Case law: ruling changes how organisations define 'personal data' for data protection purposes
Organisational data controllers must make sure they are clear how they define 'personal data' for the purposes of their data protection policies and procedures, following a High Court decision.
This update was published in Legal Alert - December 2013
Legal Alert is a monthly checklist from Atom Content Marketing highlighting new and pending laws, regulations, codes of practice and rulings that could have an impact on your business.
Data protection laws apply if an organisation is processing 'personal data' whether held electronically, in paper form or in any other form. 'Personal data' is defined as data:
- relating to a living individual;
- from which that individual can be identified, with or without other information which is in the possession of, or is likely to come into the possession of, the data controller.
Personal data includes any expression of opinion about the individual, and any indication of the intentions of the data controller or any other person in respect of the individual. It could include names, addresses and contact details; and it could include information about, for instance, an individual's online browsing behaviour.
Any individual can ask to see (and is entitled to copies of) personal data held about them; they must be told how their data is being processed, and who is entitled to see it.
In a landmark Court of Appeal decision in 2003 ('Durant'), the court ruled that the fact that someone's name appears in a document does not, in itself, make it 'personal data' - otherwise data protection law could be used as 'an automatic key' to force disclosure to individuals of any information in which their names are mentioned.
The court said data will only be 'personal data' where its inclusion in the document affects the named individual's privacy. This hinges on whether the information is biographical; and whether the focus is on the named individual, or whether the mention of the individual's name is peripheral to the purpose of the document.
But the High Court has recently downplayed the importance of the Durant decision, saying the Durant test should be applied only in 'exceptional' circumstances. In most cases, organisations should be able to decide whether data is personal by a common-sense interpretation of the wording in data protection law. The Durant test is a fall-back to be used only where the legal definition creates uncertainty.
If the matter was still unclear, organisations could resort to the test in 'An Opinion on the concept of personal data' ('WPO'), adopted by a Working Party established by Article 29(1) of EU Directive 95/46/EC on personal data, together with consideration of the Information Commissioner's guidance in 'Determining what is personal data'.
Data controllers are advised to review how they define personal data for the purposes of their data protection policies and procedures. In particular, they should reassess whether records previously outside their definition of 'personal data' will now be treated as within it and therefore have to be disclosed.
Disclaimer: This article from Atom Content Marketing is for general guidance only, for businesses in the United Kingdom governed by the laws of England. Atom Content Marketing, expert contributors and ICAEW (as distributor) disclaim all liability for any errors or omissions.