FLINT logo
Families Link International
Tel:0781 886 1724
home | issues | policies | family groups | courts | court reporters | research | law | contacts | donations | Useful Quotes |

Law - Effects of Durant

In a landmark ruling brought by Masons the Court of Appeal has held that the mere mention of a data subject in a document did not amount to "personal data" within the meaning of the Data Protection Act 1998 (the "Act"). This will significantly curtail the right of employees to demand information by means of a data protection request.
In Durant v Financial Services Authority [2003] EWCA Civ 1746, following an unsuccessful dispute with his former bank, Mr Durant asked the Financial Services Authority (FSA) to investigate the bank's conduct. The FSA carried out an investigation after which Mr Durant wished to obtain a copy of a particular document from the FSA which would have assisted his case against the bank.
The meaning of "personal data"
The Court of Appeal held that the investigations by the FSA related to Mr Durant's complaint against the bank and not to Mr Durant himself and thus was not "personal data" under the Act. The court ruled that "the 1998 Act would only be engaged if, in the course of investigating this complaint, the FSA expressed an opinion about Mr Durant personally, as opposed to an opinion about his complaint".
The Court went on to say that information will not constitute personal data simply because it is retrieved from a computer search against an individual's name. Instead, the information must be relevant or proximate to the data subject as distinct from matters which he may have been involved in and affect the individual's privacy, whether in his personal or family life, business or professional capacity. Thus the mere fact that a document is retrievable by reference to an individual's name does not entitle him to a copy of it under the Act.
Personal data held in manual files
The court of first instance and the Court of Appeal have now confirmed that the narrow interpretation of a "relevant filing system" is a correct one. There are 2 tests in the Act for a relevant filing system, namely:
1. Does the file form part of a structured set? - i.e. does it have the individual's name on the cover or some other characteristic relating to the individual, and if so
2. Is the file sufficiently internally structured so that specific information about a particular individual is readily accessible?
Accordingly the following guidance emerges. A relevant filing system is limited to a system:
in which the files are structured or referenced so as to clearly indicate whether the information contained within is capable of amounting to personal data of an individual; and
which has a sufficiently detailed means of readily indicating whether the file contains information relating to an individual and where in that file, the information is held.

The ruling will have an impact on an employee's right to receive copies of information such as personnel files, e-mails and other records unless the document is 'personal' and directly refers to that individual.
An employee's right to gain access to information is also drastically restricted if the information is held in manual files. If the documents are not structured by reference to the individual then the disclosure provisions of the Act are not triggered. Similarly, a manual filing system which requires an individual to sort through the documents to look for the personal data falls outside of the scope of the Act.
Finally, this case greatly curtails an employee's ability to indulge in fishing expeditions prior to litigation by making subject requests under the Act.
Code of Practice to change after personal data gets redefined
Durant v Financial Services Authority
Court of Appeal restricts scope of Data Protection Rules
* * * * * This is a hugely important decision on the scope and application of the Data Protection Act 1998 (the DPA). The case followed a subject access request made by Mr Durant against the Financial Services Authority (FSA). The FSA investigated Durant's complaint against Barclays but closed its investigation without informing Durant of its outcome, acting under statutory confidentiality obligations.
The FSA refused Durant access to its investigation documents and papers disclosed to it by Barclays. The Court of Appeal upheld the County Court ruling that Durant was not entitled to access to the documents under the DPA.Ê
The Court of Appeal ruled on two key issues under the DPA: the definition of 'personal data'; and the extent to which manual filing systems are covered by the 1998 Act.
Key points
'Personal data' is the most important concept in the DPA, as the obligations on data controllers, and the rights of data subjects (including the right to obtain access to data), apply only to personal data. The Court of Appeal's restrictive approach reduces the whole scope of the DPA.
Uncertainty around the interpretation of this term previously led many data controllers to take a cautious approach, in some cases going so far as to class as 'personal data' any document that refers to an individual by name. Such an approach increased the burdens imposed by the DPA, in particular the burden of responding to data subject access requests.
The Court of Appeal rejected the argument that a document contains personal data merely because an individual is named in it. The information has to be biographical to a significant extent and the data subject must be the focus of the information.
On this view, the information held by the FSA on Durant's complaint was not personal data, and access did not have to be provided.
The 1998 Act extended previous legislation to cover manual as opposed to simply electronic filing systems. According to the Court of Appeal, manual records are caught only if they are of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system.
The appropriate test for determining whether manual records fall under the DPA is whether:
- they contain files that are structured and referenced in such a way as to clearly indicate at the outset of a search whether specific information capable of amounting to personal data on the data subject is held within the system, and, if so, in which file or files it is held;
- and which has, as part of its own structure or referencing mechanism, a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file or files specific criteria or information about the applicant can be readily located.
The Court of Appeal urged a 'sensible and practical' interpretation of the DPA, which minimised the time and cost associated with data access requests.
In this case, while the FSA's files contained folders bearing Durant's name, they were structured in date order and contained a range of documentation, some of which was clearly not personal data. Any personal data could only be identified by a manual trawl through the files.
The requirement to leaf through a number of files to see what and whether information qualifying as personal data is contained in the files exceeded the scope of the DPA.
What you should do
- Make sure your data protection officers and HR staff are aware of this important ruling
- Review your data protection policy, especially any definition of personal data, and your internal guidance on responding to data protection requests
- Consider whether your manual filing systems fall within the scope of this ruling. You may wish to ensure that documents that clearly contain personal data are held in specific files or parts of files.
While this may mean that the documents are disclosable, it will be easier to respond to access requests; watch out for the Information Commissioner's Codes of Practice being revised in light of this decision.

The contents on these pages are provided as information only. No responsibility or liability is accepted by or on behalf of FLINT for any errors, omissions, or misleading statements on these pages, or any site to which these pages connect, whether provided by FLINT or by any organisation, company or individual. No mention of any organisation, company or individual, whether on these pages or on other sites to which these pages are linked, shall imply any approval or warranty as to the standing and capability of any such organisations, companies or individuals on the part of FLINT. All rights reserved.