The UK Court of Appeal issued judgment in December 2003 in the case of Durant v. Financial Services Authority. The judgment provides important guidance on the meaning of "personal data" under the UK Data Protection Act 1998 ("DPA"), which implements the EU Data Protection Directive 96/46/EC, and provides guidance on responding to requests for access to information and documents under the subject access provisions of the DPA.

The case concerned a request for access to information and documents made by a Mr Durant to the Financial Services Authority ("FSA"), the body responsible for regulation of the financial services industry in the UK. Mr. Durant had made complaints to the FSA regarding Barclay’s Bank PLC, and subsequently to the FSA itself regarding its handling of that complaint. In 2001 he made a subject access request under s.7 of the DPA, demanding disclosure of information and documents held by the FSA relating to his complaints. The FSA provided Mr Durant with copies of certain documents which it held in electronic form. However, parts of these documents were redacted to remove names of other individuals, and the FSA refused to provide copies of documents relating to the complaints from its manual filing systems. Mr Durant sought disclosure of unredacted copies of the electronic documents, and of documents from the FSA’s manual filing system. A County Court Judge refused to order further disclosure in 2002, and Mr Durant appealed to the Court of Appeal.

The Court of Appeal considered several important issues, including:

  1. the meaning of "personal data" under the DPA, and in particular whether documents relating to Mr Durant’s complaints amounted to personal data of which he was the data subject;
  2. the meaning of "relevant filing system", and whether the FSA’s manual filing systems amounted to "relevant filing systems", which would be subject to the Act; and
  3. whether the FSA had acted correctly in redacting information from electronic documents.

The Court of Appeal refused to order further disclosure of documents to Mr Durant, and held that a narrow interpretation should be given to both of the terms "personal data" and "relevant filing system":

  • In relation to the definition of "personal data" the Court stated that mere mention of an individual in a document does not necessarily amount to personal data. In order to constitute personal data, information (whether electronic or manual) should have the individual as its focus. The fact that Mr Durant had initiated the complaints to the FSA did not mean that all information relating to those complaints amounted to his personal data.
  • A manual filing system would only be a "relevant filing system" (and so be caught by the DPA) if the files within it are structured and referenced in such a way as to indicate at the outset of a search where in any file specific information about the individual can readily be located. The FSA’s files, which included sections for each complaint, did not meet these criteria.
  • The FSA had acted properly in redacting information in documents which it had disclosed, since the information removed did not amount to personal data about Mr Durant.

The decision has important implications for those either making or responding to subject access requests in the UK, and indicates a potentially significant restriction on the scope of information which is subject to the DPA regime in the UK. 

Copyright © 2007, Mayer, Brown, Rowe & Maw LLP. and/or Mayer Brown International LLP. This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.

Mayer Brown is a combination of two limited liability partnerships: one named Mayer Brown LLP, established in Illinois, USA; and one named Mayer Brown International LLP, incorporated in England.