ANON

Common Services Agency v Scottish Information Commissioner

Section 1(1) of the 1998 Data Protection Act (DPA) defines personal data as data relating to a living individual from which they can be identified, along with any other information held by the data controller. In Common Services Agency v Scottish Information Commissioner, the House of Lords said that even if the information is “anonymised”, it still constitutes personal data and the data protection principles apply if a third party asks to see it.

Basic facts

In January 2005, a researcher for a member of the Scottish Parliament made an application to the Common Services Agency (which collects statistical information on health) under the Freedom of Information (Scotland) Act 2002 (FOISA).

The Agency, however, refused to divulge details of his request for all incidents of childhood leukaemia from 1990 to 2003 in a certain area by census ward. It argued that, because of the low numbers involved, some individuals might be identified and that it would therefore constitute personal data under section 1(1) of the DPA making it exempt from the requirements of the FOISA.

The researcher then appealed to the Scottish Information Commissioner who ruled that the data could only be disclosed if it was "barnardised" (a statistical process that artificially alters data without distorting it). This would ensure it was sufficiently anonymous so that it would not constitute personal data under section 1(1) and could therefore be released under FOISA.

Court of Session decision

The Court of Session (Scottish Court of Appeal) agreed with the Information Commissioner that "barnardisation" of the data would render it sufficiently anonymous to protect the identity of individuals and their rights under the DPA.

House of Lords decision

The House of Lords, however, overturned that ruling and said that the information still constituted personal data under the DPA and that the data protection principles therefore should have been applied.

It criticised the Information Commissioner for deciding that it was enough to just “exclude personal data from the duty to comply with the data protection principles simply by editing the data.” He should also have considered whether the “barnardised” data itself constituted “personal data” under the DPA

The question then was “whether the data controller, or anybody else who was in possession of the barnardised data, would be able to identify the living individual or individuals to whom the data in that form related.” If the recipient could not identify anyone from it, then it would not constitute “personal data” in his hands. But what about the agency?

As it had access to all the statistical information from which the barnardised information would be derived, it was obvious that it would be able to identify the children concerned. That did not mean it could not process the information in such a way that it became data “from which a living individual can no longer be identified”, however. The House of Lords accepted that “if barnardisation can achieve this, the way will be then open for the information to be released in that form because it will no longer be personal data.” This, however, was a question of fact for the Information Commissioner to rule on.

The next issue was whether any of the data constituted “sensitive personal data” under section 2(e) relating to someone’s “physical or mental health or condition”. This type of data, said their Lordships, was essentially a subset or species of personal data.

The House of Lords concluded that as it was “open” to the Commissioner to hold that the barnardised data constituted personal data, it was a “short step to conclude, that it was also sensitive personal data as “it concerned data about the physical health of living children who could be identified from data released in response to the request together with other information in the possession of, or likely to come into the possession of, the Agency.”

Our claims services

Services

Personal Injury Claims

Road Traffic Accident Claims

Serious Injury Claims

Asbestos Disease Claims

Medical Negligence

Industrial Disease Claims

Accident at Work Claims

Employment Matters

More Legal Services

Trade Unions

Support and Advice

How to Make a Claim

Our Clients

Charities and Support Groups

About

About Thompsons

Our People

Our Offices

News

News Releases

Commentary

Newsletters

Campaigns

More from Thompsons

Contact us today

Call us free on

Email us at

Contact one of our offices

Employment Law Review