Saturday, 20 February 2010

Seeing your personal information: questions of attribution

In a recent moment of madness, my mind wandered and I started to think what my reaction would be if I were the Data Protection Manager of the Al Bustan Rotana hotel in Dubai and I were to receive a subject access request from one of the individuals whose images are pictured in this blog.

This hotel was the scene of the recent assassination of the Hamas leader Mahmoud al-Mabhouh by persons currently unknown. It seems clear that they used the identities of the people whose images are pictured, and it is equally clear that the hit squad stole these identities from innocent victims.

What should my response be if they were to ask for a report on the personal data the hotel held about them? Would I feel obliged to send them copies of the hotel registration forms, the CCTV footage of them walking around the hotel, the restaurant chits they may have signed after their meals, or would I just send them copies of their passports?

In the end I decided that all they were actually entitled to by UK law was a copy of their passport, but that I would exercise my own discretion let them see the rest of the stuff simply to assure them that I was totally confident it didn’t relate to them, but the people it did relate to probably had no legitimate expectation of privacy anyway. If you pretend to be someone else, then you only have yourself to blame if I let the innocent victim person know how you had managed to impersonate them.

My point is, of course, that just because an individual was originally linked with certain types of information, this does not automatically make all of that information their personal data, and thus available to them should they make a Subject Access Request.

As to what is personal data, well that’s a moot point, and an issue that has been debated with varying degrees of passion over the years. If economists can’t agree on the best way of removing this country from the economic mess it has got itself into, then why should data protection professionals feel inclined to follow identical interpretations.

Life got really interesting in the UK in December 2003, when the Court of Appeal delivered a judgment defining access rights to personal data in terms that were not welcomed with open arms by the guys in Wilmslow, nor by the most hardened privacy activists elsewhere. The atmosphere around the tea trolly at the Commissionser's office must have been positively funereal as Lord Justice Auld delivered a judgment in what has become known as the Durant case. The atmosphere would have been just as gloomy along the corridors of the European Commission.

To cut an extremely long story short, the case was brought by Michael Durant, a former customer of Barclays Bank. Following an unsuccessful dispute with his bank he asked the Financial Services Authority to investigate the bank's conduct. The FSA did so, but did not tell Mr Durant the result, citing reasons of confidentiality. Mr Durant then complained to the FSA Complaints Commissioner, and when that failed, he tried to exercise what he thought were his legal rights to access the FSA’s records containing his personal data.

Mr Durant asked the FSA to disclose manual and electronic documents containing his personal data, in a search for information with which to reopen the original case against Barclays. But, according to Lord Justice Auld: "Mr Durant's letter of complaint to the FSA and the FSA's investigation of that complaint did not relate to Mr Durant but to his complaint".

It was held that the FSA's investigation into Mr Durant's complaint could not be personal data concerning Mr Durant because, "the 1998 Act would only be engaged if, in the course of investigating this complaint, the FSA expressed an opinion about Mr Durant personally, as opposed to an opinion about his complaint."

Lord Justice Auld effectively looked behind the wording of the Act. He looked at the purpose of the wording, which was effectively to protect privacy. It was not, he reasoned, to provide a general right of access to information. He said of the access right: "It is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved. Nor is to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties."

He continued:"It follows from what I have said that not all information retrieved from a computer search against an individual’s name or unique identifier is personal data within the Act. Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree."

This is a really important decision, as it differs from the view that the more privacy friendly advocates generally take, which is that anything which relates in any way to a living individual can be held to be their personal data, so they have a right to access it.

It’s also important as we move into a world increasingly dominated by digital transactions and the internet. We are fast creating an internet of things. Occasionally these things are linked to an individual, possibly because they are to be held accountable should these things get lost or broken. But does this make those things information that an individual is entitled by law to access through the exercise of their subject access rights? I think not. Responsible organisations may always allow these people to see information about the things that they are linked with, but I don’t see why a general discretion to access this information should be confused with a formal entitlement to access it. Especially when an applicant is only entitled to be charged £10 to access information that could have cost a great deal more to compile.

The full Durant judgment can be found at