[2024] UKUT 287 (AAC)
Upper Tribunal Administrative Appeals Chamber

Date: 23-Sep-2024

The case law

119.

Our interpretation is also consistent with the domestic and European authorities that we have discussed at paragraphs 78 – 85 above. For the avoidance of doubt, we do not accept that this caselaw is determinative of the construction of DPP7 in the way that Mr Pitt-Payne initially suggested. We accept that there cannot be a direct read across; the context was different as we emphasise below. None of these cases were concerned with DPP7 or with analogous provisions. All of these cases involved a controlled disclosure of a known data set to identified third parties.

120.

The domestic authorities (APPGER, Department of Health and Miller) were concerned with FOIA and whether requests for disclosure of specific data could be resisted on the section 40 ground that the data in question constituted “personal data”. Unsurprisingly, in a context where data had been anonymised to all but the data controller, the courts determined that the question of whether the requested information amounted to “personal data” had to be looked at from the recipient’s perspective (limb (iii)) and, as it could not lead to recipients identifying living individuals, it was not personal data from the point of disclosure (paragraphs 78 – 81 above). The alternative interpretation that the data was “personal data” for these purposes simply because the data controller alone retained the means of identification would have very substantially restricted the FOIA disclosure provisions; and was described by the Upper Tribunal at paragraph 128 in APPGER as “absurd” (paragraph 78 above).

121.

The European cases were concerned with the legality of disclosing particular information to particular third parties. SRB was concerned with an alleged infringement of article 15 of Regulation 2018/1725 in that the complainants had not been informed that their personal data might be disclosed to Deloitte. Accordingly, the focus was again on whether the data was anonymised from Deloitte’s perspective; the General Court holding that “it is necessary to put oneself in Deloitte’s position in order to determine whether the information transmitted to it relates to ‘identifiable persons’” (paragraph 97). Scania was concerned with whether vehicle manufacturers were legally obliged to disclose certain information, including VINs, to independent operators; whether this material amounted to “personal data” within the meaning of GDPR was to be assessed by reference to the means of identification reasonably available to the independent operators.

122.

As our above reasoning indicates, our focus has been on the terms of the relevant DPA 1998 provisions, read in the light of the Directive. However, the domestic and European caselaw is significant for a number of inter-related reasons. Firstly, these authorities establish that in instances of pseudonymisation, the same information may be personal data in the hands of the data controller (who retains the key to the identifying material), but not personal data in the hands of a third party, if the third parties do not have the means to access the additional information that the data controller holds which enables the identification of living individuals. Secondly, the cases show that whether the data that is said to constitute personal data is to be considered from a limb (ii) or a limb (iii) perspective, will depend upon the nature of the statutory obligation and the processing under consideration. (Whilst the terms of recital 26 of the Directive contemplate account being taken of the means of identification available to the controller and to other persons, this does not mean, as Mr Lockley suggested, that both perspectives are taken into account in every instance; it will depend upon the context.) Thirdly, the authorities indicate that if outside of the hands of the data controller, no living individual can be identified from the data, then at the moment of disclosure the information loses its character as “personal data”.

123.

Accordingly, when considering in relation to DPP7 whether ATOMS have been taken to protect against the particular risk of “unauthorised or unlawful processing of personal data”, it is necessary to construe this risk in light of these principles. As the risk to be guarded against is the risk of data processing by third parties, the question of whether personal data is involved is to be judged from the perspective of the data that the third parties can access (rather than the entirety of the data held by the data controller), that is to say from a limb (iii) perspective (if the limb (i) definition is not met).