Recital (15) Article
2(c)). Article 12, headed "Right of Access", provides:
"Member States shall guarantee every data subject the
right to obtain from the controller:
(a) without constraint at reasonable intervals and without
excessive delay or expense:
o confirmation as to whether or not data relating to him are
being processed and information at least as to the purposes
of the processing, the categories of data concerned, and the
recipients or categories of recipients to whom the data are
disclosed,
o communication to him in an intelligible form of the data
undergoing processing and of any available information as
to their source,
o knowledge of the logic involved in any automatic processing
of data concerning him at least in the case of … automated
decisions …
(b) as appropriate the rectification, erasure or blocking
of data the processing of which does not comply with the provisions
of this Directive, in particular because of the incomplete
or inaccurate nature of the data;
(c) notification to third parties to whom the data have been
disclosed of any rectification, erasure or blocking carried
out in compliance with (b), unless this proves impossible
or involves a disproportionate effort".
6. The purpose of the 1998 Act was to provide for the regulation
of the processing, including the obtaining, holding, use and
disclosure by "data controllers" of "personal
data" held or to be held electronically or, if held in
manual files, as part of "a relevant filing system",
all as defined in section 1(1) of the Act.
7. Section 7(4)-(6) of the 1998 Act provides an individual
with a right of access to "personal data", entitling
him to know whether a data controller is processing any of
his personal data and, if so, to be told what it is, its source,
why it is being processed and to whom the data are or may
be disclosed. He is not entitled to information about his
personal data which necessarily, that is, notwithstanding
possible redaction, involves disclosure of information relating
to another individual, either as a subject or the source of
the information, without that other’s consent or unless
it would be reasonable in all the circumstances for him to
have it without that consent.
8. The core of a data subject’s entitlement to access
to his personal data is to be found in sections 7(1) and 8(2),
which, so far as material and subject to other provisions
of section 7 to which I shall return, provide:
"(1) …an individual is entitled –
(a) to be informed by any data controller whether personal
data of which that individual is the data subject are being
processed by or on behalf of that data controller,
(b) if that is the case, to be given by the data controller
a description of -
(i) the personal data of which that individual is the data
subject,
(ii) the purposes for which they are being or are to be processed,
and
(iii) the recipients or classes of recipients to whom they
are or may be disclosed,
(c) to have communicated to him in an intelligible form –
(i) the information constituting any personal data of which
that individual is the data subject, and (ii) any information
available to the data controller as to the source of those
data, and
(d) where the processing by automatic means of personal data
of which that individual is the data subject for the purpose
of evaluating matters relating to him such as, for example,
his performance at work, his creditworthiness, his reliability
or his conduct, has constituted or is likely to constitute
the sole basis for any decision significantly affecting him,
to be informed by the data controller of the logic involved
in that decision-taking.".
"8(2) The obligation imposed by section 7(1)(c)(i) must
be complied with by supplying the data subject with a copy
of the information in permanent form unless-
(a) the supply of such a copy is not possible or would involve
disproportionate effort, or
(b) the data subject agrees otherwise;
and where any of the information referred to in section 7(1)(c)
(i) is expressed in terms which are not intelligible without
explanation the copy must be accompanied by an explanation
of those terms."
The facts
9. It will help to introduce the important issues of principle
to which this appeal gives rise by first giving a short account
of the factual context in which they arise. The FSA is the
single regulator for the financial services sector in the
United Kingdom, acting under powers currently conferred by
the Financial Services and Markets Act 2000 ("the 2000
Act"). It assumed responsibility for the supervision
of banks in June 1998. Until December 2001, when the 2000
Act was fully implemented, the FSA had exercised that supervision
under the Banking Act 1987 ("the 1987 Act"). In
the course of its regulatory work it received and receives
much information about companies, firms and individuals which,
by section 348 of the 2000 Act, it is obliged to treat as
confidential. However, section 27(5) of the 1998 Act overrides
that obligation in respect of requests for "personal
data" under section 7, which, as I have indicated, requires
all data controllers, including the FSA, to strike a balance
between, on the one hand, the effective operation of the Act
(and, in the case of the FSA, of the regulatory system) and,
on the other, the rights of privacy of individuals and third
parties.
10. The FSA is a registered data controller for the purpose
of the Act. The background of Mr. Durant’s claim against
it is that he had been a customer of Barclays Bank PLC ("Barclays
Bank"). There was litigation between them, which he lost
in 1993. Since then he has, without success, sought disclosure
of various records in connection with the dispute giving rise
to that litigation, records that he believes may assist him
to re-open his claims against it and/or to secure an investigation
of its conduct. In July or August 2000, he sought the assistance
of the FSA to obtain this disclosure. In addition, he wanted
to know what documents the FSA had obtained from Barclays
Bank in its supervisory role under the 1987 Act. The FSA investigated
his complaint against the Bank, closing the investigation
in March 2001, without informing Mr. Durant of its outcome,
pursuant to its obligation of confidentiality under sections
82 to 85 of the 1987 Act. In October 2000, Mr. Durant complained
about that refusal to the FSA’s Complaints Commissioner,
who, in November 2000, dismissed it.
11. In September and October 2001, Mr. Durant made two requests
to the FSA under section 7 of the Act, seeking disclosure
of personal data held by it, both electronically and in manual
files. In October 2001 the FSA provided Mr. Durant with copies
of documents relating to him that it held in computerised
form, disclosure that went beyond his entitlement under the
Act, which is to have communicated to him in an intelligible
form "information constituting any personal data"
of which he was the subject (section 7(1)(c)(i); see para.
8 above). Some of the documents were redacted so as not to
disclose the names of others. It later made further disclosure
of computerised material. However, the FSA refused the whole
of his request for information held on manual files on the
ground that the information sought was not "personal"
within the definition of "personal data" in section
1(1) of the 1998 Act, and that, even if it was, it did not
constitute "data" within the separate definition
of that word in section 1(1)(c) in the sense of forming part
of a "relevant filing system". The FSA has since
maintained that refusal, which encompasses four categories
of file.
12. Further details of the nature of each of those files have
been provided to us in the second witness statement of Mr.
Daniel Davies, to which I have referred. Those were early
days for the FSA, when it had only recently assumed responsibility
for the work of other regulatory bodies and their disparate
files, and it is plain from Mr. Davies’s evidence that,
in the case of manual files at least, some of its systems
were, in consequence, somewhat basic. I deal briefly with
each of the four categories of files to which Mr. Durant’s
requests for information relate.
13. The first was the Major Financial Groups Division systems
file ("the MFGD Systems file"). It was a file, in
two volumes, relating to the systems and controls that Barclays
Bank was required to maintain and which was subject to control
by the FSA. The file, which was arranged in date order, also
contained a few documents relating to part of Mr. Durant’s
complaint against the Bank, which concerned such systems and
controls.
14. The second category of file was "the MFGD Complaints
file" - relating to complaints by customers of Barclays
Bank about it to the FSA - the sub-dividers being ordered
alphabetically by reference to the complainant’s name,
containing behind a divider marked "Mr. Durant"
a number of documents relating to his complaint, filed in
date order.
15. The third category of file was the Bank Investigations
Group file ("the B.I.G file"), maintained by the
FSA’s Regulatory Enforcement Department, relating and
organised by reference to issues or cases concerning Barclays
Bank, but not necessarily identified by reference to an individual
complainant. It contained a sub-file marked "Mr. Durant",
containing documents relating to his complaint. Neither the
file nor the sub-file was indexed in any way save by reference
to the name of Mr. Durant on the sub-file itself.
16. The fourth category of file was the Company Secretariat
papers, a sheaf of papers in an unmarked transparent plastic
folder held by the FSA’s Company Secretariat, relating
to Mr. Durant’s complaint about the FSA’s refusal
to disclose to him details and the outcome of its investigation
of his complaints against Barclays Bank, not organised by
date or any other criterion.
17. The FSA has acknowledged in correspondence that each of
the files in question contains information in which Mr. Durant
features, that some of them identify him by reference to specific
dividers within the file and that they contain such documents
as: copies of telephone attendance notes, a report of forensic
examination of documents, transcripts of judgments, hand-written
notes, internal memoranda, correspondence with Barclays Bank,
correspondence with other individuals and correspondence between
the FSA and him.
18. As to the redaction by the FSA of the computerised documentation
provided to Mr. Durant, it redacted it in the main because
it did not consider that it contained personal data of which
he was the subject and, in the case of two documents only,
because it did not consider it reasonable to disclose the
name of another individual mentioned in them. The FSA refused
Mr. Durant’s request for sight of the redacted material.
19. On Mr. Durant’s appeal to Judge Zeidman against
the dismissal by District Judge Rose of his application under
section 7(9) of the 1998 Act for further disclosure, the Judge
considered the matter afresh. Pursuant to section 15(2) of
the Act, he inspected the unredacted versions of the computerised
documents and the four manual files the subject of the claim
for further disclosure. On 24th October 2002 the Judge ruled
that Mr. Durant, save as to one letter in redacted form, was
not entitled to the redacted information in the computerised
documents. It is not clear from his judgment whether he did
so on the basis that all the redacted material, which was
of references to third parties, was not his personal data
or because he considered it reflected a proper balance of
their respective interests under section 7(4) of the 1998
Act. He also held that Mr. Durant was not entitled to any
information from the four manual files since they were not
part of "a relevant filing system" as defined in
section 1(1) of the Act and, therefore, did not contain data,
personal or otherwise, to which he was entitled under section
7. On 20th March 2003 Ward LJ granted Mr. Durant permission
to appeal.
The issues
20. The appeal raises four important issues of law concerning
the right of access to personal data provided by sections
7 and 8 of the 1998 Act:
1) The personal data issue – What makes "data",
whether held in computerised or manual files, "personal"
within the meaning of the term "personal data" in
section 1(1) of the 1998 Act so as to entitle a person identified
by it to its disclosure under section 7(1) of the Act –
more particularly in this context, to what, if any, extent,
is information relating to the FSA’s investigation of
Mr. Durant’s complaint about Barclays Bank within
that definition?
2) The relevant filing system issue – What is meant
by a "relevant filing system" in the definition
of "data" in section 1(1) of the 1998 Act, so as
to render personal information recorded in a manual filing
system "personal data" disclosable to its subject
under section 7(1) – more particularly here, was the
FSA’s manual filing such a system so as to require it
to disclose to Mr. Durant from those files information that
would, if it were in computerised form, constitute "personal
data" within section 1(1)?
3) The redaction issue – Upon what basis should a data
controller, when responding to a person’s request for
disclosure of his personal data under section 7(1), consider
it "reasonable in all the circumstances", within
the meaning of that term in section 7(4)(b), to comply with
the request even though the personal data includes information
about another and that other has not consented to such disclosure?
4) The discretion issue – By what principles should
a court be guided in exercising its discretion under section
7(9) of the Act to order a data controller who has wrongly
refused a request for information under section 7(1), to comply
with the request?
"personal data"
21. The first question for a data controller when considering
a person’s request for information under section 7 of
the 1998 Act is whether the information sought is capable
of being that person’s "personal data" within
the definition of that term in section 1(1), regardless of
whether it is held in computerised or manual form. If and
to the extent that it is not, it is not disclosable under
section 7(1) and the other issues in the appeal fall away.
This issue in its simplest form in the context of this case
is whether information – any information - relating
to the investigation by the FSA of Mr. Durant’s complaint
about Barclays Bank is his "personal data" for this
purpose, an issue in its own right to which neither the parties
nor the Judge gave much attention below.
22. The starting point is again the 1981 Convention, Article
2.a of which defined "personal data" quite shortly
as "any information relating to an identified or identifiable
individual (‘data subject’)". An Explanatory
Report on the Convention issued by the Council of Europe in
1981, in para. 29, stated that the notion of "data subject"
in that definition expressed "the idea that a person
has a subjective right with regard to information about himself,
even where this is gathered by others". That notion was
reflected and developed in the 1995 Directive, Article 2(a)
of which defines "personal data" as
"… any information relating to an identified or
identifiable natural person (‘data subject’);
an identifiable person is one who can be identified, directly
or indirectly, in particular by reference to an identification
number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity;"
23. Section 1(1) of the 1998 Act, in its turn, further developed
the notion, albeit in an inclusive form. It states:
"‘personal data’ means data which relate
to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the
possession of, or is likely to come into the possession of,
the data controller,
and includes any expression of opinion about the individual
and any indication of the intentions of the data controller
or any other person in respect of the individual;"
The submissions
24. There is no issue as to the identification of Mr. Durant
for the purposes of paragraphs (a) and (b) in the definition
in section 1(1) and of the criterion for entitlement to access
in section 7(1)(b)(i), "the personal data of which that
individual is the data subject" (see para. 8 above).
The question is the meaning of the words "relate to"
in the opening words of the definition, in particular to what
extent, if any, the information should have the data subject
as its focus, or main focus. Miss Houghton, on behalf of Mr.
Durant, pitched Mr. Durant’s entitlement to information
under section 7 in very broad terms, relying on what she described
as the extremely wide and inclusive definition of "personal
data" in section 1(1). She suggested that it covered
any information retrieved as a result of a search under his
name, anything on file which had his name on it or from which
he could be identified or from which it was possible to discern
a connection with him. On that basis, she submitted that Mr.
Durant’s letters of complaint to the FSA and the documentation
they generated were his personal data because he was the source
of the material. She said that, here, the information in the
manual files of which she sought disclosure (and that redacted
in the computerised files) was likely to refer to the FSA’s
conduct in responding to his complaint and that it was difficult
to see how information retrievable as a result of a search
under his name would not fall within the definition. She sought
further support for that proposition in the absence of any
statutory exclusion of or distinction based on business or
official data. In response to any possible "floodgates"
argument that might be advanced against the breadth of disclosure
and the burden on data controllers to which her construction
might lead, she drew attention to Part IV of the 1998 Act
which, in implementation of Article 13 of the Directive (see
para. 54 below), contains a wide range of exemptions from
the obligation on data controllers to comply with, among other
things, requests for personal data under section 7.
25. Mr. Sales disagreed. He said that whilst the key words
in the definition, "relate to", considered on their
own, are capable of a range of interpretations, they could
not sensibly have the broad interpretation for which Miss
Houghton contended. He referred to two meanings given to the
words "relate to" in the Shorter Oxford English
Dictionary: the first, being "have reference to, concern",
implying, in this context, a more or less direct connection
with an individual; and the second, much broader meaning,
"have some connection with, be connected to". He
submitted that the former, narrower meaning is to be preferred,
relying on the definition of personal data in the 1981 Convention
and the 1995 Directive and on Lord Hoffmann’s dictum
in relation to the 1984 Act in Brown, at 557E, that personal
data was "data concerning a living individual".
He relied also on the express inclusion in the definition
in section 1(1) of "any expression of opinion about the
individual and any indication of the intentions of the data
controller or any other person in respect of" him, namely
that, absent those words, the information would not "relate
to" the data subject. He made similar points by reference
to section 7, namely that section 7(1)(c) distinguishes between
the data and its source; and section 7(1)(d) distinguishes
the purposes for which and how information relating to an individual
is used from his personal data (see paragraph 8 above). Under
Miss Houghton’s broad construction of the definition,
such express provisions would, he said, have been unnecessary.
Conclusions
26. The intention of the Directive, faithfully reproduced
in the Act, is to enable an individual to obtain from a data
controller’s filing system, whether computerised or
manual, his personal data, that is, information about himself.
It is not an entitlement to be provided with original or copy
documents as such, but, as section 7(1)(c)(i) and 8(2) provide,
with information constituting personal data in intelligible
and permanent form. This may be in documentary form prepared
for the purpose and/or where it is convenient in the form
of copies of original documents redacted if necessary to remove
matters that do not constitute personal data (and/or to protect
the interests of other individuals under section 7(4) and
(5) of the Act).
27. In conformity with the 1981 Convention and the Directive,
the purpose of section 7, in entitling an individual to have
access to information in the form of his "personal data"
is to enable him to check whether the data controller’s
processing of it unlawfully infringes his privacy and, if
so, to take such steps as the Act provides, for example in
sections 10 to 14, to protect it. It is not an automatic key
to any information, readily accessible or not, of matters
in which he may be named or involved. Nor is it to assist him,
for example, to obtain discovery of documents that may assist
him in litigation or complaints against third parties. As
a matter of practicality and given the focus of the Act on
ready accessibility of the information - whether from a computerised
or comparably sophisticated non-computerised system - it is
likely in most cases that only information that names or directly
refers to him will qualify. In this respect, a narrow interpretation
of "personal data" goes hand in hand with a narrow
meaning of "a relevant filing system", and for the
same reasons (see paragraphs 46-51 below). But ready accessibility,
though important, is not the starting point.
28. It follows from what I have said that not all information
retrieved from a computer search against an individual’s
name or unique identifier is personal data within the Act.
Mere mention of the data subject in a document held by a data
controller does not necessarily amount to his personal data.
Whether it does so in any particular instance depends on where
it falls in a continuum of relevance or proximity to the data
subject as distinct, say, from transactions or matters in
which he may have been involved to a greater or lesser degree.
It seems to me that there are two notions that may be of assistance.
The first is whether the information is biographical in a
significant sense, that is, going beyond the recording of
the putative data subject’s involvement in a matter
or an event that has no personal connotations, a life event
in respect of which his privacy could not be said to be compromised.
The second is one of focus. The information should have the
putative data subject as its focus rather than some other
person with whom he may have been involved or some transaction
or event in which he may have figured or have had an interest,
for example, as in this case, an investigation into some other
person’s or body’s conduct that he may have instigated.
In short, it is information that affects his privacy, whether
in his personal or family life, business or professional capacity.
A recent example is that considered by the European Court
in Criminal Proceedings against Lindquist, Case C-101/01 (6th
November 2003), in which the Court held, at para. 27, that
"personal data" covered the name of a person or
identification of him by some other means, for instance by
giving his telephone number or information regarding his working
conditions or hobbies.
29. This narrow meaning of personal data derives, not only
from its provenance and form of reproduction in section 1(1),
but also from the way in which it is applied in section 7.
That section, picking up the definition of "data subject"
in section 1(1), sets out the basic entitlement of an individual
to access to personal data "of which …[he] is the
data subject". I agree with Mr. Sales that the inclusion
in section 1(1) of expressions of opinion and indications
of intention in respect of him supports an otherwise narrow
construction. If the term had the broader construction for
which Miss Houghton contended, such provision would have been
otiose. A similar pointer to the focus of attention being
on the data subject rather than on someone else with whom
for some reason he is involved or had contact is in the special
provision for "sensitive personal data" in section
2 of, and Schedules 1, para. 1(b) and 3 to, the 1998 Act,
giving effect in large part to Articles 6 to 8 of the Directive.
30. Looking at the facts of this case, I do not consider that
the information of which Mr. Durant seeks further disclosure
- whether about his complaint to the FSA about the conduct
of Barclays Bank or about the FSA’s own conduct in investigating
that complaint – is "personal data" within
the meaning of the Act. Just because the FSA’s investigation
of the matter emanated from a complaint by him does not, it
seems to me, render information obtained or generated by that
investigation, without more, his personal data. For the same
reason, either on the issue as to whether a document contains
"personal data" or as to whether it is part of a
"relevant filing system", the mere fact that a document
is retrievable by reference to his name does not entitle him
to a copy of it under the Act. The letter of 17th January
2001 from the FSA to the Bank, referred to by the Judge at
page 11C-D of his judgment, is an example. It cannot have
been the intention of Parliament that, subject to it being
part of a relevant filing system within section 1(1), any
document held by the FSA generated by and/or arising out of
the FSA’s investigation of such a complaint should itself
be disclosable under section 7. As the FSA acknowledges, in
its provision of documents in response to Mr. Durant’s
first request, which was to enable him to compare documents
held by the FSA with documents disclosed to him by the Bank,
it provided more than the Act required of it.
31. In short, Mr. Durant does not get to first base in his
claim against the FSA because most of the further information
he sought, whether in computerised form or in manual files,
is not his "personal data" within the definition
in section 1(1). It is information about his complaints and
the objects of them, Barclays Bank and the FSA respectively.
His claim is a misguided attempt to use the machinery of the
Act as a proxy for third party discovery with a view to litigation
or further investigation, an exercise, moreover, seemingly
unrestricted by considerations of relevance. It follows that
much of Mr. Durant’s complaint about redaction of other
individuals’ names and details falls away, regardless
of the outcome of the correct application of the provisions
of section 7(4) – (6) for protection of the confidentiality
of other individuals (see paragraphs 52-68 below).
"relevant filing system"
32. The issue concerns the right of access by an individual
to his personal data held in manual files and the interpretation
of the words "a relevant filing system" in the definition
of "data" in section 1(1) of the Act, since there
is only a right of access to personal data in manual files
that is "structured" in a certain manner. I should
set out first the provisions of the Directive and of the Act
giving effect to them – there is no material difference
between the two. The relevant provisions of the Directive
are Article 2 (2)(c) and Recitals (15) and (27). Article 2
(c) provides that, for the purposes of the Directive,
"‘personal data filing system’ (‘filing system’)
shall mean any structured set of personal data which are accessible
according to specific criteria, whether centralised, decentralised
or dispersed on a functional or geographical basis;"
And Recitals 15 and 27 read:
"(15) Whereas the processing of such data is covered
by this Directive only if it is automated or if the data processed
are contained or are intended to be contained in a filing
system structured according to specific criteria relating
to individuals, so as to permit easy access to the personal
data in question;"
"(27) Whereas the protection of individuals must apply
as much to automatic processing of data as to manual processing;
whereas the scope of this protection must not in effect depend
on the techniques used, otherwise this would create a serious
risk of circumvention; whereas nonetheless, as regards manual
processing, this Directive covers only filing systems, not
unstructured files; whereas, in particular, the content of
a filing system must be structured according to specific criteria
relating to individuals allowing easy access to the personal
data; whereas, in line with the definition in Article 2(c),
the different criteria for determining the constituents
of a structured set of personal data, and different criteria
governing access to such a set, may be laid down by each Member
State; whereas files or sets of files as well as their cover
pages, which are not structured according to specific criteria,
shall under no circumstances fall within the scope of the
Directive."
33. The 1998 Act, in its definitions of "data" and
"relevant filing system" in section 1(1), picks
up the Directive’s theme that information held on manual
files is only capable of being "data", and hence
"personal data", if it forms part of a system so
structured by reference to specific information about an individual
as to make that information readily accessible. Section 1(1)
defines data broadly by reference to whether it is or is intended
to be in computerised form or in manual files. It provides,
so far as material:
"(1) In this Act, unless the context otherwise requires
-
‘data’ means information which -
(a) is being processed by means of equipment operating automatically
in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed
by means of such equipment,
(c) is recorded as part of a relevant filing system or with
the intention that it should form part of a relevant filing
system, …;"
"‘relevant filing system’ means any set of information
relating to individuals to the extent that, although the information
is not processed by means of equipment operating automatically
in response to instructions given for that purpose, the set
is structured, either by reference to individuals or by reference
to criteria relating to individuals, in such a way that specific
information relating to a particular individual is readily
accessible."
34. It is clear from those provisions that the intention is
to provide, as near as possible, the same standard or sophistication
of accessibility to personal data in manual filing systems
as to computerised records. The Judge began his analysis of
the issue on that note, observing that, although he was then
concerned only with information held by the FSA on manual,
not computerised, files, most of the provisions in the Act
concerned computerised data. He said that the draftsman’s
recourse to the notion of a "relevant filing system"
for non-computerised data contemplated an arrangement of paper
data in a form similar to that which a computer would use
to process the same information. He rightly began by breaking
down the definition in section 1(1) of the term "relevant
filing system" into three constituents in order to see
whether the material in issue in the case fell within it,
namely whether: 1) the material was a set of information relating
to an individual; 2) the material was structured either by
reference to individuals or by reference to criteria relating
to individuals; and 3) it was structured in such a way that
specific information relating to a particular individual was
readily accessible. He then said, at 8F-9A:
"The strict requirements of the definition can be understood
if one remembers the context into which this rule is placed.
Most of the provisions in this Act deal with computer information
but if one is able to arrange material in a non-computer form
but in a form which apes the processing of a computer then
the information is likely to be caught by the definition.
The Act says that the fact that the information is not processed
by means of equipment operating automatically in response
to instructions given for that purpose will not prevent the
material coming within the definition of a relevant filing
system if it is structured in the way anticipated by the statute,
so I need to concentrate on the structure. …."
35. The Judge considered the four manual files in question
maintained by the FSA, each of which he had inspected. He
concluded that none of them contained "data" as
defined in section 1(1), because none of them, for various
reasons, constituted "a relevant filing system".
As to the MFGD Systems file, he held, at 9C-F, that it was
not structured by reference to individuals or to criteria
relating to individuals. As to the MFGD Complaints file, he
held that it was not structured in such a way that specific
information relating to a particular individual was readily
accessible. He said, at 9G-10C:
"It does contain documents relating to the appellant’s
complaint about the bank under a divider marked ‘Mr.
Durant’ and it follows that the information concerning
Mr. Durant could be obtained. However, I must remind myself
that this is not the statutory criteria. It is not a question
of whether the information could be obtained or even whether
the information could be obtained easily. The question that
I must pose is whether it is structured in such a way that
specific information relating to a particular individual is
readily accessible. It contains a variety of different documents
stored by date order. There is no more detailed structuring
than that. The documents are not organised in such a way that
would enable one to isolate particular aspects of the information,
save that it is all under the name Durant. It is in the file
just by date order. It follows again that this does not in
my judgment satisfy the requirement of structuring anticipated
by the statutory provision."
As to the BIG file, the Judge said, at 10D-F:
"… it relates to issues or cases concerning the
bank, although a section of the file does contain documents
relating to Mr. Durant. It is organised in sections with reference
to the issues or cases themselves but those issues or cases
are not necessarily identified by reference to an individual.
I accept the submission of Mr. Mayhew that to the extent the
file or any section of it is structured with reference to
individuals it is not so structured that specific information
relating to a particular individual is readily accessible
and this includes the section identified by reference to Mr.
Durant."
And, as to the Secretariat Documents – the sheaf of papers
relating to Mr. Durant’s complaint about the FSA’s
dealings with him, the Judge said, at 10G-11B:
"The file comprises a variety of documents that relate
to Mr. Durant’s complaint. They are not organised by
date or any other criterion and again it seems to me that
no specific information is readily accessible by virtue of
that fact."
The submissions
36. Miss Houghton urged a broad construction of the meaning
of the Directive and the Act on the meaning of a filing system
for this purpose. She made two related complaints about the
Judge’s reasoning – related in the sense of maintaining
that he gave too sophisticated a meaning to the term "relevant
filing system". First, she submitted that he applied
too restrictive a test by merely considering the Act and the
respective structures of the files. She said that he should
also have considered the matter in the light of the Directive,
in particular Article 2 (c) when read with Recital (27). Second,
she maintained that, in any event, the Judge mistook the meaning
of the word "set" in the phrase "set of information"
in the Act’s definition. She submitted that "set"
in this context meant, not an individual file and its structure
or lack of it, but the whole filing system of which it was
part. It was enough, she argued, to show the existence of
a filing system in which particular types of documents may
be found, for example in an individual file identified by
reference simply to the data subject’s name.
37. As to the first of those criticisms, Miss Houghton submitted
that Recital (27) makes it plain that the Directive is concerned
to prevent a data controller from relying on his techniques
for control of filing of manual records to defeat otherwise
unobjectionable requests from individuals for access to their
personal data. She contrasted the requirement in Recital (27)
and Article 2(c) for "filing systems" to be so structured
as to allow such individuals easy access to their personal
data according to specific criteria, with the various constituents
of a system governing access to the data, which are expressly
left by Recital (27) for decision by individual member states.
The latter, submitted Miss Houghton, indicates a broader construction
of the words "relevant filing system" in section
1(1) of the Act than the Judge gave them.
38. Miss Houghton took as an example the Judge’s reasoning
for rejecting the last three categories of file as "relevant
filing systems", namely that the structure of the files
did not, for want of sufficient cross-referencing, enable
the data controller readily to identify certain "low
level detail", for example, Mr. Durant’s age or
address. She said that such reasoning offended the stricture
in Recital (27) against allowing the scope of the protection
provided by the Directive to be circumvented by the use of
filing techniques and that a manual system cannot be expected
to have the same level of sophistication as a computerised
system. She said that the Judge’s approach would require
cross-referencing of manual files to a level of sophistication
close to that of full-text search facility on a computer,
an outcome that the definition in the Act of "a relevant
filing system" could not sensibly require. She submitted
that, on the contrary, those three sets of files satisfied
the three constituents of the definition in that they contained
material relating to an individual which was structured by
reference to individuals or criteria relating to them and
in such a way that specific information was readily accessible
by turning to the divider bearing an individual’s name
and looking at the documents behind it. Such a construction,
she submitted, is consistent with both the Directive and the
Act, whereas the more restrictive one of the Judge would damage
their underlying purpose of ready accessibility to personal
data, applicable to manual as well as computerised files.
39. As to Miss Houghton’s second criticism, she submitted
that he wrongly took each individual file instead of the FSA’s
overall filing system as the data "set" referred
to in the definitions in Article 2(c) and section 1(1). She
maintained that in the context of a body like the FSA, a single
file cannot be a "filing system"; it must be the
collection of all its files or all the files within a specific
department, for example, BIG or MFGD. On that basis, she submitted
that individual files forming part of a wider filing system
amounting to a "set of information" for this purpose
may contain data forming part of a relevant filing system
even though the files are not internally indexed or cross-referenced,
provided that there is some overall system, whether formal
or informal, enabling relatively simple access to personal
data. Her practical point was that, although the FSA had disclosed
and described material files, it had given no account of its
"high level" filing structures, that is, the manner
in which it stored or organised the files or, say by a system
of indexing or cross-referencing or action-log, how it recorded
their location and contents in order to provide ready access
to specific matters as necessary for its staff. She suggested,
by reference to certain documents disclosed by the FSA, that
it does indeed maintain systems of this sort in the form of
computerised logs of correspondence and documents in various
forms, some of which appear to relate to manual files. She
referred, for example, to: a computer extract identifying Mr.
Durant’s complaint as "case no. 007"; references
in a report to documents identified by a reference number
attaching uniquely to him; a list of card index search results
indicating the location of documents referring to him; and
two computerised correspondence logs identifying and locating
files containing correspondence relating to him, all or some
of which the FSA may not have disclosed.
40. Miss Houghton observed that, if those examples are typical
of the FSA’s filing system or systems, while each file,
looked at on its own, may appear to be unstructured, the contents
of it are carefully indexed elsewhere and are thus readily
accessible. She submitted that if the same applies to the
four categories of documents that the FSA has refused to disclose,
the subject of this appeal, any personal data within them
relating to Mr. Durant forms part of "a relevant filing
system" for the purpose of the Act and should be disclosed.
She invited the Court not to do as the Judge did, focus on
the individual files, but on the overall filing systems of
which they were part.
41. As I have indicated, the FSA has responded evidentially
to this new argument with a witness statement from Mr. Davies,
describing in some detail its filing systems of which the
manual files in question form part. In substance, he shows
that the general filing system did not contain indexing mechanisms
that would enable location of particular documents within
individual files or any indexing mechanism enabling ascertainment
of specific information about an individual, other than by
physically examining an individual file and reading through
it.
42. Mr. Philip Sales urged a narrow interpretation of the
definition in the Act of a "relevant filing system".
He submitted that the definition is consistent with the approach
of the Directive in that it has as its central focus, the
right of access to computerised records, which, by their very
nature, are readily accessible and retrievable. He said that
the Act’s extension of its provisions to manual records
in the formula in the definition "although the information
is not processed by means of equipment operating automatically
in response to instructions given for that purpose",
indicates that it does so only to the extent that such records
are broadly comparable with computerised records in terms
of ease of access to and retrievability of data in them. It
follows, he argued, that the Act, in its application to manual
records, applies only to data in highly structured individual
files as well as overall filing systems.
43. This assimilation of "relevant" manual "filing
systems" with the sophisticated operation of computerised
files expresses, as Mr. Sales illustrated, the declared intention
of the Government during the passage of the Bill giving rise
to the Act (HL Debs, vols 585, col 438, 2nd February 1998
and vol 587, col 467, 16th March 1998). He submitted that
it is also consistent with the Directive in its primary focus
on computerised data (see Recitals (3)-(9) and (11)), with
its definition in Article 2(c) of a "personal data filing
system", and with Recitals (15) and (27) in confining
the ambit of the Directive to filing systems "structured
according to specific criteria relating to individuals".
He added that the narrow application of the Directive –
and of the Act – for which he contended was also of
a piece with the general EC law principle of proportionality
with which all EC secondary legislation must comply; see e.g.
R (British American Tobacco Investments) v. Secretary of State
for Health, ECJ judgment of 10th December 2002. He said that
the Community legislature would have had that principle well
in mind when drafting the Directive, namely the importance
of not imposing disproportionate burdens on data controllers.
In short, he submitted that the Directive supports a restrictive
interpretation of the meaning in the Act of "a relevant
filing system".
44. Finally, on this issue, Mr. Sales submitted that Mr. Davies’
evidence makes plain that none of the FSA’s manual filing
systems at the time, whether at "high" or "low"
level, constituted a "relevant filing system" as
defined in section 1(1) of the Act and that, therefore, they
did not contain any "data" disclosable by it under
the Act, personal or otherwise.
Conclusions
45. The parliamentary intention to which Mr. Sales referred,
is, in my view, a clear recognition of two matters: first,
that the protection given by the legislation is for the privacy
of personal data, not documents, the latter mostly retrievable
by a far cruder searching mechanism than the former; and second,
of the practical reality of the task that the Act imposes
on all data controllers of searching for specific and readily
accessible information about individuals. The responsibility
for such searches, depending on the nature and size of the
data controller’s organisation, will often fall on administrative
officers who may have no particular knowledge of or familiarity
with a set of files or of the data subject to whose request
for information they are attempting to respond. As Mr. Sales
pointed out, if the statutory scheme is to have any sensible
and practical effect, it can only be in the context of filing
systems that enable identification of relevant information
with a minimum of time and costs, through clear referencing
mechanisms within any filing system potentially containing
personal data the subject of a request for information. Anything
less, which, for example, requires the searcher to leaf through
files to see what and whether information qualifying as personal
data of the person who has made the request is to be found
there, would bear no resemblance to a computerised search.
And, as Mr. Sales also pointed out, it could, in its length
and other costs, have a disproportionate effect on the property
rights of data controllers under Article 1 of the First Protocol
to the ECHR, who are only allowed a limited time, 40 days,
under section 7(8) and (10) of the Act to respond to requests,
and are entitled to only a nominal fee in respect of doing
so.
46. As to the 1998 Act, to constitute a "relevant filing
system" a manual filing system must: 1) relate to individuals;
2) be a "set" or part of a "set" of information;
3) be structured by reference to individuals or criteria relating
to individuals; and 4) be structured in such a way that specific
information relating to a particular individual is readily
accessible. That seems to me entirely consistent with the
Directive, in particular in the latter’s emphatic emphasis
in Article 2(c) and Recital (27) on a file so structured by
reference to "specific criteria" about individuals
as to provide "easy access" to "the personal
data in question". When considered alongside the narrow
meaning of personal data in this context and when read with
Recital (15) indicating that the required "easy"
access to such data must be on a par with that provided by
a computerised system, the need for a restrictive interpretation
of the definition "relevant filing system" is plain.
It is not enough that a filing system leads a searcher to
a file containing documents mentioning the data subject. To
qualify under the Directive and the Act, it requires, as Mr.
Sales put it, a file to which that search leads to be so structured
and/or indexed as to enable easy location within it or any
sub-files of specific information about the data subject that
he has requested.
47. As both parties acknowledge, the Directive is an important
aid to construction of the Act. Its primary focus, as that
of the Act, is on computerised data (see Articles 3-9 in the
context of its ready facilitation of the free movement of
personal data, and 11 in its concern for the right to privacy).
And it is only to the extent that manual filing systems are
broadly equivalent to computerised systems in ready accessibility
to relevant information capable of constituting "personal"
data that they are within the system of data protection. Recital
(11) deserves particular mention as to the primary focus of
the Directive on computerised systems, in its statement of
the Directive’s intention to "give substance to
and amplify" rights set out in the 1981 Convention, which,
as I have said, gave rise in this country to the 1984 Act,
creating obligations only in relation to computerised data,
though permitting Contracting States to extend it to manual
data. Returning – and more specifically – to the
Directive, the definition in section 1(1) of the Act of "a
relevant filing system" accords with the Directive in
its equally restrictive definition in Article 2(c) of "a
personal data filing system" as a "structured set
of personal data which are accessible according to specific
criteria …", and also with Recitals (15) and (27),
which emphasise that it is intended to cover only files "structured
according to specific criteria relating to individuals".
48. It is plain from the constituents of the definition considered
individually and together, and from the preface in it to them,
"although the information is not processed by means of
equipment operating automatically in response to instructions
given for that purpose", that Parliament intended to
apply the Act to manual records only if they are of sufficient
sophistication to provide the same or similar ready accessibility
as a computerised filing system. That requires a filing system
so referenced or indexed that it enables the data controller’s
employee responsible to identify at the outset of his search
with reasonable certainty and speed the file or files in which
the specific data relating to the person requesting the information
is located and to locate the relevant information about him
within the file or files, without having to make a manual
search of them. To leave it to the searcher to leaf through
files, possibly at great length and cost, and fruitlessly,
to see whether it or they contain information relating to
the person requesting information and whether that information
is data within the Act bears, as Mr. Sales said, no resemblance
to a computerised search. It cannot have been intended by
Parliament - and a filing system necessitating it cannot be
"a relevant filing system" within the Act. The statutory
scheme for the provision of information by a data controller
can only operate with proportionality and as a matter of common-sense
where those who are required to respond to requests for information
have a filing system that enables them to identify in advance
of searching individual files whether or not it is "a
relevant filing system" for the purpose.
49. Before leaving this issue, I should mention that Jay and
Hamilton, in a helpful, practical analysis of these provisions
in their Data Protection – Law and Practice, 1999, have
reached much the same conclusion. They say that there is some
ambiguity in both the Directive and the Act as to the definition
of a filing system for this purpose, and that whether a particular
file or files will amount to such a system is necessarily
fact sensitive. However, they conclude, at pp. 22-23, that
the weight of authority, including the provenance of this
aspect of the Directive in the German Federal Data Protection
Act and the Government’s declared intention and treatment
of the matter during the passage of the 1998 Bill through
the House of Lords, leans towards a restrictive interpretation
of the ambiguity:
"… files or systems which do not have any clear
systematic internal indexing mechanism should not fall under
the definition. So a file with a name on the front arranged
in date order may not fall within the term, whereas a file
with a name on but arranged in sections to cover health, education,
earnings or family connections is more likely to be; the more
readily accessible the particular information, the clearer
it is that it will be covered. …the nature of the file,
for example whether it is a personnel file or a customer file,
is completely irrelevant."
50. Accordingly, I conclude, as Mr. Sales submitted, that
"a relevant filing system" for the purpose of the
Act, is limited to a system:
1) in which the files forming part of it are structured or
referenced in such a way as clearly to indicate at the outset
of the search whether specific information capable of amounting
to personal data of an individual requesting it under section
7 is held within the system and, if so, in which file or files
it is held; and
2) which has, as part of its own structure or referencing
mechanism, a sufficiently sophisticated and detailed means
of readily indicating whether and where in an individual file
or files specific criteria or information about the applicant
can be readily located.
51. Returning to Mr. Durant’s requests for further documents
from the files in question, it is plain that the FSA’s
filing systems at the time did not satisfy those requirements
or either of them. As to the first, which approximates to
what Miss Houghton has called "high level filing structures",
it is plain from the evidence of Mr. Davies, that the FSA’s
filing system did not qualify. As I have said, in summarising
that evidence, it did not contain indexing mechanisms enabling
location of particular documents or, more importantly, of
personal data, that is, specific information about Mr. Durant,
in a file or files other than by a physical search of the
file or files. As to the second, Miss Houghton’s "low
level filing structures", it is plain from the description
that I have given of the individual files that they did not
qualify either. I say that without regard to the fact that
Mr. Durant’s requests for information are highly unspecific,
sometimes simply for disclosure of documents or categories
of document. But to the extent that he might be entitled to
specific information, if forming part of "a relevant
filing system", none of the files in question is so structured
or indexed as to provide ready access to it, as the Judge
in his helpfully succinct judgment, given after examination
of the files, demonstrated. An ability of staff readily to
identify and locate whole files, even those organised chronologically
and/or by reference to his and others’ names, is not
enough.
Redaction
52. This issue arose only in relation to computerised documents
that the FSA provided to Mr. Durant; as I have said, it provided
him with no documents from its manual files. There were two
categories of redactions: 1) those - nearly all - that the
FSA considered did not constitute his personal data; and 2)
those – in the case of two documents only – where
it considered it unreasonable to disclose the names of another
individual.
53. Miss Houghton had two main complaints about the FSA’s
redactions. One was as to redaction of information, the nature
of which Mr. Durant is unaware, in correspondence about his
complaint to the FSA about Barclays Bank. The other was of
the redaction of names of other individuals. As to the latter,
she said that the pattern of redaction in the documents disclosed
by the FSA suggested a "blanket" decision by it
to redact all other individuals’ names rather than to
consider whether, in accordance with section 7(4)(b) of the
Act, in each case whether it was "reasonable in all the
circumstances" to disclose the identity of the other
individual without obtaining his consent. The Judge did not
deal, other than inferentially, with this issue of reasonableness,
possibly because it was not raised before him in the same
detail as Miss Houghton has argued it on this appeal. The
Judge dealt with the whole issue of redaction quite shortly
at pages 7D-F and 11E-F:
"Having inspected the material I am entirely satisfied
first of all that the information that was held on computer
and which has been disclosed, subject to redaction, has been
the subject of proper… [disclosure], although I will
at a later stage come back to deal with one document, the
letter of 27th October 2000. The redacted copies exclude references
to third parties, I have seen that by comparing the original
with copies, and therefore in respect of those documents I
find that the respondents have complied with their duty. In
many respects that represents the easiest part of the case
because most of the argument has concerned those records which
are not held on computer and the issue is whether they come
within section 1(1)(c) of the Act. ….
I deal finally with the letter from the FSA to Barclays Bank
of 27th October 2000. This document, it seems to me, does
come within the definition … Read realistically, it
seems to me that this does contain personal data concerning
an individual who can be identified and therefore subject
to redaction it should be disclosed and I do in respect of
that single document make an order under section 7(9) that
in its redacted form it should be served on the appellant."
54. I have already mentioned, but only briefly, the protection
given by section 7 of the 1998 Act to other individuals when
a data subject seeks access under that provision to his personal
data, for example where such data may identify another individual
as the source of the information. In such a case both the
data subject and the source of the information about him may
have their own and contradictory interests to protect. The
data subject may have a legitimate interest in learning what
has been said about him and by whom in order to enable him
to correct any inaccurate information given or opinions expressed.
The other may have a justifiable interest in preserving the
confidential basis upon which he supplied the information
or expressed the opinion. Sections 7(4)-(6) and 8(7) - prompted
by the European Court’s decision in Gaskin v. United
Kingdom [1990] 1 FLR 167, ECtHR, at para. 49 - provide a machinery
for balancing their respective interests, and do so compatibly
with Articles 12 and 13.1(g) of the Directive, which, as Mr.
Sales observed, mirrors the balance provided by Article 8.2
to 8.1 ECHR. Article 12, to which section 7 of the 1998 Act
is intended to give effect, provides a right of access for
every data subject to his personal data, which it describes
as a "guarantee". And Article 13 permits member
states to adopt legislative measures to restrict such right
when necessary to safeguard various specified interests, including,
in paragraph 1(g), the protection of the rights and freedoms
of others. The protection that the 1998 Act gives to other
individuals is similarly qualified, reflecting, in this respect,
the principle of proportionality in play between the interest
of the data subject to access to his personal data and that
of the other individual to protection of his privacy. Sections
7(4) to (6) and 8(7) provide:
"7(4) Where a data controller cannot comply with the
request [i.e. for information under section 7(1)] without
disclosing information relating to another individual who
can be identified from that information, he is not obliged
to comply with the request unless –
(a) the other individual has consented to the disclosure of
the information to the person making the request, or
(b) it is reasonable in all the circumstances to comply with
the request without the consent of the other individual, or
(c) the information is contained in a health record and the
other individual is a health professional who has compiled
or contributed to the health record or has been involved in
the care of the data subject in his capacity as a health professional
[added by the Data Protection (Subject Access Modification)
(Health) Order 2000, SI 2000/413].
(5) In subsection (4) the reference to information relating
to another individual includes a reference to information
identifying that individual as the source of the information
sought by the request; and that subsection is not to be construed
as excusing a data controller from communicating so much of
the information sought by the request as can be communicated
without disclosing the identity of the other individual concerned,
whether by the omission of names or other identifying particulars
or otherwise.
(6) In determining for the purposes of subsection (4)(b) whether
it is reasonable in all the circumstances to comply with the
request without the consent of the other individual concerned,
regard shall be had, in particular, to –
(a) any duty of confidentiality owed to the other individual,
(b) any steps taken by the data controller with a view to
seeking the consent of the other individual,
(c) whether the other individual is capable of giving consent,
and
(d) any express refusal of consent by the other individual."
"8(7) For the purposes of section 7(4) and (5) another
individual can be identified from the information being disclosed
if he can be identified from that information, or from that
and any other information which, in the reasonable belief
of the data controller, is likely to be in, or to come into,
the possession of the data subject making the request."
55. There are two basic points to make about the scheme of
sections 7(4)-(6), and 8(7), for balancing the interests of
the data subject seeking access to his personal data and those
of another individual who may be identified in such data.
The first is that the balancing exercise only arises if the
information relating to the other person forms part of the
"personal data" of the data subject, as defined
in section 1(1) of the Act. The second is that the provisions
appear to create a presumption or starting point that the
information relating to that other, including his identity,
should not be disclosed without his consent. The presumption
may, however, be rebutted if the data controller considers
that it is reasonable "in all the circumstances",
including those in section 7(6), to disclose it without such
consent.
56. It is important to note that the question for a data controller
posed by section 7(4)(b) is whether it is reasonable to comply
with the request for information notwithstanding that it may
disclose information about another, not whether it is reasonable
to refuse to comply. The distinction may be of importance,
depending on who is challenging the data controller’s
decision, to the meaning of "reasonable" in this
context and to the court’s role in examining it. The
circumstances going to the reasonableness of such a decision,
as I have just noted, include, but are not confined to, those
set out in section 7(6), and none of them is determinative.
It is important to note that section 7(4) leaves the data
controller with a choice whether to seek consent; it does
not oblige him to do so before deciding whether to disclose
the personal data sought or, by redaction, to disclose only
part of it. However, whether he has sought such consent and,
if he has done so, it has been refused, are among the circumstances
mentioned in the non-exhaustive list in section 7(6) going
to the reasonableness of any decision under section 7(4)(b)
to disclose, without consent. Thus far, the broad effect of
the scheme is not in dispute, but I shall have to return to
the test of reasonableness in section 7(4) and (6) after considering
the respective submissions of Miss Houghton and Mr. Sales.
57. In the course of preparing for the appeal, the FSA reconsidered
the redactions it had made in the computerised documents provided
to Mr. Durant, and in a few cases it concluded that the names
of other individuals redacted should, after all, be disclosed
to him. It did so because, in those particular instances,
the redacted names were part of information constituting his
personal data and because it considered it reasonable to disclose
the names after balancing their interests with those of Mr.
Durant, as required by section 7(4) and (6). But the FSA continues
to maintain its entitlement to redact names in other documents
because the information of which they formed part did not
constitute his "personal data" within the definition
of that term in section 1(1), or in two instances, because,
although they may have formed part of his "personal data",
it considered that it was not reasonable to disclose the name
after conducting the balancing exercise under section 7(4)-(6).
In those two instances the FSA had sought the consent of the
one individual concerned, an FSA employee, who expressly refused
to give it on account of Mr. Durant’s abusive manner
to him or her in a telephone conversation. So, the FSA conducted
the balancing exercise in respect of the only two documents
that required it.
The submissions
58. Miss Houghton made two main submissions about the test
of reasonableness in section 7(4)(b). The first, which she
took from the clear requirement in section 7(4), was that
a data controller, who has been refused consent or has not
attempted to obtain it, is still obliged to consider, before
complying with a request for personal data, whether, in all
the circumstances, it is reasonable to do so. In so expressing
the requirement, Miss Houghton turned to the use of the word
"guarantee" in Article 12 of the Directive, in describing
the right of a data subject’s right of access to his
personal data. She maintained that it required a court of
first instance dealing with an application under section 7(9)
and any appellate court to decide the matter of reasonableness
for itself. She sought support for this proposition in the
following ruling of the European Court in The Gaskin Case,
at para. 49 (on a provision of United Kingdom law which made
access dependent on the consent of the contributor and contained
no such balancing of interests requirement as is now provided
in section 7(4)(b)), a ruling which, she maintained "outlawed"
in this context even the Daly (R (Daly) v. SSHD [2000] 2 AC
532, HL) "anxious scrutiny":
"…. The Court considers … that under such
a system the interests of the individual seeking access to
records relating to his private and family life must be secured
when a contributor to the records either is not available
or improperly refuses consent. Such a system is only in conformity
with the principle of proportionality if it provides that
an independent authority finally decides whether access has
to be granted in cases where a contributor fails to answer
or withholds consent. No such procedure was available to the
applicant in the present case."
59. Mr. Sales acknowledged the many shades of meaning the
word "reasonable" can bear depending on its context.
Given the essentially public law nature of the statutory remedy
provided by section 7(9) for the protection of an individual’s
right to privacy of his personal data and the need to avoid
imposing a disproportionate burden on data controllers, he
submitted that this is a matter in which it is not for a court
to substitute its own view for that of a data controller.
He suggested that the appropriate analogue for the requirement
of reasonableness in this context is the Article 8 ECHR requirement
of necessity/proportionality. On such an approach, the court’s
task on an application under section 7(9) would be one of
review of the data controller’s decision, but a more
intensive Daly - "anxious scrutiny" - type of review
than the traditional Wednesbury test. Even if the section
7(9) decision were not strictly one of review, but were to
be regarded as a primary decision, the test in such a statutory
challenge of a non-judicial decision-taker would be much the
same, see SSHD v. Rehman [2003] 1 AC 153, per Lord Slynn at
paras 22 and 26, Lord Steyn at para. 31 and Lord Hoffmann
at paras. 49, 50 and 57.
Conclusions
60. As to Miss Houghton’s first submission, on the nature
of the court’s function on an application for access
to personal data under section 7(9), and of this Court on
an appeal from a refusal of such application, I consider that
Mr. Sales’ approach is to be preferred. Parliament cannot
have intended that courts in applications under section 7(9)
should be able routinely to "second-guess" decisions
of data controllers, who may be employees of bodies large
or small, public or private or be self-employed. To so interpret
the legislation would encourage litigation and appellate challenge
by way of full rehearing on the merits and, in that manner,
impose disproportionate burdens on them and their employers
in their discharge of their many responsibilities under the
Act. The Directive (see, in particular, Recitals (1) and (10))
and the Act were intended to give effect to the requirements
of Article 8 ECHR. And the provision in Article 13 of the
Directive for exemptions and restrictions, including that
in paragraph 1(g), reflected in section 7(4) of the Act, for
the rights of third parties, to the right of access to personal
data provided by Article 12 and section 7(1), are of a piece
with the similar structure of Article 8.1 and 8.2 ECHR. Miss
Houghton’s reliance on Gaskin to suggest that the Directive
provides a right overriding that of third parties in this
context equivalent to a "guarantee", not only ignores
the domestic law under consideration in that case, but, on
the European Court’s own jurisprudence, puts too hard
an edge on the use of that word in Article 12 setting out
a data subject’s right of access. It is plain from Article
13 that member states may pay regard to, among other matters,
proportionality in adopting exemptions from and restrictions
on the right. As the Court said about the Directive in Lindqvist,
at para. 83
"83. … its provisions are necessarily relatively
general since it has to be applied to a large number of very
different situations. …the Directive quite properly
includes rules with a degree of flexibility and, in many instances,
leaves to the Member States the task of deciding the details
or choosing between options." (see also para. 88 in relation
to sanctions)
Under both international legal codes, it is for the Member
State to justify, subject to a margin of national discretion,
any provisions enabling refusal of disclosure in terms of
necessity and proportionality, and similarly, data controllers
should have those notions in mind when considering under section
7(4)-(6) whether to refuse access on that account. So also
should courts on application by way of review of any such decision
under section 7(9). But it does not follow that the courts
should assume, if and when such a question reaches them, the
role of primary decision-maker on the merits.
61. It follows, as Mr. Sales submitted, that the right to
privacy and other legitimate interests of individuals identified
in or identifiable from a data subject’s personal data
are highly relevant to, but not determinative of, the issue
of reasonableness of a decision whether to disclose personal
data containing information about someone else where that
person’s consent has not been sought. The data controller
and, if necessary, a court on an application under section
7(9), should also be entitled to ask what, if any, legitimate
interest the data subject has in disclosure of the identity
of another individual named in or identifiable from personal
data to which he is otherwise entitled, subject to the discretion
of the court under section 7(9). The Court of Appeal, in its
turn, should have firmly in its mind its duty of "anxious
scrutiny" in such matters, but should not be expected
to conduct an exercise of detailed or other inspection of
documents under section 15(2) of the 1998 Act unless the Judge’s
reasoning or lack of it on the issue and the factual issues
raised on the appeal demand it. Given: 1) the failure of the
bulk of Mr. Durant’s claim because of his misconception
of what he is entitled to by way of personal data, a misconception
inherent in the nature of his requests for the redacted information;
and 2), the plain evidence before the Judge and us as to the
manual files in question, negating the existence of a "relevant
filing system", we have not felt it necessary to inspect
in any detail the documentation put before us.
62. Miss Houghton’s second submission was that data
controllers should consider this question of reasonableness
of disclosure on a case by case basis, by which I think she
meant on a document by document or third party individual
by individual basis (see, e.g., R (Lord) v. SSHD [2003] EWHC
2073 (Admin), per Munby J, at paras. 143-151). She maintained,
initially at any rate, that there was no evidence that the
FSA had done that in this case. There appear to be two categories
of other individuals in respect of which Mr. Durant sought
unredacted copies of the documents. The first consists of
information about those whose identities he already knows.
Miss Houghton submitted that there could be no good reason
for such redaction and that he should have been provided with
unredacted copies of the documents. The second category consists
of those whom Mr. Durant believes to be employees of the FSA,
but with whom he has had no contact. Miss Houghton submitted
that there was no good reason to remove their names from the
disclosed documents; public servants carrying out their ordinary
functions should not be given anonymity as of right; their
names should be disclosed unless there are special reasons
for non-disclosure. However, as I have said, such information,
essentially as to the identities of persons in the FSA with
whom Mr. Durant may have had contact or who have in some way
dealt with his complaint, cannot, in the circumstances, amount
to his personal data. And, in any event, it is plain from
the evidence now before us in the form of Mr. Davies’
second witness statement that there is no factual basis –
quite the contrary – for Miss Houghton’s submission
that the FSA did not consider the question of redaction on
a document by document basis.
63. Despite the now narrow factual basis for the complaint
as to redaction, it may be helpful for me to comment briefly
on the respective arguments of principle advanced by Miss
Houghton and Mr. Sales on the issue of reasonableness of disclosure
of personal data under section 7(4)(b).
64. It is important for data controllers to keep in mind the
two stage thought process that section 7(4) contemplates and
for which section 7(4)-(6) provides.
65. The first is to consider whether information about any
other individual is necessarily part of the personal data
that the data subject has requested. I stress the word "necessarily"
for the same reason that I stress the word "cannot"
in the opening words of section 7(4), "Where a data controller
cannot comply with the request without disclosing information
about another individual who can be identified from the information".
If such information about another is not necessarily part
of personal data sought, no question of section 7(4) balancing
arises at all. The data controller, whose primary obligation
is to provide information, not documents, can, if he chooses
to provide that information in the form of a copy document,
simply redact such third party information because it is not
a necessary part of the data subject’s personal data.
66. The second stage, that of the section 7(4) balance, only
arises where the data controller considers that the third
party information necessarily forms part of the personal data
sought. In that event, it is tempting to adopt Mr. Sales’s
submission that, where the status of an individual is obvious
and his or her identity is immaterial or of little legitimate
value to the data subject, it would normally be reasonable
to withhold information identifying that person in the absence
of his consent. However, it is difficult to think in the abstract
of information identifying another person and any other information
about him which would be so bound up with the data subject
as to qualify as his personal data, yet be immaterial or of
little legitimate value to him. Much will depend, on the one
hand, on the criticality of the third party information forming
part of the data subject’s personal data to the legitimate
protection of his privacy, and, on the other, to the existence
or otherwise of any obligation of confidence to the third
party or any other sensitivity of the third party disclosure
sought. Where the third party is a recipient or one of a class
of recipients who might act on the data to the data subject’s
disadvantage (section 7(1)(b)(iii)), his right to protect
his privacy may weigh heavily and obligations of confidence
to the third party(ies) may be non-existent or of less weight.
Equally, where the third party is the source of the information,
the data subject may have a strong case for his identification
if he needs to take action to correct some damaging inaccuracy,
though here countervailing considerations of an obligation
of confidentiality to the source or some other sensitivity
may have to be weighed in the balance. It should be remembered
that the task of the court in this context is likely to be
much the same as that under section 7(9) in the exercise of
its general discretion whether to order a data controller
to comply with the data subject’s request (see para.
74 below). In short, it all depends on the circumstances whether
it would be reasonable to disclose to a data subject the name
of another person figuring in his personal data, whether that
person is a source, or a recipient or likely recipient of
that information, or has a part in the matter the subject
of the personal data. Beyond the basic presumption or starting
point to which I referred in paragraph 55 above, I believe
that the courts should be wary of attempting to devise any
principles of general application one way or the other.
67. However, as I have indicated, on the facts of the case,
the redaction issue is barely worth all the attention given
to it in the arguments. It is clear from the Judge’s
examination of the documents and the evidence to this Court
of Mr. Davies that all the redactions, save arguably two,
do not constitute "personal data" for the reasons
I have given, and the Act does not, therefore, entitle Mr.
Durant to that information. As to those two redactions, they
were of the name of an FSA employee which, in itself, can
have been of little or no legitimate value to Mr. Durant and
who had understandably withheld his or her consent because
Mr. Durant had abused him or her over the telephone.
The discretion issue
68. The fourth issue, which if I am right in my conclusions
on the first three issues, is no longer live, is the scope
of a court’s discretion under section 7(9) of the Act
to order a data controller to comply with a request for information
under the section. Section 7(9) provides:
"If a court is satisfied on the application of any person
who has made a request under the foregoing provisions of this
section that the data controller in question has failed to
comply with the request in contravention of those provisions,
the court may order him to comply with the request."
[my emphasis]
69. The Judge, whilst holding that Mr. Durant was not entitled,
as a matter of construction of the Act, to the information
he had sought, added that, even if the FSA had not complied
with its duty under section 7, he would not, in the exercise
of the discretion given to him by section 7(9), have ordered
disclosure. He set out three reasons for that, at pages 12G-13C:
"First, I cannot see that the information could be of
any practical value to the appellant. Secondly, the purpose
of the legislation … is to ensure that records of an
inaccurate nature are not kept about an individual. A citizen
needs to know what the record says in order to have an opportunity
of remedying an error or false information. In this case the
appellant seeks disclosure not to correct an error but to
fuel a separate collateral argument that he has either with
Barclays Bank or with the FSA, litigation which is in any
event doomed to failure. [Thirdly,] I am entirely satisfied
on the facts of the case that the FSA have acted at all times
in good faith, and indeed there has been no suggestion to
the contrary from the appellant; his argument is with Barclays
Bank, not with the FSA."
The submissions
70. Miss Houghton submitted that at least two of the reasons
would have been illegitimate reasons for declining to exercise
his discretion against ordering compliance with Mr. Durant’s
request. She maintained that the purpose for which Mr. Durant
wanted the information was no more relevant to the exercise
of this discretion than to the primary question of his entitlement
to the information. And she maintained that the Judge gave
undue weight to the other matters, particularly the proposition
that the primary purpose of the Act was to enable people to
check the accuracy of their personal data, since Article 1
of the Directive gave primacy to protection of privacy.
71. The basis for Miss Houghton’s submissions was the
argument on which she has relied in part on the redaction
issue, namely that the Directive created a guarantee of entitlement
to access to personal data, a guarantee that could not, save
as provided by the Directive, be watered down by the Act.
She maintained that, as a result, the scope for a court to
exercise its discretion against requiring compliance when
a person had otherwise justified his request under section
7 was limited. She relied on Articles 12 and 22 of the Directive.
As I have said, Article 12 requires Member States to "guarantee"
every data subject the right to obtain the relevant data from
the data controller; and, although Article 13 enables a Member
State legislatively to restrict the obligations and rights
provided for in, among other Articles, Article 12, Article
22 requires each Member State to provide a judicial remedy
for any breach of rights guaranteed by its national law. Thus,
she submitted, section 7 as a whole, and section 7(9) in particular,
should be construed so to circumscribe the discretion of a
court to give effect to that guarantee.
72. Miss Houghton contended that the only practical discretion
derived from the word "may" in section 7(9) was
to give effect to the partial exemption provided by Article
13 to "restrict" the obligation to disclose to certain
specified circumstances, namely when such a restriction constituted
"a necessary measure to safeguard" various national
and public interests and "the protection of the data
subject or of the rights and freedoms of others". She
gave instances of the United Kingdom’s exercise of that
power of restriction in a number of "subject access modification
orders". However, she maintained that such power to restrict
does not extend to interpreting section 7(9) of the Act as
empowering a court, by way of an exercise of discretion, to
override the guarantee for which the Directive provides. She
swept together all these arguments by inviting the Court’s
attention to the response to them of Ward LJ in granting permission
for this appeal:
"… this Act is on the statute book, in order to
comply with a directive from the European Union. It is well
known, therefore, that the court should be construing the
directive rather than the words of the statute, for the statute
has to give way to the directive. Consequently, since the
directive requires member states to guarantee the data subject
the right to obtain relevant data from the data controller,
she submits – and I see the force of the argument –
that the judge’s error was to circumscribe his discretion.
The discretion might arguably be better expressed to be to
allow disclosure unless good reason is shown why it should
not be disclosed. Moreover, there was more than one purpose
to this Act, as the schedule to the Act makes plain."
73. Mr. Sales agreed that the Act must be interpreted and
applied so as to conform with the Directive, but said that
there may be circumstances in which a court might in the exercise
of its discretion decline disclosure on grounds compatible
with one or other of those specified in Article 13. However,
he did not seek to rely on such an argument in the circumstances
of this case, if the FSA lost on any of the primary issues.
Conclusions, so far as they go
74. If I am correct in my conclusions on the primary issues,
the question of exercise of discretion under section 7(9)
whether or not to order compliance with Mr. Durant’s
requests does not call for answer. I say only that I agree
with the recent observations of Munby J in Lord, at para.
160, that the discretion conferred by that provision is general
and untrammelled, a view supported, I consider, by the observations
of the European Court in Lindqvist, at paras. 83 and 88, to
which I have referred (see para. 61 above). I add, as a corollary
to my comment in paragraph 66 on the subject of reasonableness
of disclosure of information about a third party under section
7(4)(b), that it might be difficult for a court to conclude
under that provision that it was reasonable to comply with
a data subject’s request so as to disclose such information,
yet exercise its discretion under section 7(9) against ordering
compliance with that aspect of the data subject’s request.
On the facts of this case, I need only say that, for the reasons
given by the Judge, I can see no basis for disagreeing with
his putative decision.
75. Accordingly, for the reasons I have given, I would dismiss
the appeal.
Lord Justice Mummery:
76. I agree.
Lord Justice Buxton:
77. I respectfully agree with everything that has fallen from
my Lord. I add only a very few words of my own, limited to
the concept of "personal data". I do so because
that is the most important issue in the appeal, determinative
of most of the complaints made by Mr. Durant, as it is likely
to be determinative of most questions arising under the 1998
Act. I do so also because, despite its centrality, the issue
did not receive the attention earlier in the case that it
should have done; and, in particular, I am confident that
had the issue been explored before him in the terms in which
it was eventually attended to before us the single Lord Justice
would have been most unlikely to have granted permission for
this appeal to be pursued.
78. By section 1 of the 1998 Act, personal data is [processed
or recorded] information that (i) relates to a living individual
who (ii) can be identified from those data either taken alone
or in conjunction with other information. Much of the argument
on behalf of Mr. Durant went straight to limb (ii), without
considering the implications of limb (i). Plainly, Mr. Durant
could be identified "from", or perhaps more accurately
in conjunction with, the information sought by him that is
summarised by my Lord in his para. 24; the reason for hesitation
being only that in some cases it is Mr. Durant’s identity
that leads to the information, rather than the information
leading to Mr. Durant. Equally plainly, however, the requirement
that the information should "relate to" Mr. Durant
imposes a limitation on that otherwise very wide claim.
79. The guiding principle is that the Act, following Directive
95/46, gives rights to data subjects in order to protect their
privacy. That is made plain in recitals (2), (7) and (11)
to the Directive, and in particular by recital (10), which
tells us that:
"the object of the national laws on the processing of
personal data is to protect fundamental rights and freedoms,
notably the right to privacy, which is recognised both in
Article 8 of the European Convention for the Protection of
Human Rights and Fundamental Freedoms and in the general principle
of Community law"
The notions suggested by my Lord in his para. 28 will, with
respect, provide a clear guide in borderline cases. A recent
example of such personal data is information about the occupation,
hobbies and in one case medical condition of named, and therefore
identifiable, individuals, such as the Court of Justice addressed
in Case C-101/01, Lindqvist, 6 November 2003.
80. But the information sought by Mr. Durant was by no stretch
of the imagination a borderline case. On the ordinary meaning
of the expression, relating to him, Mr. Durant’s letters
of complaint to the FSA, and the FSA’s investigation
of that complaint, did not relate to Mr. Durant, but to his
complaint. The 1998 Act would only be engaged if, in the course
of investigating the complaint, the FSA expressed an opinion
about Mr. Durant personally, as opposed to an opinion about
his complaint; a contingency for which, nonetheless, the draftsman
of the Act thought it necessary to make specific provision.
And on the purposive construction of the expression, as investigated
in para. 78 above, access to that material could not possibly
be necessary for or even relevant to any protection by Mr.
Durant of his privacy. The excessive nature of his demands
is perhaps best illustrated by the claim mentioned by my Lord
in his para. 62, that Mr. Durant should be told the identity
of all those at the FSA who had handled his complaint. In
the formal FSA complaints process in which Mr. Durant engaged
before bringing the present proceedings (see para. 10 above)
that information may or may not have been relevant, though
there is no indication that Mr. Durant or those who may have
been advising him then sought it. It has nothing whatsoever
to do with Mr. Durant’s privacy, and proceedings under
the 1998 Act cannot be used now, or at all, to extract it.
81. In short, these proceedings were misconceived. In future,
those contemplating such proceedings and those advising them
must carefully scrutinise the guidance given in my Lord’s
judgment before going any further. That process should prevent
the wholly unjustifiable burden and expense that has been
imposed on the data controller in this case.