Relevant case law and guidance on the meaning of “personal data”
The FTT in this case adopted as its starting point the three limbs to the definition of personal data distilled from the legislation and Upper Tribunal Judge Jacobs’ analysis in NHS Business Services Authority v Information Commissioner and Spivack [2021] UKUT 192 (AAC):
“Limb (i): data which identifies a living individual directly;
Limb (ii): Data which identifies a living individual indirectly when combined with other information in the possession of (or likely reasonably to be in the possession of) the data controller; and
Limb (iii): As limb (ii), but where the additional information is or is likely reasonably to be in the possession of a third party.”
The DPA 1998 was introduced to implement in domestic law Directive 95/46/EC and its provisions must be interpreted, insofar as possible, in a manner consistent with the Directive, including the recitals: per Cranston J in Department of Health v Information Commissioner [2011] EWHC 1430 (Admin) at paragraph 17 (“Department of Health”).
Recital 26 of the Directive gives the following guidance relevant to the definition of personal data:
“Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable; …”
Article 2(a) of the Directive provides that for the purposes of the Directive:
“‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;”
Accordingly, the Directive’s concept of “personal data” takes account of the material that is reasonably likely to be accessed by others, as well as the data controller, for identification purposes. Recital 26 also refers to the concept of anonymisation, as a process whereby personal data could cease to be personal data (under any limb) if it would no longer be possible, by all reasonably likely means, for a person to be identified from the data.
A number of cases have considered issues as to the dividing line between personal data and anonymised data, or what the authorities refer to as “plain vanilla” data or just “information”. We return to the case law below. Some of the developments in that case law are reflected in the ‘new’ DPA 2018 regime in the equivalent recital to the UK GDPR (also recital 26) as follows:
“The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”
The new recital 26 thus refers to the concept of ‘pseudonymisation’ whereby (unlike true anonymisation) data remains personal data because the individual remains identifiable by some reasonably likely means. The Article 29 Working Party, in its Opinion 05/2014 on Anonymisation Techniques warned about the dangers of conflating anonymisation and pseudonymisation (at 2.2.3):
“A specific pitfall is to consider pseudonymised data to be equivalent to anonymised data. The Technical Analysis section will explain that pseudonymised data cannot be equated to anonymised information as they continue to allow an individual data subject to be singled out and linkable across different data sets. Pseudonymity is likely to allow for identifiability, and therefore stays inside the scope of the legal regime of data protection.”
This issue as to the dividing line between personal data and plain vanilla data, which is relevant to both the limb (ii) and limb (iii) definitions of personal data, has been considered in a number of domestic and European authorities. Those authorities have considered the issue in two contexts: (a) controlled release of data under the Freedom of Information Act 2000 (“FOIA”); and (b) alleged unlawful disclosure cases under the data protection regime. The focus in those contexts has generally been the limb (iii) definition of personal data and the question of whether the information would be personal data in the hands of a third party. The case law also illustrates that data may be personal data in the hands of one entity, but not personal data in the hands of another, if the former holds or can access additional information that enables identification to take place, but the latter does not.
As to the relevant case law, the starting point is in principle the decision of the House of Lords in Common Services Agency v Scottish Information Commissioner [2008] 1 WLR 1550 (“CSA”). However, the parties in this case agreed that there is no need for us to go back to the judgments of their Lordships in that case as, on the issue with which we are concerned, subsequent decisions of the courts and this Upper Tribunal have analysed the effect and implications of the House of Lords’ decision, and it is sufficient to refer to those subsequent cases for the purposes of determining this appeal.
The Information Commissioner v Miller [2018] UKUT 229 (AAC) provides the most convenient summary of the principles to be applied when considering limb (iii) issues. This was a decision of Upper Tribunal Judge Markus QC concerned with a request made under FOIA for data on homelessness from each local authority. For data relating to five or fewer individuals or households, the Department for Communities and Local Government (DCLG) had relied on the exemption for personal data in section 40(2) of FOIA to withhold disclosure. The FTT held that the data was not personal data and ordered release of the data. Judge Markus dismissed the appeal, but set out the relevant legal principles by reference to the case law as follows:
“10. The correct approach to the application of section 1(1)(b) to disclosure of anonymised data was addressed by the House of Lords in Common Services Agency v Scottish Information Commissioner [2008] 1 WLR 1550. That decision was discussed by the Administrative Court in R (Department of Health) v Information Commissioner [2011] EWHC 1430 (Admin). Cranston J explained that the House of Lords had decided that, even though the data controller holds the key to identification of individuals to which the data relates, whether it is personal information when disclosed depends on “whether any living individuals can be identified by the public following disclosure of the information” (paragraph 52). In Information Commissioner v Magherafelt District Council [2013] AACR 14 the Upper Tribunal said that the decision in Department of Health meant that the proper approach to whether anonymised information is personal data within section 1(1)(b), for the purposes of a disclosure request, is to consider whether an individual or individuals could be identified from it and other information which is in the possession of, or likely to come into the possession of a person other than the data controller after disclosure.
11. In the Department of Health case Cranston J said at paragraph 66 that the assessment of the likelihood of identification included “assessing a range of every day factors, such as the likelihood that particular groups, such as campaigners, and the press, will seek out information of identity and the types of other information, already in the public domain, which could inform the search.”
12. As for the likelihood of identification, Recital 26 of the preamble to the Directive provides that “account should be taken of all the means likely reasonably to be used”. In Magherafelt the Upper Tribunal acknowledged the “motivated intruder” test advanced by the Information Commissioner:
“37 …A ‘motivated intruder’ was ‘…a person who starts without any prior knowledge but who wishes to identify the individual or individuals referred to in the purportedly anonymised information and will take all reasonable steps to do so.’. The question was then one of assessment by a public authority as to ‘… whether, taking account of the nature of the information, there would be likely to be a motivated intruder within the public at large who would be able to identify the individuals to whom the disclosed information relates.”
13. While not expressly adopting that test, the approach of the Upper Tribunal in that case was consistent with it. A similar approach was taken by the Court of Session (Inner House) in Craigdale Housing Association v The Scottish Information Commissioner [2010] CSIH 43 at paragraph 24:
“…it is not just the means reasonably likely to be used by the ordinary man on the street to identify a person, but also the means which are likely to be used by a determined person with a particular reason to want to identify the individual…using the touchstone of, say, an investigative journalist…”
14. The Information Commissioner’s Code of Practice on “Anonymisation: managing data protection risk” provides guidance at page 22/23 on the application of the “motivated intruder” test:
“The approach assumes that the ‘motivated intruder’ is reasonably competent, has access to resources such as the internet, libraries, and all public documents, and would employ investigative techniques such as making enquiries of people who may have additional knowledge of the identity of the data subject or advertising for anyone with information to come forward. The ‘motivated intruder’ is not assumed to have any specialist knowledge such as computer hacking skills, or to have access to specialist equipment or to resort to criminality such as burglary, to gain access to data that is kept securely.”
15. The guidance also addresses the risk of re-identification where one individual or group of individuals already knows a great deal about another individual, such as a family member, colleague or doctor, and says at page 26:
“The starting point for assessing re-identification risk should be recorded information and established fact. It is easier to establish that particular recorded information is available, than to establish that an individual – or group of individuals - has the knowledge necessary to allow re-identification. However, there is no doubt that non-recorded personal knowledge, in combination with anonymised data, can lead to identification. It can be harder though to substantiate or argue convincingly. There must be a plausible and reasonable basis for non-recorded personal knowledge to be considered to present a significant re-identification risk.” (my emphasis)
16. The guidance also distinguishes between identification and an educated guess:
“[Identification] implies a degree of certainty that information is about one person and not another. Identification involves more than making an educated guess that information is about someone; the guess could be wrong. The possibility of making an educated guess about an individual’s identity may present a privacy risk but not a data protection one because no personal data has been disclosed to the guesser. Even where a guess based on anonymised data turns out to be correct, this does not mean that a disclosure of personal data has taken place.”
In the present case, DSG relies on a number of other decisions where it was emphasised that disclosure of data that is personal data in the hands of the data controller (on the limb (ii) test), but only plain vanilla data in the hands of a third party (on the limb (iii) test), is not unlawful as, once released, the data in such cases is no longer subject to the data protection regime.
Thus in APPGER v Information Commissioner [2011] UKUT 153 (AAC) (“APPGER”), the Upper Tribunal considered information requested from the MOD under FOIA. The MOD relied on section 40 of FOIA to resist disclosure of information on the numbers of individuals transferred to particular detention facilities or particular kinds of detention facilities. The Commissioner determined this was not personal data. On appeal, the First-tier Tribunal and Upper Tribunal agreed. The Upper Tribunal in its judgment considered the implications of the House of Lords’ decision in the CSA case. Having determined at paragraph 125 that the reasoning of their Lordships on this issue contained three different approaches and no majority decision, the Upper Tribunal went on to express its own view at paragraphs 126 - 128 as follows. The Upper Tribunal’s conclusion at paragraph 128 has a particular resonance for the present case, indicated by our emphasis below:
“126. We consider there is force in Baroness Hale’s analysis, which Mr Hickman strongly urged us to adopt. It is difficult to imagine any situation where disclosure of anonymised information about living individuals, whose identities were known to the data controller, would not be regarded as disclosure of personal data, if one were required to take into account, in determining whether individuals were identifiable, the data controller’s own knowledge of their identity. At first sight, that cannot be right, since it would have the result of retaining protection for anodyne information not affecting anyone’s privacy (what Lord Rodger called “plain vanilla data”). The Commissioner similarly urged on us that the MOD’s construction would give rise to absurdities. Mr Hooper submitted that on the MOD’s construction, the number of individuals who had died of heart disease in the UK over the last decade would amount to “personal data” if this number were in the hands of a data controller that held the underlying records identifying each individual concerned, however large that number might be, but it would plainly not be a sensible construction of the DPA to require all processing of such a wholly general piece of information to comply with the data protection principles.
127. We cannot accept the Commissioner’s argument in full. As we understand the reasoning of Lord Hope, it is important to remember in this context that the definition of ‘processing’ does not only cover disclosure. Information or data are also processed when they are merely held, or indeed when they are destroyed (so that no one can any longer be identified). Anonymisation by redaction is itself a form of processing. If the data controller carries out such anonymisation, but also retains the unredacted data, or retains the key by which the living individuals can be identified, the anonymised data remains “personal data” within the meaning of paragraph (b) of the definition and the data controller remains under a duty to process it only in compliance with the data protection principles. On this basis, therefore, and contrary to the submissions of the Commissioner, we consider that the analysis of the essence of Lord Hope’s reasoning by the Information Tribunal in Department of Health v Information Commissioner and Prolife Alliance EA/2008/0074 (15 October 2009) at paragraphs 30-43 was probably correct.
128. However, we remain concerned at the use of this analysis in such a way as would have the effect of treating truly anonymised information as if it required the protection of the DPA, in circumstances where that is plainly not the case and indeed would be absurd. Lord Hope’s reasoning appears to lead to the result that, in a case where the data controller retains the ability to identify the individuals, the processing of the data by disseminating it in a fully anonymised form, from which no recipient can identify individuals, can only be justified by showing that it is effected in compliance with the data protection principles. Certainly the whole of the information still needs the protection of the DPA in the hands of the data controller, for as long as the data controller retains the other information which makes individuals identifiable by him. But outside the hands of the data controller the information is no longer personal data, because no individual can be identified. We therefore think, with diffidence given the difficulties of interpretation which led to such divergent reasoning among their Lordships, the best analysis is that disclosure of fully anonymised information is not a breach of the protection of the Act because at the moment of disclosure the information loses its character as personal data. It remains personal data in the hands of the data controller because the controller holds the key, but it is not personal data in the hands of the recipients, because the public cannot identify any individual from it. That which escapes from the data controller to the outside world is only plain vanilla data. We think this was the reasoning that Baroness Hale had in mind, when she said at [92]:
“For the purpose of this particular act of processing, therefore, which is disclosure of these data in this form to these people, no living individual to whom they relate is identifiable”.”
Cranston J in Department of Health disagreed with the Upper Tribunal’s analysis of CSA in APPGER, considering that it was not open to a lower court or Tribunal to rely on the speech of Baroness Hale when “our system of precedent demands that the High Court treat Lord Hope’s speech as determinative” (paragraph 45). For what it is worth, we agree with Cranston J’s analysis of the application of the doctrine of precedent, but we do not consider that anything turns on this particular point of divergence between APPGER and Department of Health. In the course of argument, Mr Lockley for the Information Commissioner referred us to paragraphs 46 - 47 of Cranston J’s judgment, emphasising Lord Hope’s view that even “barnardised” personal data (barnardisation is a means of anonymising statistical data) would remain personal data in the hands of the data controller, up to and including the point of disclosure to a third party when the lawfulness of its disclosure would need to be judged by reference to the data protection principles. Cranston J’s analysis of Lord Hope’s reasoning was as follows (emphasis added; the parties are in agreement about the “not” missing from the first paragraph):
“46. Lord Hope's reasoning began by pointing out that disclosure is only one of the ways in which a data controller can process information. The data controller must comply generally with data protection principles. It could [not] exclude personal data from the duty to comply with the data protection principles simply by editing the data so that a third party would not find it possible from that part alone, without the assistance of other information, to identify a living individual: [22]. If the definition of personal data could be read in a way that excluded information that had been rendered fully anonymous, putting it into that form would take it outside the scope of the agency's duty as data controller: [23]. Lord Hope continued that the relevant part of the definition was limb B, since a living individual could not be identified from those data, ie the barnardised statistics themselves (limb A). Data would not be personal data if the other information was incapable of adding anything, and the data itself could not lead to identification, or if the data had been put into a form from which individuals to whom they related could not be identified at all, even with the assistance of the "other information" from which they were derived: [24]. In the latter situation, a person who had access to anonymised data and "other information" held by the data controller would find nothing in the anonymised data that would enable identification. It would be the "other information" only, and not anything in the anonymised data, which would result in the identification: [24].
47. Lord Hope then referred to the wording of recital 26 of the preamble to Directive 95/46/EC, noting that the definition of personal data contained in Section 1(1) of the DPA gives effect to it. The first two parts of the recital refer to situations set out expressly in Section 1(1), the third part casting further light on what member states were expected to achieve when implementing the directive: [25]. Lord Hope's analysis is then completed at paragraphs 26 to 27, which deserve quoting in extenso.
"26. The effect of barnardisation would be to conceal, or disguise, information about the number of incidences of leukaemia among children in each census ward. The question is whether the data controller, or anybody else who was in possession of the barnardised data, would be able to identify the living individual or individuals to whom the data in that form related. If it were impossible for the recipient of the barnardised data to identify those individuals, the information would not constitute 'personal data' in his hands. But we are concerned in this case with its status while it is still in the hands of the data controller, as the question is whether it is or is not exempt from the duty of disclosure that the 2002 Act says must be observed by him.
"27. In this case it is not disputed that the agency itself holds the key to identifying the children that the barnardised information would relate to, as it holds or has access to all the statistical information about the incidence of the disease in the health board's area from which the barnardised information would be derived. But in my opinion the fact that the agency has access to this information does not disable it from processing it in such a way, consistently with recital 26 of the Directive, that it becomes data from which a living individual can no longer be identified. If barnardisation can achieve this, the way will then be open for the information to be released in that form because it will no longer be personal data. Whether it can do this is a question of fact for the commissioner on which he must make a finding. If he is unable to say that it would in that form be fully anonymised he will then need to consider whether disclosure of this information by the agency would be in accordance with the data protection principles and in particular would meet any of the conditions in Schedule 2. This is the more difficult of the two routes I have mentioned. As the issues were fully argued I shall say what I think about them. But there is no doubt that the commissioner's task will be greatly simplified if he is able to satisfy himself that the process of barnardisation will enable the data to be sufficiently anonymised.”
On Cranston J’s analysis, therefore, Lord Hope’s view was that if the CSA held a ‘key’ to the barnardised data that would enable it as data controller to re-identify individuals, then the CSA would need to comply with the data protection principles at the point of disclosure, even if, once disclosed, the data would not be personal data in the hands of a third party. Cranston J in Department of Health went on, however, to consider Lord Hope’s reasoning in the light of the order that Lord Hope proposed, and the Supreme Court made, in that case and concluded as follows in the paragraphs relied on by DSG in this case (again, we add emphasis):
“51. In my view, the only interpretation open of Lord Hope's order is that it recognised that although the Agency held the information as to the identities of the children to whom the requested information related, it did not follow from that that the information, sufficiently anonymised, would still be personal data when publicly disclosed. All members of the House of Lords agreed with Lord Hope's order demonstrating, in my view, their shared understanding that anonymised data which does not lead to the identification of a living individual does not constitute personal data.
52. In my judgment, this conclusion maintains faith with Lord Hope's reasoning. […]
53. Secondly, the conclusion reflects the legal backdrop to the definition of personal data in the DPA, which is recital 26 of Directive, with the ambit of protection drawn in the third part of the recital so as not to apply to data rendered anonymous in such a way that the data subject is no longer identifiable…
54. Finally, any other conclusion seems to me to be divorced from reality. The Department of Health's interpretation is that any statistical information derived from reporting forms or patient records constitutes personal data. If that were the case, any publication would amount to the processing of sensitive personal data. That would be so notwithstanding the statistical exemption in Section 33, since that exemption does not exclude the requirement to satisfy Schedule 3 of the DPA. Thus, the statistic that 100,000 women had an abortion in a particular year would constitute personal data about each of those women, provided that the body that publishes this statistic has access to information which would enable it to identify each of them. That is not a sensible result and would seriously inhibit the ability of healthcare organisations and other bodies to publish medical statistics.”
Cranston J went on to hold that it had been open to the Tribunal to conclude that disclosure of the statistics requested in that case would not constitute a disclosure of personal data as they had been “fully anonymised”. Cranston J thus ultimately arrived at the same conclusion about the relevant legal principles as the Upper Tribunal did in APPGER, albeit by a different route.
In the present appeal, DSG also relies on the Information Commissioner’s Anonymisation Code of Practice (ACOP) which restates the principles from the above cases as follows:
“There is clear legal authority for the view that where an organisation converts personal data into an anonymised form and discloses it, this will not amount to a disclosure of personal data. This is the case even though the organisation disclosing the data still holds the data that would allow re-identification to take place. This means that the DPA no longer applies to the disclosed data …”
The parties also referred us to two decisions of the European Courts which take a consistent approach to the domestic jurisprudence.
First, T-557/20 Single Resolution Board v European Data Protection Supervisor (“SRB”). This case concerned personal data held by the Single Resolution Board (“SRB”) consisting of comments from shareholders of Banco Popular about whether they should receive compensation under a resolution scheme. The SRB pseudonymised the data by giving each comment a unique alphanumeric code and then sent the comments to a third party (Deloitte). Five shareholders complained, asserting that, as this was what we have categorised above as “limb (ii)” personal data, SRB had acted unlawfully (paragraph 81). The General Court disagreed, holding (at paragraphs 97 - 98) that it did not matter that the data was still personal data in the hands of SRB (on a limb (ii) basis): as it was not personal data in the hands of Deloitte (on a limb (iii) basis), there had been no unlawful disclosure.
Secondly, C-319/22 Gesamtverband Autoteile-Handel eV v Scania (“Scania”). This case was primarily concerned with compliance with a European Regulation on the approval and market surveillance of motor vehicles, but it included an issue about personal data. The personal data issue concerned the provision of vehicle identification numbers (“VIN”) by vehicle manufacturers to vehicle repairers (paragraph 17). The VIN is an alphanumeric code assigned to a vehicle by the manufacturer to ensure proper identification of every vehicle. It is not the same thing as the vehicle registration number (paragraph 8). The Court of Justice examined whether the VIN fell within the concept of “personal data” in article 4(1) of the GDPR, concluding:
“45 That definition is applicable where, by reason of its content, purpose and effect, the information in question is linked to a particular natural person (judgment of 8 December 2022, Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation), C-180/21, EU:C:2022:967, paragraph 70). In order to determine whether a natural person is identifiable, directly or indirectly, account should be taken of all the means likely reasonably to be used either by the controller, within the meaning of Article 4(7) of the GDPR, or by any other person, to identify that person, without, however, requiring that all the information enabling that person to be identified should be in the hands of a single entity (see, to that effect, judgment of 19 October 2016, Breyer, C-582/14, EU:C:2016:779, paragraphs 42 and 43).
46 As the Advocate General observed in points 34 and 39 of his Opinion, a datum such as the VIN – which is defined by Article 2(2) of Regulation No 19/2011 as an alphanumeric code assigned to the vehicle by its manufacturer in order to ensure that the vehicle is properly identified and which, as such, is not ‘personal’ – becomes personal as regards someone who reasonably has means enabling that datum to be associated with a specific person.
47 It follows from point II.5 of Annex I to Directive 1999/37 that the VIN must appear on the registration certificate for a vehicle, as must the name and address of the holder of that certificate. In addition, under points II.5 and II.6 of that annex, a natural person may be designated in that certificate as the owner of the vehicle, or as a person who can use the vehicle on a legal basis other than that of owner.
48 In those circumstances, the VIN constitutes personal data, within the meaning of Article 4(1) of the GDPR, of the natural person referred to in that certificate, in so far as the person who has access to it may have means enabling him to use it to identify the owner of the vehicle to which it relates or the person who may use that vehicle on a legal basis other than that of owner.
49 As the Advocate General observed in points 34 and 41 of his Opinion, where independent operators may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person, which it is for the referring court to determine, that VIN constitutes personal data for them, within the meaning of Article 4(1) of the GDPR, and, indirectly, for the vehicle manufacturers making it available, even if the VIN is not, in itself, personal data for them, and is not personal data for them in particular where the vehicle to which the VIN has been assigned does not belong to a natural person.”
- THE HON. MRS JUSTICE HEATHER WILLIAMS DBE
- Decision date: 23 September 2024
[2024] UKUT 287 (AAC)