Common Services Agency v Scottish Information Commissioner (Scotland)

The House of Lords considered the interaction between the Data Protection Act 1998 and the Freedom of Information (Scotland) Act 2002 where a requester sought small‑cell epidemiological data. The court held that information which has been rendered effectively anonymous so that a living individual is no longer identifiable is not "personal data" within the meaning of section 1(1) DPA 1998 and therefore is not exempt under section 38 FOISA 2002. If anonymisation is not achieved, disclosure of personal data remains subject to the data protection principles in Schedule 1 DPA 1998 and the relevant conditions in Schedule 2 and, where appropriate, Schedule 3. The court recalled the Court of Session's decision and remitted the matter to the Scottish Information Commissioner to determine as a matter of fact whether the proposed form of "barnardised" data would be sufficiently anonymised and, if not, whether disclosure would nonetheless satisfy the applicable Schedule 2 and Schedule 3 conditions.

This appeal arose from a request made on behalf of an MSP for the incidence of childhood leukaemia (age 0–14) by census ward and year (1990–2003) for the Dumfries and Galloway postal area. The Common Services Agency (the Agency / ISD) refused on the grounds that small cell counts created a significant risk of indirect identification of living children and that the requested information therefore constituted personal data and was exempt under section 38 FOISA 2002. The Scottish Information Commissioner ordered release of the data in a "barnardised" form (a disclosure control technique adding small random perturbations). The Agency appealed to the Court of Session (First Division) which upheld the Commissioner's decision. The Agency then appealed to the House of Lords.

The key issues identified were:

• whether information produced by perturbation (barnardisation) was "held" by the Agency at the time of request;
• whether the barnardised information, if held, would be "personal data" under section 1(1) DPA 1998;
• if it were personal data, whether disclosure would contravene the data protection principles in Schedule 1 DPA 1998 and meet any relevant conditions in Schedule 2 and Schedule 3 (sensitive personal data).

The House of Lords held that producing data in a barnardised form did not amount to creation of new information such that it was not "held"; it could be treated as information in a different form of that which was held. On the characterisation question, the court explained that data rendered anonymous so that the data subject is no longer identifiable fall outside the definition of "personal data" (recital 26 to Directive 95/46/EC and section 1(1) DPA 1998). If anonymisation is not achieved, the information remains personal data in the hands of the controller and disclosure is governed by the data protection principles; where the data concern health they are likely to be "sensitive personal data" and require satisfaction of at least one condition in both Schedule 2 and Schedule 3. Because the Commissioner had not made the necessary factual findings about the effectiveness of barnardisation or, if it failed, whether any Schedule 2 / Schedule 3 condition was met, the House of Lords allowed the appeal, recalled the Court of Session interlocutor and remitted the application to the Commissioner to decide those factual and legal issues afresh.

Appeal allowed. The House of Lords held (1) information provided in a masked or perturbed form ("barnardised") can be "held" by the public authority for the purposes of FOISA 2002; (2) data rendered truly anonymous so that a living individual is no longer identifiable do not constitute "personal data" under section 1(1) DPA 1998 and are not caught by section 38 FOISA 2002; (3) if barnardisation does not achieve effective anonymisation the information remains "personal data" and disclosure must comply with the data protection principles and meet any applicable conditions in Schedule 2 and Schedule 3 DPA 1998; (4) because the Commissioner had not made the necessary findings on anonymisation or on satisfaction of Schedule 2/3 conditions, the decision was set aside and the matter remitted to the Commissioner for fresh consideration.

Request to Common Services Agency refused; decision of Scottish Information Commissioner issued 15 August 2005 (ordered release in barnardised form); appeal to Court of Session (First Division) refused (appeal from Commissioner) (interlocutor 1 December 2006; reported [2006] CSIH 58 / [2007] SC 231); further appeal to the House of Lords allowed ([2008] UKHL 47) and matter remitted to the Commissioner.