December 2013 marked the 10-year anniversary of one of Data Protection’s most notorious developments, but it came and went without any great fanfare.
It’s not really surprising that the Information Commissioner’s Office (ICO) didn’t issue a press release celebrating the Durant judgment’s birthday, as they have been quietly attempting to erase it from history. The result of a long-running dispute between a former Barclays Bank customer and the now defunct Financial Services Authority, Durant v Financial Services Authority [2003] EWCA Civ 1746 was a significant case. The Court of Appeal judges took a sharp look at the definition of personal data, what kinds of manual files are covered by subject access, and the purposes for which subject access can be used – with controversial results. I happened to speak to a former colleague at the ICO a day after Durant was published, and he described the atmosphere as ‘panic’.
Some of Durant is helpful – the judgement proposes that personal data:
“should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest”.
Those who have worked on Data Protection for a long time will have encountered the view that the mere mention of a person’s name in an email meant that they were entitled to receive it. Durant torpedoed that notion. Other elements remain contentious – the ICO has never agreed with the assertion in paragraph 27 that subject access should not be used “to obtain discovery of documents that may assist him in litigation or complaints against third parties”, The new ICO Subject Access Code rejects this notion altogether, despite the fact that the lower courts have followed the principle every since. However, Durant’s most irksome element – ‘biographical significance’ – has been put in its place by the same court that invented it.
Mr Durant sought data about the FSA’s investigation into his complaints about Barclays, and his lawyers used an expansive interpretation of ‘personal data’ to stake his claim. The FSA’s focus was on Barclays and its practices, which meant that much of the correspondence Durant wanted was about the bank. He also wanted the names of the FSA staff that had dealt with his complaint. Unfortunately, Auld LJ linked the sensible idea of focus to a notion of ‘biographical significance’ test, stating that personal data must be “information that affects [a person’s] privacy, whether in his personal or family life, business or professional capacity”. This was a complicating and potentially unhelpful development. Focus makes sense – an email in which your name is mentioned in passing may well not be about you. But biographical significance is an unnecessary and restrictive innovation.
For example, when looking at a CCTV image with a person in the centre and bystanders in the background, the idea of ‘focus’ allows you to distinguish between the obvious subject of the image and the others. But asking whether the image is biographically significant raises the possibility that a clear picture of a living, identifiable person isn’t actually personal data if it has no private connotations. Is an image of me walking down the street biographically significant? Many have adopted biographical significance as a rule of thumb, a test to apply whenever the question of personal data was raised. In the public sector, it could mean that data about people that wasn’t biographically significant could be disclosed under the Freedom of Information Act 2000 (FOI) because it wasn’t technically ‘personal data’. In the private sector, anything not ‘biographically significant’ could be legally invisible, subject to none of Data Protection’s requirements.
The ICO’s approach to Durant – after the alleged panic subsided – was initially mixed, but for quite a few years it has been consistent. As some sort of riposte to Durant, in 2007 they published technical guidance on the meaning of ‘personal data’ called ‘Determining what is personal data’ – rather than Durant’s narrow, privacy-piercing interpretation. There are few references to Durant anywhere in the ICO’s output, but the technical guidance makes clear that testing ‘biographical significance’ is far from being an automatic or necessary step – it is for borderline cases when context and common sense don’t get you to the answer.
Many data controllers have been tempted to use Durant as a way of shrinking Data Protection down to a comfortable size. Indeed, when considering FOI cases involving personal data, the First Tier Tribunal appears to see the test as an inherent part of the decision, and biographical significance is often a feature of FOISA decisions by the Scottish Information Commissioner. Nevertheless, the ICO’s 2007 interpretation of Durant is logical. LJ Auld himself said that biographical significance was a notion “that may be of assistance” rather than a fundamental key to understanding personal data. Just as important was the balance provided by Buxton LJ, who noted at the end of the judgement that the tests were “a clear guide in borderline cases”. The Durant case was – in effect – about Mr Durant’s case, and didn’t change Data Protection as much as some have suggested.
For confirmation of this, fast-forward to Edem v IC & Financial Services Authority [2014] EWCA Civ 92, a Court of Appeal decision on a different case concerning another unhappy FSA (now the Financial Conduct Authority) complainant published this month. Mr Durant wanted to use Data Protection subject access to obtain his own data, and everything connected with it. Mr Edem wanted to use FOI to find out data about other people – specifically, the names and job titles of the junior staff who had dealt with his complaint. The FSA and Information Commissioner agreed that the data was personal, and that disclosure was unfair. So far, so uncontroversial. A spanner was thrown into the works by the First Tier Tribunal, to which Mr Edem appealed the ICO Decision. Using the biographical significance test, the FTT found that names and job titles were not biographically significant, and the focus of the information sought by Mr Edem was the investigation. The Edem FTT case was like a hall of mirrors, distorting and reflecting Durant to the extent that a type of information Mr Durant couldn’t get from the FSA under DP was now available to Mr Edem under FOI.
An appeal to the Upper Tribunal restored the ICO position, and so Mr Edem went to the Court of Appeal. A few cases – mainly resulting from appeals on FOISA decisions – have gone high enough in the UK court system to challenge Durant, but all skirted Durant itself. The Edem case was different – Durant and biographical significance had to be looked at head-on. The result is good news for common sense and data subjects, but bad for anyone who wants to finagle their way out of an awkward subject access request.
Paragraph 17 of the Edem Court of Appeal case isn’t the death knell for Durant, but it’s a healthy and heavy dose of context:
“The First Tier Tribunal were wrong to apply Auld LJ’s “notions” in this case”.
When trying to work out whether a person’s name is personal data, the Court says that biographical significance is irrelevant. The question is whether the data identifies a living individual, and without any complicating or contradictory factors, the data is all you need. My name is Tim Turner, and while that’s not enough to find the bearded Act Now Trainer on the internet (there are country singers and ice hockey players and the man who played the Invisible Man in TV in the 1950s to sort through), it’s easily enough to locate information about me in any of the places I have worked. The Court of Appeal in Edem wholly endorses the ICO view of biographical significance as an occasional add-on, and uses Buxton LJ’s comments from Durant itself to back up that approach.
If it was wrong to overplay the effect of Durant, it’s equally wrong to overplay Edem. For the public sector, Durant was always blunted by the onset of FOI – if you successfully argued that data wasn’t personal data about the subject access applicant, they could always ask for it under FOI. The new judgment doesn’t give new rights to data subjects or expand Data Protection’s reach. A person who wants to use Data Protection to get access to large amounts of information to which they have some loose or stretched connection will come to grief just as Mr Durant did. But the Edem case does restore logic – data that identifies a person, even in a relatively benign or innocuous way – is personal data. The Eight DP Principles apply. Even when at work and doing mundane professional tasks, the DPA is likely to be engaged. An apparent loophole has not been closed – the Edem case simply confirms that it was a lot smaller than it may have appeared. The ICO approach is vindicated, and both the First Tier Tribunal and bloody-minded data controllers may have to think again.
Tim Turner is one of Act Now’s well-known data protection experts. He will be considering this and other latest Data Protection developments in his forthcoming DP Update workshops . Read more of Tim’s expert analysis on his blog. Readers wanting to see how the Durant case has been applied in previous decisions should read Ezsias v The Welsh Ministers (2007).
I wonder if you could recommend a fool’s guide to CCTV Law as it pertains to one’s personal home,
A young man I know was arrested by police last Tuesday and put in handcuffs, kept in a cell overnight and interviewed at around 3 pm the day after his arrest.
He had bought some gaffer tape – the sort that claimed it doesn’t leave a residue on the surfaces to which it is applied and covered a few cameras eyes in the gaffer tape to enable him to come and go from his flat without feeling he was under constant surveillance and his privacy invaded. The said cameras are near his home and he resented being filmed coming and going to a flat he has bought on a Council Estate in Hammersmith – his wife has also observed a camera swivelling in her direction too.
CCTV proliferates on the Council Estate – as you would expect when you have a designated Council official with the title CCTV Development Officer.
Hammersmith and Fulham Council’s CCTV Development Officer lodged a complaint about ‘criminal damage’ to the police. Apparently although no ‘damage’ is said to have been done to the cameras the fact that a council employee came out to remove the gaffer tape resulted in a ‘cost’ to the Council of time and human resources. And it is on this basis that he is being charged.
There is also a secondary charge on the sheet – he was handed a booklet on his rights after arrest and the law pertaining to those rights and responsibilities. He assumed he had been given the booklet and used the back cover of the booklet to coer the ehye of the CCTV camera in his cell overnight. Now it seems they are minded to throw the ‘booklet’ at him and charge him for criminal damage to police property which they claimed was not given to him but lent to him. Others may know better whether these booklets are given away or lent.
On a previous occasion he had dismantled a CCTV camera directly outside his front door and taken it to the Council, without damage – knowing that he could not be accused of theft if he did so – since there was no intention to permanently deprive the council of their CCTV camera directly above the front door of his flat. The police and CCTV Development Officer are now bringing charges in relation to that event – about 6 months to a year ago.
If anyone has any idea of what remedies are available – for instance – can the case of the ECJ Judgement of 2014 about a Czech man František Ryneš, apply – or is Czech law different to British law as regards CCTV? Ryneš installed a surveillance camera after he and his family were subjected to attacks by unknown individuals. The individuals were successfully prosecuted following Rynes delivery of CCTV footage showing his home being attacked by a catapult. However one of the perpetrators of the catapult attack then claimed his Human Rights had been breached by the action of Rynes filming him. A Cech Court fined Rynes – who appealed to the ECJ. The interesting part of the ECJ judgement is reported in the Guardian as:
“The (ECJ) court decided Ryneš was not liable for a fine because he had acted to help prosecute a criminal. However, the judgment suggested that if a crime had not been committed he would have breached European data regulations. The directive has an exception in the case of data processing carried out “by a natural person in the course of a purely personal or household activity”, but the court found that the exception would not always apply if a camera is recording images of a public space such as a footpath.”
Is there anything more relevant that would assist the case and what law might be quoted by the prosecution?
Hi – The Information Commissioner’s website is a good starting point: https://ico.org.uk/for-organisations/guide-to-data-protection/cctv/ They have a helpline too.