Prince Andrew: The Data Protection Angle 

Over the weekend, the Mail on Sunday piled more pressure on Prince Andrew.  

It alleged that he asked his police protection officer to investigate his accuser, Virginia Giuffre, just before the newspaper published a photo of Ms Giuffre’s first meeting with the prince in February 2011. The Mail alleges that Prince Andrew gave the officer her date of birth and social security number. The Sunday Telegraph also claimed that he “sought to dig up dirt” on Ms Giuffre.

Ms Giuffre, who took her own life earlier this year, said she was among the girls and young women sexually exploited by convicted sex offender Jeffrey Epstein and his wealthy circle. Prince Andrew has consistently denied all allegations against him. 

The Metropolitan Police said on Sunday, “We are aware of media reporting and are actively looking into the claims made.” Of course we don’t have detailed information about the circumstances around the latest allegations against Prince Andrew, but (if true) there is a possible breach of Section 170 of the Data Protection Act 2018 (DPA). This makes it a criminal offence for a person to knowingly or recklessly:

(a) obtain or disclose personal data without the consent of the controller,  

(b) procure the disclosure of personal data to another person without the consent of the controller, or  

(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained. 

So if the latest allegations are true, Prince Andrew and/or his police protection officer at the time could have committed a criminal offence under the DPA 2018. Unlike the other allegations against him, this offence does not carry a prison term; just a fine. Successive Information Commissioners have argued that a custodial sentence under S.170 would be a better deterrent (but to no avail).

Will the Information Commissioner’s Office be knocking on Prince Andrew’s door? In June 2023, the ICO disclosed that, since 1st June 2018, 92 cases involving S.170 offences were investigated by its Criminal Investigations Team. There have been a number of more recent S.170 prosecutions. These often involve people accessing/disclosing confidential information for financial gain.

Depending again on the circumstances, there may also be an offence under section 1 of the Computer Misuse Act 1990 which carries tougher sentences including a maximum of 2 years imprisonment on indictment. In July 2022, a woman who worked for Cheshire Police pleaded guilty to using the police data systems to check up on ex-partners and in August 2022, the ICO commenced criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of customers’ personal data from vehicle repair garages to generate potential leads for personal injury claims.

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop. The new (2nd) edition of the UK GDPR Handbook has been published. It contains all the changes made by the Data (Use and Access) Act 2025.

Sales Consultant Prosecuted  

In June 2023, the Information Commissioner’s Office (ICO) disclosed that, since 1st June 2018, 92 cases involving S.170 offences (Data Protection Act 2018) were investigated by its Criminal Investigations Team. Section 170 makes it a criminal offence for a person to knowingly or recklessly: 

(a) obtain or disclose personal data without the consent of the controller, 

(b) procure the disclosure of personal data to another person without the consent of the controller, or 

(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained. 

Rogue workers accessing and abusing personal data for their own gain is a real risk for organisations with vast customer databases that have commercial value. There have been a number of S.170 prosecutions by the ICO recently. The latest involves a sales consultant at a car leasing company. 

On 17th September 2024, Alexander Doré pleaded guilty to retaining and selling 3,600 pieces of customer records obtained from the car leasing company he worked for. The information had been taken shortly before Doré resigned. He approached multiple competitor companies with this information, whilst claiming that it belonged to him. Doré was ordered to pay a fine of £1,200 and £300 costs.

The Head of Investigations at the ICO, Andy Curry, said: 

“Customers put their trust in any number of organisations on a daily basis to use and store their data in a legal and appropriate way. Mr Doré took advantage of that trust, as well as the trust of his employers, by taking customer information that he then passed on to other companies, purely for his own financial gain. 

“It is with great thanks to Leaseline Vehicle Management Ltd that they brought Mr Doré’s wrongdoing to our attention, and we were able to investigate. 

“We hope this successful prosecution shows we will work with companies to bring those committing crimes to justice.” 

If a disgruntled or rogue employee commits an offence under section 170, might their employer also be liable for the consequences? The answer is in our recent blog, which can be read here.

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today!

Data Protection Prosecutions and Employer Liability

Rogue workers accessing and abusing personal data for their own gain is a perennial issue for organisations with vast databases of personal data that may have commercial value. Section 170 of the Data Protection Act 2018 makes it a criminal offence for a person to knowingly or recklessly: 

(a) obtain or disclose personal data without the consent of the controller, 

(b) procure the disclosure of personal data to another person without the consent of the controller, or 

(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained. 

In June 2023, the ICO disclosed that since 1st June 2018, 92 cases involving S.170 offences were investigated by its Criminal Investigations Team. A recent prosecution involved a man who worked for Enterprise Rent-A-Car where he illegally accessed customers’ records. He was ordered to pay a fine of £265, along with costs of £450 and a victim surcharge of £32. S.170 is similar to the offence under section 55 of the old Data Protection Act 1998. S.55 can still be used to bring a prosecution where an offence pre-dates the current S.170 coming into force.

In August, Jonathan Riches pleaded guilty under S.55 at Cardiff Crown Court. Mr. Riches, also a former employee of Enterprise Rent-A-Car, left the company in 2009 to establish his own personal injury firm. However, he remained in contact with former colleagues, through whom he illegally obtained details of individuals involved in road traffic accidents, then contacted them to offer legal services. At one point, Mr. Riches, through his accomplices, gained access to Enterprise’s internal database, allowing him to retrieve clients’ personal details. 

Previously, Mr. Riches had been ordered to pay Enterprise Rent-A-Car a £300,000 civil settlement. He was later interviewed by the ICO, which led to him being summoned to court in 2016. However, having relocated to the United States, he failed to appear, prompting a warrant for his arrest. He eventually returned to the UK and surrendered to authorities in 2024. 

Mr. Riches’s accomplices in the crimes had all been sentenced earlier. Judge Francis described Riches’s actions as part of a sophisticated and long-running scheme that involved a cynical breach of trust. He was fined £10,000, plus £1,700 in costs.

Of course, prosecutions for mishandling personal data would have a much greater deterrent effect if the available sanctions included a custodial sentence. Successive Information Commissioners have argued for this but to no avail. This has led to some cases being prosecuted under section 1 of the Computer Misuse Act 1990 which carries tougher sentences including a maximum of 2 years imprisonment on indictment. In July 2022, a woman who worked for Cheshire Police pleaded guilty to using the police data systems to check up on ex-partners and in August 2022, the ICO commenced criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of customers’ personal data from vehicle repair garages to generate potential leads for personal injury claims.

Employer Liability 

If a disgruntled or rogue employee commits an offence under section 170, might their employer also be liable for the consequences? 

In 2020, the Supreme Court ruled that as an employer, Morrisons Supermarket could not be held responsible when an employee, Andrew Skelton, uploaded a file containing the payroll data of thousands of Morrisons employees to a publicly accessible website as well as leaking it to several newspapers. The court decided that, whatever Skelton was doing when he disclosed his colleagues’ personal data, he was not acting “in the course of his employment”, and accordingly no vicarious liability could be imposed under the old Data Protection Act 1998. 

However, Morrisons lost on the argument that the DPA 1998 operated so as to exclude vicarious liability completely. This principle can also be applied to the GDPR and so employers can “never say never” when it comes to vicarious liability for malicious data breaches by staff. It all depends on the facts of the breach.

This case only went as far as it did because the Morrisons employees failed to show, at first instance, that Morrisons was primarily liable for the data breach. If an employer fails to comply with its security obligations in a manner that is causally relevant to a rogue employee’s actions, it can still be exposed to primary liability under Article 32 of GDPR as well as the 6th Data Protection Principle which both impose obligations to ensure the security of personal data. 

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop.


A General Election! But what about the Data Protection Bill Mr Sunak?

So Rishi Sunak is finally calling a General Election!

We know what you’re thinking! What will happen to the Data Protection and Digital Information Bill which was due to enter the Report stage in the House of Lords on 10th June?

We must admit we had to Google that one! To quote the Institute for Government:

“There are normally several days between an election being called and parliament being dissolved. During this period, parliament will continue until it is either dissolved or prorogued (and then dissolved) – whichever comes first. This period is known as ‘wash-up’.

Any parliamentary business not completed by the end of ‘wash-up’ will fall. This means any bills that have not already received Royal Assent will not enter into law and cannot be continued into the next parliament. This leads to a rush to rapidly pass legislation through parliament to get it onto the statute book, normally requiring cooperation between parties to agree which bills they will support through this expedited legislative process.

The length of ‘wash-up’ is decided by the prime minister and can vary. Since 1992, the longest wash-up period was in 2017, when parliament sat for a further seven days after the election was called.”

So, it could be that the Bill is passed during “wash-up” if the political parties agree; although they may have other Bills to pass as a priority.

If it does not pass during wash-up, the next government could pick up the Bill (or, more likely, a new version), although it would have to start the full Parliamentary process again. Given the Labour Party did not propose substantial amendments to the current Bill, this is a possibility (assuming they win of course); though when this will happen is uncertain. DPOs will look forward to reading the parties’ General Election manifestos!

At the moment it seems that readers who have purchased the Act Now UK GDPR Handbook, will not need to buy a new version!

Supreme Court Rules on the Legality of Sharing Personal Data with the United States


Could a recent Supreme Court decision on information sharing lead to “terrorists” escaping justice? Part 3 of the Data Protection Act 2018 (DPA) regulates the processing of personal data for law enforcement purposes by Competent Authorities which includes, amongst others, government departments and the police.

The case of Elgizouli (Appellant) v Secretary of State for the Home Department (Respondent) [2020] UKSC 10 is interesting because it examines the application of GDPR’s less well-known cousin to a complex situation involving the possible extradition of alleged terrorists to the United States. The Supreme Court ruled that the UK acted unlawfully by sharing personal data with the US that could lead to the execution of two British citizens accused of being part of an Islamic State murder squad known as “The Beatles”. Seven justices concluded that the decision in 2018 by the Home Secretary breached Part 3 of the DPA.

Background 

Shafee Elsheikh and Alexander Kotey are currently in US custody in Iraq having been linked to 27 murders in Syria carried out by “The Beatles”. In June 2015, the US made a mutual legal assistance (MLA) request to the UK in relation to an investigation into the activities of that group. The then Home Secretary, Sajid Javid, requested an assurance that any information the UK supplied would not be used by the US, directly or indirectly, in a prosecution that could lead to the imposition of the death penalty on the two men. The US refused to provide this assurance and, in June 2018, Mr Javid agreed to provide the information anyway.

Elsheikh’s mother, Maha Elgizouli, challenged (by way of judicial review) the Home Secretary’s decision to share that information with the US, not to prevent him from being prosecuted and jailed, but to protect him from the death penalty. Her claim was dismissed by the High Court, which certified two legal questions of public importance for the Supreme Court to answer:

  1. Whether it is unlawful for the Secretary of State to exercise his power to provide an MLA so as to supply evidence to a foreign state that will facilitate the imposition of the death penalty in that state on the individual in respect of whom the evidence is sought.
  2. Whether (and if so in what circumstances) it is lawful under Part 3 of the DPA, as interpreted in the light of relevant principles of EU data protection law, for law enforcement authorities in the UK to transfer personal data to law enforcement authorities abroad for use in capital criminal proceedings.

The Judgement

The Supreme Court allowed the appeal. Most of the Justices dismissed the challenge brought under the common law (question 1 above) to the Home Secretary’s decision, but they unanimously held that the decision failed to comply with Part 3 of the DPA (question 2). Data Protection professionals, especially those in law enforcement agencies, will be particularly interested in the court’s analysis of the rules relating to international transfers, as set out in Chapter 5 of the DPA.

Section 73 of the DPA, like Article 49 of the GDPR, prohibits transfers of personal data to a third country unless a number of conditions are met. Condition two is that the transfer:

“(a) is based on an adequacy decision (see section 74),

(b) if not based on an adequacy decision, is based on there being appropriate safeguards (see section 75), or

(c) if not based on an adequacy decision or on there being appropriate safeguards, is based on special circumstances (see section 76)”

The court noted that the transfer in question was not based on an adequacy decision; nor was it based on appropriate safeguards which are set out in Section 75(1):

“A transfer of personal data to a third country or an international organisation is based on there being appropriate safeguards where—

(a) a legal instrument containing appropriate safeguards for the protection of personal data binds the intended recipient of the data, or

(b) the controller, having assessed all the circumstances surrounding transfers of that type of personal data to the third country or international organisation, concludes that appropriate safeguards exist to protect the data.”

The lawfulness of the transfer therefore stands or falls on the “special circumstances” condition in section 73. This will only apply, according to section 76, if the transfer is necessary for any of the following five purposes:

“(a) to protect the vital interests of the data subject or another person,

(b) to safeguard the legitimate interests of the data subject,

(c) for the prevention of an immediate and serious threat to the public security of a member State or a third country,

(d) in individual cases for any of the law enforcement purposes, or

(e) in individual cases for a legal purpose.”

The court ruled that a transfer on the basis of special circumstances can only occur following an assessment of what is strictly necessary. Such an assessment was not made by the Home Secretary before sharing the information with the US. Hence the transfer was unlawful. Lord Carnwath said:

“The decision was based on political expediency, rather than consideration of strict necessity under the statutory criteria.”

Furthermore, in relation to the special circumstances gateway, section 76(2) states:

“Subsection (1)(d) and (e) do not apply if the controller determines that fundamental rights and freedoms of the data subject override the public interest in the transfer”.

Lady Hale found that these “fundamental rights and freedoms” include the rights protected by the European Convention on Human Rights, the most fundamental of which is the right to life. This points towards an interpretation of section 76(2) which, even if an assessment had been made, would not allow the transfer of personal data to facilitate a prosecution which could result in the death penalty for UK citizens.

So there you have it; a very careful analysis by the Supreme Court of the international transfer provisions under Part 3 of the DPA. There must now be a further court decision over what the UK must do to comply with the law, including potentially asking the US to return the shared information. This could lead to the two individuals in question avoiding extradition to the US where they would, if convicted, face the death penalty. Of course, the UK government can still bring them back to the UK to face justice.

This and other developments will be discussed in our forthcoming information law webinars. We have created a policy pack containing essential document templates to help you meet the requirements of Part 3 of the DPA 2018.


A Matter of Priorities: FOI and DP Deadlines in a Pandemic

Photo by Oladimeji Ajegbile on Pexels.com

Responding to the Covid-19 pandemic is stretching our public services. Most obviously the NHS is diverting all the resources it can to meeting critical health needs. But local authorities are also struggling to maintain vital services in the face of unprecedented demands and staff who, if not already ill and self-isolating, are obliged to comply with social distancing measures. Other public authorities are facing logistical challenges in maintaining services and some are even having to put some staff on HMRC-funded furlough.

In such challenging circumstances, where does dealing with information requests under Freedom of Information and Data Protection laws sit in the scheme of priorities? Many authorities who are fortunate enough to have staff dedicated to handling FOI requests or data subject access requests will have re-tasked them to undertake more business-critical roles. Where staff have information request handling as only part of their role, other more pressing duties are likely to trump FOI and DP timescales. And where staff are working from home and access to premises is either discouraged or forbidden, manual records may remain inaccessible for weeks or months to come. Where requests are made by post, they may be delivered to offices which will not be staffed for some time.

The response of the Scottish Government has been robust. On 1 April 2020, the Scottish Parliament passed the Coronavirus (Scotland) Bill which, while retaining the statutory requirement to “respond promptly”, extends the timescale for responding to requests under the Freedom of Information (Scotland) Act 2002 from twenty to sixty working days. Moreover, Part 2 of Schedule 6 provides a mechanism for the Scottish Ministers to allow Scottish public authorities to extend the timescale, subject to providing written notice to the applicant, by a further forty working days, where the authority “determines that it is not reasonably practicable to respond to the request within the relevant period because of… (a) the volume and complexity of the information requested, or (b) the overall number of requests being dealt with by the authority at the time that the request is made.”

The emergency legislation also allows the Scottish Information Commissioner to find that a public authority has not failed in their duties under FOISA if he is satisfied that the failure to respond within timescales was due to the impact of coronavirus and reasonable in the circumstances. The Scottish Information Commissioner for his part is keen to remind public authorities that their duty to respond promptly remains, that the measures are temporary, and that they do not extend to the Environmental Information (Scotland) Regulations 2004 (EISR).

Of course, the Scottish Parliament cannot legislate with regard to data protection (where EU and UK legislation applies) nor can it amend the timescales for requests under the EISR as they implement the obligations of the Aarhus Convention. But as far as they can do so, the Scottish Government and Parliament have sought to relax the demands of information requests in the face of the pandemic.

For data subject access requests under GDPR (or s 45 of the Data Protection Act 2018 where they relate to law enforcement processing) and requests under the Freedom of Information Act 2000, there is no relaxation of the law. This was despite the call to do so from some quarters, including the Local Government Association who called on Parliament to include measures “temporarily relaxing the requirements on councils in regard to GDPR and FOI”. We rely instead on flexibility from the Information Commissioner as regulator.

While the UK Government did not take the opportunity of the Coronavirus Act to extend time limits (and would be unable to do so in any case with regard to GDPR as we are still in the transition period), the ICO has made clear they will not penalise organisations who have made understandable decisions to prioritise other tasks. As they state on their website, “We are a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with information rights work when assessing a complaint brought to us during this period, we will take into account the compelling public interest in the current health emergency.”

Organisations should therefore be reassured that they are unlikely to face official censure or significant public criticism if they make reasonable decisions to prioritise other tasks to protect and serve the public ahead of normal levels of service for FOI requests and subject access requests. If your organisation, almost inevitably, is finding it difficult to meet the timescales at this difficult time, we would suggest you take a common-sense and measured approach:

  • Make a record of your decisions to re-allocate resources from handling information rights requests to other service-delivery priorities;
  • Document the practical challenges (such as inaccessibility of manual records or post, and unavailability of key colleagues) which mean that it is “reasonable in all the circumstances” that the organisation is not able to meet normal levels of performance;
  • Manage the expectations of applicants through your website and in your acknowledgements of requests and your automated email responses, and continue to communicate with applicants as far as you are able to do so;
  • At the point at which your organisation, and the rest of humanity, is beginning to recover from the Covid-19 emergency, develop and document an action plan for addressing any backlog of requests which has built up.

At Act Now, we are passionate about the importance of information rights: they are at the heart of our democracy and our human rights. But the right to life must take priority over others, and we would be the first to recognise that organisations and individuals must make decisions which put people first, particularly at a time of global emergency.

Be kind and stay safe.

More on this and other developments in our FREE GDPR update webinar. Looking for a GDPR qualification from the comfort of your home office? Our GDPR Practitioner Certificate is now available as an online option.


The Data Protection Act 2018 – Pre and Post Brexit


The Data Protection Act 2018 (DPA 2018) came into force on 25th May 2018, alongside the General Data Protection Regulation (GDPR). Much has been written about it, both right and wrong.

The purpose of the DPA 2018 is nicely summarised by the Information Commissioner in her blog:

“The new Act updates data protection laws in the UK, and sits alongside the General Data Protection Regulation (GDPR) … The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR.”

Part 2 of the Act supplements the GDPR, i.e. it fills in some of the gaps by enacting “derogations”, where Member States are allowed to make their own rules, e.g. about exemptions. This part has to be read alongside the GDPR.

Chapter 3 of Part 2 applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply; for example, personal data processing related to immigration, and manual unstructured data held by a public authority covered by FOI. The Act applies GDPR standards to such data whilst adjusting those that would not work in the national context.

Part 3 of the Act regulates the processing of personal data for law enforcement purposes implementing the Law Enforcement Directive (EU) 2016/680. The provisions here are a cut down version of GDPR. This part will only apply to competent authorities i.e. those that process personal data for the purposes of criminal offences or threats to public security e.g. the police, trading standards departments etc.

Read a full summary of the Act here.

What will happen to the Act and indeed GDPR post Brexit? Well this depends on whether we have a deal or no deal! More on our blog post here.

Act Now’s series of workshops on the DPA 2018 are proving very popular amongst GDPR practitioners. The next course in Belfast is fully booked. Forthcoming venues include London, Edinburgh, Leeds and Manchester. Our experts will explain the Act in detail in plain English busting some myths on the way and discussing what lies ahead in the post Brexit situation.

Book early to avoid disappointment. Click on the flyer below to see what we cover on the course.


Ibrahim Hasan is a solicitor and director of Act Now Training (www.actnow.org.uk)

Section 56 is here! Oh no it isn’t! Oh yes it is!


Section 56 prevents employers from requiring people to use their subject access rights under the DPA to obtain and then provide certain records, as a condition of employment. It also prevents contracts from requiring certain records as a condition for providing or receiving a service. Section 56 does not, however, prevent such requests where the record is required by law or is justified in the public interest.

Section 56 was due to be commenced on 1 December 2014. Commencement was delayed because of a technical issue encountered when finalising arrangements for its introduction. This issue has now been resolved.

Section 56 was commenced on 10 March 2015. The commencement order is SI 2015/312, entitled ‘The Data Protection Act 1998 (Commencement No. 4) Order 2015’.

It makes it a criminal offence to require an individual to make a subject access request and supply the result to a potential employer for the purpose of obtaining or continuing in employment. It also applies to a supplier of goods, facilities or services to the public who requires the production of such a record as a condition of access to that service. The ICO webinar suggests insurance might be such a case. They also suggest it applies to volunteers who help your organisation, even though they may not be in employment.

Most practitioners call it Enforced Subject Access. In November 2014 the ICO ran a webinar outlining what this means and it’s worth a look. See the webinar on YouTube at https://www.youtube.com/watch?v=zTYBvr-tb5U. It’s 36 minutes long so set aside a lunch hour and buy your sandwich first. It does a good job looking into all the minor points and ends up with a few good examples of how it will be used.

It’s quite a logical and straightforward concept. Why on earth would you require someone to produce their police record to progress their application for employment? Certain jobs with vulnerable people involve disclosures from the Disclosure & Barring Service (and Disclosure Scotland is widely used), but employers in these areas know about this. Making people outside these areas obtain and produce a relevant record is clearly wrong.

There are some defences to a Section 56 charge: the usual suspects of a requirement under an enactment, a rule of law or a court order, and also the public interest, but the public interest defence specifically excludes the prevention or detection of crime.

Now it’s time to watch the webinar, download the ICO guidance from https://ico.org.uk/for-organisations/enforced-sar/ and wait for the first case involving section 56.

Looking for a DP qualification? The Act Now Data Protection Practitioner Certificate is a practical four day course. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester. 

Information Governance in Health & Social Care Conference

Act Now is pleased to announce that it will be holding a major conference in the new year on the 24th of March entitled ‘Health Now – Information Governance in Health and Social Care – Where are we now?’ Speakers from the ICO, many areas of the NHS, NADPO and Act Now will be meeting in Leeds to discuss the future of information governance and patient care.

If you work in information governance, records management, data protection, freedom of information, IT, compliance, information and compliance management, data & information management then this is for you. Over 100 delegates are expected from Local and Central Government, Health and Social Care and associated sectors.

To download your advance copy of the conference flyer click here. With a delegate fee of only £199 we expect a high demand for places. Book Now for Health Now! See our other courses for the health and social care sector here.

Definition of Personal Data: Durant Revisited

December 2013 marked the 10-year anniversary of one of Data Protection’s most notorious developments, but it came and went without any great fanfare.

It’s not really surprising that the Information Commissioner’s Office (ICO) didn’t issue a press release celebrating the Durant judgment’s birthday, as they have been quietly attempting to erase it from history. The result of a long-running dispute between a former Barclays Bank customer and the now defunct Financial Services Authority, Durant v Financial Services Authority [2003] EWCA Civ 1746 was a significant case. The Court of Appeal judges took a sharp look at the definition of personal data, what kinds of manual files are covered by subject access, and the purposes for which subject access can be used – with controversial results. I happened to speak to a former colleague at the ICO a day after Durant was published, and he described the atmosphere as ‘panic’.

Some of Durant is helpful – the judgment proposes that personal data:

“should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest”.

Those who have worked on Data Protection for a long time will have encountered the view that the mere mention of a person’s name in an email meant that they were entitled to receive it. Durant torpedoed that notion. Other elements remain contentious – the ICO has never agreed with the assertion in paragraph 27 that subject access should not be used “to obtain discovery of documents that may assist him in litigation or complaints against third parties”. The new ICO Subject Access Code rejects this notion altogether, despite the fact that the lower courts have followed the principle ever since. However, Durant’s most irksome element – ‘biographical significance’ – has been put in its place by the same court that invented it.

Mr Durant sought data about the FSA’s investigation into his complaints about Barclays, and his lawyers used an expansive interpretation of ‘personal data’ to stake his claim. The FSA’s focus was on Barclays and its practices, which meant that much of the correspondence Durant wanted was about the bank. He also wanted the names of the FSA staff who had dealt with his complaint. Unfortunately, Auld LJ linked the sensible idea of focus to a ‘biographical significance’ test, stating that personal data must be “information that affects [a person’s] privacy, whether in his personal or family life, business or professional capacity”. This was a complicating and potentially unhelpful development. Focus makes sense – an email in which your name is mentioned in passing may well not be about you. But biographical significance is an unnecessary and restrictive innovation.

For example, when looking at a CCTV image with a person in the centre and bystanders in the background, the idea of ‘focus’ allows you to distinguish between the obvious subject of the image and the others. But asking whether the image is biographically significant raises the possibility that a clear picture of a living, identifiable person isn’t actually personal data if it has no private connotations. Is an image of me walking down the street biographically significant? Many have adopted biographical significance as a rule of thumb, a test to apply whenever the question of personal data is raised. In the public sector, it could mean that data about people that wasn’t biographically significant could be disclosed under the Freedom of Information Act 2000 (FOI) because it wasn’t technically ‘personal data’. In the private sector, anything not ‘biographically significant’ could be legally invisible, subject to none of Data Protection’s requirements.

The ICO’s approach to Durant – after the alleged panic subsided – was initially mixed, but for quite a few years it has been consistent. In 2007 they published technical guidance on the meaning of ‘personal data’ called ‘Determining what is personal data’, a riposte of sorts to Durant’s narrow, privacy-piercing interpretation. There are few references to Durant anywhere in the ICO’s output, but the technical guidance makes clear that testing ‘biographical significance’ is far from being an automatic or necessary step – it is for borderline cases when context and common sense don’t get you to the answer.

Many data controllers have been tempted to use Durant as a way of shrinking Data Protection down to a comfortable size. Indeed, when considering FOI cases involving personal data, the First Tier Tribunal appears to see the test as an inherent part of the decision, and biographical significance is often a feature of FOISA decisions by the Scottish Information Commissioner. Nevertheless, the ICO’s 2007 interpretation of Durant is logical. Auld LJ himself said that biographical significance was a notion “that may be of assistance” rather than a fundamental key to understanding personal data. Just as important was the balance provided by Buxton LJ, who noted at the end of the judgment that the tests were “a clear guide in borderline cases”. The Durant case was – in effect – about Mr Durant’s case, and didn’t change Data Protection as much as some have suggested.

For confirmation of this, fast-forward to Edem v IC & Financial Services Authority [2014] EWCA Civ 92, a Court of Appeal decision on a different case concerning another unhappy FSA (now the Financial Conduct Authority) complainant published this month. Mr Durant wanted to use Data Protection subject access to obtain his own data, and everything connected with it. Mr Edem wanted to use FOI to find out data about other people – specifically, the names and job titles of the junior staff who had dealt with his complaint. The FSA and Information Commissioner agreed that the data was personal, and that disclosure was unfair. So far, so uncontroversial. A spanner was thrown into the works by the First Tier Tribunal, to which Mr Edem appealed the ICO Decision. Using the biographical significance test, the FTT found that names and job titles were not biographically significant, and the focus of the information sought by Mr Edem was the investigation. The Edem FTT case was like a hall of mirrors, distorting and reflecting Durant to the extent that a type of information Mr Durant couldn’t get from the FSA under DP was now available to Mr Edem under FOI.

An appeal to the Upper Tribunal restored the ICO position, and so Mr Edem went to the Court of Appeal. A few cases – mainly resulting from appeals on FOISA decisions – have gone high enough in the UK court system to challenge Durant, but all skirted Durant itself. The Edem case was different – Durant and biographical significance had to be looked at head-on. The result is good news for common sense and data subjects, but bad for anyone who wants to finagle their way out of an awkward subject access request.

Paragraph 17 of the Edem Court of Appeal case isn’t the death knell for Durant, but it’s a healthy and heavy dose of context:

“The First Tier Tribunal were wrong to apply Auld LJ’s ‘notions’ in this case”.

When trying to work out whether a person’s name is personal data, the Court says that biographical significance is irrelevant. The question is whether the data identifies a living individual, and without any complicating or contradictory factors, the data is all you need. My name is Tim Turner, and while that’s not enough to find the bearded Act Now Trainer on the internet (there are country singers and ice hockey players and the man who played the Invisible Man on TV in the 1950s to sort through), it’s easily enough to locate information about me in any of the places I have worked. The Court of Appeal in Edem wholly endorses the ICO view of biographical significance as an occasional add-on, and uses Buxton LJ’s comments from Durant itself to back up that approach.

If it was wrong to overplay the effect of Durant, it’s equally wrong to overplay Edem. For the public sector, Durant was always blunted by the onset of FOI – if you successfully argued that data wasn’t personal data about the subject access applicant, they could always ask for it under FOI. The new judgment doesn’t give new rights to data subjects or expand Data Protection’s reach. A person who wants to use Data Protection to get access to large amounts of information to which they have some loose or stretched connection will come to grief just as Mr Durant did. But the Edem case does restore logic – data that identifies a person, even in a relatively benign or innocuous way, is personal data. The eight DP Principles apply. Even when at work and doing mundane professional tasks, the DPA is likely to be engaged. An apparent loophole has not been closed – the Edem case simply confirms that it was a lot smaller than it may have appeared. The ICO approach is vindicated, and both the First Tier Tribunal and bloody-minded data controllers may have to think again.

Tim Turner is one of Act Now’s well-known data protection experts. He will be considering this and other recent Data Protection developments in his forthcoming DP Update workshops. Read more of Tim’s expert analysis on his blog. Readers wanting to see how the Durant case has been applied in previous decisions should read Ezsias v The Welsh Ministers (2007).