Legislation
Case Law
Durant v Financial Services
Authority
[2003] EWCA Civ 1746 (8 Dec 2003)
Information Commissioner
New guidance: Durant v Financial
Services Authority Court of Appeal’s ruling
Information and Communications Technology: Case Note - Durant v Financial Services Authority
10 Jun 2004
This case note first appeared on the NIPC website
This appeal addressed the following aspects of the subject access provisions of the Data Protection Act 1998:
 |
the meaning of "persona data" for the purposes of s.1 (1) of the Act; |
|
|
the meaning "relevant filing system" within the definition of "data" in s.1 (1); |
|
|
the basis upon which a data controller might consider it "reasonable in all the circumstances" to comply with a subject access request where the data includes information about another individual who has not consented to disclosure of the data; and |
|
|
the principles by which a court should exercise its discretion under s.7 (9) of the Act. |
This was a further appeal from a
circuit judge's dismissal of an appeal against a district judge's refusal to
order the defendant regulatory authority to disclose certain information
that it held to perform certain. Information was sought in case to assist a
disappointed litigant to reopen proceedings against a clearing bank. The
authority had delivered some records to the claimant but they were redacted
on the grounds that the redacted matter were not personal data of which the
applicant was subject and that the authority did not consider it reasonable
to disclose the name of another individual mentioned in those records. This
application was essentially for an order to compel disclosure of the
redacted matter.
Meaning of Personal Data
As to the first issue, Auld LJ observed that the legislative intention was
to enable an individual to obtain from information about himself. It was not
an entitlement to original or copy documents as such. The purpose of subject
access is to enable an individual to check whether the processing of his
data was lawful and, if not, to seek redress. It is not an automatic key to
any information in which the individual may be named or involved and it does
not give the right to discovery of documents for use in litigation or
complaints against third parties. As his lordship put it:
"As a matter of practicality and given the focus of the Act on ready accessibility of the information - whether from a computerised or comparably sophisticated non-computerised system - it is likely in most cases that only information that names or directly refers to him will qualify."
Whether a record constitutes personal data depends on whether:
|
|
the information is biographical in a significant sense, that is to say, going beyond the recording of the individual's involvement in a matter or an event that has no personal connotations and in respect of which his privacy could not be said to be compromised; and |
|
|
it has the individual as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest. |
Applying those tests, the
information of which further disclosure was sought did not constitute
personal data.
Meaning of "Relevant Filing System"
The term "relevant filing system" applied to manual as opposed to automated
data files. Auld LJ concluded that that "a relevant filing system" for the
purpose of the Act, is limited to a system:
"(1) in which the files forming
part of it are structured or referenced in such a way as clearly to indicate
at the outset of the search whether specific information capable of
amounting to personal data of an individual requesting it under section 7 is
held within the system and, if so, in which file or files it is held; and
(2) which has, as part of its own structure or referencing mechanism, a
sufficiently sophisticated and detailed means of readily indicating whether
and where in an individual file or files specific criteria or information
about the applicant can be readily located."
On the evidence before the Court, the defendant's filing system did not satisfy either of those requirements.
Data Controllers' Duty
Although it was not strictly necessary to consider the last 2 issues in view
of the Court's findings on the first 2, Auld LJ suggested a 2-stage test for
data controllers. The first was to consider whether information about the
other individual was necessarily part of the personal data requested and if
it was to balance the objections of the individual against any imperative
for disclosure. However, his lordship stressed that courts should be wary of
attempting to devise any principles of general application one way or the
other. Similarly, the fourth question did not require an answer although
Auld J approved observations by Munby J in
R (Lord) v Home Secretary [2003] EWHC 2073 (Admin) at paragraph
[160] that the discretion was general and untrammelled.
