House of Lords portcullis
House of Lords
Session 2007 - 08
Publications on the Internet
PDF Print Versionpdf icon

Judgments - Common Services Agency (Appellants) v Scottish Information Commissioner (Respondent) (Scotland)


SESSION 2007-08

[2008] UKHL 47

on appeal from: [2006] SCOTCS CSIH 58




Common Services Agency (Appellants) v Scottish Information Commissioner (Respondent) (Scotland)

Appellate Committee

Lord Hoffmann

Lord Hope of Craighead

Lord Rodger of Earlsferry

Baroness Hale of Richmond

Lord Mance



Valerie Stacey QC

Ruth Crawford

(Instructed by Reynolds Porter Chamberlain LLP for R F Macdonald)


Paul Cullen QC

Morag Ross

(Instructed by Brodies LLP)

First Intervener (Information Commissioner)

Timothy Pitt-Payne

(Instructed by Information Commissioner’s Office)

Second Intervener (Secretary of State for Justice)

Lord Davidson of Glen Clova QC

Jason Coppel

John MacGregor

(Instructed by Treasury Solicitors for Office of the Solicitor to the Advocate General)

Hearing date:

1 and 2 APRIL 2008






Common Services Agency (Appellants) v Scottish Information Commissioner (Respondent) (Scotland)

[2008] UKHL 47


My Lords,

1.  I have had the advantage of reading in draft the speech of my noble and learned friend Lord Hope of Craighead. For the reasons he gives, with which I agree, I too would allow this appeal.


My Lords,

2.  This case raises important questions about the interaction between provisions of the Data Protection Act 1998 (“DPA 1998”) on the one hand and provisions of the Freedom of Information (Scotland) Act 2002 (“FOISA 2002”) on the other. The corresponding provisions of the Freedom of Information Act 2000 (“FOIA 2000”), which extends to the whole of the United Kingdom and applies to UK public authorities located in Scotland, are not engaged directly. The appellant, the Common Services Agency (“the Agency”), is a special Health Board the regulation of whose functions is a matter for the Scottish Parliament: see FOIA 2000, section 80. But much of the wording of section 38 of FOISA 2002, which addresses the overlap between rights of access under that Act and rights of access under DPA 1998, is reproduced in section 40 of FOIA 2000, which addresses the same problem. Section 38(2)(a) of FOISA, in particular, is in exactly the same terms as section 40(3)(a) of FOIA 2000. So resolution of these questions will have a bearing on the interaction between DPA 1998 and freedom of information legislation throughout the United Kingdom.

3.  Unlike DPA 1998, which was designed to implement Council Directive 95/46/EC of 25 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, neither FOIA 2000 nor FOISA 2002 were enacted to give effect to the United Kingdom’s obligations under community law. But there had been increasing pressure for the enactment of legislation of this kind, reflecting concern about the lack of openness on the part of the executive. The US Freedom of Information Act 1966 was an important landmark, as was the introduction, following Declaration No 17 to the Treaty of Maastricht 1992 that openness is an essential aspect of democracy, in 1994 of a provision giving freedom of information rights to any citizen of the EU enforceable against institutions of the European Community: article 255 EC. The Labour Party came to power in 1997 with a manifesto commitment to introduce a Freedom of Information Act. FOIA 2000 was the product of that commitment. In November 1999, within six months of the commencement of the Scotland Act 1998, the Scottish Executive published a consultation document called “An Open Scotland". This was followed by the publication in March 2001 of a draft Freedom of Information (Scotland) Bill. Section 1(1) of FOISA 2002 resulted from these initiatives. It sets out a general entitlement on the part of any applicant for information from a Scottish public authority which holds it to be given that information. But the general entitlement to that information is qualified by the reference in section 2 to exemptions. An annotation in Current Law Statutes describes section 2 as probably the most structurally significant section of the Act.

4.  There is much force in Lord Marnoch’s observation in the Inner House that, as the whole purpose of FOISA is the release of information, it should be construed in as liberal a manner as possible: [2006] CSIH 58, 2007 SC 231, para 32. But that proposition must not be applied too widely, without regard to the way the Act was designed to operate in conjunction with DPA 1998. It is obvious that not all government can be completely open, and special consideration also had to be given to the release of personal information relating to individuals. So while the entitlement to information is expressed initially in the broadest terms that are imaginable, it is qualified in respects that are equally significant and to which appropriate weight must also be given. The scope and nature of the various exemptions plays a key role within the Act’s complex analytical framework.

5.  Section 2(1) FOISA 2002 distinguishes between exemptions which are absolute and those which are not. A provision which confers absolute exemption is not subject to a public interest test. Other exemptions are. Among the absolute exemptions is that for “personal data” within the meaning given to that expression by section 1(1) of DPA 1998: FOISA 2002, section 38. According to the Explanatory Notes, p 6, this section is intended to ensure that FOISA does not interfere with DPA 1998. Any information which constitutes personal data of which the applicant is the data subject is exempt from the obligation which section 1 FOISA 2002 imposes on the public authority: section 38(1)(a). The right of the data subject to obtain access to that information is confined to that which the individual is given by sections 7 to 9 DPA 1998. Any information which constitutes personal data other than that of which the applicant is the data subject is also exempt if it satisfies one or other of two conditions which are designed to preserve the application of DPA 1998 to that information. This is the effect of section 38(1)(b), section 38(2) and section 38(3).

6.  Section 38(1)(b) FOISA 2002 provides:

“Information is exempt information if it constitutes -

(b) personal data and either the condition mentioned in subsection (2) (the ‘first condition’) or that mentioned in subsection (3) (the ‘second condition’) is satisfied.”

The second condition mentioned in section 38(3) is not relevant to this case. The first condition mentioned in section 38(2) takes one or other of two alternative forms, of which the one relevant to this case is set out in section 38(2)(a) (i) as follows:

“The first condition is -

(a)  in a case where the information falls within any of paragraphs (a) to (d) of the definition of ‘data’ in section 1(1) of the Data Protection Act 1998 (c 29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene -

(i) any of the data protection principles.”   

The data protection principles are set out in Schedule 1 DPA 1998. The first principle is in para 1 of Schedule 1, which provides:

“Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a)  at least one of the conditions in Schedule 2 is met, and

(b)  in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.”

7.  In my opinion there is no presumption in favour of the release of personal data under the general obligation that FOISA lays down. The references which that Act makes to provisions of DPA 1998 must be understood in the light of the legislative purpose of that Act, which was to implement Council Directive 95/46/EC. The guiding principle is the protection of the fundamental rights and freedoms of persons, and in particular their right to privacy with respect to the processing of personal data: see recital 2 of the preamble to, and article 1(1) of, the Directive. Recital 34 and article 8(1) recognise that some categories of data require particularly careful treatment. Section 2 DPA 1998, which defines the expression “sensitive personal data", must be understood in the light of this background.

The request and how it was dealt with

8.  Among the functions which the Agency performs under the powers that have been given to it by the National Health Service (Functions of the Common Services Agency) (Scotland) Order 1974 (SI 1974/467), as amended, is the collection and dissemination of epidemiological information from other Health Boards. It was with that in mind that on 11 January 2005 Mr Collie, acting on behalf of Chris Ballance who was then a member of the Scottish Parliament, asked the Agency to supply him with details of all incidents of childhood leukaemia for both sexes by year from 1990 to 2003 for all the DG (Dumfries and Galloway) postal area by census ward. There is no doubt that there was, and still is, a genuine public interest in the disclosure of this information. For many years concern has been expressed about risks to public health in the area arising from operations at the MOD’s Dundrennan firing range, the now decommissioned nuclear reactor at Chapelcross and the nuclear processing facilities at Sellafield. But the Agency refused Mr Collie’s request. He was told that the Agency did not hold these details for 2002 or 2003 as the data relating to these years was still incomplete. As for the earlier years, there was a significant risk of the indirect identification of living individuals due to the low numbers resulting from the combination of the rare diagnosis, the specified age group and the small geographic area. As a result it was personal data within the meaning of section 1(1) of DPA and was exempt information for the purposes of FOISA 2002. The Agency also maintained that it owed a duty of confidence equivalent to that of the clinicians to whom the information had originally been made available.

9.  Mr Collie then applied to the Commissioner under section 47 FOISA 2002 for a decision whether his request for information had been dealt with in accordance with Part I of the Act. The Commissioner provided the parties with an initial draft of his decision. In para 68 he said that he was minded to accept that the data at ward census level constituted personal data. But he saw the task of the Agency as being to establish the level of release which most closely matched that which Mr Collie had requested, while giving an appropriate level of confidence that the data did not represent personal data. He said that at that stage he had in mind the release of the information for each year requested at Health Board level, but this was not acceptable to Mr Collie. On 15 August 2005 the Commissioner issued his decision under section 49(3)(b) FOISA. In para 95 of the decision he said that he was satisfied that a living individual could be identified from the data at census ward level and that it constituted personal data as defined by section 1(1) FOISA 2002. He then turned to Schedule 1 DPA 1998, which sets out the data protection principles with which the Agency had to comply.

10.  In paras 101 - 105 of the decision the Commissioner said that he was satisfied that the disclosure of the information requested by Mr Collie would breach the first principle and that it should not be released. Its release could be said to be unlawful if it could be said to constitute a breach of confidence. It would also be unfair, as a person would not expect their diagnosis of leukaemia to be placed in the public domain and would expect it to remain confidential. But he said that this did not mean that Mr Collie should not have been provided with information. He referred to the fact that, in response to his initial draft decision, the Agency had provided him with a copy of a document entitled Draft Guidance on Handling Small Numbers, which was subsequently published by the Information Services Division (ISD) of National Health Services in Scotland in July 2005. It set out a process to be followed when handling statistics where there is a potential risk of disclosure of personal information as a result of small cell counts. This is a disclosure control method, known as “barnardisation". As employed by ISD, it uses a modification rule which adds 0, +1, or -1 to all values where the true value lies in the range from 2 to 4 and adding 0 or +1 to cells where the value is 1. 0s are always kept at 0. It does not guarantee against disclosure but aims to disguise those cells that have been identified as unsafe.

11.  In paras 113 and 114 of the decision the Commissioner said that provision of information in this alternative form would provide the closest fit to fulfilling Mr Collie’s request, and that the Agency could have offered it to him under its duty to provide advice and assistance under section 15 FOISA. He found that the Agency did not deal with Mr Collie’s request for information in accordance with Part I of FOISA 2002 and did not provide him with advice and assistance as to what information it was possible for it to supply to him. He ordered it to provide the census ward data for 1990 to 2001 for the DG postal area in a barnardised form to Mr Collie, unless he would prefer to receive alternative information on aggregate annual figures for the whole Dumfries and Galloway Health Board area.

12.  The Agency appealed against this decision to the Court of Session, to which an appeal lies on a point of law under section 56 FOISA against a decision by the Commissioner under section 49 of that Act. The First Division (the Lord President (Hamilton) and Lords Nimmo Smith and Marnoch) refused the appeal. It held that a table setting out the census ward data, barnardised in the manner described by the Commissioner, would not constitute personal data of any of the children resident in the area who had in a relevant year been diagnosed with leukaemia. It was information that was held by the Agency at the time when the request was received, and the Commissioner was entitled to require the Agency to provide this data in the exercise of his supervisory powers under the Act.

13.  The issues raised by the appeal against this decision to your Lordships’ House require a series of questions to be addressed: (a) was the information which the Commissioner ordered the Agency to release in barnardised form to Mr Collie “held” by the Agency at the time of his request, (b) if it was, would information in this form constitute “personal data", (c) if so, would its release to Mr Collie be in accordance with the data protection principles, (d) in particular, would it meet at least one of the conditions for the processing of personal data in Schedule 2 DPA 1998, (e) if so, would the information also constitute “sensitive personal data", (f) if it would, would its release to Mr Collie also meet at least one of the conditions for processing sensitive personal data in Schedule 3 DPA 1998.

Was the data to be barnardised information “held” by the Agency?

14.  The general entitlement of an applicant to receive the requested information from a Scottish public authority applies only to information which is “held” by it at the time the request is received: section 1(4) FOISA 2002. The Agency submits that the process of barnardisation would require the production or making of information that was different from that which was held by it at the time of the request. The process required information to be created, and until this was done it was not “held” by the Agency. The Secretary of State for Justice, in a helpful intervention, has drawn attention to the fact that the question whether an authority holds information which does not actually exist in the form and with the contents requested but which could be created from information which it does unquestionably hold is one which very commonly arises in practice. He submits that the obligations of public authorities ought to be limited to information which is truly held by them so that they are not put into the position of having to conduct research or create new information on behalf of requesters.

15.  It seems to me that the position that the Agency has adopted to the request in this case is an unduly strict response to what FOISA requires. This part of the statutory regime should, as Lord Marnoch said, be construed in as liberal a manner as possible. The effect of barnardisation would be to apply a form of disguise, or camouflage, to information that was undoubtedly held by the Agency at the time of the request. It would amount to the provision of that information in a form that concealed those parts of it that have to be withheld but which would nevertheless, to some degree, convey to the recipient information that was undoubtedly held by the Agency at the time of the request. The process is similar to that of redaction, which involves doing something to information in the form in which it was held so that those parts of it which are not private or confidential can be released. It would not amount to the creation of new information, nor would it involve the carrying out of any research. It would be to do no more than was reasonable in the circumstances, having regard to the need for the form in which the information was disclosed to comply with the data protection principles.

16.  The latitude which should be given to a request which cannot be met in the form requested is indicated by section 11(2)(b) FOISA which provides for the provision of a digest or summary of the information, and by section 11(4) which provides that information may be given by any means which are reasonable in the circumstances. No hard and fast rules can be laid down as to what it may be reasonable to ask a public authority to do to put the information which it holds into a form which will enable it to be released consistently with the data protection principles. Protection against the excessive cost of compliance is provided by section 12 FOISA. But it has not been suggested that the process of barnardisation which the Commissioner said should be adopted in this case would be excessively costly. In my opinion information in that form would contain information that was “held” by the Agency at the time of the request and, unless it was “personal data” and its disclosure would contravene any of the data protection principles, it would have to be released in response to it.

Would the barnardised data be “personal data"?

17.  One can sympathise with the difficulties which the Commissioner faced when he was asked to deal with this aspect of the case within a very short time of taking up his appointment. But it has to be said, with respect, that the approach which he took to it suffers from a number of defects. Most important of all, he did not ask himself whether the barnardised data would be personal data within the meaning of section 1(1) DPA and, if so, whether its disclosure to Mr Collie would satisfy the disclosure principles. In the result he did not find it necessary to consider whether release of the data in that form would be in accordance with the data protection principles.

18.  The Commissioner indicated in para 109 that he regarded the provision of the information in the barnardised form as less disclosive. He said in para 113 that he thought that it would provide the closest fit to fulfilling Mr Collie’s request. He treated the provision of the data in that form as an appropriate response by the Agency under section 15 FOISA. That section requires a public authority to provide, so far as it is reasonable to expect it to do so, advice and assistance to a person who has made a request for information. But the effect of the Commissioner’s decision was to require the Agency to release information to Mr Collie, not just to give him advice or assistance. He did not pursue the point to its proper conclusion. This was an error of law. Its release would only have been appropriate if he was satisfied that it was not personal data in the hands of the Agency to which the first condition in section 38(2)(a)(i) applied or, if it was, that disclosure of the information in this form would not contravene any of the data protection principles. His decision contains no findings on these points.

19.  In the First Division the Lord President looked for guidance as to how to approach the problem to the decision of the Court of Appeal in Durant v Financial Services Authority [2003] EWCA Civ 1746; [2004] FSR 28. That was a case where the person who was seeking disclosure of the information was the data subject, as he was the individual who was the subject of the personal data to which he request related. Part II DPA 1998 contains provisions which are designed, on certain conditions, to enable the data subject to obtain access to such information. Among these provisions are sections 7(4) and section 8(7), which enable the data controller to refuse to disclose the information if the data subject would be able to identify another person from the information which he would have to supply to comply with the request and any other information which, in his reasonable belief, is likely to be in, or come into, the possession of the data subject. It was in that context that Auld LJ said in para 28 that mere mention of the data subject in a document held by a data controller did not necessarily amount to his personal data and suggested two notions that might be of assistance in determining whether it did. One of these was whether the information was biographical in a significant sense. The other was one of focus.

20.  The Lord President, applying the second of these two guidelines, said in para 23 that the effect of barnardisation was to move the focus of the information away from the individual children to the incidence of disease in particular wards in particular years. It may indeed have this effect. But this does not resolve the question whether or not it is “personal data” within the meaning of DPA 1998, which is the question that must be addressed in this case. I do not think that the observations in Durant v Financial Services Authority on which the Lord President relied have any relevance to this issue. The answer to the problem must be found in the wording of the definition in section 1(1), read in the light of Council Directive 95/46/EC which was adopted on 24 October 1995 and Member States were obliged to implement by 1998.

21.  Section 1(1) defines “personal data” in these terms:

“'personal data’ means data which relate to a living individual who can be identified -

(a)  from those data, or

(b)  from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”

The word “data” is also defined in section 1(1), although the word “information” is not. For the purposes of DPA 1998 “data” means information which is in a form capable of being processed by a computer or other automatic equipment, or is recorded with the intent that it be should be processed by such means, or is recorded as part of a relevant filing system, such as a card file, which is structured in such a way that specific information relating to a particular individual is readily accessible or is part of an accessible record as defined by section 68, such as a set of notes kept by a health professional which relate to a named patient. The word “processing” is also given a wide meaning by section 1(1). It includes carrying out any operations on data, including adapting, altering or disclosing it.

22.  As the definitions in section 1(1) DPA make clear, disclosure is only one of the ways in which information or data may be processed by the data controller. The duty in section 4(4) is all embracing. He must comply with the data protection principles in relation to all “personal data” with respect to which he is the data controller and to everything that falls within the scope of the word “processing". The primary focus of the definition of that expression is on him and on everything that he does with the information. He cannot exclude personal data from the duty to comply with the data protection principles simply by editing the data so that, if the edited part were to be disclosed to a third party, the third party would not find it possible from that part alone without the assistance of other information to identify a living individual. Paragraph (b) of the definition of “personal data” prevents this. It requires account to be taken of other information which is in, or is likely to come into, the possession of the data controller.