Data protection principles and the public interest have clashed in the Court of Session, throwing the spotlight on Scotland’s information commissioner. James McMorrow reports
The decision of the Court of Session in Common Services Agency v Scottish Information Commissioner represented a landmark judgment for the Scottish Information Commissioner (SIC), in that it was the first time that a decision of the SIC had been appealed to the Court of Session on a point of law.
The Court of Session refused the Common Service Agency’s appeal and upheld the SIC’s original decision in respect of the disclosure of information by the agency. The agency subsequently appealed the Court of Session decision to the House of Lords. The appeal by the Common Services Agency of the decision of the Court of Session in the Common Services Agency case has now been upheld by the House of Lords, which issued its decision in respect of the appeal on 9 July 2008.
The Common Services Agency case centred upon the applicant, Michael Collie, acting on behalf of Chris Balance MSP, who requested information regarding the incidence of childhood leukaemia for both sexes in the age range of 0-14 years, between the years 1990-2003, for all the Dumfries and Galloway postal area by census ward. The purpose of the request was to establish whether a nearby nuclear power station and military firing range has an effect on incidences of cancer.
It was undisputed by the Common Services Agency that there was genuine public interest in the disclosure of the requested information. Indeed, concern had been expressed regarding risks to public health in the area, arising from operations at the Ministry of Defence’s Dundrennan firing range, the now decommissioned nuclear reactor at Chapelcross and the nuclear processing facilities at Sellafield.
Nevertheless, the Common Services Agency refused the request on the grounds that the information being requested was of such a specific nature that, if the requested information was disclosed, there was a significant risk of indirect identification of living individuals. Consequently, the Common Services Agency considered the information requested to be personal data in terms of the Data Protection Act 1998, therefore exempt from disclosure in terms of the 2002 Freedom of Information (Scotland) Act.
Collie referred the Common Services Agency’s decision to withhold the requested information to the SIC, who determined that the information could be released if the personal data was ‘barnardised’. Barnardisation is an anonymisation technique used to minimise the risk of individuals being identified when low incidences occur in statistical compilations by modifying data by +1 or -1 to protect it from identification. The SIC’s view was that rendering personal data anonymous in such a way would enable the information to be disclosed.
The Common Services Agency appealed the SIC’s decision to the Court of Session, which upheld the Commissioner’s stance in respect of the disclosure of the information requested in a barnardised format. In reaching its decision, the Court of Session stated that the barnardised data was ‘held’ by the agency for the purposes of the 2002 Act and was sufficiently anonymous that it did not constitute personal data. The SIC was, therefore, entitled to require the Agency to disclose this information in the exercise of his supervisory powers under the 2002 Act.
The Common Services Agency appealed the decision of the Court of Session to the House of Lords.
In reaching a decision in respect of the appeal by the Common Services Agency, there was a prevailing concern among the Lords as to the potential impact of their decision. The Lords noted that, if they decided in favour of the Common Services Agency, such a decision could potentially affect the ability of individuals to use their rights under the 2002 Act to obtain anonymous statistical information from Scottish public authorities.
The key issues upon which the appeal turned were: if the Common Services Agency was required to barnardise the information requested, did the Common Services Agency ‘hold’ such information for the purposes of the 2002 Act; and, if the Common Services Agency was determined to hold such information, was this information personal data for the purposes of the 1998 Act?
In relation to the first issue, the Common Services Agency argued that the process of barnardisation would require the production of information that was different from that held by the Agency at the time of the request. On the basis that the barnardisation process required information to be
created, such information was not ‘held’ by the Agency at the point at which the request was made and the terms of the 2002 Act did not, therefore, apply.
The Lords considered the Agency’s position, that the barnardised information was not ‘held’ for the purposes of the 2002 Act, unduly restrictive and claimed that it did not comply with the underlying principles of the 2002 Act.
The Lords noted that the terms of the 2002 Act, in respect of the holding of information, should be construed as liberally as possible and that the effect of barnardisation would be to apply a form of disguise or camouflage to information that was already held by the Agency at the time of the request.
Disclosure of the barnardised information would amount to the provision of such information in an anonymised format that concealed those parts of it that have to be withheld, rather than the creation of new information not held at the time of the request. The Lords drew parallels between the barnardisation process and that of redaction of personal or confidential information prior to disclosure.
In relation to the second issue, the Lords held that information requested should not be disclosed unless it could either be anonymised so that it was not personal data, or could be released in a form which did not contravene one of the data protection principles under the 1998 Act.
The Lords noted that, in his original decision, the SIC had not properly considered the question of whether the barnardised data would constitute personal data in terms of the 1998 Act and, if so, whether its disclosure would be in compliance with the terms of that Act and the data protection principles contained therein.
Accordingly, the Lords determined that the appropriate course of action was for Collie’s application to be remitted to the SIC for a determination as to whether the information in question can be sufficiently anonymised for it not to constitute personal data.
In the event that the SIC considers that the barnardised information is not sufficiently anonymous to take it beyond the definition of ‘personal data’ in terms of the 1998 Act, the SIC would need to consider whether disclosure of such information would comply with the data protection principles and, in particular, the requirements for the processing of sensitive personal data in terms of the 1998 Act.
The SIC has welcomed the decision of the House of Lords and has recognised the need to address again the question of what, if any, barnardised information can be disclosed to Collie while at the same time taking into account the need to adequately protect the privacy of individual patients.
The SIC’s further decision in this regard is awaited with keen interest by all those involved in the Scottish public sector.
James McMorrow is a partner at Harper Macleod.
ScotlandJuly2008
