|Judgments - Common Services Agency (Appellants) v Scottish Information Commissioner (Respondent) (Scotland)
23. The question then is whether the respondent can meet Mr Collies request by requiring the Agency to release the information to him in a barnardised form. Barnardisation is a method of rendering the information, so far as it is possible to do so, anonymous. If the definition of personal data can be read in a way that excludes information that has been rendered fully anonymous in the sense that it is information from which the data subject is no longer identifiable, putting it into that form will take it outside the scope of the Agencys duty as data controller under section 4(4) DPA 1998 to comply with the data protection principles. It will also remove it from the definition of exempt information in section 38 FOISA 2002. This is because that definition extends only to information which is personal data within the meaning of section 1(1) DPA 1998. If the definition of personal data cannot be read in this way, it will not be open to the respondent to require the Agency to release the information to Mr Collie, even although barnardised to eliminate any possible risk of identification, unless processing it in this way would be in accordance with the data protection principles. There is an obvious attraction in the first of these two routes towards meeting the request, as it is a much simpler way of dealing with it. But is the definition open to this construction?
24. The relevant part of the definition is head (b). It directs attention to those data", which in the present context means the information which is to be barnardised, and to other information which is or may come to be in the possession of the data controller. Those data will be personal data if, taken together with the other information", they enable a living individual to whom the data relate to be identified. The formula which this part of the definition uses indicates that each of these two components must have a contribution to make to the result. Clearly, if the other information is incapable of adding anything and those data by themselves cannot lead to identification, the definition will not be satisfied. The other information will have no part to play in the identification. The same result would seem to follow if those data have been put into a form from which the individual or individuals to whom they relate cannot be identified at all, even with the assistance of the other information from which they were derived. In that situation a person who has access to both sets of information will find nothing in those data that will enable him to make the identification. It will be the other information only, and not anything in those data", that will lead him to this result.
25. The wording of recital 26 of the preamble to the Directive supports this approach. It provides:
Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.
The definition of personal data gives effect to recital 26. The first phrase in the recital is the situation referred to in head (a) of the definition, where the information itself enables the person to whom it relates to be identified. The second phrase is the situation referred to in head (b), where the information has this effect when taken together with other information. The third phrase casts further light on what Member States were expected to achieve when implementing the Directive. Rendering data anonymous in such a way that the individual to whom the information from which they are derived refers is no longer identifiable would enable the information to be released without having to apply the principles of protection. Read in the light of the Directive, therefore, the definition in section 1(1) DPA 1998 must be taken to permit the release of information which meets this test without having to subject the process to the rigour of the data protection principles.
26. The effect of barnardisation would be to conceal, or disguise, information about the number of incidences of leukaemia among children in each census ward. The question is whether the data controller, or anybody else who was in possession of the barnardised data, would be able to identify the living individual or individuals to whom the data in that form related. If it was impossible for the recipient of the barnardised data to identify those individuals, the information would not constitute personal data in his hands. But we are concerned in this case with its status while it is still in the hands of the data controller, as the question is whether it is or is not exempt from the duty of disclosure that FOISA says must be observed by him.
27. In this case it is not disputed that the Agency itself holds the key to identifying the children that the barnardised information would relate to, as it holds or has access to all the statistical information about the incidence of the disease in the Health Boards area from which the barnardised information would be derived. But in my opinion the fact that the Agency has access to this information does not disable it from processing it in such a way, consistently with recital 26 of the Directive, that it becomes data from which a living individual can no longer be identified. If barnardisation can achieve this, the way will be then open for the information to be released in that form because it will no longer be personal data. Whether it can do this is a question of fact for the respondent on which he must make a finding. If he is unable to say that it would in that form be fully anonymised he will then need to consider whether disclosure of this information by the Agency would be in accordance with the data protection principles and in particular would meet any of the conditions in Schedule 2. This is the more difficult of the two routes that I have mentioned. As the issues were fully argued I shall say what I think about them. But there is no doubt that the respondents task will be greatly simplified if he is able to satisfy himself that the process of barnardisation will enable the data to be sufficiently anonymised.
The data protection principles
28. The respondents approach, as I understand it and which - if I am right about this - I would respectfully approve, has been to try to use the barnardisation system to take the data out of the personal data category. If this proves not to be possible however thought will have to be given to the detailed provisions of the relevant schedules and as to how any of the conditions that they contain might be met so that the information could be released to Mr Collie compatibly with the data protection principles. Neither the Agency nor the Commissioner made any submissions on this point in their written cases. But the Secretary of State did deal with it in his written submissions and the parties were able to address it in oral argument. The conditions require careful treatment in the context of a request for information under FOISA 2002. It must be borne in mind that they were not designed to facilitate the release of information. They were designed for the context in which they appear, which is the protection of personal data from processing in a way that might prejudice the rights and freedoms or legitimate interests of the data subject.
29. Section 4(4) DPA provides that it shall be the duty of the data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller. These principles are the data protection principles set out in Part I of Schedule 1 to the Act. The definition of processing in section 1(1) DPA includes the disclosure of information or data by transmission, dissemination or making it available. FOISA 2002 has greatly increased the range of circumstances in which a data controller may be required to process information in this way, but section 38(2)(b) FOISA 2002 insists that this may only be done in compliance with the data protection principles. The first principle begins by stating that personal data shall be processed fairly and lawfully. That was the test that was applied by the Commissioner to the unbarnardised information in paras 101 to 105 of his decision. But the principle goes on to state in particular that personal data shall not be processed unless at least one of the conditions in Schedule 2 for the processing of personal data and of Schedule 3 for the processing of sensitive personal data is met.
30. The Commissioner said in paras 101 to 105 of his decision, after concluding that the unbarnardised data at census ward level was personal data as defined by section 1(1) DPA 1998, that its disclosure would breach the first data protection principle because disclosure would be unfair and unlawful. He did not express any view as to whether any of the conditions in Schedule 2 for the processing of personal data were met. Nor did he express any view as to whether the information was sensitive personal data within the meaning of section 1(1) DPA and, if so, whether any of the conditions in Schedule 3 for the processing of such data were also met. The concept of fairness for the purposes of the first data protection principle is explained in Part II of Schedule 1. It is concerned essentially with the method by which the information is obtained, and in particular with whether the person from whom it was obtained was deceived or misled. In this case the processing which is in issue is the disclosure of statistical information in the possession of the Agency, and there is no suggestion that any unfairness of that kind will be involved. The concept of lawfulness cannot sensibly be addressed without considering the conditions set out in Schedule 2 and in Schedule 3 also, if it is applicable, because any disclosure which fails to meet at least one of the conditions in these Schedules would be contrary to section 4(4) DPA 1998. This is made clear by the words in particular in the first principle.
The Schedule 2 conditions
31. Schedule 2 DPA 1998 sets out six conditions which are relevant for the processing of any personal data. At least one of these conditions must be met if the data controller is to comply with section 4(4) of the Act, which requires him to comply with the data protection principles in relation to all personal data of which he is the data controller. Mr Cullen submitted that the condition in Schedule 2 that is relevant to this case is para 6(1), which provides:
The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
Condition 5(b) may also be relevant. It provides:
The processing is necessary -
(b) for the exercise of any functions conferred on any person by or under any enactment.
Condition 5(b) reappears in condition 7(1)(b) of Schedule 3 which I will consider in more detail later. The issues which it raised in relation to the dissemination of epidemiological data under para 3(j) of the National Health Service (Functions of the Common Services Agency) (Scotland) Order 1974 are essentially the same as those raised by condition 6.
32. There is no doubt that Mr Collie, and the MSP for whom he was acting, had a legitimate interest in obtaining the information that he requested due to the proximity of the sites at Drundennan, Chapelcross and Sellafield to the census wards in Dumfries and Galloway, and that to enable him to pursue those interests the disclosure of the information was necessary. Mrs Stacey QC for the Agency readily acknowledged that this was so. The question whether its disclosure would prejudice the rights and interests of the children because their identities might be discovered as a result of its release and whether, if so, its release would for this reason be unwarranted is a different matter. Striking the right balance between these two considerations would raise issues of fact as to which no findings have been made and which only the Commissioner is in a position to determine. Resolution of this issue would require the case to be remitted to the Commissioner so that he can carry out this exercise. But if the result of barnadisation is effectively to anonymise the data, no private interests of the children will be affected and there will be no balance to be struck.
33. Then there is the question whether, to comply with section 4(4) DPA 1998, it is necessary for at least one of the conditions in Schedule 3 to be met also. This in turn raises the question whether the information which the barnardised data would contain would constitute sensitive personal data". As already noted, this was an issue which neither the Commissioner nor the First Division of the Court of Session found it necessary to consider.
Would barnardised data be sensitive personal data"?
34. Section 2 DPA 1998 provides:
In this Act sensitive personal data means personal data consisting of information as to -
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
35. The item on this list which is relevant to this case is item (e). The information which Mr Collie asked for was details of all incidents of childhood leukaemia for all the DG postal area by census ward. This was information about the physical health or condition of the children who had been diagnosed as having this disease. For the reasons already given, I consider that it is open to the Commissioner to hold that the barnardised data would constitute personal data within the meaning which has been given to that expression by section 1(1) DPA 1998. It would seem to be a short step to conclude, that if it was personal data, it must be sensitive personal data too because it was data about the physical health of living children who could be identified from data released in response to the request together with other information in the possession of, or likely to come into the possession of, the Agency. This too is a question of fact on which the Commissioner must make a finding.
36. But Mr Cullen QC for the Commissioner submitted that it would not be open to him because the definition in section 2 was a self-standing definition. The only data that were relevant to the question whether the information was sensitive personal data were the data that were to be processed by releasing it. As it would not be possible from the barnardised data alone to discover the childrens identities it could not be said to consist, in that form, of information about their physical health or condition. The difficulty of meeting any of the conditions in Schedule 3 if it was to be released was another factor to be taken into account. A narrow interpretation of the expression was necessary in these circumstances. Otherwise it would not be lawful for information about a matter which was of genuine public interest to be released in this case.
37. I do not think that the wording of the Act as whole supports this interpretation. The fact that the expression that is being defined in section 2 DPA 1998 includes the words personal data suggests that the whole of the definition of personal data is written into it. This is not just data as defined in section 1(1). Sensitive personal data is a subset, or a species, of personal data". This approach is reinforced by section 4(4), which provides:
Subject to section 27(1) [exemptions], it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.
The expression personal data in this subsection must be taken to mean personal data as defined in section 1(1). The context shows that it is being used here to embrace not only all personal data as so defined but also sensitive personal data", although sensitive personal data as such are not separately identified. This is because the data protection principles make special provision in Schedule 3 for the processing of sensitive personal data. The expression personal data must include sensitive personal data to bring that species of data too within the scope of the obligation that is imposed on the data controller by section 4(4).
38. The same use of language is to be found in para 1 of Schedule 1. It sets out the first principle for the processing of personal data", within which special provision is made for the processing of sensitive personal data. I can find nothing in the context of this Schedule or of Schedule 3 to suggest that the reference to data of that kind should be read as narrowly as Mr Cullen suggested. The words personal data are also used repeatedly in Schedule 3. There seems to me to be no good reason for refusing to apply the full definition of that expression in section 1(1) to its use in this context, especially in view of the way the obligation that section 4(4) sets out is expressed.
39. Reference was made to article 8(1) of the Directive which uses the words personal data when it refers in the first place to the processing of data revealing some things such as racial and ethnic origin and the word data only when it refers in the second place to the processing of data concerning health or sex life. But the Directive is not as precise as the statute is in its choice of language, and I would not attach any significance to this aspect of the article. On the contrary, recital 2 read together with article 1(1) of the Directive seem to me to support the view that data of such a sensitive nature as that relating to a persons health or sex life should be given just as much protection in the hands of the data controller as that relating to his racial or ethnic origin and the other things referred to in the first place in article 8(1).
40. For these reasons I would hold that DPA 1998 requires the definition of personal data to be read into the definition of sensitive personal data". I would not be deterred by any difficulty that may be found in any particular case in meeting any of the conditions in Schedule 3. This is not an appropriate context for the statutory language to be construed liberally in favour of the release of information. DPA 1998, as its short title indicates, is designed to regulate and control the processing of data and to protect the interests of those who may be affected by its release. The definition of sensitive personal data forms an essential part of the statutory scheme of data protection. The fact that the definition is relevant to the question whether the data is exempt information as defined by section 38 FOISA 2002 does not justify giving it a narrower meaning than it has for the purposes of DPA 1998. If none of the conditions in Schedule 3 can be met, so be it. This must be taken to be what Parliament intended when the legislation that it enacted was put into effect.
The Schedule 3 conditions
41. Schedule 3 DPA 1998 sets out ten conditions which are relevant for the processing of sensitive personal data. At least one of these conditions must also be met if the data controller is to comply with section 4(4) DPA 1998. Mr Cullen QC was unable to point to any of the conditions on this list which were relevant to this case, except possibly condition 10 which refers to personal data processed in circumstances specified in an order made by the Secretary of State for the purposes of that paragraph. But the circumstances referred to here are those specified in the Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI 2000/417). Mr Cullen did not suggest than any of them applied to this case and, apart possibly from para 9 which deals with processing which is in the substantial public interest, I have not been able to find any that do. The Secretary of State, on the other hand, submitted in his written case that a possible candidate in Schedule 3 was condition 7(1)(b), which is in almost exactly the same terms as condition 5(b) in Schedule 2. It provides:
The processing is necessary -
(b) for the exercise of any functions conferred on any person by or under an enactment.
42. The National Health Service (Functions of the Common Services Agency) (Scotland) Order 1974, pursuant to which the Agency was established, deals with the release of information which it holds in para 3. It provides:
It shall be the duty of the Agency to undertake the following functions:
(c) the provision of information, advisory, and management services in support of the functions of the Secretary of State and Health Boards other than where the Health Protection Agency is exercising functions under the Health Protection Agency (Scottish Health Functions) Order 2006
(j) the collection and dissemination of epidemiological data and participation in epidemiological investigations.
The disclosure of the information to Mr Collie would not fall within head (c) of para 3, which deals with the provision of information in support of the functions of the Secretary of State and Health Boards. But it is arguable that it would fall within head (j) of the paragraph. The question is whether its disclosure to Mr Collie can be said to be necessary for the performance of that function, as condition 7(1)(b) of schedule 3 requires. This is a question of fact which only the Commissioner is in a position to determine, as is the further question which is inherent in the opening words of the first data protection principle. That is whether its disclosure would prejudice the rights and freedoms and legitimate interests of the children in the relevant census wards. The case would have to be remitted to him if these issues are to be resolved, as there are no findings in his decision would enable them to be answered by your Lordships.
43. In my opinion it must follow, if the Commissioner finds that the information is sensitive personal data and that none of the conditions in Schedule 3 are met, that it will not be possible for the data at ward census level to be released without contravening the first data protection principle. The Agency, as the data controller, is prohibited by section 4(4) DPA 1998 from processing the data which it holds in a way that does not comply with those principles. That prohibition is built into FOISA 2002 by section 38(1)(b) read together with section 38(2)(a)(i). As this would mean that disclosure of the information would contravene the first data protection principle, it would be exempt information and the Agency would not be under any duty in terms of section 1(1) FOISA to release it to Mr Collie.
44. For these reasons, I am of the opinion that the proper course would be for Mr Collies application to be remitted to the Commissioner so that he can examine the facts in the light of your Lordships judgment and determine whether the information can be sufficiently anonymised for it not to be personal data". If he decides that it cannot be so anonymised, he will need then to consider whether its disclosure to Mr Collie will comply with the data protection principles. In order to satisfy the first of the data protection principles listed in Schedule 1 he will need to decide whether information in that form would also be sensitive personal data", so that at least one of the conditions in Schedule 3 DPA must be met as well as at least one of the conditions in Schedule 2.
45. I would allow the appeal. I would recall the Court of Sessions interlocutor of 1 December 2006 and set aside the decision that the respondent made on 15 August 2005 under section 49(3)(b) FOISA 2002. I would remit Mr Collies application to him so that he can consider it afresh in the light of the opinions of your Lordships.
LORD RODGER OF EARLSFERRY
46. This appeal arises out of a request by Mr Michael Collie to the Common Services Agency (the Agency) under the Freedom of Information (Scotland) Act 2002 (the 2002 Act) to provide the details, by census wards, of all incidents of leukaemia for both sexes, in the age range 0-14, by year, from 1990 to 2003, for all of the Dumfries and Galloway postal area.