Data Protection, Human Rights and Freedom of Information: Latest Developments

March 1, 2004

In some ways, as mere IT lawyers, data protection, human rights and freedom of information are subjects which take us on a voyage of discovery. The purpose of this article is to illuminate some aspects of those travels and to illustrate some of the ways in which these subjects are becoming increasingly intertwined.

As a traditional IT lawyer, my early contacts with data protection related to the Data Protection Act 1984 and the original compliance regime. Back in those days, the rationale for data protection laws in the UK was driven by an increasing concern, even prior to the days of the Internet, that the capacity of computers to store information about individuals provided an opportunity for abuse of that information. However, things have very much moved on from those early beginnings and an IT lawyer back in the 1980s would have been hard pressed to have foreseen the legal and, to a degree, public policy issues that we are now considering.

Data Protection Act 1998

The Data Protection Act 1998 implemented the Data Protection Directive 95/46/EC. Even in the mid-1990s, before the explosion of the Internet and its capacity seamlessly to disseminate information, data protection laws were perceived in a wider context on a European stage. Article 1 of the Directive provides that:

Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to processing personal data“.

I do not propose to go through the main provisions of the Data Protection Act with which readers will be familiar. However, broadly it provides that personal data processed automatically or as part of a relevant manual filing system must be processed in accordance with the eight data protection principles set out in Schedule 1. Individuals have a right of access to data under s 7 and rights to prevent processing and to apply to the court to rectify, block, erase or destroy data. There is an exemption from most of the provisions of the Act in s 32 if the data is processed with a view to the publication of journalistic, literary or artistic material which the data controller reasonably believes, having regard to the importance of freedom of expression, would be in the public interest.

Freedom of Information Act 2000

The Freedom of Information Act 2000 is a UK Government initiative aimed broadly at promoting open government. It provides clear statutory rights for those requesting information from a public authority (which term is widely defined). It should be noted that this relates to information generally and not just to information about an individual. It is intended that the right of access to information will come into force in January 2005. There are certain exemptions, including, for example, information intended for future publication, national security, the economy, audit functions, health and safety and environmental information. However, even if an exemption applies, the authority must then decide whether it must disclose in the public interest irrespective of the exemption. The Act provides for a co-ordinated regime with the Data Protection Act which is overseen by the Information Commissioner.

Human Rights Act 2000

The Human Rights Act 2000, which is the third of this trilogy of overlapping UK statutes, gives expression in UK law to the European Convention on Human Rights 1950. This in turn evolved from the UN Declaration of Human Rights in 1948, which set out various rights and freedoms designed to protect Europe against totalitarianism and a repeat of war-time atrocities. If you consider it in these terms then the rights enshrined in the convention take on a heightened meaning. It is so easy in a less troubled age to take some of these rights for granted. The rights include:

· the right to life

· freedom from torture

· right to liberty

· right to a fair trial

· right to respect for private and family life

· freedom of expression

· freedom of assembly

· right to marry and found a family.

The Act, which came into force on 2 October 2000, was a key part of the Government’s programme to modernise the constitution and incorporates into domestic law the European Convention. The Act makes it unlawful for any public authority to act in a way that is incompatible with a Convention Right. The term ‘public authority’ is not defined but includes all obvious public authorities as well as private bodies when they exercise public functions. The Act modernises relationships between people and, in particular, between people and the state and is intended to reflect values of fairness, respect for human dignity and inclusiveness in public services. The then Home Secretary Jack Straw said:

I believe that in time the Human Rights Act will help bring about a culture of rights and responsibilities across the UK . the Convention Rights . are going to become an anchor for our laws and policies and a sail for service delivery“.

Common Theme

One of the common themes that now runs amongst these three areas is the need to create a fair balance between the interests of society and the protection of the individual’s fundamental rights. It is this balancing test that means that in data protection cases, such as that of Bodil Lindqvist, human rights are raised as an issue.

Legal Developments

During 2003 there were a number of interesting case-law developments.

Michael John Durant v Financial Services Authority

The most significant of these was undoubtedly the the Court of Appeal’s ruling, handed down on 8 December, in Michael John Durant v Financial Services Authority [2003] EWCA Civ 1746. Although the case focused on subject access requests and in particular what kind of manual files are caught by the definition of a “relevant filing system” for the purposes of the Act, the Court of Appeal also opined on the fundamental question of what is meant by “personal data”.

By way of background, this case had its origins in some unsuccessful litigation by Mr Durant against Barclays Bank in the early 1990s, and a subsequent, unsuccessful, attempt to obtain disclosure of certain documents which he thought might assist him to re-open the case. Mr Durant then made a complaint to the FSA, which conducted an investigation. Mr Durant made two requests to the FSA under the subject access provisions of the Data Protection Act: some disclosure was given, but much was refused. That led to an application to a county court, which was dismissed on the basis that the FSA files in question did not fall within the definition of a “relevant filing system” and that, in turn, the data within them was not “personal data” under the Act. Starting with the assumption that the intention of the legislation “is to provide, as near as possible, the same standard or sophistication of accessibility to personal data in manual filing systems as to computerised records”, the court adopted a restrictive approach, concluding that “a “relevant filing system” is limited to a system:

in which the files forming part of it are structured or referenced in such a way as clearly to indicate at the outset of the search whether specific information capable of amounting to personal data of an individual requesting it . is held within the system and, if so, in which file or files it is held; and

which has, as part of its own structure or referencing mechanism, a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file or files specific criteria or information about the applicant can be readily located.”

Anything less, for example a system requiring a researcher to “leaf through files”, would not be caught by the Act.

As mentioned above, the Court of Appeal also considered the fundamental question of what type of information (whether held in computerised or manual files) constitutes “personal data ” within the meaning of the Act. In a comprehensive analysis, the Court traced the legislative trail of the Act from its origins in the 1981 European Convention, via the EU Directive and, finally, its passage through the UK Parliament. It concluded that the purpose of the subject access provisions is “to enable [an individual] to check whether the data controller’s processing.unlawfully infringes his privacy and, if so, to take such steps as the Act provides (ie blocking and rectification).it is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved.” Adopting this narrow interpretation, the Court concluded “it is likely in most cases that only information that names or directly refers to [a data subject] will qualify” and that “not all information retrieved from a computer search against an individual’s name or unique identifier is personal data within the Act.” In deciding on a case-by-case basis whether information falls within the Act, two factors are relevant: “The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject’s involvement in a matter or an event that has no personal connotations.The second is [that].information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event .In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity.

The Information Commissioner has announced that he will revise existing guidance in the light of the Court of Appeal’s restrictive interpretation of “personal data”.

With data subject access requests on the increase as a tactical weapon, the ruling also sent a clear warning to litigants tempted to emulate Mr Durant. In his leading judgment, Lord Justice Auld stated that the Act “. is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved. Nor is to assist him. to obtain discovery of documents that may assist him in litigation or complaints against third parties.”

Bodil Lindqvist

Just one month before the Court of Appeal’s landmark ruling in Durant, the European Court of Justice had given its first substantial ruling on the Data Protection Directive on a number of general and Internet-related issues in the case of Bodil Lindqvist. The unfortunate Mrs Lindqvist was prosecuted by the zealous Swedish data protection authorities after she set up Internet pages on her personal computer which contained information about the parish church at which she worked on a voluntary basis. She included information about herself and 18 colleagues in the parish, sometimes including their full names and in other cases only their first names, and their jobs and hobbies . She also mentioned that one colleague had injured her foot and was working part-time on medical grounds. The information was posted without the consent of those concerned, although the pages were removed when objections were received.

A number of issues were referred to the ECJ which held as follows:

· Referring to various persons on an Internet page and identifying them either by name or by other means constitutes processing of personal data by automatic means within the meaning of community law.

· The exemption for the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic does not apply to the publication of information on the Internet. By virtue of the fact that Internet publication means those data are accessible to an infinite number of people, this could not be considered to be exclusively personal or domestic.

· Restrictions on the processing of data regarding the health of the individual (enacted in the provisions regarding “sensitive personal data” under UK law) should be given a wide interpretation so as to include information concerning all aspects, both physical and mental, of the health of an individual.

· The community legislature did not intend the expression “transfer of data to a third country” to cover the loading of data onto an Internet page even if such data are thereby made accessible to persons in third countries. This is the position regardless of whether an individual in a third country has accessed the Internet page or whether the server of that hosting service is physically located in a third country. It does not seem to go on to address the issue of providing a facility for those persons in a third country to download the data. The ECJ considered only the position of the person publishing the information on the Internet page, and not the position of hosting providers which it expressly reserved.

· The Directive did not itself entail a restriction contrary to the principle of freedom of expression or other fundamental rights. It is for national authorities and courts to ensure a fair balance between the rights and interests in question including those fundamental rights.

Naomi Campbell

One of the most high profile cases has been that involving Naomi Campbell (Naomi Campbell v MGN Limited [2002] EWCA Civ 1373), which demonstrated that the legislation provides a legal means for celebrities to complain about invasions of personal privacy as much as ordinary individuals. She claimed damages from the Daily Mirror for breach of confidence and breach of the Data Protection Act. The High Court determined that the journalistic exemption in s 32 of the Act only applied pre-publication and therefore did not apply here. The Court of Appeal reversed this. The House of Lords judgment in the case is awaited with interest.

The ubiquitousness of data protection issues is further illustrated by Douglas and Others v Hello! Ltd and Others [2003] EWHC 786. Following the analysis in Campbell, the judge readily found that the pictures represented personal data and that publication is covered by the Act. The journalistic exemption did not apply because the publication of unauthorised photographs in Hello!, when the authorised photographs were shortly to be published in OK!, could hardly be regarded as in the public interest.

Other trends in privacy law

In the House of Lords case of Secretary of State for the Home Department v Wainwright [2003] UK HL 53, there is a rejection of the development of a “tort of privacy”. This case involved a strip search of prison visitors. The court held that there was no general cause of action for invasion of privacy. The case arose before the Human Rights Act was in force and an action could now have been brought under that Act. It seems that the UK courts consider that the right under the Act to award damages for breach of a Convention right is founded in a public law remedy rather than a new constitutional tort.

One of the trends we have seen is for the subject access rights under the Data Protection Act to be used for pre-action disclosure purposes in litigation. In other words, not seeking access to data primarily for the purpose of finding out what sort of data was being processed about the individual or ensuring that it was accurate, such as in the context of credit references, but for the more arbitrary purpose of assisting in the process of making a claim against the data controller. Indeed, in one case P v David Wozencroft [2002] EWHC 1724 (July 2002), the claimant sought but failed to use a subject access request following the conclusion of a court case in order to reopen the dispute. As noted above, in its ruling in the Durant case the Court of Appeal has now sent a clear warning to litigants and their lawyers to – in the words of Lord Buxton – “think very carefully” before attempting to use the subject access provisions as a weapon in litigation.

Legislation and guidance

The year was marked by a number of legislative, as well as case law, developments.

In June the European Commission published its report on implementation of Directive 95/46/ EC, drawing on the previous year’s consultation exercise. Essentially this called for more vigorous enforcement of the existing regime (and the ironing out of divergences between Member States’ implementation) with a further review to consider possible reform of the Directive in 2005.

In late 2002 and early 2003 the UK Government carried out a public consultation on the subject access provisions in the light of technological and legislative change such as the Freedom of Information Act 2000. At the time of writing, the Government is still considering responses to that consultation (and must now, in addition, reflect on the Durant ruling) before issuing proposals for reform – although these are not expected to be extensive.

The Telecoms Data Protection Directive (97/66/EC) has recently been updated by the Directive on Privacy and Electronic Communications (2002/58/EC). The new Directive updates existing rules for network operators marketers and introduces, among other things, new constraints on the use of e-mail and SMS marketing and Web site cookies. This has been implemented in the UK by the Privacy and Electronic Communications (EC Directive) Regulations 2003, which came into force on 11 December 2003.

Other developments worth noting include the publication in June by the Information Commissioner of the final version of the controversial Part 3 of the Employment Practices Code, setting out guidance for employers on the extent to which monitoring and surveillance of employees is lawful under the Data Protection Act. The fourth and final part of the Code, on medical records, was published at the end of the year. The year was rounded off by the Commissioner’s announcement that, in the light of the Court of Appeal’s more restrictive interpretation of the scope of “personal data” in the Durant case, the Commissioner would review his existing guidance in 2004.


By way of overall conclusion it seems to me that we are moving towards an era where individual rights of privacy, and indeed rights to image in the case of celebrities, are increasingly debated. Interestingly the Government rejected the need for a privacy law in its response to the fifth report of the Culture, Media and Sports Select Committee on privacy and media intrusion published on 14 October 2003. It agreed with the Committee on a number of recommendations aimed at improving the system of self-regulation and the work of the Press Complaints Commission, but made it clear that the Government has no intention of introducing any extra legislation. The House of Lords in Wainwright has also limited common-law development of a tort of privacy. However, the combined effect of these three Acts does seem to move in the direction of new and extensive rights and remedies for individuals. Indeed, with the rejection by the Government of new privacy legislation and by the judiciary, in Wainwright, of a separate tort, it seems inevitable that the spotlight will fall increasingly on the Data Protection Act as a means for claimants to achieve this end. As IT lawyers whose practices were originally versed in traditional data protection legislation, we now need to recognise the broader context in which data protection operates and the relationship it has with freedom of information and human rights.

Clive Davies is a Partner at Olswang.