Durant v Financial Services Authority

Durant v Financial Services Authority
Durant v Financial Services Authority
Court	Court of Appeal
Full case name	Michael John Durant v Financial Services Authority
Decided	8 December 2003
Citation(s)	[2003] EWCA Civ 1746; [2004] FSR 28
Transcript(s)	BAILII
Court membership
Judge(s) sitting	Auld LJ ; Mummery LJ ; Buxton LJ
Keywords
	data protection, personal data

Last updated April 05, 2023

Durant v Financial Services Authority [2003] EWCA Civ 1746 is a judicial decision of the English Court of Appeal in relation to the provisions of the Data Protection Act 1998.^[1]^[2] The case is one of the leading appellate decisions in relation to the application of that Act.^[3]

Facts

Mr Durant had been a customer of Barclays Bank. There was litigation between Mr Durant and the bank in 1993, which he lost. Subsequently, he has sought disclosure of various records in connection with the dispute giving rise to that litigation, records which, the Court of Appeal recorded "he believes may assist him to re-open his claims against it and/or to secure an investigation of its conduct". In about July or August 2000, he sought the assistance of the Financial Services Authority (the "FSA") to obtain this disclosure. The FSA investigated his complaint against the Bank, eventually closing that investigation in March 2001, without informing Mr Durant of its outcome, pursuant to its obligation of confidentiality under sections 82 to 85 of the Banking Act 1987. In October 2000, Mr Durant complained about that refusal to the FSA's Complaints Commissioner, who adjudicated upon and dismissed that complaint.

In September and October 2001, Mr Durant made two requests to the FSA under section 7 of the Data Protection Act, seeking disclosure of personal data held by it, both electronically and in manual files. In October 2001 the FSA provided Mr Durant with copies of documents relating to him that it held in computerised form, disclosure that went beyond his entitlement under the Act, which is to have communicated to him in an intelligible form "information constituting any personal data" of which he was the subject. However some of the documents were redacted so as not to disclose the names of others. The FSA later made further disclosure of computerised material. But the FSA refused the whole of his request for information held on manual files on the ground that the information sought was not "personal" within the definition of "personal data" in section 1(1) of the 1998 Act, and that, even if it was, it did not constitute "data" within the separate definition of that word in section 1(1)(c). The FSA has since maintained that refusal, which encompasses four categories of file.

Judgment

Lower courts

Mr Durant's application originally came before District Judge Rose who refused to make an order for further disclosure against the FSA. That decision was appealed to His Honour Judge Zeidman QC sitting in the Edmonton County Court, who dismissed that appeal. With the leave of Ward LJ, Mr Durant further appealed to the Court of Appeal.

Court of Appeal

for the purposes of the appeal the FSA provided copies of the relevant documents to the Court. The Court of Appeal also received as fresh evidence a (second) witness statement from an associate in the Enforcement Division of the FSA about its filing system and various files and documents to meet certain points raised for the first time in the appeal.

The main decision was given by Auld LJ, who commenced by noting that the primary objective of the 1995 Data Protection Directive, upon which the Act was based, was to protect individuals' fundamental rights, notably the right to privacy and accuracy of their personal data held by others ("data controllers") in computerised form or similarly organised manual filing systems.

The Court of Appeal held^[4] that the appeal raised four important issues of law.

The personal data issue – What makes "data", whether held in computerised or manual files, "personal" within the meaning of the term "personal data" in section 1(1) of the 1998 Act so as to entitle a person identified by it to its disclosure under section 7(1) of the Act – more particularly in this context, to what, if any, extent, is information relating to the FSA's investigation of Mr. Durant's complaint about Barclay's Bank within that definition?
The relevant filing system issue – What is meant by a "relevant filing system" in the definition of "data" in section 1(1) of the 1998 Act, so as to render personal information recorded in a manual filing system "personal data" disclosable to its subject under section 7(1) – more particularly here, was the FSA's manual filing such a system so as to require it to disclose to Mr. Durant from those files information that would, if it were in computerised form, constitute "personal data" within section 1(1)?
The redaction issue – Upon what basis should a data controller, when responding to a person's request for disclosure of his personal data under section 7(1), consider it "reasonable in all the circumstances", within the meaning of that term in section 7(4)(b), to comply with the request even though the personal data includes information about another and that other has not consented to such disclosure?
The discretion issue – By what principles should a court be guided in exercising its discretion under section 7(9) of the Act to order a data controller who has wrongly refused a request for information under section 7(1), to comply with the request?

Personal data

In relation to the personal data issue, the Court of Appeal considered the narrow scope applied to personal data in Criminal Proceedings against Lindquist, Case C-101/01 of the European Court of Justice. That case held "that 'personal data' covered the name of a person or identification of him by some other means, for instance by giving his telephone number or information regarding his working conditions or hobbies." Accordingly, the Court held that simply because the FSA's investigation of the matter emanated from a complaint by Mr Durant, that does not of itself render information obtained or generated by that investigation, without more, his personal data.^[5]

Relevant filing system

The court accepted two fundamental points:^[6] first, that the protection given by the legislation is for the privacy of personal data, not documents, the latter mostly retrievable by a far cruder searching mechanism than the former; and second, of the practical reality of the task that the Act imposes on all data controllers of searching for specific and readily accessible information about individuals. Furthermore, to constitute a "relevant filing system" a manual filing system must: 1) relate to individuals; 2) be a "set" or part of a "set" of information; 3) be structured by reference to individuals or criteria relating to individuals; and 4) be structured in such a way that specific information relating to a particular individual is readily accessible. Accordingly, this requires a filing system so referenced or indexed that it enables the data controller's employee responsible to identify at the outset of his search with reasonable certainty and speed the file or files in which the specific data relating to the person requesting the information is located and to locate the relevant information about him within the file or files, without having to make a manual search of them.

Redaction

In relation to the redaction issue the Court also sided with the FSA. Auld LJ held that parliament could not have intended that courts in applications under section 7(9) should be able routinely to second-guess decisions of data controllers, who may be employees of bodies large or small, public or private or be self-employed.^[7] To so interpret the legislation in that manner would only encourage litigation and appellate challenge by way of full rehearing on the merits and, in that manner, impose disproportionate burdens on them and their employers in their discharge of their many responsibilities under the Act.

Discretion

The Court noted that based upon its prior conclusions, the issue of discretion was no longer relevant. However, Auld LJ did proceed to comment that "I say only that I agree with the recent observations of Munby J in Lord, at para. 160, that the discretion conferred by that provision is general and untrammelled, a view supported, I consider, by the observations of the European Court in Lindquist, at paras. 83 and 88, to which I have referred".

Buxton LJ gave a short concurring judgment.

Footnotes

↑ "Durant v Financial Services Authority". 5RB. Retrieved 31 January 2017.
↑ "Durant v Financial Services Authority (Disclosure) [2003] EWCA Civ 1746 (08 December 2003)". Practical Law. Retrieved 31 January 2017.
↑ "Definition of Personal Data: Durant Revisited". Act Now Training. Retrieved 31 January 2017.
↑ At paragraph 20.
↑ At paragraph 30.
↑ At paragraph 45.
↑ At paragraph 60.

Related Research Articles

Freedom of information laws allow access by the general public to data held by national governments and, where applicable, by state and local governments. The emergence of freedom of information legislation was a response to increasing dissatisfaction with the secrecy surrounding government policy development and decision making. In recent years Access to Information Act has also been used. They establish a "right-to-know" legal process by which requests may be made for government-held information, to be received freely or at minimal cost, barring standard exceptions. Also variously referred to as open records, or sunshine laws, governments are typically bound by a duty to publish and promote openness. In many countries there are constitutional guarantees for the right of access to information, but these are usually unused if specific support legislation does not exist. Additionally, the United Nations Sustainable Development Goal 16 has a target to ensure public access to information and the protection of fundamental freedoms as a means to ensure accountable, inclusive and just institutions.

The Office of the Data Protection Commissioner (DPC), also known as Data Protection Commission, is the independent national authority responsible for upholding the EU fundamental right of individuals to data privacy through the enforcement and monitoring of compliance with data protection legislation in Ireland. It was established in 1989.

A criminal record, police record, or colloquially RAP sheet (Record of Arrests and Prosecutions) is a record of a person's criminal history. The information included in a criminal record and the existence of a criminal record varies between countries and even between jurisdictions within a country. In most cases it lists all non-expunged criminal offences and may also include traffic offences such as speeding and drunk driving. In some countries the record is limited to actual convictions (where the individual has pled guilty or been found guilty by a qualified court, resulting in the entry of a conviction), while in others it also includes arrests, charges dismissed, charges pending and charges of which the individual has been acquitted.

The Canada Revenue Agency is the revenue service of the Canadian federal government, and most provincial and territorial governments. The CRA collects taxes, administers tax law and policy, and delivers benefit programs and tax credits. Legislation administered by the CRA includes the Income Tax Act, parts of the Excise Tax Act, and parts of laws relating to the Canada Pension Plan, employment insurance (EI), tariffs and duties. The agency also oversees the registration of charities in Canada, and enforces much of the country's tax laws.

The Freedom of Information Act, 5 U.S.C. § 552, is the United States federal freedom of information law that requires the full or partial disclosure of previously unreleased or uncirculated information and documents controlled by the U.S. government, state, or other public authority upon request. The act defines agency records subject to disclosure, outlines mandatory disclosure procedures, and includes nine exemptions that define categories of information not subject to disclosure. The act was intended to make U.S. government agencies' functions more transparent so that the American public could more easily identify problems in government functioning and put pressure on Congress, agency officials, and the president to address them. The FOIA has been changed repeatedly by both the legislative and executive branches.

Discovery, in the law of common law jurisdictions, is a pre-trial procedure in a lawsuit in which each party, through the law of civil procedure, can obtain evidence from the other party or parties by means of discovery devices such as interrogatories, requests for production of documents, requests for admissions and depositions. Discovery can be obtained from non-parties using subpoenas. When a discovery request is objected to, the requesting party may seek the assistance of the court by filing a motion to compel discovery.

The Data Protection Act 1998 was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.

The Freedom of Information Act 2000 is an Act of the Parliament of the United Kingdom that creates a public "right of access" to information held by public authorities. It is the implementation of freedom of information legislation in the United Kingdom on a national level. Its application is limited in Scotland to UK Government offices located in Scotland. The Act implements a manifesto commitment of the Labour Party in the 1997 general election, developed by David Clark as a 1997 White Paper. The final version of the Act was criticised by freedom of information campaigners as a diluted form of what had been proposed in the White Paper. The full provisions of the act came into force on 1 January 2005.

<i>Privacy Act</i> (Canada) Canadian federal legislation (1983)

The Privacy Act is the federal information-privacy legislation of Canada that came into effect on July 1, 1983. Administered by the Privacy Commissioner of Canada, the Act sets out rules for how institutions of the Government of Canada collect, use, disclose, retain, and dispose of personal information of individuals.

Richardson v. Perales, 402 U.S. 389 (1971), was a case heard by the United States Supreme Court to determine and delineate several questions concerning administrative procedure in Social Security disability cases. Among the questions considered was the propriety of using physicians' written reports generated from medical examinations of a disability claimant, and whether these could constitute "substantial evidence" supportive of finding nondisability under the Social Security Act.

Rockwell International Corp. v. United States, 549 U.S. 457 (2007), is a United States Supreme Court case in which the Court examined the "original source" exception to the "public-disclosure" bar of the False Claims Act. The Court held that (1) the original source requirement of the FCA provision setting for the original-source exception to the public-disclosure bar on federal-court jurisdiction is jurisdictional; (2) the statutory phrase "information on which the allegations are based" refers to the relator's allegations and not the publicly disclosed allegations; the terms "allegations" is not limited to the allegations in the original complaint, but includes, at a minimum, the allegations in the original complaint as amended; (3) relator's knowledge with respect to the pondcrete fell short of the direct and independent knowledge of the information on which the allegations are based required for him to qualify as an original source; and (4) the government's intervention did not provide an independent basis of jurisdiction with respect to the relator.

Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014) is a decision by the Court of Justice of the European Union (CJEU). It held that an Internet search engine operator is responsible for the processing that it carries out of personal information which appears on web pages published by third parties.

R v Spencer, 2014 SCC 43 is a landmark decision of the Supreme Court of Canada on informational privacy. The Court unanimously held that internet users were entitled to a reasonable expectation of privacy in subscriber information held by Internet service providers. And as such, police attempts to access such data could be subject to section 8 of the Charter of Rights and Freedoms.

The Data Protection Act, 2012 is legislation enacted by the Parliament of the Republic of Ghana to protect the privacy and personal data of individuals. It regulates the process personal information is acquired, kept, used or disclosed by data controllers and data processors by requiring compliance with certain data protection principles. Non compliance with provisions of the Act may attract either civil liability, or criminal sanctions, or both, depending on the nature of the infraction. The Act also establishes a Data Protection Commission, which is mandated to ensure compliance with its provisions, as well as maintain the Data Protection Register.

Smith v Lloyds TSB Bank plc[2005] EWHC 246 was a judicial decision of the English High Court relating to the Data Protection Act 1998.

The Official Information Act 1997 is a Thai act which guarantees the people's right to have full access to government information. It was approved by the Thai National Assembly in July 1997 and entered into application on 8 December 1997.

Padfield v Minister of Agriculture, Fisheries and Food [1968] UKHL 1 is a United Kingdom administrative law case, concerning judicial review.

R (Evans) v Attorney General is a 2015 decision of the Supreme Court of the United Kingdom. It concerned a request for disclosure of communications passing between Charles, Prince of Wales and various government departments.

The Illinois Freedom of Information Act, 5 ILCS 140/1 et seq., is an Illinois statute that grants to all persons the right to copy and inspect public records in the state. The law applies to executive and legislative bodies of state government, units of local government, and other entities defined as "public bodies". All records related to governmental business are presumed to be open for inspection by the public, except for information specifically exempted from disclosure by law. The statute is modeled after the federal Freedom of Information Act and serves a similar purpose as freedom of information legislation in the other U.S. states.

Byers v Saudi National Bank[2022] EWCA Civ 43 is a decision of the English Court of Appeal in the long running litigation between the liquidators of SAAD Investments Company Limited and various parties relating to the alleged defrauding of the insolvent company by one of its principals.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Durant v Financial Services Authority". 5RB. Retrieved 31 January 2017.

[2] "Durant v Financial Services Authority (Disclosure) [2003] EWCA Civ 1746 (08 December 2003)". Practical Law. Retrieved 31 January 2017.

[3] "Definition of Personal Data: Durant Revisited". Act Now Training. Retrieved 31 January 2017.

[4] At paragraph 20.

[5] At paragraph 30.

[6] At paragraph 45.

[7] At paragraph 60.

[1]

[2]

[3]

[4]

[5]

[6]

[7]