- The purpose
of the 1998 Act was to provide for the regulation of the processing, including
the
obtaining, holding, use and disclosure by "data controllers" of "personal
data" held or to be held electronically or, if held in manual files,
as part of "a relevant filing system", all as defined in section
1(1) of the Act.
- Section 7(4)-(6)
of the 1998 Act provides an individual with a right of access to "personal data",
entitling him to know whether a data controller is processing any of his
personal data and, if so, to be told
what it is, its source, why it is being processed and to whom the data are
or may be disclosed. He is not entitled to information about his personal
data which necessarily, that is, notwithstanding possible redaction, involves
disclosure of information relating to another individual, either as a subject
or the source of the information, without that other’s consent or unless
it would be reasonable in all the circumstances for him to have it without
that consent.
- The core of a data subject’s entitlement to access to his personal data
is to be found in sections 7(1) and 8(2), which, so far as material and subject
to other provisions of section 7 to which I shall return, provide:
"(1)
…an individual is entitled –
(a) to be informed by any data controller whether personal
data of which that individual is the data subject are being processed by
or on behalf of that data controller,
(b) if that is the case, to be given by the data controller
a description of -
(i) the personal data of which that individual is the data
subject,
(ii) the purposes for which they are being or are to be
processed, and
(iii) the recipients or classes of recipients to whom they
are or may be disclosed,
(c) to have communicated to him in an intelligible form
–
(i) the information constituting any personal data of which
that individual is the data subject, and
(ii) any information available to
the data controller as to the source of those data, and
(d)
where the processing by automatic means of personal data of which that
individual
is the data subject for the purpose of evaluating
matters relating to him such as, for example, his performance at work, his
creditworthiness, his reliability or his conduct, has constituted or is likely
to constitute the sole basis for any decision significantly affecting him,
to be informed by the data controller of the logic involved in that decision-taking.".
"8(2)
The obligation imposed by section 7(1)(c)(i) must be complied with by supplying
the data subject with a copy of the information
in permanent form unless-
(a) the supply of such a copy is not possible or would involve
disproportionate effort, or
(b) the data subject agrees otherwise;
and
where any of the information referred to in section 7(1)(c)(i) is expressed
in terms which are not intelligible without explanation
the copy must be accompanied by an explanation of those terms."
The facts
- It will help
to introduce the important issues of principle to which this appeal gives
rise by first
giving a short account of the factual context
in which they arise. The FSA is the single regulator for the financial services
sector in the United Kingdom, acting under powers currently conferred by
the Financial Services and Markets Act 2000 ("the 2000 Act"). It
assumed responsibility for the supervision of banks in June 1998. Until December
2001, when the 2000 Act was fully implemented, the FSA had exercised that
supervision under the Banking Act 1987 ("the 1987 Act"). In the
course of its regulatory work it received and receives much information about
companies, firms and individuals which, by section 348 of the 2000 Act, it
is obliged to treat as confidential. However, section 27(5) of the 1998 Act
overrides that obligation in respect of requests for "personal data" under
section 7, which, as I have indicated, requires all data controllers, including
the FSA, to strike a balance between, on the one hand, the effective operation
of the Act (and, in the case of the FSA, of the regulatory system) and, on
the other, the rights of privacy of individuals and third parties.
- The FSA is
a registered data controller for the purpose of the Act. The background
of Mr. Durant’s
claim against it, is that he had been a customer
of Barclays Bank PLC ("Barclays Bank"). There was litigation between
them, which he lost in 1993. Since then he has, without success, sought disclosure
of various records in connection with the dispute giving rise to that litigation,
records that he believes may assist him to re-open his claims against it
and/or to secure an investigation of its conduct. In July or August 2000,
he sought the assistance of the FSA to obtain this disclosure. In addition,
he wanted to know what documents the FSA had obtained from Barclays Bank
in its supervisory role under the 1987 Act. The FSA investigated his complaint
against the Bank, closing the investigation in March 2001, without informing
Mr. Durant of its outcome, pursuant to its obligation of confidentiality
under sections 82 to 85 of the 1987 Act. In October 2000, Mr. Durant complained
about that refusal to the FSA’s Complaints Commissioner, who, in November
2000, dismissed it.
- In September
and October 2001, Mr. Durant made two requests to the FSA under section
7 of the Act,
seeking disclosure of personal data held by it,
both electronically and in manual files. In October 2001 the FSA provided
Mr. Durant with copies of documents relating to him that it held in computerised
form, disclosure that went beyond his entitlement under the Act, which is
to have communicated to him in an intelligible form "information constituting
any personal data" of which he was the subject (section 7(1)(c)(i);
see para. 8 above). Some of the documents were redacted so as not to disclose
the names of others. It later made further disclosure of computerised material.
However, the FSA refused the whole of his request for information held on
manual files on the ground that the information sought was not "personal" within
the definition of "personal data" in section 1(1) of the 1998 Act,
and that, even if it was, it did not constitute "data" within the
separate definition of that word in section 1(1)(c) in the sense of forming
part of a "relevant filing system". The FSA has since maintained
that refusal, which encompasses four categories of file.
- Further details of the nature of each of those files have been provided
to us in the second witness statement of Mr. Daniel Davies, to which I have
referred. Those were early days for the FSA, when it had only recently assumed
responsibility for the work of other regulatory bodies and their disparate
files, and it is plain from Mr. Davies’s evidence that, in the case of manual
files at least, some of its systems were, in consequence, somewhat basic.
I deal briefly with each of the four categories of files to which Mr. Durant’s
requests for information relate.
- The first was
the Major Financial Groups Division systems file ("the
MFGD Systems file"). It was a file, in two volumes, relating to the
systems and controls that Barclays Bank was required to maintain and which
was subject to control by the FSA. The file, which was arranged in date order,
also contained a few documents relating to part of Mr. Durant’s complaint
against the Bank, which concerned such systems and controls.
- The second
category of file was "the MFGD Complaints file" -
relating to complaints by customers of Barclays Bank about it to the FSA
- the sub-dividers being ordered alphabetically by reference to the complainant’s
name, containing behind a divider marked "Mr. Durant" a number
of documents relating to his complaint, filed in date order.
- The third category
of file was the Bank Investigations Group file ("the
B.I.G file"), maintained by the FSA’s Regulatory Enforcement Department,
relating and organised by reference to issues or cases concerning Barclays
Bank, but not necessarily identified by reference to an individual complainant.
It contained a sub-file marked "Mr. Durant", containing documents
relating to his complaint. Neither the file nor the sub-file was indexed
in any way save by reference to the name of Mr. Durant on the sub-file itself.
- The fourth category of file was the Company Secretariat papers, a sheaf
of papers in an unmarked transparent plastic folder held by the FSA’s Company
Secretariat, relating to Mr. Durant’s complaint about the FSA’s refusal to
disclose to him details and the outcome of its investigation of his complaints
against Barclays Bank, not organised by date or any other criterion.
- The FSA has acknowledged in correspondence that each of the files in question
contains information in which Mr. Durant features, that some of them identify
him by reference to specific dividers within the file and that they contain
such documents as: copies of telephone attendance notes, a report of forensic
examination of documents, transcripts of judgments, hand-written notes, internal
memoranda, correspondence with Barclays Bank, correspondence with other individuals
and correspondence between the FSA and him.
- As to the redaction by the FSA of the computerised documentation provided
to Mr. Durant, it redacted it in the main because it did not consider that
it contained personal data of which he was the subject and, in the case of
two documents only, because it did not consider it reasonable to disclose
the name of another individual mentioned in them. The FSA refused Mr. Durant’s
request for sight of the redacted material.
- On Mr. Durant’s appeal to Judge Zeidman against the dismissal by District
Judge Rose of his application under section 7(9) of the 1998 Act for further
disclosure, the Judge considered the matter afresh. Pursuant to section 15(2)
of the Act, he inspected the unredacted versions of the computerised documents
and the four manual files the subject of the claim for further disclosure.
On 24th October 2002 the Judge ruled that Mr. Durant, save as
to one letter in redacted form, was not entitled to the redacted information
in the computerised documents. It is not clear from his judgment whether
he did so on the basis that all the redacted material, which was of references
to third parties, was not his personal data or because he considered it reflected
a proper balance of their respective interests under section 7(4) of the
1998 Act. He also held that Mr. Durant was not entitled to any information
from the four manual files since they were not part of "a relevant filing
system" as defined in section 1(1) of the Act and, therefore, did not
contain data, personal or otherwise, to which he was entitled under section
7. On 20th March 2003 Ward LJ granted Mr. Durant permission to
appeal.
The issues
- The appeal raises four important issues of law concerning the right of
access to personal data provided by sections 7 and 8 of the 1998 Act:
1) The personal data issue –
What makes "data", whether
held in computerised or manual files, "personal" within the meaning
of the term "personal data" in section 1(1) of the 1998 Act so
as to entitle a person identified by it to its disclosure under section 7(1)
of the Act – more particularly in this context, to what, if any, extent,
is information relating to the FSA’s investigation of Mr. Durant’s complaint
about Barclays Bank within that definition?
2) The relevant filing system issue –
What is meant by a "relevant
filing system" in the definition of "data" in section 1(1)
of the 1998 Act, so as to render personal information recorded in a manual
filing system "personal data" disclosable to its subject under
section 7(1) – more particularly here, was the FSA’s manual filing such a
system so as to require it to disclose to Mr. Durant from those files information
that would, if it were in computerised form, constitute "personal data" within
section 1(1)?
3) The redaction issue –
Upon what basis should a data controller, when responding to a person’s
request for disclosure of his personal data
under section 7(1), consider it "reasonable in all the circumstances",
within the meaning of that term in section 7(4)(b), to comply with the request
even though the personal data includes information about another and that
other has not consented to such disclosure?
4) The discretion issue – By what principles should a court be guided
in exercising its discretion under section 7(9) of the Act to order a data
controller who has wrongly refused a request for information under section
7(1), to comply with the request?
"personal data"
- The first question
for a data controller when considering a person’s request for information
under
section 7 of the 1998 Act is whether the information
sought is capable of being that person’s "personal data" within
the definition of that term in section 1(1), regardless of whether it is
held in computerised or manual form. If and to the extent that it is not,
it is not disclosable under section 7(1) and the other issues in the appeal
fall away. This issue in its simplest form in the context of this case is
whether information – any information - relating to the investigation by
the FSA of Mr. Durant’s complaint about Barclays Bank is his "personal
data" for this purpose, an issue in its own right to which neither the
parties nor the Judge gave much attention below.
- The starting
point is again the 1981 Convention, Article 2.a of which defined "personal
data" quite shortly as "any information relating to an identified
or identifiable individual (‘data subject’)". An Explanatory Report
on the Convention issued by the Council of Europe in 1981, in para. 29, stated
that the notion of "data subject" in that definition expressed "the
idea that a person has a subjective right with regard to information about
himself, even where this is gathered by others". That notion was reflected
and developed in the 1995 Directive, Article 2(a) of which defines "personal
data" as
"…
any information relating to an identified or identifiable natural person
(‘data subject’); an identifiable person is one who can be
identified, directly or indirectly, in particular by reference to an identification
number or to one or more factors specific to his physical, physiological,
mental, economic, cultural or social identity;"
- Section 1(1) of the 1998 Act, in its turn, further developed the notion,
albeit in an inclusive form. It states:
"‘personal
data’ means data which relate to a living individual who can be identified
–
(a) from those data, or
(b) from those data and other information which is in the
possession of, or is likely to come into the possession of, the data controller,
and
includes any expression of opinion about the individual and any indication
of the
intentions of the data controller or any other
person in respect of the individual;"
The submissions
- There is no
issue as to the identification of Mr. Durant for the purposes of paragraphs
(a)
and (b) in the definition in section 1(1) and of the criterion
for entitlement to access in section 7(1)(b)(i), "the personal data
of which that individual is the data subject" (see para. 8 above). The
question is the meaning of the words "relate to" in the opening
words of the definition, in particular to what extent, if any, the information
should have the data subject as its focus, or main focus. Miss Houghton,
on behalf of Mr. Durant, pitched Mr. Durant’s entitlement to information
under section 7 in very broad terms, relying on what she described as the
extremely wide and inclusive definition of "personal data" in section
1(1). She suggested that it covered any information retrieved as a result
of a search under his name, anything on file which had his name on it or
from which he could be identified or from which it was possible to discern
a connection with him. On that basis, she submitted that Mr. Durant’s letters
of complaint to the FSA and the documentation they generated were his personal
data because he was the source of the material. She said that, here, the
information in the manual files of which she sought disclosure (and that
redacted in the computerised files) was likely to refer to the FSA’s conduct
in responding to his complaint and that it was difficult to see how information
retrievable as a result of a search under his name would not fall within
the definition. She sought further support for that proposition in the absence
of any statutory exclusion of or distinction based on business or official
data. In response to any possible "floodgates" argument that might
be advanced against the breadth of disclosure and the burden on data controllers
to which her construction might lead, she drew attention to Part IV of the
1998 Act which, in implementation of Article 13 of the Directive (see para.
54 below), contains a wide range of exemptions from the obligation on data
controllers to comply with, among other things, requests for personal data
under section 7.
- Mr. Sales disagreed.
He said that whilst the key words in the definition, "relate
to", considered on their own, are capable of a range of interpretations,
they could not sensibly have the broad interpretation for which Miss Houghton
contended. He referred to two meanings given to the words "relate to" in
the Shorter Oxford English Dictionary: the first, being "have reference
to, concern", implying, in this context, a more or less direct connection
with an individual; and the second, much broader meaning, "have some
connection with, be connected to". He submitted that the former, narrower
meaning is to be preferred, relying on the definition of personal data in
the 1981 Convention and the 1995 Directive and on Lord Hoffmann’s dictum
in relation to the 1984 Act in Brown, at 557E, that personal data
was "data concerning a living individual". He relied also on the
express inclusion in the definition in section 1(1) of "any expression
of opinion about the individual and any indication of the intentions of the
data controller or any other person in respect of" him, namely that,
absent those words, the information would not "relate to" the data
subject. He made similar points by reference to section 7, namely that section
7(1)(c) distinguishes between the data and its source; and section 7(1)(d)
distinguishes the purposes for which and how information relating to an individual
is used from his personal data (see paragraph 8 above). Under Miss Houghton’s
broad construction of the definition, such express provisions would, he said,
have been unnecessary.
Conclusions
- The intention of the Directive, faithfully reproduced in the Act, is to
enable an individual to obtain from a data controller’s filing system, whether
computerised or manual, his personal data, that is, information about himself.
It is not an entitlement to be provided with original or copy documents as
such, but, as section 7(1)(c)(i) and 8(2) provide, with information constituting
personal data in intelligible and permanent form. This may be in documentary
form prepared for the purpose and/or where it is convenient in the form of
copies of original documents redacted if necessary to remove matters that
do not constitute personal data (and/or to protect the interests of other
individuals under section 7(4) and (5) of the Act).
- In conformity
with the 1981 Convention and the Directive, the purpose of section 7, in
entitling
an individual to have access to information in the
form of his "personal data" is to enable him to check whether the
data controller’s processing of it unlawfully infringes his privacy and,
if so, to take such steps as the Act provides, for example in sections 10
to 14, to protect it. It is not an automatic key to any information, readily
accessible or not, of matters in which he may be named or involved. Nor is
it to assist him, for example, to obtain discovery of documents that may assist
him in litigation or complaints against third parties. As a matter of practicality
and given the focus of the Act on ready accessibility of the information
- whether from a computerised or comparably sophisticated non-computerised
system - it is likely in most cases that only information that names or directly
refers to him will qualify. In this respect, a narrow interpretation of "personal
data" goes hand in hand with a narrow meaning of "a relevant filing
system", and for the same reasons (see paragraphs 46-51 below). But
ready accessibility, though important, is not the starting point.
- It follows from what I have said that not all information retrieved from
a computer search against an individual’s name or unique identifier is personal
data within the Act. Mere mention of the data subject in a document held
by a data controller does not necessarily amount to his personal data. Whether
it does so in any particular instance depends on where it falls in a continuum
of relevance or proximity to the data subject as distinct, say, from transactions
or matters in which he may have been involved to a greater or lesser degree.
It seems to me that there are two notions that may be of assistance. The
first is whether the information is biographical in a significant sense,
that is, going beyond the recording of the putative data subject’s involvement
in a matter or an event that has no personal connotations, a life event in
respect of which his privacy could not be said to be compromised. The second
is one of focus. The information should have the putative data subject as
its focus rather than some other person with whom he may have been involved
or some transaction or event in which he may have figured or have had an
interest, for example, as in this case, an investigation into some other
person’s or body’s conduct that he may have instigated. In short, it is information
that affects his privacy, whether in his personal or family life, business
or professional capacity. A recent example is that considered by the European
Court in Criminal Proceedings against Lindqvist, Case C-101/01 (6th November
2003), in which the Court held, at para. 27, that "personal data" covered
the name of a person or identification of him by some other means, for instance
by giving his telephone number or information regarding his working conditions
or hobbies.
- This narrow
meaning of personal data derives, not only from its provenance and form
of reproduction
in section 1(1), but also from the way in which
it is applied in section 7. That section, picking up the definition of "data
subject" in section 1(1), sets out the basic entitlement of an individual
to access to personal data "of which …[he] is the data subject".
I agree with Mr. Sales that the inclusion in section 1(1) of expressions
of opinion and indications of intention in respect of him supports an otherwise
narrow construction. If the term had the broader construction for which Miss
Houghton contended, such provision would have been otiose. A similar pointer
to the focus of attention being on the data subject rather than on someone
else with whom for some reason he is involved or had contact is in the special
provision for "sensitive personal data" in section 2 of, and Schedules
1, para. 1(b) and 3 to, the 1998 Act, giving effect in large part to Articles
6 to 8 of the Directive.
- Looking at
the facts of this case, I do not consider that the information of which
Mr. Durant
seeks further disclosure - whether about his complaint
to the FSA about the conduct of Barclays Bank or about the FSA’s own conduct
in investigating that complaint – is "personal data" within the
meaning of the Act. Just because the FSA’s investigation of the matter emanated
from a complaint by him does not, it seems to me, render information obtained
or generated by that investigation, without more, his personal data.
For the same reason, either on the issue as to whether a document contains "personal
data" or as to whether it is part of a "relevant filing system",
the mere fact that a document is retrievable by reference to his name does
not entitle him to a copy of it under the Act. The letter of 17th January
2001 from the FSA to the Bank, referred to by the Judge at page 11C-D of
his judgment, is an example. It cannot have been the intention of Parliament
that, subject to it being part of a relevant filing system within section
1(1), any document held by the FSA generated by and/or arising out of the
FSA’s investigation of such a complaint should itself be disclosable under
section 7. As the FSA acknowledges, in its provision of documents in response
to Mr. Durant’s first request, which was to enable him to compare documents
held by the FSA with documents disclosed to him by the Bank, it provided
more than the Act required of it.
- In short, Mr.
Durant does not get to first base in his claim against the FSA because
most of
the further information he sought, whether in computerised
form or in manual files, is not his "personal data" within the
definition in section 1(1). It is information about his complaints and the
objects of them, Barclays Bank and the FSA respectively. His claim is a misguided
attempt to use the machinery of the Act as a proxy for third party discovery
with a view to litigation or further investigation, an exercise, moreover,
seemingly unrestricted by considerations of relevance. It follows that much
of Mr. Durant’s complaint about redaction of other individuals’ names and
details falls away, regardless of the outcome of the correct application
of the provisions of section 7(4) – (6) for protection of the confidentiality
of other individuals (see paragraphs 52-68 below).
"relevant filing system"
- The issue concerns
the right of access by an individual to his personal data held in manual
files
and the interpretation of the words "a relevant
filing system" in the definition of "data" in section 1(1)
of the Act, since there is only a right of access to personal data in manual
files that is "structured" in a certain manner. I should set out
first the provisions of the Directive and of the Act giving effect to them
– there is no material difference between the two. The relevant provisions
of the Directive are Article 2 (2)(c) and Recitals (15) and (27). Article
2 (c) provides that, for the purposes of the Directive,
"‘personal data filing system’ (‘filing system’) shall mean any structured set of
personal data which are accessible according to
specific criteria, whether centralised, decentralised or dispersed on a functional
or geographical basis;"
And Recitals 15 and 27 read:
"(15)
Whereas the processing of such data is covered by this Directive only if
it is automated or if the data processed are contained
or are intended to be contained in a filing system structured according to
specific criteria relating to individuals, so as to permit easy access to
the personal data in question;"
"(27)
Whereas the protection of individuals must apply as much to automatic processing
of data as to manual processing; whereas
the scope of this protection must not in effect depend on the techniques
used, otherwise this would create a serious risk of circumvention; whereas
nonetheless, as regards manual processing, this Directive covers only filing
systems, not unstructured files; whereas, in particular, the content of a
filing system must be structured according to specific criteria relating
to individuals allowing easy access to the personal data; whereas, in line
with the definition in Article 2( c ), the different criteria for determining
the constituents of a structured set of personal data, and different criteria
governing access to such a set, may be laid down by each Member State; whereas
files or sets of files as well as their cover pages, which are not structured
according to specific criteria, shall under no circumstances fall within
the scope of the Directive."
- The 1998 Act,
in its definitions of "data" and "relevant
filing system" in section 1(1), picks up the Directive’s theme that
information held on manual files is only capable of being "data",
and hence "personal data", if it forms part of a system so structured
by reference to specific information about an individual as to make that
information readily accessible. Section 1(1) defines data broadly by reference
to whether it is or is intended to be in computerised form or in manual files.
It provides, so far as material:
"(1)
In this Act, unless the context otherwise requires -
‘data’
means information which -
(a) is being processed by means of equipment operating automatically
in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed
by means of such equipment,
(c)
is recorded as part of a relevant filing system or with the intention that
it should form part of a relevant filing system, …;"
"‘relevant filing system’ means any set of information relating to individuals to
the extent that, although the information is not
processed by means of equipment operating automatically in response to instructions
given for that purpose, the set is structured, either by reference to individuals
or by reference to criteria relating to individuals, in such a way that specific
information relating to a particular individual is readily accessible."
- It is clear
from those provisions that the intention is to provide, as near as possible,
the same
standard or sophistication of accessibility to
personal data in manual filing systems as to computerised records. The Judge
began his analysis of the issue on that note, observing that, although he
was then concerned only with information held by the FSA on manual, not computerised,
files, most of the provisions in the Act concerned computerised data. He
said that the draftsman’s recourse to the notion of a "relevant filing
system" for non-computerised data contemplated an arrangement of paper
data in a form similar to that which a computer would use to process the
same information. He rightly began by breaking down the definition in section
1(1) of the term "relevant filing system" into three constituents
in order to see whether the material in issue in the case fell within it,
namely whether: 1) the material was a set of information relating to an individual;
2) the material was structured either by reference to individuals or by reference
to criteria relating to individuals; and 3) it was structured in such a way
that specific information relating to a particular individual was readily
accessible. He then said, at 8F-9A:
"The
strict requirements of the definition can be understood if one remembers
the context into which this rule is placed. Most of the
provisions in this Act deal with computer information but if one is able
to arrange material in a non-computer form but in a form which apes the processing
of a computer then the information is likely to be caught by the definition.
The Act says that the fact that the information is not processed by means
of equipment operating automatically in response to instructions given for
that purpose will not prevent the material coming within the definition of
a relevant filing system if it is structured in the way anticipated by the
statute, so I need to concentrate on the structure. …."
- The Judge considered
the four manual files in question maintained by the FSA, each of which
he had inspected. He concluded that none of them contained "data" as
defined in section 1(1), because none of them, for various reasons, constituted "a
relevant filing system". As to the MFGD Systems file, he held, at 9C-F,
that it was not structured by reference to individuals or to criteria relating
to individuals. As to the MFGD Complaints file, he held that it was not structured
in such a way that specific information relating to a particular individual
was readily accessible. He said, at 9G-10C:
"It
does contain documents relating to the appellant’s complaint about the
bank under a divider marked ‘Mr. Durant’ and it follows
that the information concerning Mr. Durant could be obtained. However, I
must remind myself that this is not the statutory criteria. It is not a question
of whether the information could be obtained or even whether the information
could be obtained easily. The question that I must pose is whether it is
structured in such a way that specific information relating to a particular
individual is readily accessible. It contains a variety of different documents
stored by date order. There is no more detailed structuring than that. The
documents are not organised in such a way that would enable one to isolate
particular aspects of the information, save that it is all under the name
Durant. It is in the file just by date order. It follows again that this
does not in my judgment satisfy the requirement of structuring anticipated
by the statutory provision."
As to the BIG file, the Judge said, at 10D-F:
"… it relates to issues or cases concerning the bank, although a section of
the file does contain documents relating to Mr. Durant.
It is organised in sections with reference to the issues or cases themselves
but those issues or cases are not necessarily identified by reference to
an individual. I accept the submission of Mr. Mayhew that to the extent the
file or any section of it is structured with reference to individuals it
is not so structured that specific information relating to a particular individual
is readily accessible and this includes the section identified by reference
to Mr. Durant."
And, as to the Secretariat Documents – the sheaf of papers relating to Mr.
Durant’s complaint about the FSA’s dealings with him, the Judge said, at
10G-11B:
"The file comprises a variety of documents that relate to Mr. Durant’s complaint.
They are not organised by date or any other criterion
and again it seems to me that no specific information is readily accessible
by virtue of that fact."
The submissions
- Miss Houghton urged a broad construction of the meaning of the Directive
and the Act on the meaning of a filing system for this purpose. She made
two related complaints about the Judge’s reasoning – related in the sense
of maintaining that he gave too sophisticated a meaning to the term "relevant
filing system". First, she submitted that he applied too restrictive
a test by merely considering the Act and the respective structures of the
files. She said that he should also have considered the matter in the light
of the Directive, in particular Article 2 (c) when read with Recital (27).
Second, she maintained that, in any event, the Judge mistook the meaning
of the word "set" in the phrase "set of information" in
the Act’s definition. She submitted that "set" in this context
meant, not an individual file and its structure or lack of it, but the whole
filing system of which it was part. It was enough, she argued, to show the
existence of a filing system in which particular types of documents may be
found, for example in an individual file identified by reference simply to
the data subject’s name.
- As to the first of those criticisms, Miss Houghton submitted that Recital (27)
makes it plain that the Directive is concerned to prevent a data controller
from relying on his techniques for control of filing of manual records to
defeat otherwise unobjectionable requests from individuals for access to
their personal data. She contrasted the requirement in Recital (27) and Article
2(c) for "filing systems" to be so structured as to allow such
individuals easy access to their personal data according to specific criteria,
with the various constituents of a system governing access to the data, which
are expressly left by Recital (27) for decision by individual member states.
The latter, submitted Miss Houghton, indicates a broader construction of
the words "relevant filing system" in section 1(1) of the Act than
the Judge gave them.
- Miss Houghton took as an example the Judge’s reasoning for rejecting the
last three categories of file as "relevant filing systems", namely
that the structure of the files did not, for want of sufficient cross-referencing,
enable the data controller readily to identify certain "low level detail",
for example, Mr. Durant’s age or address. She said that such reasoning offended
the stricture in Recital (27) against allowing the scope of the protection
provided by the Directive to be circumvented by the use of filing techniques
and that a manual system cannot be expected to have the same level of sophistication
as a computerised system. She said that the Judge’s approach would require
cross-referencing of manual files to a level of sophistication close to that
of full-text search facility on a computer, an outcome that the definition
in the Act of "a relevant filing system" could not sensibly require.
She submitted that, on the contrary, those three sets of files satisfied
the three constituents of the definition in that they contained material
relating to an individual which was structured by reference to individuals
or criteria relating to them and in such a way that specific information
was readily accessible by turning to the divider bearing an individual’s
name and looking at the documents behind it. Such a construction, she submitted,
is consistent with both the Directive and the Act, whereas the more restrictive
one of the Judge would damage their underlying purpose of ready accessibility
to personal data, applicable to manual as well as computerised files.
- As to Miss Houghton’s second criticism, she submitted that he wrongly
took each individual file instead of the FSA’s overall filing system as
the data "set" referred
to in the definitions in Article 2(c) and section 1(1). She maintained that
in the context of a body like the FSA, a single file cannot be a "filing
system"; it must be the collection of all its files or all the files
within a specific department, for example, BIG or MFGD. On that basis, she
submitted that individual files forming part of a wider filing system amounting
to a "set of information" for this purpose may contain data forming
part of a relevant filing system even though the files are not internally
indexed or cross-referenced, provided that there is some overall system,
whether formal or informal, enabling relatively simple access to personal
data. Her practical point was that, although the FSA had disclosed and described
material files, it had given no account of its "high level" filing
structures, that is, the manner in which it stored or organised the files
or, say by a system of indexing or cross-referencing or action-log, how it
recorded their location and contents in order to provide ready access to
specific matters as necessary for its staff. She suggested, by reference
to certain documents disclosed by the FSA, that it does indeed maintain systems
of this sort in the form of computerised logs of correspondence and documents
in various forms, some of which appear to relate to manual files. She referred,
for example to: a computer extract identifying Mr. Durant’s complaint as "case
no. 007"; references in a report to documents identified by a reference
number attaching uniquely to him; a list of card index search results indicating
the location of documents referring to him; and two computerised correspondence
logs identifying and locating files containing correspondence relating to
him, all or some of which the FSA may not have disclosed.
- Miss Houghton observed that, if those examples are typical of the FSA’s
filing system or systems, while each file, looked at on its own, may appear
to be unstructured, the contents of it are carefully indexed elsewhere and
are thus readily accessible. She submitted that if the same applies to the
four categories of documents that the FSA has refused to disclose, the subject
of this appeal, any personal data within them relating to Mr. Durant forms
part of "a relevant filing system" for the purpose of the Act and
should be disclosed. She invited the Court not to do as the Judge did, focus
on the individual files, but on the overall filing systems of which they
were part.
- As I have indicated, the FSA has responded evidentially to this new argument
with a witness statement from Mr. Davies, describing in some detail its filing
systems of which the manual files in question form part. In substance, he
shows that the general filing system did not contain indexing mechanisms
that would enable location of particular documents within individual files
or any indexing mechanism enabling ascertainment of specific information
about an individual, other than by physically examining an individual file
and reading through it.
- Mr. Philip Sales urged a narrow interpretation of the definition in the Act
of a "relevant filing system". He submitted that the definition
is consistent with the approach of the Directive in that it has as its central
focus, the right of access to computerised records, which, by their very
nature, are readily accessible and retrievable. He said that the Act’s extension
of its provisions to manual records in the formula in the definition "although
the information is not processed by means of equipment operating automatically
in response to instructions given for that purpose", indicates that
it does so only to the extent that such records are broadly comparable with
computerised records in terms of ease of access to and retrievability of
data in them. It follows, he argued, that the Act, in its application to
manual records, applies only to data in highly structured individual files
as well as overall filing systems.
- This assimilation of "relevant" manual "filing systems" with
the sophisticated operation of computerised files expresses, as Mr. Sales
illustrated, the declared intention of the Government during the passage
of the Bill giving rise to the Act (HL Debs, vols 585, col 438, 2nd February
1998 and vol 587, col 467, 16th March 1998). He submitted that
it is also consistent with the Directive in its primary focus on computerised
data (see Recitals (3)-(9) and (11)), with its definition in Article 2(c)
of a "personal data filing system", and with Recitals (15) and
(27) in confining the ambit of the Directive to filing systems "structured
according to specific criteria relating to individuals". He added that
the narrow application of the Directive – and of the Act – for which he contended
was also of a piece with the general EC law principle of proportionality
with which all EC secondary legislation must comply; see e.g. R (British
American Tobacco Investments) v. Secretary of State for Health, ECJ judgment
of 10th December 2002. He said that the Community legislature
would have had that principle well in mind when drafting the Directive, namely
the importance of not imposing disproportionate burdens on data controllers.
In short, he submitted that the Directive supports a restrictive interpretation
of the meaning in the Act of "a relevant filing system".
- Finally, on this issue, Mr. Sales submitted that Mr. Davies’ evidence makes
plain that none of the FSA’s manual filing systems at the time, whether at
"high" or "low" level,
constituted a "relevant filing system" as defined in section 1(1)
of the Act and that, therefore, they did not contain any "data" disclosable
by it under the Act, personal or otherwise.
Conclusions
- The parliamentary intention to which Mr. Sales referred, is, in my view,
a clear recognition of two matters: first, that the protection given by the
legislation is for the privacy of personal data, not documents, the latter
mostly retrievable by a far cruder searching mechanism than the former; and
second, of the practical reality of the task that the Act imposes on all
data controllers of searching for specific and readily accessible information
about individuals. The responsibility for such searches, depending on the
nature and size of the data controller’s organisation, will often fall on
administrative officers who may have no particular knowledge of or familiarity
with a set of files or of the data subject to whose request for information
they are attempting to respond. As Mr. Sales pointed out, if the statutory
scheme is to have any sensible and practical effect, it can only be in the
context of filing systems that enable identification of relevant information
with a minimum of time and costs, through clear referencing mechanisms within
any filing system potentially containing personal data the subject of a request
for information. Anything less, which, for example, requires the searcher
to leaf through files to see what and whether information qualifying as personal
data of the person who has made the request is to be found there, would bear
no resemblance to a computerised search. And, as Mr. Sales also pointed out,
it could, in its length and other costs, have a disproportionate effect on
the property rights of data controllers under Article 1 of the First Protocol
to the ECHR, who are only allowed a limited time, 40 days, under section
7(8) and (10) of the Act to respond to requests, and are entitled to only
a nominal fee in respect of doing so.
- As to the 1998 Act, to constitute a "relevant filing system" a
manual filing system must: 1) relate to individuals; 2) be a "set" or
part of a "set" of information; 3) be structured by reference to
individuals or criteria relating to individuals; and 4) be structured in
such a way that specific information relating to a particular individual
is readily accessible. That seems to me entirely consistent with the Directive,
in particular in the latter’s emphatic emphasis in Article 2(c) and Recital
(27) on a file so structured by reference to "specific criteria" about
individuals as to provide "easy access" to "the personal data
in question". When considered alongside the narrow meaning of personal
data in this context and when read with Recital (15) indicating that the
required "easy" access to such data must be on a par with that
provided by a computerised system, the need for a restrictive interpretation
of the definition "relevant filing system" is plain. It is not
enough that a filing system leads a searcher to a file containing documents
mentioning the data subject. To qualify under the Directive and the Act,
it requires, as Mr. Sales put it, a file to which that search leads to be
so structured and/or indexed as to enable easy location within it or any
sub-files of specific information about the data subject that he has requested.
- As both parties acknowledge, the Directive is an important aid to
construction of the Act. Its primary focus, as that of the Act, is on
computerised data
(see Articles 3-9 in the context of its ready facilitation of the free movement
of personal data, and 11 in its concern for the right to privacy). And it
is only to the extent that manual filing systems are broadly equivalent to
computerised systems in ready accessibility to relevant information capable
of constituting "personal" data that they are within the system
of data protection. Recital (11) deserves particular mention as to the primary
focus of the Directive on computerised systems, in its statement of the Directive’s
intention to "give substance to and amplify" rights set out in
the 1981 Convention, which, as I have said, gave rise in this country to
the 1984 Act, creating obligations only in relation to computerised data,
though permitting Contracting States to extend it to manual data. Returning
– and more specifically – to the Directive, the definition in section 1(1)
of the Act of "a relevant filing system" accords with the Directive
in its equally restrictive definition in Article 2(c) of "a personal
data filing system" as a "structured set of personal data which
are accessible according to specific criteria …", and also with Recitals
(15) and (27), which emphasise that it is intended to cover only files "structured
according to specific criteria relating to individuals".
- It is plain from the constituents of the definition considered individually
and together, and from the preface in it to them, "although the information
is not processed by means of equipment operating automatically in response
to instructions given for that purpose", that Parliament intended to
apply the Act to manual records only if they are of sufficient sophistication
to provide the same or similar ready accessibility as a computerised filing
system. That requires a filing system so referenced or indexed that it enables
the data controller’s employee responsible to identify at the outset of his
search with reasonable certainty and speed the file or files in which the
specific data relating to the person requesting the information is located
and to locate the relevant information about him within the file or files,
without having to make a manual search of them. To leave it to the searcher
to leaf through files, possibly at great length and cost, and fruitlessly,
to see whether it or they contain information relating to the person requesting
information and whether that information is data within the Act bears, as
Mr. Sales said, no resemblance to a computerised search. It cannot have been
intended by Parliament - and a filing system necessitating it cannot be "a
relevant filing system" within the Act. The statutory scheme for the
provision of information by a data controller can only operate with proportionality
and as a matter of common-sense where those who are required to respond to
requests for information have a filing system that enables them to identify
in advance of searching individual files whether or not it is "a relevant
filing system" for the purpose.
- Before leaving this issue, I should mention that Jay and Hamilton, in a
helpful, practical analysis of these provisions in their Data Protection
– Law and Practice, 1999, have reached much the same conclusion. They
say that there is some ambiguity in both the Directive and the Act as to
the definition of a filing system for this purpose, and that whether a particular
file or files will amount to such a system is necessarily fact sensitive.
However, they conclude, at pp. 22-23, that the weight of authority, including
the provenance of this aspect of the Directive in the German Federal Data
Protection Act and the Government’s declared intention and treatment of the
matter during the passage of the 1998 Bill through the House of Lords, leans
towards a restrictive interpretation of the ambiguity:
"… files or systems which do not have any clear systematic internal indexing
mechanism should not fall under the definition.
So a file with a name on the front arranged in date order may not fall within
the term, whereas a file with a name on but arranged in sections to cover
health, education, earnings or family connections is more likely to be; the
more readily accessible the particular information, the clearer it is that
it will be covered. …the nature of the file, for example whether it is a
personnel file or a customer file, is completely irrelevant."
- Accordingly, I conclude, as Mr. Sales submitted, that "a relevant
filing system" for the purpose of the Act, is limited to a system:
1) in which the files forming part of it are structured or referenced in
such a way as clearly to indicate at the outset of the search whether specific
information capable of amounting to personal data of an individual requesting
it under section 7 is held within the system and, if so, in which file or
files it is held; and
2) which has, as part of its own structure or referencing mechanism, a sufficiently
sophisticated and detailed means of readily indicating whether and where
in an individual file or files specific criteria or information about the
applicant can be readily located.
- Returning to Mr. Durant’s requests for further documents from the files
in question, it is plain that the FSA’s filing systems at the time did not
satisfy those requirements or either of them. As to the first, which approximates
to what Miss Houghton has called "high level filing structures",
it is plain from the evidence of Mr. Davies, that the FSA’s filing system
did not qualify. As I have said, in summarising that evidence, it did not
contain indexing mechanisms enabling location of particular documents or,
more importantly, of personal data, that is, specific information about Mr.
Durant, in a file or files other than by a physical search of the file or
files. As to the second, Miss Houghton’s "low level filing structures",
it is plain from the description that I have given of the individual files
that they did not qualify either. I say that without regard to the fact that
Mr. Durant’s requests for information are highly unspecific, sometimes simply
for disclosure of documents or categories of document. But to the extent
that he might be entitled to specific information, if forming part of "a
relevant filing system", none of the files in question is so structured
or indexed as to provide ready access to it, as the Judge in his helpfully
succinct judgment, given after examination of the files, demonstrated. An
ability of staff readily to identify and locate whole files, even those organised
chronologically and/or by reference to his and others’ names, is not enough.
Redaction
- This issue arose only in relation to computerised documents that the FSA
provided to Mr. Durant; as I have said, it provided him with no documents
from its manual files. There were two categories of redactions: 1) those
- nearly all - that the FSA considered did not constitute his personal data;
and 2) those – in the case of two documents only – where it considered it
unreasonable to disclose the names of another individual.
- Miss Houghton had two main complaints about the FSA’s redactions. One was
as to redaction of information, the nature of which Mr. Durant is unaware,
in correspondence about his complaint to the FSA about Barclays Bank. The
other was of the redaction of names of other individuals. As to the latter,
she said that the pattern of redaction in the documents disclosed by the
FSA suggested a "blanket" decision by it to redact all other individuals’
names rather than to consider, in accordance with section 7(4)(b)
of the Act, in each case whether it was "reasonable in all the circumstances" to
disclose the identity of the other individual without obtaining his consent.
The Judge did not deal, other than inferentially, with this issue of reasonableness,
possibly because it was not raised before him in the same detail as Miss
Houghton has argued it on this appeal. The Judge dealt with the whole issue
of redaction quite shortly at pages 7D-F and 11E-F:
"Having inspected the material I am entirely satisfied first of all that the
information
that was held on computer and which has
been disclosed, subject to redaction, has been the subject of proper… [disclosure],
although I will at a later stage come back to deal with one document, the
letter of 27th October 2000. The redacted copies exclude references
to third parties, I have seen that by comparing the original with copies,
and therefore in respect of those documents I find that the respondents have
complied with their duty. In many respects that represents the easiest part
of the case because most of the argument has concerned those records which
are not held on computer and the issue is whether they come within section
1(1)(c) of the Act. ….
I deal finally with the letter from the FSA to Barclays
Bank of 27th October 2000. This document, it seems to me, does
come within the definition … Read realistically, it seems to me that this
does contain personal data concerning an individual who can be identified
and therefore subject to redaction it should be disclosed and I do in respect
of that single document make an order under section 7(9) that in its redacted
form it should be served on the appellant."
- I have already mentioned, but only briefly, the protection given by section
7 of the 1998 Act to other individuals when a data subject seeks access under
that provision to his personal data, for example where such data may identify
another individual as the source of the information. In such a case both
the data subject and the source of the information about him may have their
own and contradictory interests to protect. The data subject may have a legitimate
interest in learning what has been said about him and by whom in order to
enable him to correct any inaccurate information given or opinions expressed.
The other may have a justifiable interest in preserving the confidential
basis upon which he supplied the information or expressed the opinion. Sections
7(4)-(6) and 8(7) - prompted by the European Court’s decision in Gaskin
v. United Kingdom [1990] 1 FLR 167, ECtHR, at para. 49 - provide a machinery
for balancing their respective interests, and do so compatibly with Articles
12 and 13.1(g) of the Directive, which, as Mr. Sales observed, mirrors the
balance provided by Article 8.2 to 8.1 ECHR. Article 12, to which section
7 of the 1998 Act is intended to give effect, provides a right of access
for every data subject to his personal data, which it describes as a "guarantee".
And Article 13 permits member states to adopt legislative measures to restrict
such right when necessary to safeguard various specified interests, including,
in paragraph 1(g), the protection of the rights and freedoms of others. The
protection that the 1998 Act gives to other individuals is similarly qualified,
reflecting, in this respect, the principle of proportionality in play between
the interest of the data subject to access to his personal data and that
of the other individual to protection of his privacy. Section 7(4) to (6)
and 8(7) provide:
"7(4) Where a data controller cannot comply with the request [i.e. for
information under section 7(1)] without disclosing information
relating to another individual who can be identified from that information,
he is not obliged to comply with the request unless –
(a) the other individual has consented to the disclosure
of the information to the person making the request, or
(b) it is reasonable in all the circumstances to comply
with the request without the consent of the other individual, or
(c) the information is contained in a health record and
the other individual is a health professional who has compiled or contributed
to the health record or has been involved in the care of the data subject
in his capacity as a health professional [added by the Data Protection (Subject
Access Modification) (Health) Order 2000, SI 2000/413].
(5) In subsection (4) the reference to information relating
to another individual includes a reference to information identifying that
individual as the source of the information sought by the request; and that
subsection is not to be construed as excusing a data controller from communicating
so much of the information sought by the request as can be communicated without
disclosing the identity of the other individual concerned, whether by the
omission of names or other identifying particulars or otherwise.
(6) In determining for the purposes of subsection (4)(b)
whether it is reasonable in all the circumstances to comply with the request
without the consent of the other individual concerned, regard shall be had,
in particular, to –
(a) any duty of confidentiality owed to the other individual,
(b) any steps taken by the data controller with a view to
seeking the consent of the other individual,
(c) whether the other individual is capable of giving consent,
and
(d) any express refusal of consent by the other individual."
"8(7) For the purposes of section 7(4) and (5) another individual can be
identified from the information being disclosed if he can
from the information being disclosed if he can
be identified from that information, or from that and any other information
which, in the reasonable belief of the data controller, is likely to be in,
or to come into, the possession of the data subject making the request."
- There are two basic points to make about the scheme of sections 7(4)-(6),
and 8(7), for balancing the interests of the data subject seeking access
to his personal data and those of another individual who may be identified
in such data. The first is that the balancing exercise only arises if the
information relating to the other person forms part of the "personal
data" of the data subject, as defined in section 1(1) of the Act. The
second is that the provisions appear to create a presumption or starting
point that the information relating to that other, including his identity,
should not be disclosed without his consent. The presumption may, however,
be rebutted if the data controller considers that it is reasonable "in
all the circumstances", including those in section 7(6), to disclose
it without such consent.
- It is important to note that the question for a data controller posed by
section 7(4)(b) is whether it is reasonable to comply with the request
for information notwithstanding that it may disclose information about another,
not whether it is reasonable to refuse to comply. The distinction
may be of importance, depending on who is challenging the data controller’s
decision, to the meaning of "reasonable" in this context and to
the court’s role in examining it. The circumstances going to the reasonableness
of such a decision, as I have just noted, include, but are not confined to,
those set out in section 7(6), and none of them is determinative. It is important
to note that section 7(4) leaves the data controller with a choice whether
to seek consent; it does not oblige him to do so before deciding whether
to disclose the personal data sought or, by redaction, to disclose only part
of it. However, whether he has sought such consent and, if he has done so,
it has been refused, are among the circumstances mentioned in the non-exhaustive
list in section 7(6) going to the reasonableness of any decision under section
7(4)(b) to disclose, without consent. Thus far, the broad effect of the scheme
is not in dispute, but I shall have to return to the test of reasonableness
in section 7(4) and (6) after considering the respective submissions of Miss
Houghton and Mr. Sales.
- In the course of preparing for the appeal, the FSA reconsidered the
redactions it had made in the computerised documents provided to Mr. Durant,
and in
a few cases it concluded that the names of other individuals redacted should,
after all, be disclosed to him. It did so because, in those particular instances,
the redacted names were part of information constituting his personal data
and because it considered it reasonable to disclose the names after balancing
their interests with those of Mr. Durant, as required by section 7(4) and
(6). But the FSA continues to maintain its entitlement to redact names in
other documents because the information of which they formed part did not
constitute his "personal data" within the definition of that term
in section 1(1), or in two instances, because, although they may have formed
part of his "personal data", it considered that it was not reasonable
to disclose the name after conducting the balancing exercise under section
7(4)-(6). In those two instances the FSA had sought the consent of the one
individual concerned, an FSA employee, who expressly refused to give it on
account of Mr. Durant’s abusive manner to him or her in a telephone conversation.
So, the FSA conducted the balancing exercise in respect of the only two documents
that required it.
The submissions
- Miss Houghton made two main submissions about the test of reasonableness
in section 7(4)(b). The first, which she took from the clear requirement
in section 7(4), was that a data controller, who has been refused consent
or has not attempted to obtain it, is still obliged to consider, before complying
with a request for personal data, whether, in all the circumstances, it is
reasonable to do so. In so expressing the requirement, Miss Houghton turned
to the use of the word "guarantee" in Article 12 of the Directive,
in describing the right of a data subject’s right of access to his personal
data. She maintained that it required a court of first instance dealing with
an application under section 7(9) and any appellate court to decide the matter
of reasonableness for itself. She sought support for this proposition in
the following ruling of the European Court in The Gaskin Case, at
para. 49 (on a provision of United Kingdom law which made access dependent
on the consent of the contributor and contained no such balancing of interests
requirement as is now provided in section 7(4)(b)), a ruling which, she maintained "outlawed" in
this context even the Daly (R (Daly) v. SSHD [2000]
2 AC 532. HL) "anxious scrutiny":
"….The
Court considers … that under such a system the interests of the individual
seeking access to records relating to his
private and family life must be secured when a contributor to the records
either is not available or improperly refuses consent. Such a system is only
in conformity with the principle of proportionality if it provides that an
independent authority finally decides whether access has to be granted in
cases where a contributor fails to answer or withholds consent. No such procedure
was available to the applicant in the present case."
- Mr. Sales acknowledged
the many shades of meaning the word "reasonable" can
bear depending on its context. Given the essentially public law nature of
the statutory remedy provided by section 7(9) for the protection of an individual’s
right to privacy of his personal data and the need to avoid imposing a disproportionate
burden on data controllers, he submitted that this is a matter in which it
is not for a court to substitute its own view for that of a data controller.
He suggested that the appropriate analogue for the requirement of reasonableness
in this context is the Article 8 ECHR requirement of necessity/proportionality.
On such an approach, the court’s task on an application under section 7(9)
would be one of review of the data controller’s decision, but a more intensive Daly - "anxious
scrutiny" - type of review than the traditional Wednesbury test.
Even if the section 7(9) decision were not strictly one of review, but were
to be regarded as a primary decision, the test in such a statutory challenge
of a non-judicial decision-taker would be much the same, see SSHD v. Rehman [2003]
1 AC 153, per Lord Slynn at paras 22 and 26, Lord Steyn at para. 31 and Lord
Hoffmann at paras. 49, 50 and 57.
Conclusions
- As to Miss Houghton’s first submission, on the nature of the court’s function
on an application for access to personal data under section 7(9), and of
this Court on an appeal from a refusal of such application, I consider that
Mr. Sales’ approach is to be preferred. Parliament cannot have intended that
courts in applications under section 7(9) should be able routinely to "second-guess" decisions
of data controllers, who may be employees of bodies large or small, public
or private or be self-employed. To so interpret the legislation would encourage
litigation and appellate challenge by way of full rehearing on the merits
and, in that manner, impose disproportionate burdens on them and their employers
in their discharge of their many responsibilities under the Act. The Directive
(see, in particular, Recitals (1) and (10)) and the Act were intended to
give effect to the requirements of Article 8 ECHR. And the provision in Article
13 of the Directive for exemptions and restrictions, including that in paragraph
1(g), reflected in section 7(4) of the Act, for the rights of third parties,
to the right of access to personal data provided by Article 12 and section
7(1), are of a piece with the similar structure of Article 8.1 and 8.2 ECHR.
Miss Houghton’s reliance on Gaskin to suggest that the Directive provides
a right overriding that of third parties in this context equivalent to a "guarantee",
not only ignores the domestic law under consideration in that case, but,
on the European Court’s own jurisprudence, puts too hard an edge on the use
of that word in Article 12 setting out a data subject’s right of access.
It is plain from Article 13 that member states may pay regard to, among other
matters, proportionality in adopting exemptions from and restrictions on
the right. As the Court said about the Directive in Lindquist, at
para. 83
"83. … its provisions are necessarily relatively general
since it has to be applied to a large number of very different situations.
…the Directive quite properly includes rules with a degree of flexibility
and, in many instances, leaves to the Member States the task of deciding
the details or choosing between options." (see also para. 88 in relation
to sanctions)
Under both international legal codes, it is for the Member State to justify,
subject to a margin of national discretion, any provisions enabling refusal
of disclosure in terms of necessity and proportionality, and similarly, data
controllers should have those notions in mind when considering under section
7(4)-(6) whether to refuse access on that account. So also should courts
on application by way of review of any such decision under section 7(9). But
it does not follow that the courts should assume, if and when such a question
reaches them, the role of primary decision-maker on the merits.
- It follows, as Mr. Sales submitted, that the right to privacy and other
legitimate interests of individuals identified in or identifiable from a
data subject’s personal data are highly relevant to, but not determinative
of, the issue of reasonableness of a decision whether to disclose personal
data containing information about someone else where that person’s consent
has not been sought. The data controller and, if necessary, a court on an
application under section 7(9), should also be entitled to ask what, if any,
legitimate interest the data subject has in disclosure of the identity of
another individual named in or identifiable from personal data to which he
is otherwise entitled, subject to the discretion of the court under section
7(9). The Court of Appeal, in its turn, should have firmly in its mind its
duty of "anxious scrutiny" in such matters, but should not be expected
to conduct an exercise of detailed or other inspection of documents under
section 15(2) of the 1998 Act unless the Judge’s reasoning or lack of it
on the issue and the factual issues raised on the appeal demand it.
Given: 1) the failure of the bulk of Mr. Durant’s claim because of his misconception
of what he is entitled to by way of personal data, a misconception inherent
in the nature of his requests for the redacted information; and 2), the plain
evidence before the Judge and us as to the manual files in question, negating
the existence of a "relevant filing system", we have not felt it
necessary to inspect in any detail the documentation put before us.
- Miss Houghton’s second submission was that data controllers should consider
this question of reasonableness of disclosure on a case by case basis, by
which I think she meant on a document by document or third party individual
by individual basis (see, e.g., R (Lord) v. SSHD [2003] EWHC 2073 (Admin),
per Munby J, at paras. 143-151). She maintained, initially at any rate, that
there was no evidence that the FSA had done that in this case. There appear
to be two categories of other individuals in respect of which Mr. Durant
sought unredacted copies of the documents. The first consists of information
about those whose identities he already knows. Miss Houghton submitted that
there could be no good reason for such redaction and that he should have
been provided with unredacted copies of the documents. The second category
consists of those whom Mr. Durant believes to be employees of the FSA, but
with whom he has had no contact. Miss Houghton submitted that there was no
good reason to remove their names from the disclosed documents; public servants
carrying out their ordinary functions should not be given anonymity as of
right; their names should be disclosed unless there are special reasons for
non-disclosure. However, as I have said, such information, essentially as
to the identities of persons in the FSA with whom Mr. Durant may have had
contact or who have in some way dealt with his complaint, cannot, in the
circumstances, amount to his personal data. And, in any event, it is plain
from the evidence now before us in the form of Mr. Davies’ second witness
statement that there is no factual basis – quite the contrary – for Miss
Houghton’s submission that the FSA did not consider the question of redaction
on a document by document basis.
- Despite the now narrow factual basis for the complaint as to redaction,
it may be helpful for me to comment briefly on the respective arguments of
principle advanced by Miss Houghton and Mr. Sales on the issue of reasonableness
of disclosure of personal data under section 7(4)(b).
- It is important for data controllers to keep in mind the two stage thought
process that section 7(4) contemplates and for which section 7(4)-(6) provides.
- The first is to consider whether information about any other individual
is necessarily part of the personal data that the data subject has
requested. I stress the word "necessarily" for the same reason
that I stress the word "cannot" in the opening words of section
7(4), "Where a data controller cannot comply with the request
without disclosing information about another individual who can be identified
from the information". If such information about another is not necessarily
part of personal data sought, no question of section 7(4) balancing arises
at all. The data controller, whose primary obligation is to provide information,
not documents, can, if he chooses to provide that information in the form
of a copy document, simply redact such third party information because it
is not a necessary part of the data subject’s personal data.
- The second stage, that of the section 7(4) balance, only arises where the
data controller considers that the third party information necessarily forms
part of the personal data sought. In that event, it is tempting to adopt
Mr. Sales’s submission that, where the status of an individual is obvious
and his or her identity is immaterial or of little legitimate value to the
data subject, it would normally be reasonable to withhold information identifying
that person in the absence of his consent. However, it is difficult to think
in the abstract of information identifying another person and any other information
about him which would be so bound up with the data subject as to qualify
as his personal data, yet be immaterial or of little legitimate value to
him. Much will depend, on the one hand, on the criticality of the third party
information forming part of the data subject’s personal data to the legitimate
protection of his privacy, and, on the other, to the existence or otherwise
of any obligation of confidence to the third party or any other sensitivity
of the third party disclosure sought. Where the third party is a recipient
or one of a class of recipients who might act on the data to the data subject’s
disadvantage (section 7(1)(b)(iii)), his right to protect his privacy may
weigh heavily and obligations of confidence to the third party(ies) may be
non-existent or of less weight. Equally, where the third party is the source
of the information, the data subject may have a strong case for his identification
if he needs to take action to correct some damaging inaccuracy, though here
countervailing considerations of an obligation of confidentiality to the
source or some other sensitivity may have to be weighed in the balance. It
should be remembered that the task of the court in this context is likely
to be much the same as that under section 7(9) in the exercise of its general
discretion whether to order a data controller to comply with the data subject’s
request (see para. 74 below). In short, it all depends on the circumstances
whether it would be reasonable to disclose to a data subject the name of
another person figuring in his personal data, whether that person is a source,
or a recipient or likely recipient of that information, or has a part in
the matter the subject of the personal data. Beyond the basic presumption
or starting point to which I referred in paragraph 55 above, I believe that
the courts should be wary of attempting to devise any principles of general
application one way or the other.
- However, as I have indicated, on the facts of the case, the redaction issue
is barely worth all the attention given to it in the arguments. It is clear
from the Judge’s examination of the documents and the evidence to this Court
of Mr. Davies that all the redactions, save arguably two, do not constitute "personal
data" for the reasons I have given, and the Act does not, therefore,
entitle Mr. Durant to that information. As to those two redactions, they
were of the name of an FSA employee which, in itself, can have been of little
or no legitimate value to Mr. Durant and who had understandably withheld
his or her consent because Mr. Durant had abused him or her over the telephone.
The discretion issue
- The fourth issue, which if I am right in my conclusions on the first three
issues, is no longer live, is the scope of a court’s discretion under section
7(9) of the Act to order a data controller to comply with a request for information
under the section. Section 7(9) provides:
"If a court is satisfied on the application of any person who has made a request
under the foregoing provisions of this section
that the data controller in question has failed to comply with the request
in contravention of those provisions, the court may order him to comply
with the request." [my emphasis]
- The Judge, whilst holding that Mr. Durant was not entitled, as a matter
of construction of the Act, to the information he had sought, added that,
even if the FSA had not complied with its duty under section 7, he would
not, in the exercise of the discretion given to him by section 7(9), have
ordered disclosure. He set out three reasons for that, at pages 12G-13C:
"First, I cannot see that the information could be of any practical value to the
appellant. Secondly, the purpose of the legislation
… is to ensure that records of an inaccurate nature are not kept about an
individual. A citizen needs to know what the record says in order to have
an opportunity of remedying an error or false information. In this case the
appellant seeks disclosure not to correct an error but to fuel a separate
collateral argument that he has either with Barclays Bank or with the FSA,
litigation which is in any event doomed to failure. [Thirdly,] I am entirely
satisfied on the facts of the case that the FSA have acted at all times in
good faith, and indeed there has been no suggestion to the contrary from
the appellant; his argument is with Barclays Bank, not with the FSA."
The submissions
- Miss Houghton submitted that at least two of the reasons would have been
illegitimate reasons for declining to exercise his discretion against ordering
compliance with Mr. Durant’s request. She maintained that the purpose for
which Mr. Durant wanted the information was no more relevant to the exercise
of this discretion than to the primary question of his entitlement to the
information. And she maintained that the Judge gave undue weight to the other
matters, particularly the proposition that the primary purpose of the Act
was to enable people to check the accuracy of their personal data, since
Article 1 of the Directive gave primacy to protection of privacy.
- The basis for Miss Houghton’s submissions was the argument on which she has
relied in part on the redaction issue, namely that the Directive created
a guarantee of entitlement to access to personal data, a guarantee that could
not, save as provided by the Directive, be watered down by the Act. She maintained
that, as a result, the scope for a court to exercise its discretion against
requiring compliance when a person had otherwise justified his request under
section 7 was limited. She relied on Articles 12 and 22 of the Directive.
As I have said, Article 12 requires Member States to "guarantee" every
data subject the right to obtain the relevant data from the data controller;
and, although Article 13 enables a Member State legislatively to restrict
the obligations and rights provided for in, among other Articles, Article
12, Article 22 requires each Member State to provide a judicial remedy for
any breach of rights guaranteed by its national law. Thus, she submitted,
section 7 as a whole, and section 7(9) in particular, should be construed
so to circumscribe the discretion of a court to give effect to that guarantee.
- Miss Houghton contended that the only practical discretion derived from the
word "may" in section 7(9) was to give effect to the partial
exemption provided by Article 13 to "restrict" the obligation to
disclose to certain specified circumstances, namely when such a restriction
constituted "a necessary measure to safeguard" various national
and public interests and "the protection of the data subject or of the
rights and freedoms of others". She gave instances of the United Kingdom’s
exercise of that power of restriction in a number of "subject access
modification orders". However, she maintained that such power to restrict
does not extend to interpreting section 7(9) of the Act as empowering a court,
by way of an exercise of discretion, to override the guarantee for which
the Directive provides. She swept together all these arguments by inviting
the Court’s attention to the response to them of Ward LJ in granting permission
for this appeal:
"… this Act is on the statute book, in order to comply with a directive from
the European Union. It is well known, therefore, that
the court should be construing the directive rather than the words of the
statute, for the statute has to give way to the directive. Consequently,
since the directive requires member states to guarantee the data subject
the right to obtain relevant data from the data controller, she submits –
and I see the force of the argument – that the judge’s error was to circumscribe
his discretion. The discretion might arguably be better expressed to be to
allow disclosure unless good reason is shown why it should not be disclosed.
Moreover, there was more than one purpose to this Act, as the schedule to
the Act makes plain."
- Mr. Sales agreed that the Act must be interpreted and applied so as to
conform with the Directive, but said that there may be circumstances in which
a court might in the exercise of its discretion decline disclosure on grounds
compatible with one or other of those specified in Article 13. However, he
did not seek to rely on such an argument in the circumstances of this case,
if the FSA lost on any of the primary issues.
Conclusions, so far as they go
- If I am correct in my conclusions on the primary issues, the question of
exercise of discretion under section 7(9) whether or not to order compliance
with Mr. Durant’s requests does not call for answer. I say only that I agree
with the recent observations of Munby J in Lord, at para. 160, that
the discretion conferred by that provision is general and untrammelled, a
view supported, I consider, by the observations of the European Court in Lindquist, at
paras. 83 and 88, to which I have referred (see para. 61 above). I add, as
a corollary to my comment in paragraph 66 on the subject of reasonableness
of disclosure of information about a third party under section 7(4)(b), that
it might be difficult for a court to conclude under that provision that it
was reasonable to comply with a data subject’s request so as to disclose
such information, yet exercise its discretion under section 7(9) against
ordering compliance with that aspect of the data subject’s request. On the
facts of this case, I need only say that, for the reasons given by the Judge,
I can see no basis for disagreeing with his putative decision.
- Accordingly, for the reasons I have given, I would dismiss the appeal.
Lord Justice Mummery:
- I agree.
Lord Justice Buxton:
- I respectfully agree with everything that has fallen from my Lord. I add only
a very few words of my own, limited to the concept of "personal
data". I do so because that is the most important issue in the appeal,
determinative of most of the complaints made by Mr. Durant, as it is likely
to be determinative of most questions arising under the 1998 Act. I do so
also because, despite its centrality, the issue did not receive the attention
earlier in the case that it should have done; and, in particular, I am confident
that had the issue been explored before him in the terms in which it was
eventually attended to before us the single Lord Justice would have been
most unlikely to have granted permission for this appeal to be pursued.
- By section 1 of the 1998 Act, personal data is [processed or recorded]
information that (i) relates to a living individual who (ii) can be identified
from those data either taken alone or in conjunction with other information.
Much of the argument on behalf of Mr. Durant went straight to limb (ii),
without considering the implications of limb (i). Plainly, Mr. Durant could
be identified "from", or perhaps more accurately in conjunction
with, the information sought by him that is summarised by my Lord in his
para. 24; the reason for hesitation being only that in some cases it is Mr.
Durant’s identity that leads to the information, rather than the information
leading to Mr. Durant. Equally plainly, however, the requirement that the
information should "relate to" Mr. Durant imposes a limitation
on that otherwise very wide claim.
- The guiding principle is that the Act, following Directive 95/46, gives
rights to data subjects in order to protect their privacy. That is made plain
in recitals (2), (7) and (11) to the Directive, and in particular by recital
(10), which tells us that:
"the object of the national laws on the processing of personal data is to protect
fundamental rights and freedoms, notably the
right to privacy, which is recognised both in Article 8 of the European Convention
for the Protection of Human Rights and Fundamental Freedoms and in the general
principle of Community law"
The notions suggested by my Lord in his para. 28 will, with
respect, provide a clear guide in borderline cases. A recent example of such
personal data is information about the occupation, hobbies and in one case
medical condition of named, and therefore identifiable, individuals, such
as the Court of Justice addressed in Case C-101/01, Lindqvist, 6 November
2003.
- But the information sought by Mr. Durant was by no stretch of the imagination
a borderline case. On the ordinary meaning of the expression, relating to
him, Mr. Durant’s letters of complaint to the FSA, and the FSA’s investigation
of that complaint, did not relate to Mr. Durant, but to his complaint. The
1998 Act would only be engaged if, in the course of investigating the complaint,
the FSA expressed an opinion about Mr. Durant personally, as opposed to an
opinion about his complaint; a contingency for which, nonetheless, the draftsman
of the Act thought it necessary to make specific provision. And on the purposive
construction of the expression, as investigated in para. 78 above, access
to that material could not possibly be necessary for or even relevant to
any protection by Mr. Durant of his privacy. The excessive nature of his
demands is perhaps best illustrated by the claim mentioned by my Lord in
his para. 62, that Mr. Durant should be told the identity of all those at
the FSA who had handled his complaint. In the formal FSA complaints process
in which Mr. Durant engaged before bringing the present proceedings (see
para. 10 above) that information may or may not have been relevant, though
there is no indication that Mr. Durant or those who may have been advising
him then sought it. It has nothing whatsoever to do with Mr. Durant’s privacy,
and proceedings under the 1998 Act cannot be used now, or at all, to extract
it.
- In short, these proceedings were misconceived. In future, those contemplating
such proceedings and those advising them must carefully scrutinise the guidance
given in my Lord’s judgment before going any further. That process should
prevent the wholly unjustifiable burden and expense that has been imposed
on the data controller in this case.