K-Zine

Data Protection - Important UK Court of Appeal decision with implications for the interpretation of "Personal Data".

A recent decision in the UK Court of Appeal in the case of Durant -v- Financial Services Authority has significant implications for any person making or responding to an access request.

This is a decision of the English Court of Appeal and as such it is not binding on the Irish Courts. That said it could have persuasive authority if a case turning on similar facts was to come before the Irish Courts.

Briefly the facts of the case are as follows. Mr. Durant sought information from the UK Financial Services Authority (FSA) under the provisions of the UK Data Protection Act (DPA) which he claimed was personal data relating to him. The access request related to complaints made by Mr. Durant to the FSA regarding Barclays Bank plc and also relating to the handling of his complaint by the FSA.

The FSA provided him with certain information which it had maintained in electronic form but with certain information relating to the identities of other persons removed. The FSA refused to supply any relevant documents held in its manual files.

Mr. Durant then sought full disclosure of the electronic documents and full disclosure of the manual files. This request was refused and arising out of this refusal the matter came before the UK Court of Appeal.

In the context of this brief article the appeal to the Court raised three important legal issues:

1.	What constitutes data (whether held in electronic or manual files) as "Personal Data" as defined in the DPA entitling the person identified by it to seek its disclosure?
2.	What does "relevant filing system" mean in the context of the definition of "data" in the DPA so as to constitute information recorded in a manual filing system as "Personal Data" that is disclosable in response to an access request?
3.	On what basis would a Data Controller - when responding to an access request - be entitled to redact such information that would identify third parties whose consent to such disclosure had not been obtained?

As to the first of these three questions the Court held that further disclosure as sought by Mr. Durant (whether of computerised or manual files) was not justified because the information in question did not have Mr. Durant as its focus and as such was not "Personal Data" within the meaning of the DPA.

In response to the second of these questions the Court found that Mr Durant was not entitled to disclosure of the FSA's manual files because these did not constitute a "relevant filing system" as defined in the DPA. The files in question were not structured in such a way that specific information about Mr. Durant would be readily accessible on a search being made for specific information about him.

As to the third or these questions the Court held that the FSA had acted properly in redacting certain information from the information provided to Mr. Durant that identified other individuals and that such redacted information did not constitute Mr. Durant's "Personal Data".

Although this is an authoritative case in the UK with important implications for individuals making access requests in that jurisdiction and for Data Controllers responding to such requests it may yet prove to be a precedent with persuasive authority before the Irish Courts.

For further information contact:
Patrick Ryan at
Email : pryan@kilroys.ie

If you would like to receive our
Business Briefing on the Irish Data
Protection legislation in CD-Rom format
please contact Patrick Ryan

© Kilroys Solicitors 2004