- Home
- About Ashfords
- Services
- International
- Our partners
- Deals Done
- Careers
- Press
- Articles & Publications
- Accidents and Injuries
- Construction
- Commerial Contracts
- Corporate
- Crime
- Employment
- Family
- Housing & Property Litigation
- Insolvency & Debt Recovery
- Intellectual Property and Technology
- Litigation
- Marine & Transport
- PFI / Projects
- Lion Apparel Systems Limited v Firebuy Limited 27/09/2007
- An Introduction to Procurement
- General Principles of Public Procurement and PFI
- The PFI Process
- Landmark Waste Management Deal Struck
- CSA -v- SIC - the House of Lords Judgment
- Information Commissioner orders the release of the Cabinet minutes relating to the decision to take military action against Iraq
- Planning and Environment
- Property
- Sport
- Trusts & Estates
- Ashfords News
- Articles & Publications
- Events
- Offices
CSA -v- SIC - the House of Lords Judgment
Introduction
This note provides an update on the House of Lord's recent judgment in the case of The Common Services Agency against The Scottish Information Commissioner (CSA -v- SIC ). The case considered both the Data Protection Act 1998 (DPA) and the Freedom of Information (Scotland) Act 2002 (FOISA) and their interaction.
Although the case concerns a Scottish Act of Parliament, the decision will have far reaching implications throughout the United Kingdom. This is because the relevant provisions of the FOISA are almost identical to the corresponding provisions of the UK Freedom of Information Act 2000 (FOIA), a point which the Lords noted in their judgment.
The House of Lords gave its judgment on the 9th of July 2008 in a decision which will have implications for public authorities which are caught by either one or both of the DPA and the FOISA/FOIA and 'data controllers' in both the public and private sectors. It also affects individuals whose information may be held and disclosed by public authorities.
What are the facts of the case?
In 2005, a researcher for the Green Party made a request for information about the number of cases of child leukaemia in Dumfries and Galloway, broken down by ward, between 1990 and 2003. The aim behind the request was to find evidence of leukaemia clusters around a nuclear power plant.
The Common Services Agency (CSA) confirmed there were 15 cases of leukaemia but refused to provide the information on the basis that the numbers involved were so small that disclosure of the information would risk identifying the individuals involved. The CSA concluded that it did not have to disclose the information as it fell under the exemption under the FOISA which relates to personal data in accordance with the principles of the DPA.
The case went before the Scottish Information Commissioner (the SIC) who disagreed with the CSA and argued that the data could be released in a modified way (using the statistical method of "barnadisation" which randomises small numbers) which would conceal the identity of the individuals concerned.
The Inner Court of Session's decision
The CSA appealed the SIC's decision and the case ended up at the Court of Session in Scotland in 2006.
The CSA argued that it should not have to disclose the information on the basis that it did not hold the information in the barnadised form at the time of the request for information.
The court disagreed, stating that the CSA could create the barnadised data with little effort and that the resulting data would not prejudice the individuals' privacy rights. Interestingly, from the point of view of the DPA, the President was of the opinion that the barnadised data did not constitute "personal data" for the purposes of the DPA. The President considered that the information was statistical only and was no longer biographical in a significant sense in respect of any child. Therefore, the rights to privacy of the individual children were not infringed by the disclosure of the barnadised data.
The Court of Session looked to the policy of the FOISA and concluded that its purpose is to promote the giving of information by public authorities. Lord Marnoch went as far as saying in his judgment that the FOISA must be "construed in as liberal manner as possible".
The route to the House of Lords
The CSA made a final appeal to the House of Lords which was heard in April of this year. The ruling of the House of Lords was expected to determine whether the SIC was entitled to order the CSA to disclose the information concerned.
The House of Lords decision
The House of Lords allowed the CSA's appeal and remitted the case to the SIC to determine whether the data in question can be anonymised such that it no longer constitutes personal data. If it can, the data can be disclosed to the requester. If it cannot, the SIC will have to address the trickier question as to whether the disclosure of the data would breach any of the data protection principles.
On the question of whether barnadised data constitutes "personal data"
It had been anticipated that the House of Lords would address the issue of what is "personal data" for the purposes of the DPA in general terms. The last time this issue was considered in the courts was in the case of Durant[1], where the Court of Appeal interpreted the meaning of "personal data" narrowly.
Commentators were fairly unanimous in hoping that this case would resolve some of the uncertainties of the Durant decision and that House of Lords would re-evaluate what is meant by personal data. However, the House of Lords did not do this in its judgment.
The House of Lords did not review the Durant decision and held that it has no relevance to the case in question. The Lords were confident that the barnadised data was information about the health of the children involved. It therefore obviously related to the children and it was not necessary to apply the tests which are set out in Durant.
Lord Hope, who gave the main judgment, criticized the SIC's approach to the case. He said that the SIC should not have ordered the disclosure of the data without first satisfying himself that the data (in its barnadised form) was not "personal data", i.e. – even in its barnadised form, would it be possible to identify individuals from the barnadised data?
Barnadised data will constitute "personal data" where it still identifies a living individual.
In contrast, if it is not possible to identify the living individual(s) to whom the data relates, the information does not constitute "personal data" for the purposes of the DPA and the anonymised data in question is disclosable (i.e. it falls outside the scope of the DPA).
As mentioned above in this note, the issue in the present case is that there is doubt that the data would be truly anonymous, even in its barnadised state due to the small numbers of statistics.
On the question of how FOISA / FOIA interacts with the DPA
Lord Hope agreed with Lord Marnoch that the FOISA must be construed in as liberal a manner as possible, but cautioned that the FOISA must be applied with due concern for the way in which FOISA is designed to interact with the DPA. That is to say, sometimes the public's entitlement to information must be qualified by virtue of issues arising out of the DPA which are equally important.
On the question as to whether the barnadised data could be deemed to be "held" by the CSA
The CSA and the Secretary of State for Justice had argued that the obligations of public authorities ought to be limited to information which is actually held by them, so that they are not put into the position of having to conduct research or create new information to respond to a request under FOISA. So clearly if the CSA did not have to barnadise the statistical data, the exemption would have applied to prevent the disclosure of the statistics.
Lord Hope disagreed with this approach and held that the FOISA must be interpreted in as liberal a way as possible. He held that the process of barnadisation is similar to that of redaction in that it does not require any research or amount to the creation of something new saying;
"It would be to do no more than was reasonable in the circumstances, having regard to the need for the form in which the information was disclosed to comply with the data protection principles".
Therefore, barnadised data was deemed to be "held" by the CSA and should be disclosed, unless that barnadised data amounts to personal data and its disclosure would contravene any of the data protection principles. The process of anonymising data does not create new data.
On the question as to whether public authorities are required to anonymise data in response to a FOISA request
Lord Hope held that public authorities can be required to anonymise data in response to a FOISA request where to do so would mean that the data will no longer constitute "personal data".
The Lords reminded that public authorities are protected to a certain extent from excessive costs of compliance by the provisions of section 12 FOISA which applies a maximum limit to the cost and time which an authority must devote to responding to a FOISA request.
What are the implications if the Scottish Information Commissioner orders the disclosure of the data?
- If the SIC determines that the data is capable of being rendered fully anonymous, then that data will not be personal data for the purposes of the DPA. The CSA will therefore have to fully anonymise the data and disclose it.
- If however, the SIC determines that the data cannot be anonymised, he must go on to consider whether the disclosure of the data would breach any of the data protection principles. If not, the CSA will be obliged to disclose the information requested, albeit in a barnadised form.
- The SIC's decision will have implications for individuals who currently have a legitimate expectation that their personal data will not be disclosed by a public authority.
For now, it's a question of "Watch this Space!" to see what ruling the SIC makes. We will keep you updated on the ruling as soon as it is made public.
This briefing note is a brief overview of the outcome of the recent case of CSA –v- SIC and is not intended to be a comprehensive guide.If you require any advice in relation to the Freedom of Information Act or the Data Protection Act please contact a member of the Ashfords Commercial, IP and IT team or the Projects/PFI team who will be pleased to assist.
Ashfords is regulated by the Solicitors Regulation Authority. The information in this article is intended to be general information about English law only and not comprehensive. It is not to be relied on as legal advice nor as an alternative to taking professional advice relating to specific circumstances.
|
