Data Protection: New Interpretation of the Data Protection Act

A restrictive interpretation of the Data Protection Act 1998 ("the Act") will limit subject access requests1. Businesses may welcome the Court of Appeal's judgment from Durant v FSA [2003], as it might make their obligations under the Act easier to fulfill.

The case of Michael John Durant v Financial Services Authority [2003] EWCA Civ 1746 - Court of Appeal focuses on the right of an individual to access his or her personal data held by an organisation. After a dispute with his bank, which involved the bank successfully applying an exemption which denied him the right of access to his data, Mr Durant complained to the Financial Services Authority ("FSA").

Although the FSA investigated his complaint, it did not reveal detailed information about its investigation to Mr Durant. The FSA made available documents in computerised format but refused him access to manual files, claiming that the information sought was neither "personal" nor part of a "relevant filing system". Mr Durant appealed.

The Court of Appeal held that:-

The purpose of the subject access provision is "...to enable [an individual] to check whether the data controller's processing... unlawfully infringes his privacy and, if so, to take such steps as the Act provides (i.e. blocking or rectification)... It is not an automatic key to any information, readily accessible or not of matters in which he may be named or involved."

Records that make reference to an individual are not necessarily "personal data";

The records must be relevant or proximate to the individual (i.e. significantly biographical or of which the individual was the focus of attention). In deciding on a case-by-case basis whether information falls within the Act, two factors are relevant:

"...Whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject's involvement in a matter or event that has no personal connotations... ...information should have the the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction event...In short, it is information that affects his privacy, whether in his personal or family life, business of professional capacity";

It is not sufficient that the records just relate to something in which the individual was involved;

The records must contain "information that affects [the individual's] privacy, whether in his personal or family life, business or professional capacity" - "It is likely in most cases that only information that names or directly refers to [a data subject] will qualify and "not all information retrieved from a computer search against an individual's name or unique identifier is personal data within the Act";

The definition of "relevant filing system" in relation to manual filing systems (i.e. paper-based) are those which are clearly structured, in a manner akin to computerised records, and within which the data must be readily accessible for reasons of practicality, easily identifying the fact that it contains personal data relating to the individual;

There must be clear warning to litigants that the Act: "...is not an automatic key to any information, readily accessible or not, of matters of matters in which he may be named or involved. Nor is to assist him...to obtain discovery of documents that may assist him in litigation or complaints against third parties."

The Court ruled that Mr Durant should not be given the documents requested as, "mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data".

Mr Durant is awaiting permission to challenge the Court of Appeal's ruling in the House of Lords.

Request by data subjects or individuals for the data that a company holds in relation to the individuals

If you require further information contact us.

Email: enquiries@rtcoopers.com