By Bridget Treacy and Prini Patel

The Court of Appeal has provided potentially far-reaching and much-awaited clarification of the nature and scope of the obligation to respond to subject access requests under the Data Protection Act 1998 (the "Act"). In practical terms, the judgment is likely to reduce the burden, for data controllers, of the obligation to comply with subject access requests, particularly where the personal data sought is held in a manual filing system. More significantly, the decision could also restrict the ambit of the Act itself since the Court favoured a narrow interpretation of what amounts to "personal data".

MICHAEL JOHN DURANT V FINANCIAL SERVICES AUTHORITY 2003

Facts

Mr Durant sought further disclosure of information that the FSA had declined to provide following a subject access request made by him under section 7 of the Act. Mr Durant had previously been unsuccessful in proceedings against Barclays Bank. He had then sought disclosure from the FSA of documents he believed the FSA had obtained from Barclays in its supervisory role.

The FSA provided certain information to Mr Durant and the judgment notes that in respect of the information provided, the FSA went beyond their strict obligations under the Act. Mr Durant claimed that further personal data stored in manual files should have been disclosed to him.

"Personal Data"

As the subject access provisions of the Act (section 7) concern the disclosure of "personal data", Auld LJ began by considering the issue of what constitutes personal data, in the context of both computerised and manual files. Having determined that a purposive approach is appropriate to the interpretation of this legislation, Auld LJ explained that the purpose of the section 7 subject access rights is to enable an individual to check whether the processing of his/her personal data by a data controller unlawfully infringes his/her privacy. If it does, steps may then be taken to protect the personal data. The purpose of the section 7 subject access rights is not, however, to provide "an automatic key to any information, readily accessible or not, of matters in which he may be named or involved".

Applying this approach to the more readily accessible category of computerised records, Auld LJ concluded that not all information retrieved from a computer search against an individual’s name or unique identifier would necessarily amount to "personal data". In addition to the name itself, there needs to be some connection to the individual. Useful factors to consider are: (i) whether the information is "biographical in a significant sense", and (ii) whether the information has the relevant individual as its focus, rather than incidentally making reference to the individual. In other words, does the information affect that person’s privacy?

Applying this test to the FSA’s manual files, the Court of Appeal held that Mr Durant was not entitled to the information contained in them as it did not amount to his personal data. Rather, the relevant data related to Mr Durant’s complaint and the investigation of that complaint and these factors did not render the information his personal data. Auld LJ went as far as to state that Mr Durant’s claim was a misguided attempt to use subject access "as a proxy for third party discovery… seemingly unrestricted by considerations of relevance" to uncover information for further litigation.

This represents a restrictive view of what is disclosable pursuant to a subject access request and potentially also what personal data is covered by the other provisions of the Act. In the context of subject access, this approach will be welcomed by data controllers who are faced with the burdensome task of retrieving and analysing, within a short timeframe, large amounts of information, often at considerable expense.

It should also be noted that subject access requests are frequently made as a precursor to, or in the context of, litigation. However, unlike the disclosure process in litigation, there is no test of "relevance" to narrow the scope of a subject access request. One of the likely consequences of this decision is that potential litigants will receive (and can expect to receive) a much smaller volume of material than may have been the case previously.

"Relevant Filing System"

Although Auld LJ held that Mr Durant’s appeal failed (because the data he was seeking was not personal data), he nevertheless went on to consider whether the manual files that were the subject of this appeal would amount to a "relevant filing system" as defined in section 1(1) of the Act. Personal data is required to be disclosed following a subject access request if it is held by the data controller in a relevant filing system.

Auld LJ held that to constitute a relevant filing system, a manual filing system should be akin to a computerised system in terms of ready accessibility of the data. In this context he mentioned again the fact that the underlying intention of this legislation is to protect the privacy of personal data (not documents). Significantly, for data controllers, he also referred to the practicality of responding to a subject access request. Frequently this task will be undertaken by an administrator who has no knowledge of either the files or the data subject. If the administrator has to leaf through files to see whether they contain the personal data of a particular individual, the process is hardly the equivalent of a computerised search. Auld LJ commented too on the potential cost to the data controller of conducting such an exercise, which might well be disproportionate.

What then is the test of "relevant filing system"? The main elements are to consider whether (i) the files forming part of the system are structured or referenced in such a way that it is clear as soon as the search is started whether personal data is held within the system; and (ii) the system is structured so as to give a sufficiently sophisticated and detailed means of quickly identifying the file(s) in which such data can be found. This provides welcome guidance for data controllers, particularly given the emphasis that Auld LJ gave to the requirement that it should be apparent that specific personal data would be located in a particular set of manual files at the outset of any search. This would appear to exclude most manual files referenced in date order and where the indexing relates to a matter or event, rather than an individual.

Redaction Of Third Party Information

The Court also provided helpful guidance on balancing the interests of the individual seeking access and respecting the privacy of a third party who might be identified in the data sought. Here Auld LJ clarified that the balancing exercise only arises if the third party information forms part of the personal data of the individual making the request. In addition, there is a presumption that the third party data should not be disclosed without the third party’s consent, but this presumption may be rebutted when the data controller considers it reasonable to disclose without consent.

Auld LJ said that whether it is reasonable to disclose the third party data would depend on the circumstances of each case and that the Courts should be wary of devising any general principles in this regard.

Conclusion

This case has provided some much needed guidance on the lengths that a data controller is required to go to in responding to subject access requests. In particular, the narrow interpretation of "personal data" and "relevant filing system" will, it is to be hoped, go some way towards establishing a sense of proportionality in the way in which such requests are made and responded to. Furthermore, as the Act concerns the processing of "personal data", more generally, the decision will have wider implications for the application of the Act in other circumstances.

The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.