Judgments - Common Services Agency (Appellants) v Scottish Information Commissioner (Respondent) (Scotland)

(back to preceding text)

47.  The Agency was constituted by section 19(1) of the National Health Service (Scotland) Act 1972, which was re-enacted as section 10(1) of the National Health Service (Scotland) Act 1978. The Agency is a “public authority” in terms of section 1(1) of the Data Protection Act 1998 (“the 1998 Act”) as amended by article 2 of the Freedom of Information (Scotland) Act 2002 (Consequential Modifications) Order 2004 (SI 2004/3089 (S 10)), since it is listed as one of the Scottish public authorities in Part 4, para 26, of Schedule 1 to the 2002 Act. This has a bearing on the way that the provisions of the 1998 Act apply to the situation.

48.  Section 10(1) of the 1978 Act provides that the Agency is to have the functions conferred on it by section 10; subsection (3) gives the Scottish Ministers the power to delegate to the Agency such of their functions under the Act as they consider appropriate. That power was first exercised by the Secretary of State in The National Health Service (Functions of the Common Services Agency)(Scotland) Order 1974 (SI 1974/467). Article 3(j) provides that it shall be the duty of the Agency to undertake “the collection and dissemination of epidemiological data and participation in epidemiological investigations.” While some other functions of the Agency have come and gone over the years, this duty has remained throughout.

49.  In performance of this duty, the Agency has amassed a vast body of data on a variety of diseases, including cancer and, more particularly, childhood cancers. Nowadays, many of the data are held in a computerised form by the Information Services Division (“ISD”) of the Agency. The Scottish Executive uses the information gathered by ISD in administering health services in Scotland. In addition, ISD not only responds to requests from researchers and others for data but regularly publishes statistics derived from its data.


50.  Plainly, a body like the Agency has information about the health of people all over Scotland. Bodies which gather and disseminate such personal information are very conscious of the need to ensure that, when they disclose any of this information, or data derived from the information, the disclosure is done in such a way as to minimise the risk that the individuals to whom the information or data relate can be identified and, as a result, suffer distress and embarrassment - or worse. Obviously, the risk is greatest where the data are broken down by reference to small units, such as census wards, in which the data will consist of small numbers. Bodies which publish frequency statistics have accordingly developed various techniques - such as combining data for a larger age range or for a larger geographical area, and suppressing particular figures in tables - to counteract the problem. One technique, which is of particular relevance to this appeal, is “barnardisation". It is applied to frequency tables, such as were requested by Mr Collie. The procedure involves modifying each internal cell of every table by +1, 0 or -1. But the technique does not always provide adequate protection, since, when the probability of the event occurring is small, the majority of cells are not modified and so the probability that a 1 is a true 1 is quite high. In such cases the risk of identification may remain unacceptably high.

51.  In July 2005 ISD published draft guidance on disclosure control, relating to handling small numbers. It described the goal as being:

“to devise a method for publishing data that minimises the risk and potential damage to an individual due to inadvertent disclosure of a detail; and to do so without adopting such restrictions that unjustifiably curtail the presentation of information that would otherwise be beneficial to the community at large.”

The guidance went on to identify data of a sensitive nature - for example, where there had been a high degree of controversy or stigma in the recent past regarding the subject matter. These included data on sexually transmitted diseases, abortions, mental health diagnoses and alcohol misuse. The guidance went on to explain that ISD employed barnardisation as its preferred method of perturbing data. It also indicated that other techniques for avoiding the risk of individuals being identified - such as grouping by broader age bands, by a larger geographical area, or using aggregated years of data - should be considered. The guidance concluded:

“Whilst this is straightforward for publications, for customer requests re-specification should only be performed after discussion with the customer to ensure it will continue to meet their needs and this is not wasted effort.”

52.  Barnardisation is, accordingly, one method of reducing the risk of identification. It does not guarantee that the risk will be eliminated. ISD recognises this, of course. For instance, in its Decision Flow Chart for Handling Small Numbers, it deals with data for a population of <40. Where the numerator, ie, the count in the cell relating to that population, is <5, then, if the data are “sensitive” in terms of the ISD classification - relating, for instance, to a sexually transmissible disease - the data are not to be published. If they are not “sensitive” in that sense, then they are to be barnardised. The difference in treatment shows that ISD recognises that barnardisation will reduce the risk of identification to a level which will be acceptable for some data but not for others. Mrs Stacey QC, who appeared for the Agency, indicated that the ISD draft guidance had subsequently been modified, but the House was not given any details of the modifications.

The Data Protection Act 1998

53.  Parliament first sought to regulate bodies which used data relating to individuals in the Data Protection Act 1984, but that Act was repealed and replaced by the 1998 Act. According to the long title, the purpose of the 1998 Act was “to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.” All the operations mentioned in the long title, and others besides, are lumped together as aspects of the “processing” of data: section 1(1) of the 1998 Act. References to “disclosing” in relation to personal data include “disclosing the information contained in the data": section 1(2)(b).

54.  Counsel who drafted the 1998 Act was careful to distinguish between “information” and “data". The 2002 Act maintains that distinction. See, for instance, section 38(1) of that Act. In section 1(1) of the 1998 Act as amended by section 68(2) of the Freedom of Information Act 2000 (“the 2000 Act”), the term “data” is defined widely:

“'data’ means information which—

(a)  is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b)  is recorded with the intention that it should be processed by means of such equipment,

(c)  is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

(d)  does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68; or

(e)  is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d)….”

According to paragraphs (a) and (b) of this definition, data include information being processed by a computer, or being recorded with the intention that it should be processed in that way. The term also covers information recorded as part of a relevant filing system (para (c)) and information, not falling within paras (a)-(c), forming part of a health record (para (d) and section 68(1)(a)). Finally, by virtue of para (e), it covers recorded information held by a public authority which does not already fall within any of paragraphs (a) to (d). Para (e) was inserted at the time when the Freedom of Information legislation was brought into effect in order to ensure that, subject to any specified restriction, both the United Kingdom and Scottish Acts covered all the recorded information held by a public authority. Since the Agency is a public authority, in the present case, in effect, any recorded information held by the Agency constitutes “data” held by it for the purposes of the 1998 Act.

55.  The data controller is the person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed: section 1(1). So there is no doubt that ISD is the data controller for any centrally held epidemiological data on human health in Scotland which fall within the definition of “personal data".

56.  In so far as the information being processed relates to individuals who are no longer alive, it simply constitutes “data” in terms of section 1(1)(a). But, in so far as it relates to living individuals, the information may fall within the narrower category of “personal data". That term is defined, again in section 1(1), as meaning:

“data which relate to a living individual who can be identified -

    (a) from those data or

    (b) from those data and other information which is in the

    possession of, or likely to come into the possession of, the

       data controller….”

An individual who is the subject of personal data is a “data subject". But, in fact, if “personal data” consist of information as to the data subject’s physical or mental health or condition, they fall within a particular subset of personal data, viz “sensitive personal data": section 2. That subset includes data consisting of information about other sensitive matters, such as the data subject’s political opinions, religious beliefs and sexual life. The classification matters because the regulation of the processing of sensitive personal data is, understandably, tighter than the regulation of the processing of other personal data. In practice - as I noted previously - ISD treats personal data relating to certain medical conditions, such as mental health conditions and sexually transmissible diseases, as being more sensitive than data relating to other medical conditions because of the stigma which may attach to them and cause embarrassment to the data subject.

57.  Section 4(4) of the 1998 Act regulates the processing of personal data - and only personal data - by the data controller by imposing on him a duty to comply with the data protection principles. This duty is intended to ensure that those with access to data relating to individuals cannot retrieve them except for proper purposes. The principles themselves are found in Schedule 1 to the 1998 Act. The principle which matters for present purposes is the first, which is set out in para 1 of Part I of the schedule:

“Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a)  at least one of the conditions in Schedule 2 is met, and

(b)  in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.”

As is apparent, no personal data are to be processed unless one of the conditions in Schedule 2 is met. But, in the case of sensitive personal data, they are not to be processed, unless, in addition, at least one of the conditions in Schedule 3 is met. It is, partly at least, by insisting that this second hurdle must be overcome before sensitive personal data can be processed that the 1998 Act achieves the tighter regulation of the processing of personal data consisting of information as to the data subject’s health. Even if the conditions in Schedules 2 and 3 are met, however, the data controller cannot process the data if it would not be fair or lawful to do so.

58.  It follows that, under the 1998 Act, no-one in ISD can process - for example, by accessing or disclosing - personal data consisting of information as to an identifiable individual’s health, unless at least one of the conditions in each of Schedules 2 and 3 is met.

59.  So far as Schedule 2 is concerned, it seems clear that ISD needs to process personal data for the exercise of the functions - collecting and disseminating epidemiological data and participating in epidemiological investigations - conferred on it by the then Secretary of State under the predecessor to section 10(3) of the 1978 Act. So, prima facie, condition 5(b) would apply. Condition 6(1) also appears to be potentially relevant to the issue in these proceedings, since it deals specifically with the disclosure of personal data. It provides:

“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

60.  Assuming that any disclosure of sensitive personal data might satisfy one or other of these conditions, it could still not take place unless it met one or more of the conditions in Schedule 3. But, not surprisingly, para 7(1)(b) of Schedule 3 is in precisely the same terms as para 5(1)(b) of Schedule 2. So, if the processing of the data would prima facie meet the condition in para 5(1)(b) of Schedule 2, it would also prima facie meet the condition in para 7(1)(b) of Schedule 3.

61.  There is no other condition in Schedule 3 as enacted which would seem to be potentially relevant, but para 9 of the Schedule to the Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI 2000/417) specifies the following circumstances in which data are to be processed:

“The processing—

(a)  is in the substantial public interest;

(b)  is necessary for research purposes (which expression shall have the same meaning as in section 33 of the Act);

(c)  does not support measures or decisions with respect to any particular data subject otherwise than with the explicit consent of that data subject; and

(d)  does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person.”

It is at least conceivable that, depending on the circumstances, this condition might be of relevance - but I express no view on the point which was not fully argued.

62.  Assuming that processing the sensitive personal data would meet at least one of the conditions in each of Schedules 2 and 3, ISD would still only be able to disclose them if it would be fair and lawful to do so.

The Freedom of Information (Scotland) Act 2002

63.  My Lords, I have so far been outlining the system of regulation which, apart from para (e) of the definition of “data", applied to the Agency’s operations of obtaining, storing and disclosing sensitive personal data under the 1998 Act before the 2002 Act was brought into force. It is important to realise that all these provisions remain in full force and effect. When the Scottish Parliament came to enact the 2002 Act, in order to give people a right to information from Scottish public authorities, it did not destroy, but built upon, the system created by the 1998 Act. Indeed, it had no power to amend the 1998 Act, which relates to a reserved matter. Basically, therefore, the Scottish Parliament wanted to maintain the high degree of protection afforded by the 1998 Act to individuals whose data were processed by Scottish public authorities, and, yet, to give third parties an effective right to obtain information from those public authorities. So the system of regulation of data processing under the 1998 Act remains in place, but the Parliament has grafted on to it provisions for third parties to obtain information without the operation of the pre-existing system of protection for data subjects being compromised. It has not been suggested in this case that the legislation is incompatible with any Convention right.

64.  The key provisions in the 2002 Act come at the very start. Section 1(1) provides:

“A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.”

I have already pointed out that the Common Services Agency is a Scottish public authority in terms of Part 4, para 26, of Schedule 1 to the Act.

65.  By section 1(6), a person has no right to information, however, if it is exempt information in terms of section 2 of the 2002 Act. Among the varieties of exempt information is information which constitutes “personal data” and whose disclosure to a member of the public, otherwise than under the Act, would contravene the data protection principles in the 1998 Act: sections 2(1) and (2)(e) and 38(1)(b) and (2)(a)(i) and (b) of the 2002 Act.

66.  Section 38(1) provides inter alia:

“(1)  Information is exempt information if it constitutes -

(b)  personal data and either the condition mentioned in subsection (2) (the ‘first condition’) or that mentioned in subsection (3) (the ‘second condition’) is satisfied;


  (2)  The first condition is -

(a)  in a case where the information falls within any of paragraphs (a) to (d) of the definition of ‘data’ in section 1(1) of the Data Protection Act 1998 (c. 29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene -

  (i)  any of the data protection principles….


(b)  in any other case, that such disclosure would contravene any of the data protection , that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.”

All the information held by the Agency must fall within either paras (a) to (d) or para (e) of the definition of data in section 1(1) of the 1998 Act. So either para (a) or para (b) of section 38(2) is in play in respect of all the personal data held by the Agency. In practice, in this case, the distinction does not matter. Subsection (5) gives the expressions “the data protection principles", “data subject” and “personal data” the same meanings as in Schedule 1, to and section 1(1) of, the 1998 Act. Since there is no mention of “sensitive personal data", the Parliament must simply have treated such data as being caught by any references to “personal data".

67.  Information will therefore be exempt from disclosure if (1) it constitutes personal data and (2) the disclosure of the information to a member of the public, otherwise than under the 2002 Act, would contravene the data protection principles in Schedule 1 to the 1998 Act. In particular, therefore, personal data will be exempt from disclosure under the 2002 Act if their disclosure to a member of the public would contravene the first data protection principle. And their disclosure will indeed contravene that principle if it is unfair or unlawful. Moreover, it will contravene that principle unless at least one of the conditions in Schedule 2 to the 1998 Act is met and, in the case of sensitive personal data, unless one of the conditions in Schedule 3 to that Act is also met. In other words, the same safeguards against the disclosure of personal data and sensitive personal data as applied before the enactment of the 2002 Act continue to apply today. That is the scheme settled by the legislature.

68.  Where the legislature has thus worked out the way that the requirements of data protection and freedom of information are to be reconciled, the role of the courts is just to apply the compromise to be found in the legislation. The 2002 Act gives people, other than the data subject, a right to information in certain circumstances and subject to certain exemptions. Discretion does not enter into it. There is, however, no reason why courts should favour the right to freedom of information over the rights of data subjects. If Lord Marnoch’s observations, 2007 SC 231, 241-242, para 32, were intended to suggest otherwise, I would respectfully disagree.

The Present Case

69.  As I indicated at the outset, shortly after the 2002 Act came into force, Mr Collie made a request on behalf of a Green Party MSP for the Agency to provide him with the details, by census wards, of all incidents of leukaemia for both sexes, in the age range 0-14, by year, from 1990 to 2003 for all of the Dumfries and Galloway postal area. Eight days later, the Agency confirmed that it held the data for the period up until 2001 and that it had looked at the data by census ward. But the Agency declined to supply the information since it took the view that, because of the small number of cases in each ward, there was a significant risk of indirect identification of living individuals. For that reason, the Agency considered that the information which had been requested was likely to constitute “personal data” as defined in section 1(1) of the 1998 Act. That being so, it considered that the data constituted exempt information which Mr Collie was not entitled to be given in terms of sections 1(1) and (6) and 2 of the 2002 Act.

70.  Mr Collie appealed to the Scottish Information Commissioner (“the Commissioner”), who is the respondent in this appeal. The Commissioner was satisfied that the information sought by Mr Collie was indeed personal data and that disclosing it in its entirety would entail a breach of the first data protection principle in para 1 of Schedule 1 to the 1998 Act, because its disclosure would be unfair and unlawful.

71.  But the Commissioner went on to hold that the Agency had been in breach of its duty under section 15 of the 2002 Act to provide Mr Collie with advice and assistance. In particular, the Agency had failed to provide Mr Collie with information as to the wards in which there had been no cases of leukaemia. Secondly, the Agency had been under a duty to consider whether information could have been provided to Mr Collie in a “less disclosive” manner by perturbing the data so that the risk of personal identification would be “substantially removed” and telling Mr Collie what had been done and why. The Commissioner accordingly required the Agency to provide the census ward data for the relevant years in a barnardised form.

72.  The Agency appealed to the Court of Session, but the First Division (the Lord President, Lord Nimmo Smith and Lord Marnoch) refused the appeal: 2007 SC 231. The Agency appeals to this House against that decision.

Was the information requested by Mr Collie “personal data"?

73.  The disposal of Mr Collie’s request depends, in the first place, on whether the information which he sought constitutes “personal data” as defined in section 1(1) of the 1998 Act. If it does not, then nothing in section 2 of the 2002 Act would take it outside the scope of Mr Collie’s entitlement under section 1(1) of that Act. But, secondly, even if the information does constitute “personal data", the Agency will still be obliged to supply it, if that can be done without contravening the data protection principles in Schedule 1 to the 1998 Act. And, if supplying the information in one form would contravene those principles, in my opinion, section 1(1) of the 2002 Act obliged ISD to consider whether it could comply with its duty by giving the information in another form. Relevant factors would, of course, include the time allowed by section 10 for complying with requests and any expenditure limit prescribed under section 12.

74.  The information which Mr Collie requested was about the incidents of childhood leukaemia in both sexes, by year, in census wards in the Dumfries and Galloway area. As the definition of “sensitive personal data” in section 2 shows, information about a living individual’s medical condition will undoubtedly constitute “personal data” if the other requirements of the definition are satisfied. So there is no need in this case to consider the kinds of issue which the Court of Appeal addressed in Durant v Financial Services Authority [2004] FSR 28. Everything I go on to say about personal data proceeds on the assumption that the only element in question is the identification of the individual to whom the data relate.

75.  It is common ground that ISD itself can identify the individuals to whom the data requested by Mr Collie relate. At the hearing, the argument was that, in these circumstances, the data constituted “personal data” because, in terms of paragraph (b) of the relevant definition in section 1(1) of the 1998 Act, the individuals could be identified either from the data themselves or from the data and other information in the possession of ISD. For instance, even if the data were held in an anonymised form, ISD would also hold the key (“other information”) that would allow it to identify the individuals to whom the data related. My noble and learned friend, Lord Hope of Craighead, has proceeded on the basis of paragraph (b). I would agree with his approach, if paragraph (b) does indeed apply.

Continue  Previous