It’s not really surprising that the Information Commissioner’s Office (ICO) didn’t issue a press release celebrating the Durant judgment’s birthday, as they have been quietly attempting to erase it from history. The result of a long-running dispute between a former Barclays Bank customer and the now defunct Financial Services Authority, Durant v Financial Services Authority  EWCA Civ 1746 was a significant case. The Court of Appeal judges took a sharp look at the definition of personal data, what kinds of manual files are covered by subject access, and the purposes for which subject access can be used – with controversial results. I happened to speak to a former colleague at the ICO a day after Durant was published, and he described the atmosphere as ‘panic’.
Some of Durant is helpful – the judgement proposes that personal data:
“should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest”.
Those who have worked on Data Protection for a long time will have encountered the view that the mere mention of a person’s name in an email meant that they were entitled to receive it. Durant torpedoed that notion. Other elements remain contentious – the ICO has never agreed with the assertion in paragraph 27 that subject access should not be used “to obtain discovery of documents that may assist him in litigation or complaints against third parties”, The new ICO Subject Access Code rejects this notion altogether, despite the fact that the lower courts have followed the principle every since. However, Durant’s most irksome element – ‘biographical significance’ – has been put in its place by the same court that invented it.
Mr Durant sought data about the FSA’s investigation into his complaints about Barclays, and his lawyers used an expansive interpretation of ‘personal data’ to stake his claim. The FSA’s focus was on Barclays and its practices, which meant that much of the correspondence Durant wanted was about the bank. He also wanted the names of the FSA staff that had dealt with his complaint. Unfortunately, Auld LJ linked the sensible idea of focus to a notion of ‘biographical significance’ test, stating that personal data must be “information that affects [a person’s] privacy, whether in his personal or family life, business or professional capacity”. This was a complicating and potentially unhelpful development. Focus makes sense – an email in which your name is mentioned in passing may well not be about you. But biographical significance is an unnecessary and restrictive innovation.
For example, when looking at a CCTV image with a person in the centre and bystanders in the background, the idea of ‘focus’ allows you to distinguish between the obvious subject of the image and the others. But asking whether the image is biographically significant raises the possibility that a clear picture of a living, identifiable person isn’t actually personal data if it has no private connotations. Is an image of me walking down the street biographically significant? Many have adopted biographical significance as a rule of thumb, a test to apply whenever the question of personal data was raised. In the public sector, it could mean that data about people that wasn’t biographically significant could be disclosed under the Freedom of Information Act 2000 (FOI) because it wasn’t technically ‘personal data’. In the private sector, anything not ‘biographically significant’ could be legally invisible, subject to none of Data Protection’s requirements.
The ICO’s approach to Durant – after the alleged panic subsided – was initially mixed, but for quite a few years it has been consistent. As some sort of riposte to Durant, in 2007 they published technical guidance on the meaning of ‘personal data’ called ‘Determining what is personal data’ – rather than Durant’s narrow, privacy-piercing interpretation. There are few references to Durant anywhere in the ICO’s output, but the technical guidance makes clear that testing ‘biographical significance’ is far from being an automatic or necessary step – it is for borderline cases when context and common sense don’t get you to the answer.
Many data controllers have been tempted to use Durant as a way of shrinking Data Protection down to a comfortable size. Indeed, when considering FOI cases involving personal data, the First Tier Tribunal appears to see the test as an inherent part of the decision, and biographical significance is often a feature of FOISA decisions by the Scottish Information Commissioner. Nevertheless, the ICO’s 2007 interpretation of Durant is logical. LJ Auld himself said that biographical significance was a notion “that may be of assistance” rather than a fundamental key to understanding personal data. Just as important was the balance provided by Buxton LJ, who noted at the end of the judgement that the tests were “a clear guide in borderline cases”. The Durant case was – in effect – about Mr Durant’s case, and didn’t change Data Protection as much as some have suggested.
For confirmation of this, fast-forward to Edem v IC & Financial Services Authority  EWCA Civ 92, a Court of Appeal decision on a different case concerning another unhappy FSA (now the Financial Conduct Authority) complainant published this month. Mr Durant wanted to use Data Protection subject access to obtain his own data, and everything connected with it. Mr Edem wanted to use FOI to find out data about other people – specifically, the names and job titles of the junior staff who had dealt with his complaint. The FSA and Information Commissioner agreed that the data was personal, and that disclosure was unfair. So far, so uncontroversial. A spanner was thrown into the works by the First Tier Tribunal, to which Mr Edem appealed the ICO Decision. Using the biographical significance test, the FTT found that names and job titles were not biographically significant, and the focus of the information sought by Mr Edem was the investigation. The Edem FTT case was like a hall of mirrors, distorting and reflecting Durant to the extent that a type of information Mr Durant couldn’t get from the FSA under DP was now available to Mr Edem under FOI.
An appeal to the Upper Tribunal restored the ICO position, and so Mr Edem went to the Court of Appeal. A few cases – mainly resulting from appeals on FOISA decisions – have gone high enough in the UK court system to challenge Durant, but all skirted Durant itself. The Edem case was different – Durant and biographical significance had to be looked at head-on. The result is good news for common sense and data subjects, but bad for anyone who wants to finagle their way out of an awkward subject access request.
Paragraph 17 of the Edem Court of Appeal case isn’t the death knell for Durant, but it’s a healthy and heavy dose of context:
“The First Tier Tribunal were wrong to apply Auld LJ’s “notions” in this case”.
When trying to work out whether a person’s name is personal data, the Court says that biographical significance is irrelevant. The question is whether the data identifies a living individual, and without any complicating or contradictory factors, the data is all you need. My name is Tim Turner, and while that’s not enough to find the bearded Act Now Trainer on the internet (there are country singers and ice hockey players and the man who played the Invisible Man in TV in the 1950s to sort through), it’s easily enough to locate information about me in any of the places I have worked. The Court of Appeal in Edem wholly endorses the ICO view of biographical significance as an occasional add-on, and uses Buxton LJ’s comments from Durant itself to back up that approach.
If it was wrong to overplay the effect of Durant, it’s equally wrong to overplay Edem. For the public sector, Durant was always blunted by the onset of FOI – if you successfully argued that data wasn’t personal data about the subject access applicant, they could always ask for it under FOI. The new judgment doesn’t give new rights to data subjects or expand Data Protection’s reach. A person who wants to use Data Protection to get access to large amounts of information to which they have some loose or stretched connection will come to grief just as Mr Durant did. But the Edem case does restore logic – data that identifies a person, even in a relatively benign or innocuous way – is personal data. The Eight DP Principles apply. Even when at work and doing mundane professional tasks, the DPA is likely to be engaged. An apparent loophole has not been closed – the Edem case simply confirms that it was a lot smaller than it may have appeared. The ICO approach is vindicated, and both the First Tier Tribunal and bloody-minded data controllers may have to think again.
Tim Turner is one of Act Now’s well-known data protection experts. He will be considering this and other latest Data Protection developments in his forthcoming DP Update workshops . Read more of Tim’s expert analysis on his blog. Readers wanting to see how the Durant case has been applied in previous decisions should read Ezsias v The Welsh Ministers (2007).