Barnardisation and the Interplay between DPA 1998 and FOISA 2002: Common Services Agency v. Scottish Information Commissioner

Introduction

The case of Common Services Agency v. Scottish Information Commissioner (Scotland) ([2008] UKHL 47) addresses critical issues surrounding the interaction between the Data Protection Act 1998 (DPA 1998) and the Freedom of Information (Scotland) Act 2002 (FOISA 2002). The central dispute involved Mr. Michael Collie’s request for detailed epidemiological data on childhood leukaemia incidents within the Dumfries and Galloway postal area, and whether such data could be disclosed without infringing data protection principles. The parties involved included the Common Services Agency (the Agency), acting as a special Health Board, and the Scottish Information Commissioner, who adjudicated on the matter.

Summary of the Judgment

The House of Lords reviewed the Agency’s refusal to provide Mr. Collie with detailed leukaemia incidence data, which was deemed to constitute personal data under the DPA 1998. The Agency employed a technique known as barnardisation to anonymize the data. However, the Scottish Information Commissioner required the Agency to reassess whether barnardisation sufficiently anonymized the data to prevent the identification of individuals. The House of Lords ultimately allowed the appeal, directing the Commissioner to re-evaluate the anonymization process in light of legal principles established in the judgment.

Analysis

Precedents Cited

The judgment references several key precedents, notably Durant v Financial Services Authority [2003] EWCA Civ 1746; and Lord Marnoch's observation in the Inner House [2006] CSIH 58, 2007 SC 231. These cases influenced the court's approach to interpreting the balance between data protection and freedom of information. Specifically, Lord Marnoch emphasized a liberal interpretation of FOISA to promote openness, a perspective that the House of Lords sought to balance against the stringent requirements of the DPA 1998.

Legal Reasoning

The court delved into the definitions and interplay between "data," "personal data," and "sensitive personal data" as outlined in the DPA 1998. A pivotal aspect was whether the barnardised data still constituted personal data under section 1(1) of the DPA 1998. The House of Lords scrutinized the effectiveness of barnardisation in rendering data anonymous, referencing recital 26 of Council Directive 95/46/EC, which underpins the DPA’s provisions.

The judgment emphasized that for information to fall outside the scope of "personal data," it must be rendered fully anonymous, ensuring that individuals cannot be identified either directly or indirectly. The court rejected the notion that barnardisation inherently removes an information’s status as personal data, underscoring the necessity for factual determination on the effectiveness of anonymization methods.

Impact

This judgment underscores the critical balance courts must maintain between upholding data protection principles and facilitating transparency through freedom of information laws. It sets a precedent that anonymization techniques like barnardisation must be rigorously evaluated to ensure they effectively prevent individual identification. Future cases involving similar conflicts between DPA and FOISA will reference this judgment to determine the adequacy of data anonymization practices.

Complex Concepts Simplified

Personal Data: Under the DPA 1998, personal data refers to any information relating to an identifiable living individual. This includes data that can directly identify a person or can do so when combined with other information the data controller possesses.
Sensitive Personal Data: A subset of personal data, sensitive personal data encompasses information about an individual's health, racial or ethnic origin, political opinions, religious beliefs, and more. The processing of such data is subject to stricter conditions under the DPA 1998.
Barnardisation: A confidentiality technique used to anonymize data by introducing statistical noise (±1) to count figures in frequency tables. While it aims to obscure individual data entries, it does not guarantee complete anonymity, especially with small data sets.
Data Protection Principles: A set of guidelines within the DPA 1998 that dictate how personal data should be processed fairly, lawfully, and securely. Key principles include necessity, fairness, and purpose limitation.
FOISA 2002: The Freedom of Information (Scotland) Act 2002 grants individuals the right to access information held by Scottish public authorities, subject to specific exemptions, notably those relating to personal data protected under the DPA 1998.

Conclusion

The Common Services Agency v. Scottish Information Commissioner case critically highlights the complexities at the intersection of data protection and freedom of information. The House of Lords clarified that anonymization techniques must be robust enough to ensure that data no longer qualifies as personal data under the DPA 1998. This ensures that while transparency and the public's right to information are upheld, the privacy and protection of individuals' personal data remain paramount. The judgment serves as a guiding framework for future disputes, emphasizing that data controllers must meticulously assess and implement effective anonymization methods when handling sensitive information.