It has been clear for some time that personal data leads a somewhat schizophrenic existence. So identical photographs can be personal data in the hands of the police, but not in the hands of a journalist. See the example on page 11 of the Information Commissioner’s technical guidance “Determining what is personal data”, which leads him to conclude that “the same piece of data may be personal data in one party’s hands while it may not be personal data in another party’s hands”.
However it also now seems possible that determining whether something is personal data depends on what question you ask, even for the same data held by a single data controller. “Is this exempt from disclosure under FOI?” or “Is this disclosable to an applicant who makes a subject access request (SAR)?”. Like poor Schrödinger’s cat , until the question is posed the data may exist in an indeterminate ‘superposition of states’. Similarly the answer to the first question may vary depending on whether the applicant was involved in the matter.
In a recent flurry of Decision Notices, of which FS50426097 is a typical example, the Information Commissioner (IC) asked the FOI question. The complainant had made a prior request to the police for detailed information about a forensic service provider, its machines and procedures. Subsequently, the applicant made a request for “any documentation in relation to communication with any third party in respect of the questions contained in my original FOIA request”. After internal review and upheld by the Information Commissioner in this and related decisions the police relied on s40(5)(a) and declined to confirm or deny whether it held the material, on the basis that if it did, it would be the personal data of the complainant. In effect saying that the complainant should have made an SAR, and presumably pay £10 for the privilege.
As the IC observed (my emphasis) “After careful consideration of the wording of the request, the Information Commissioner is satisfied that the complainant is, or would be, the subject of all of the information requested.” He concluded therefore that the authority was not required to comply with the obligation to confirm or deny whether it held the information, since this would itself involve the disclosure of personal data about the complainant – the s40(5)(a) exemption. Note that the IC appears to have made no examination of the information held, which appears to go against normal practice. There are a number of cases where authorities and their FOI officers have been criticised by the IC for making decisions on disclosure without ever looking at the material held.
Be that as it may, what will happen when the complainant, as it appears he has, makes his SAR? Pragmatically, having taken its stance and fee, the authority may well supply the requested information, subject to possibly removing any other person’s personal data under s7(4) Data Protection Act 1998. But step back a minute and assume that the police actually deal with the SAR in accordance with the strict legal position. What personal data is there ? Certainly information which identifies the complainant as the maker of the original FOI request. But what about all the content? The FOI request was not about a personal issue at all. The bulk of the material relating to such a request, particularly if dealt with on an applicant blind basis, will surely be about enquiries into what information was held, directly or on behalf of the authority, or about whether any such material (if it existed) was possibly exempt. That cannot be the personal data of the applicant even if, as the police indicated, it was “contained within files which are stored by reference to the applicant’s name”.
This would seem in SAR terms to be a classic Durant situation. To paraphrase Auld LJ from paragraphs 30-31 of the Durant judgement:
Just because the authority’s response to the request emanated from an FOI request by the complainant does not render information obtained or generated by that request, without more, his personal data. For the same reason, either on the issue as to whether a document contains “personal data” or as to whether it is part of a “relevant filing system”, the mere fact that a document is retrievable by reference to his name does not entitle him to a copy of it under the Act. In short the complainant does not get to first base in his claim against the authority because most of the further information sought, whether in computerised form or in manual files, is not his “personal data” within the definition in section 1(1). It is information about his FOI request and the objects of them, the authority and the forensic service provider respectively.
Now of course it may be that there is more personal data than this, particularly if the internal response to the request, ignoring the applicant blind principle, has focussed on the complainant, rather than the request, but the IC is in no position to make that judgement if he decides on the basis of the wording of the request, rather than a consideration of the information held. Possibly, considering the history of the complainant, the IC has assumed the purpose of the request is to find out how the authority was dealing with him, but there is no objective basis for that assumption.
A contrasting situation arises in the April 2012 Tribunal case of Efifiom Edem v IC . The Tribunal sought to apply the Durant criteria strictly in an FOI case. I will gloss over here the rather alarming addition of the word “adversely” to the Durant consideration of whether the processing affects someone’s privacy (paragraph 34), but would point out that if Edem is correctly decided it severely limits the ability of staff to access their ‘personal data’ under an SAR, as much of what may have been thought to be personal is not so, in fact . But for present purposes there is a huge gulf between the approach in Edem and in FS50426097. Imagine for a moment that it was a third party, not the complainant, who made the second FOI request in FS50426097 i.e. it was typical meta-request about the handling of someone else’s earlier request. I do not believe for one moment one could argue that this request would fail under s40(2) as responding would disclose the personal data of the complainant. At worst the authority would redact the complainant’s identity and supply the rest of the information, and if that is done, the application of s40(5)(a) as a blanket when the complainant makes the request cannot be correct.
The definition of personal data is tricky enough as it is, but if the IC and Tribunal continue to determine the result based on the nature of the enquiry, data protection and FOI teams face some impossible dilemmas.
Philip Bradshaw is a former solicitor and local authority data protection officer. He now delivers our information law courses in Cardiff.
Since I posted the above article, it is notable that the Upper Tribunal has effectively recognised the problem and reversed the earlier decision – see Information Commissioner v Financial Services Authority & Edem [2012] UKUT 464 (AAC). Names in the circumstances discussed are personal data. See the Panopticon blog for a discussion at http://www.panopticonblog.com/2013/02/07/personal-data-its-all-in-the-name/ .
The result is not incompatible with Durant, but may lead to a valid response to an SAR being of the type “We have 100 pages of documents which contain your name, but that is the only personal data relating to you on those pages …