EA-2023-0405 - [2024] UKFTT 00700 (GRC)
First-tier Tribunal (General Regulatory Chamber)

Date: 30-Jul-2024

Legal framework

Personal data

73.

The relevant parts of s 40 of FOIA provide:

(1)

Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject.

(2)

Any information to which a request for information relates is also exempt information if –

(a)

It constitutes personal data which does not fall within subsection (1), and

(b)

either the first, second or the third condition below is satisfied.

(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a)

would contravene any of the data protection principles, or..

74.

Personal data is defined in section 3 of the Data Protection Act 2018 (DPA):

(2)

‘Personal data’ means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3)

‘Identifiable living individual’ means a living individual who can be identified, directly or indirectly, in particular by reference to—

(a)

an identifier such as a name, an identification number, location data or an online identifier, or

(b)

one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

75.

This is in line with the definitions in the General Data Protection Regulation (EU) 2016/679. Recital 26 to the Regulation is relevant, because it refers to identifiability and to the means that should be taken into account:

(26)

The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

76.

The definition of "personal data" consists of two limbs:

i)

Whether the data in question "relate to" a living individual and

ii)

Whether the individual is identified or identifiable, directly or indirectly, from those data.

77.

The tribunal is assisted in identifying ‘personal data’ by the cases of Ittadieh v Cheyne Gardens Ltd [2017] EWCA Civ 121; Durant v FSA [2003] EWCA Civ 1746 and Edem v Information Commissioner [2014] EWCA Civ 92. Although these relate to the previous iteration of the DPA, we conclude the following principles are still of assistance.

78.

In Durant, Auld LJ, giving the leading judgment said at [28]:

Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree. It seems to me that there are two notions that may be of assistance. The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject's involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person's or body's conduct that he may have instigated.

79.

In Edem Moses LJ held that it was not necessary to apply the notions of biographical significance where the information was plainly concerned with or obviously about the individual, approving the following statement in the Information Commissioner's Guidance:

It is important to remember that it is not always necessary to consider 'biographical significance' to determine whether data is personal data. In many cases data may be personal data simply because its content is such that it is 'obviously about' an individual. Alternatively, data may be personal data because it is clearly 'linked to' an individual because it is about his activities and is processed for the purpose of determining or influencing the way in which that person is treated. You need to consider 'biographical significance' only where information is not 'obviously about' an individual or clearly 'linked to' him.

80.

The High Court in R (Kelway) v The Upper Tribunal (Administrative Appeals Chamber) & Northumbria Police [2013] EWHC 2575 held, whilst acknowledging the Durant test, that a Court should also consider:

(2)

Does the data "relate" to an individual in the sense that it is "about" that individual because of its:

(i)

"Content" in referring to the identity, characteristics or behaviour of the individual?

(ii)

"Purpose" in being used to determine or influence the way in which the individual is treated or evaluated?

(iii)

"Result" in being likely to have an impact on the individual's rights and interests, taking into account all the circumstances surrounding the precise case (the WPO test)?

(3)

Are any of the 8 questions provided by the TGN applicable?

These questions are as follows:

(i)

Can a living individual be identified from the data or from the data and other information in the possession of, or likely to come into the possession of, the data controller?

(ii)

Does the data 'relate to' the identifiable living individual, whether in personal or family life, or business or profession?

(iii)

Is the data 'obviously about' a particular individual?

(iv)

Is the data 'linked to' an individual so that it provides particular information about that individual?

(v)

Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?

(vi)

Does the data have any biographical significance in relation to the individual?

(vii)

Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?

(viii)

Does the data impact or have potential impact on an individual, whether in a personal or family or business or professional capacity (the TGN test)?

(4)

Does the data "relate" to the individual including whether it includes an expression of opinion about the individual and/or an indication of the intention of the data controller or any other person in respect of that individual. (the DPA section 1(1) test)?

81.

The data protection principles are set out in Article 5(1) of the GDPR and s 34(1) DPA. Article 5(1)(a) GDPR provides that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Article 6(1) GDPR provides that processing shall be lawful only if and to the extent that at least one of the lawful bases for processing listed in the Article applies.

82.

The only potentially relevant basis here is article 6(1)(f):

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which requires protection of personal data, in particular where the data subject is a child.

83.

The case law on article 6(1)(f)’s predecessor established that it required three questions to be answered, which we consider are still appropriate if reworded as follows:

1.

Is the data controller or a third party pursuing a legitimate interest or interests?

2.

Is the processing involved necessary for the purposes of those interests?

3.

Are the above interests overridden by the interests or fundamental rights and freedoms of the data subject?

84.

Lady Hale said the following in South Lanarkshire Council v Scottish Information Commissioner [2013] 1 WLR 2421 about article 6(f)’s slightly differently worded predecessor:

27.

... It is well established in community law that, at least in the context of justification rather than derogation, ‘necessary’ means ‘reasonably’ rather than absolutely or strictly necessary .... The proposition advanced by Advocate General Poiares Maduro in Huber is uncontroversial: necessity is well established in community law as part of the proportionality test. A measure which interferes with a right protected by community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less. ...

85.

Section 40(3A) is an absolute exemption and therefore the separate public interest balancing test under FOIA does not apply.