Common Services Agency v Scottish Information Commissioner (HL)

Reference: [2008] UKHL 47

Court: House of Lords

Judge: Lord Hoffmann, Lord Hope of Craighead, Lord Rodger of Earlsferry, Baroness Hale of Richmond and Lord Mance

Date of judgment: 9 Jul 2008

Summary: Freedom of information - s.38(1)(b), Freedom of Information (Scotland) Act 2002 - Data protection - Whether information held at time requested - Whether information 'personal data' - Whether information 'sensitive personal data' - s.1(1), Schedules 1, 2, and 3, Data Protection Act 1998 - Disclosure of medical information - Anonymous data - 'Barnardisation'

Instructing Solicitors: Reynolds Porter Chamberlain for the CSA; Brodies LLP for the SIC

Facts

Among the CSA’s functions is the collection and dissemination of epidemiological information from Health Boards. C, acting on behalf of a member of the Scottish Parliament, asked the CSA to supply him with details of all incidents of childhood leukaemia for both sexes by year from 1990 to 2003 for all the Dumfries and Galloway postal area by census ward. The CSA refused, stating that the data for 2002 and 2003 was incomplete, and that for the earlier years there was a significant risk of indirect identification of living individuals so that the information was personal data under the Data Protection Act and thus exempt for the purposes of the Freedom of Information (Scotland) Act 2002. It also said that it owed a duty of confidence to the patients.

The Scottish Information Commissioner agreed that the information was personal data, but ruled that the CSA should provide it to C after applying a method known as ‘barnardisation’ to disguise personal information.

The CSA appealed.

Issue

(1) Whether the information in barnardised form was information ‘held’ by the CSA at the time of the request;
(2) If so, whether it would constitute ‘personal data’
(3) If so, whether its release to C would be in accordance with the data protection principles, in particular the conditions for the processing of personal data in Schedule 2 of the DPA 1998;
(4) If so, whether the information was also ‘sensitive personal data’ and whether its release would also meet one of the conditions for processing sensitive personal data in Schedule 3 of the DPA 1998.

Held

Allowing the appeal and remitting the case to the SIC:
(1) The information was ‘held’ by the CSA at the time requested. This part of the statutory regime should be construed in as liberal a manner as possible. Barnardising the information was reasonable in the circumstances.
(2) It was only if the result of applying barnardisation to the information was that the CSA as data controller could no longer identify any living individuals as the subjects of that information that it would not be personal data. Whether barnardisation achieved that was a question of fact for the SIC.
(3) As barnardisation effectively anonymises the data, condition 6(1) of Sch 2 (processing necessary for the purposes of legitimate interests and not unwarranted by prejudice to the data subject) would be met.
(4) Whether the data would also be ‘sensitive personal data’ and whether any of the Sch 3 conditions were satisfied were questions of fact for the SIC.

Comment

This case was directly concerned with the interplay between the Data Protection Act 1998 and the Freedom of Information (Scotland) Act 2002, but as much of the relevant wording of the latter is also to be found in the Freedom of Information Act 2000, the case of UK-wide significance.

Their Lordships were hindered to an extent by the lack of findings of fact by the SIC, but the case as remitted is likely turn upon the effectiveness or otherwise of the barnardisation process in rendering the information “fully anonymous”, both to recipients and to the CSA (although the disclosure sought may also fall foul of the requirements of Sch 3 applicable to sensitive personal data).

Lord Hope’s speech is notable for his rejection of the submission that whether information was ‘sensitive personal data’ was to be determined by reference to that information alone and not by other information that was or was likely to come into the data controller’s possession.