One of the quirks of data protection law is that it rarely arises in litigation as an issue in its own right: in many cases, the point at stake concerns the interaction between data protection and freedom of information. (The point where "two worlds collide", in the words of Professor Laurie and Dr Gertz, in a recent Edinburgh Law Review case note.) One reason for this is that a freedom of information request (under the Freedom of Information Act 2000 or the Freedom of Information (Scotland) Act 2002) can be turned down where the data sought constitutes "personal data". Under the Data Protection Act 1998, personal data is data which identify the individual, either alone or in conjunction with other information held (or potentially held) by the data controller.
Cases typically turn on whether the public authority is entitled to refuse the FOI request because the data in question are personal data and this of course requires an understanding of "personal data". The leading case to reach the House of Lords on this issue is Common Services Agency v The Scottish Information Commissioner, (also known as SIC v CSA) from 2008.
The recent case of Craigdale Housing Association and others v The Scottish Information Commissioner has provided a fresh opportunity for the Inner House to consider the interaction between data protection and freedom of information.
As with CSA v SIC, this case involved a request for statistics. Here, housing associations in Strathclyde made a request for information from the Chief Constable of Strathclyde Police, seeking details of the number of Registered Sex Offenders (RSOs) residing in the Strathclyde Police area. Specifically, the housing associations wanted to know the number of RSOs in each postcode area, to the fourth postcode digit. The housing associations were keen to find out if the number of RSOs in their postcode areas was higher than the number in what they classed as more affluent areas.
The Chief Constable refused the request under FOISA and, on appeal, this decision was upheld by the Scottish Information Commissioner ("SIC") (whose remit extends to matters under FOISA, but not to data protection issues per se).
The basis on which the request was refused was that the information sought was personal data of the RSOs: to release it would breach the data protection principles. A conviction for any offence is treated as "sensitive personal data" and is generally subject to higher protection under the Data Protection Act 1998.
Although the data sought were statistics and did not name any individual RSO, the SIC "considered that it was necessary to consider the statistics in conjunction with other information in the public domain, including all the means likely to be used by a determined prson with a particular reason to make an identification." (para 3) This approach was based in part upon advice from the Information Commissioner, that the means used to identify an individual should take into account not only the means of the "ordinary man in the street, but also the means that are likely to be used by a determined person with a particular reason to want to identify individuals. Examples would include investigative journalists, estranged partners, stalkers or industrial spies." (ICO guidance, Determining what is personal data, 21.08.07, at page 7.) There was evidence that vigilantes and journalists would be determined persons with a reason to want to identify RSOs in a particular area – even if that would not be done by the housing associations.
The SIC therefore concluded that "the geographical and population size of the postcode districts meant it was unsafe to release the statistics and there was a risk of identification where they were combined with other publicly available information." (para 3).
This conclusion was challenged by the housing associations on two grounds. First, they argued that the SIC had erred in concluding that the statistics were "personal data"; secondly, he was wrong to assume that providing the statistics to the housing associations would place them in the public domain, where there was a risk they would be used by other parties, such as vigilantes or investigative journalists.
In answering these points, the Court spent some time analysing the decision of the House of Lords in CSA v SIC (paras 13 -19). Despite noting that Lady Hale's opinion was unsupported by the other Law Lords (albeit the bench all reached a unanimous decision, but by way of different routes), the Inner House focused on her "purposive, or even adventurous" route to an answer. (para 17). With reference to her speech, the Inner House concluded that there was nothing to help the housing associations' case: she did not limit the concept of personal data to that which identified individuals in the hands of the recipient only. Instead, she "speaks of the particular data 'being anonymised in such a way that neither he nor anyone to whom he might pass them on could identify the infividual to whom they relate'." (para 17). The fact that there is nothing to stop the recipient under an FOI request passing the data on means that the data must be treated as being "at large" once they are released. Accordingly, it may be relevant to take into account the actions of other parties in using those data – in this case, potentially to identify RSOs.
To this extent, the Inner House agreed with the SIC that releasing the data to the housing associations would effectively place them in the public domain. (para 18). However, the Inner House did allow that the housing associations had a relevant ground of challenge in relation to whether the data were (or were not) personal data. The Chief Constable would only be allowed to withhold them if they did constitute personal data, and the SIC agreed that the statistics were indeed personal data, since they could be used (with other information in the public domain) to identify individuals.
The Inner House were critical of this conclusion:
"The [SIC] does not, in paragraph 49 [of his judgment] or elsewhere, explain what "other factors" or "data from another source of publicly available information" he has in mind in relation to the risk of identification of individual RSOs. While we recognise that he may be concerned not to disclose in a potentially public document information which might be made use of by vigilantes, the appellants are, in our view, entitled to be told, at least in general terms, what these other factors or such other data are. Without that, the respondent's decision is unintelligible." (para 28)
While not stating conclusively whether the statistics were personal data, the Court remitted the issue back to the SIC to "consider of new his reasons for concluding that the statistics in question are personal data" (para 32) and to explain it in view of the above comments.
This appears to be a reasonable conclusion. The SIC undoubtedly has a difficult job in trying to determine whether statistics could identify individuals, if combined with other information in the public domain by those with a vested interest in doing so – especially since the consequences of such identification could be far-reaching if disclosed in the press or used by vigilantes. However, it is important for the precise basis upon which individuals could be identified from statistics aggregated by postcode area to be made explicit. If there is no further information which could be combined with the statistics in order to identify individuals, then the statistics are not personal data and there can be no reason not to release them.
We therefore await with interest the SIC's new decision in due course.
One of the interesting features about the decision of the Inner House, which was delivered by the Lord President on behalf of the Court, is that it used the European Directive upon which the Data Protection Act is based to help interpret the UK Act. It did so in preference to relying on the leading English Court of Appeal decision on data protection, Durant v FSA, from 2003, which has been the subject of some criticism. This is arguably a (positive) signal that the influence of Durant is waning and, at least in Scotland, the courts will not be influenced by a decision which has considerably narrowed the concept of "personal data". Instead, the Directive which forms the basis of European data protection law has more to offer to enable the courts to take a purposive approach to data protection in the UK.