Durant v Financial Services Authority

JurisdictionEngland & Wales
CourtCourt of Appeal (Civil Division)
JudgeLORD JUSTICE WARD,Lord Justice Auld:
Judgment Date08 December 2003
Neutral Citation[2003] EWCA Civ 573,[2003] EWCA Civ 1746
Docket NumberB2/2002/2636,Case No: B2/2002/2636

[2003] EWCA Civ 1746

IN THE SUPREME COURT OF JUDICATURE

COURT OF APPEAL (CIVIL DIVISION)

ON APPEAL FROM HIS HONOUR JUDGE ZEIDMAN, QC, IN THE EDMONTON COUNTY COURT

Before

Lord Justice Auld

Lord Justice Mummery and Lord Justice Buxton

Case No: B2/2002/2636

Between:
Michael John Durant
Appellant
and
Financial Services Authority
Respondent

(Transcript of the Handed Down Judgment of Smith Bernal Wordwave Limited, 190 Fleet Street London EC4A 2AG Tel No: 020 7421 4040, Fax No: 020 7831 8838 Official Shorthand Writers to the Court)

Lord Justice Auld:
1

Mr. Michael John Durant, the claimant and appellant, seeks disclosure of information that he claims to be personal data relating to him held by the Financial Services Authority ("the FSA") under section 7 of the Data Protection Act 1998 ("the 1998 Act"). The FSA has provided him with some information in response to his requests for it, but he seeks further disclosure. The outcome of the appeal turns in part on the proper interpretation of certain provisions of the Act governing an individual's right to disclosure of his personal data held by others within the provisions of the Act and in part on the propriety of the Judge's findings of fact in the light of that interpretation.

2

The appeal is brought with the permission of Ward LJ, from a decision of His Honour Judge Zeidman, QC, at the Edmonton County Court on 24 th October 2002 dismissing Mr. Durant's appeal against the refusal by District Judge Rose, to order the FSA to make the further disclosure sought. In granting permission, Ward LJ directed the FSA to provide for our inspection under section 15(2) of the Act copies of all the documents or information that the FSA has declined to disclose to Mr. Durant. The FSA has provided those copies to the Court. We have also received as fresh evidence a (second) witness statement of Mr. Daniel Davies, an associate in the Enforcement Division of the FSA, about its filing system and various files and documents to meet points raised for the first time in this appeal.

The legislative scheme

3

The 1998 Act was enacted, in part, to give effect to Directive 95/46/EC of 24 th October 1995 On The Protection Of Individuals With Regard To The Processing Of Personal Data And On The Free Movement Of Such Data ("the 1995 Directive"). It should, therefore, be interpreted, so far as possible in the light of, and to give effect to, the Directive's provisions. In Campbell v. MGN [2002] EWCA Civ 1373, [2003] QB 633, CA, Lord Phillips of Worth Matravers, MR, said at para. 96:

"In interpreting the Act it is appropriate to look to the Directive for assistance. The Act should, if possible, be interpreted in a manner that is consistent with the Directive. Furthermore, because the Act has, in large measure, adopted the wording of the Directive, it is not appropriate to look for the precision in the use of language that is usually to be expected from the parliamentary draftsman. A purposive approach to making sense of the provisions is called for."

4

The primary objective of the 1995 Directive is to protect individuals' fundamental rights, notably the right to privacy and accuracy of their personal data held by others ("data controllers") in computerised form or similarly organised manual filing systems (Recitals (1), (2), (3), (10) and (25)), whilst at the same time facilitating the free movement of such data between Member States of the European Union. There is inevitably a tension between those two primary objectives at an inter-state level, as Lord Hoffmann observed in R v. Brown [1996] AC 543, HL, at 557A-C. That tension is not so evident in the domestic setting for which the Act provides, in particular, in the right of access to personal data. However, the Act contains its own tension in the obligation that it also imposes on data controllers to respect the right of privacy of others whose names may figure in the personal data of an individual seeking access to it.

5

The starting point in this legislative trail (see Recital (11) to the 1995 Directive) is the Convention For The Protection Of Individuals With Regard To Automatic Processing Of Personal Data (1981) (Cmnd. 8341) ("the 1981 Convention"), about which Lord Hoffmann was talking in Brown. As its title indicates, it was concerned only with computerised data, and the Data Protection Act 1984 ("the 1984 Act") to which it gave rise was similarly confined. The 1995 Directive, however, extended the scheme of protection to personal data held in manual files if they were of a similar level of sophistication to that provided by computerised records (Recital (15) Article 2(c)). Article 12, headed "Right of Access", provides:

"Member States shall guarantee every data subject the right to obtain from the controller:

(a) without constraint at reasonable intervals and without excessive delay or expense:

- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,

- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,

- knowledge of the logic involved in any automatic processing of data concerning him at least in the case of … automated decisions

(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;

(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort".

6

The purpose of the 1998 Act was to provide for the regulation of the processing, including the obtaining, holding, use and disclosure by "data controllers" of "personal data" held or to be held electronically or, if held in manual files, as part of "a relevant filing system", all as defined in section 1(1) of the Act.

7

Section 7(4)-(6) of the 1998 Act provides an individual with a right of access to "personal data", entitling him to know whether a data controller is processing any of his personal data and, if so, to be told what it is, its source, why it is being processed and to whom the data are or may be disclosed. He is not entitled to information about his personal data which necessarily, that is, notwithstanding possible redaction, involves disclosure of information relating to another individual, either as a subject or the source of the information, without that other's consent or unless it would be reasonable in all the circumstances for him to have it without that consent.

8

The core of a data subject's entitlement to access to his personal data is to be found in sections 7(1) and 8(2), which, so far as material and subject to other provisions of section 7 to which I shall return, provide:

"(1) …an individual is entitled –

(a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,

(b) if that is the case, to be given by the data controller a description of -

(i) the personal data of which that individual is the data subject,

(ii) the purposes for which they are being or are to be processed, and

(iii) the recipients or classes of recipients to whom they are or may be disclosed,

(c) to have communicated to him in an intelligible form –

(i) the information constituting any personal data of which that individual is the data subject, and (ii) any information available to the data controller as to the source of those data, and

(d) where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.".

"8(2) The obligation imposed by section 7(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless-

(a) the supply of such a copy is not possible or would involve disproportionate effort, or

(b) the data subject agrees otherwise;

and where any of the information referred to in section 7(1)(c) (i) is expressed in terms which are not intelligible without explanation the copy must be accompanied by an explanation of those terms."

The facts

9

It will help to introduce the important issues of principle to which this appeal gives rise by first giving a short account of the factual context in which they arise. The FSA is the single regulator for the financial services sector in the United Kingdom, acting under powers currently conferred by the Financial Services and Markets Act 2000 ("the 2000 Act"). It assumed responsibility for the supervision of banks in June 1998. Until December 2001, when the 2000 Act was fully implemented, the FSA had exercised that supervision under the Banking Act 1987 ("the 1987 Act"). In the course of its regulatory work it received and receives much information about companies, firms and individuals which, by section 348 of the 2000 Act, it is obliged to treat as confidential. However, section 27(5) of the 1998 Act overrides that obligation in respect of requests for "personal data" under section 7, which, as I have indicated, requires all data controllers, including the...

To continue reading

Request your trial
60 cases
8 firm's commentaries
  • International Fraud & Asset Tracing (3rd Edition), England & Wales
    • United Kingdom
    • JD Supra United Kingdom
    • 5 March 2015
    ...terms this may bring the review of the hard copy document within the scope of the DPA). See Auld LJ’s comments in Durant v FSA [2003] EWCA Civ 1746. If the organisation is a public authority, then all manual documents and fi les it controls that include information relating to living, identi......
  • Scope for damages for data protection violations in the UK widened by the Court of Appeal
    • United Kingdom
    • JD Supra United Kingdom
    • 28 April 2015
    ...8 of the Charter provides for an additional right – to the “protection of personal data”. 10) Durant v Financial Services Agency [2003] EWCA Civ 1746. 11) The Working Party on the Protection of Individuals with regard to the Processing of Personal Data was set up by set up by Article 29 of ......
  • Court Of Appeal Confirms A Person's Name Constitutes Personal Data
    • United Kingdom
    • Mondaq United Kingdom
    • 5 March 2014
    ...of Appeal previously interpreted the application of this definition in the case of Durant v Financial Services Act [2003] EWCA Civ 1746 [2011] 1 Info LR 1 (Durant). Paragraph 28 of Auld LJ's judgment provided two notions to be used to determine if information is personal data. The first was......
  • Weekly Financial Services Regulatory Update - 20.04.12
    • United Kingdom
    • Mondaq United Kingdom
    • 14 May 2012
    ...First-tier Tribunal, however, by applying the principle established by the Court of Appeal in Durant v Financial Services Authority [2003] EWCA Civ 1746 that to be excluded under s.40(2) the personal information must also affect the person's privacy (either in his personal or family life, b......
  • Request a trial to view additional results
2 books & journal articles
  • Digital Citizenship and the Right to Identity in Australia
    • United Kingdom
    • Federal Law Review Nbr. 41-3, September 2013
    • 1 September 2013
    ...Law Journal 1277; Lynn M LoPucki, 'Human Identification Theory and the Identity Theft Problem' (2001) 80 Texas Law Review 89. 43 [2003] EWCA Civ 1746 [30]. 44 The English legislation is framed in terms of data, whereas the Australian privacy legislation refers to information. The definition......
  • Control over Personal Data in a Digital Age: Google Spain v AEPD and Mario Costeja Gonzalez
    • United Kingdom
    • The Modern Law Review Nbr. 78-3, May 2015
    • 1 May 2015
    ...this right.45 The Court’s refusal to incorporate the subjective element of40 See for instance, Durant vFinancial Services Authority [2003] EWCA Civ 1746 at [28] per Auld LJ.41 R (on the application of AB) vSecretary of State for the Home Department [2013] QB 3453 at [16].42 Judgment of 15 D......

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT