In Common Services Agency v Scottish Information Commissioner, the House of Lords has ruled on the extent to which anonymised information about individuals constitutes "personal data" for the purposes of the Data Protection Act 1998. The decision makes clear that, in keeping with the EU Directive from which the UK's data protection legislation is derived, disclosure of fully anonymised personal information does not amount to processing of personal data which must be carried out in accordance with the data protection principles.
The issue arose in the context of a Freedom of Information (FOI) Act request made on behalf of a member of the Scottish Parliament (MSP) to the Common Services Agency (CSA), a public authority providing support to the NHS in Scotland. The MSP asked the CSA to disclose details of all incidents of childhood leukaemia in Dumfries & Galloway for both sexes by year from 1990 to 2003 and by census ward.
The CSA refused to disclose the information requested on the basis that, because of the low number of individuals in the specified age group, per census ward, per year, who had been diagnosed with leukaemia, the statistical information was very likely indirectly to identify living individuals. As a result, it would constitute "personal data", disclosure of which to the public would breach the data protection principles, and was therefore exempt from disclosure under FOI.
On appeal, the Scottish Information Commissioner decided that the CSA ought to have disclosed the information in barnardised form. Barnardisation is a process by which statistical information can be modified so as to minimise the risk of identification of individuals by adding 0, +1 or – 1 to small cell counts.
The issue for the House of Lords to decide was whether the information in this barnardised form was "personal data" disclosure of which would breach the data protection principles. "Personal data" is defined in the Data Protection Act 1998 as:
- data which relate to a living individual who can be identified –
a) from those data, or
b) from those data and other information which is in the possession of, or likely to come into the possession of, the data controller
It was clear that the statistics in barnardised form were data and that they related to living individuals. The issue was whether the individual patients could be identified from (2) the barnardised data or (2) the barnardised data and from other information held by the CSA.
The Lords decided that if barnardisation of the information would fully anonymise it so that no living individual could be identified from it, then the information would no longer be "personal data" for the purposes of disclosure to the public. However, the Lords also held that whether or not barnardisation would successfully achieve this result, even in the case of very low incidences, was a matter of fact to be decided by the Scottish Information Commissioner.
There was some disagreement among the Lords as to the justification for holding that the barnardised information, if fully anonymised, would not constitute "personal data" under part (b) of the definition on the basis that an individual could be identified from "those data and other information (ie the non-anonymised data) ... in the possession of the data controller", even though the CSA would also have in its possession the original non-anonymised data. Lord Hope, with whom the majority agreed, decided the words "those data and other information" indicated that it was the combination of the data in question and the other information that had to enable identification for the definition to apply; if the "other information" alone enabled the identification, the data concerned would not fall within the definition.
 |
| Helen Rose |
Bristows
100 Victoria Embankment
London EC4Y 0DH
United Kingdom
Tel: +44 20 7400 8000
Fax: +44 20 7400 8050
DX: 269 Chancery Lane
info@bristows.com
www.bristows.com
