Meaning of Personal Data under the Data Protection Act

In the recent case of Durant v Financial Services Association [2003] EWCA Civ 1746. the meaning of “personal data” as defined in the Data Protection Act 1998 received consideration from the Court of Appeal. The decision influenced the Information Commissioner to conduct review and revise the guidance issued by his Office.

Purposes: Data Protection Act

The Court considered the overarching legislation that prompted revisions to the Act in 1997 by Parliament. The Court held that "The primary objective of the 1995 directive is to protect individuals’ fundamental rights, notably to privacy and accuracy of their personal data held by others in computerised or similarly organised manual filing systems, while at the same time facilitating the free movement of such data between member states and the European Union”.

Access Rights

The Data Protection Act grants individuals rights to access personal data held by “Data Controllers” as defined by the Act. In Durant, the Financial Services Authority had investigated a complaint by Mr Durant pursuant to its powers under the Banking Act 1987 and the Financial Services and Markets Act 2000. Mr Durant sought disclosure of that information on the basis that it was ‘personal data’ within the meaning of the Data Protection Act. The Financial Services Authority resisted the application on the basis that the information obtained from the bank (Barclays) was protected by duties of confidentiality imposed by the Banking Act.

Purpose of Access

To determine whether Mr Durant was entitled at law to the information, the Court considered the meaning of ‘personal data’. The Court noted in passing that the purpose of the Act was “to enable an individual to obtain from a data controller’s filing system, whether computerised or manual, his personal data that is information about himself”. Mr Durant was granted the right to do so under the Data Protection Act and to ascertain whether the data controller unlawfully infringed his privacy, and to take such steps to enforce those rights granted to him under the Act.

Distinction with Computer Records

The Court held that the Data Protection Act was not designed to assist an applicant to discover documents that may assist him in litigation or in the furtherance of complaints against third parties, such as the Bank, nor was it an automatic key to obtain any information that was readily accessible. An application on this basis would be for a purpose outside his rights under the Act, i.e. an ulterior motive for which the Data Protection Act did not recognise.

Mr Justice Auld ruled that “Not all information retrieved from a computer search against an individual’s name or unique identifier is personal data within the Act. Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data… the mere fact that a document is retrievable by reference to his name does not entitle him to a copy of it under the Act”. Buxton LJ agreed. The information required to have some biographical quality as to the data subject and affect his privacy in his professional, business, personal or family life.

Businesses and the Data Protection Act

The Act does not provide free access to information to ensure that their personal information is processed within the bounds set by the Act. The dispute clarified to some extent the meaning of personal data and the purpose for which it may be requested. Companies which have not set in place procedures to produce records within the 40 days required by the Act. The purposes for which a business may use personal data is set out in a public register maintained by the Information Commissioner, which is a starting point to assess whether a business or company has complied with its obligations under the Data Protection Act.