This is one of a series of articles appearing on OUT-LAW this
week to celebrate Data
Protection Day 2008.
The House of Lords will rule on what exactly is meant by the
term 'personal data', while the European Court of Human Rights will
decide whether the police can retain details of non-criminals
on the UK's national DNA database.
These are vital questions which could alter the boundaries of
the rules governing what law enforcement agencies and companies
will be able to do with the increasing amounts of personal
information they are processing.
The House of Lords will rule on a case about what counts as
personal data. Currently data protection law is shaped by a
ruling by the Court of Appeal in a case involving Michael Durant,
where the Court ruled that 'personal data' should be defined
narrowly, meaning that only those personal data that related
to a particular individual counted as 'personal data'.
The case which House of Lords will consider pits the Common
Services Agency (CSA) of the NHS in Scotland against the Scottish
Information Commissioner (SIC), Kevin Dunion.
A researcher in the Scottish Parliament had asked for
statistical data relating to childhood leukaemia in Dumfries and
Galloway, broken down by census wards. The NHS decided that as the
statistics, in many cases, showed there was one incident of
childhood leukaemia per census ward, the figures were so low that
to release the statistical data would relate to a particular
individual, living in an certain geographical area, with a specific
disease. This was personal data, the NHS argued.
The SIC, with the eventual support of the Scottish court
disagreed, ruling that the statistic of one for a census ward
related to a census ward and not to an individual. It followed that
the information was not personal data and should be published under
the Scotiish FOI procedures.. So when the Lords rule, its judgment
will hopefully resolve any lingering doubt as to what 'personal
data' really means.
A different but equally fundamental issue will be addressed by
the European Court of Human Rights (ECHR) when it looks into the
case of Michael Marper.
Marper's DNA was taken and an entry made in the national DNA
database when he was arrested in 2001 following a domestic
disturbance. He was never charged with a crime, but the sample and
database entry were retained by the police.
After a series of legal tussles over the police's retention of
the DNA information, the House of Lords concluded the parts of the
Human Rights Act that relate to privacy did not apply to the
indefinite retention of Marper's DNA sample and related data. A
reference to the European Court of Human Rights (ECHR) was made
after this judgment.
Because the Human Rights Act did not apply in this case, the
House of Lords did not need to consider any data protection
obligations in its judgment. But the ECHR has said that these data
protection obligations arel central to the data retention issues
raised by the case.
The overlap between human rights and data protection has never
actually been defined, so this case could present the ECHR with an
opportunity for clarifying how these laws interact with each other
and with private and family life.
There is a possibility that the two pieces of legislation could
become interlinked in a precise way, with data protection
obligations becoming a quantifiable extension of the human
rights legal framework. This would strengthen the position of data
protection principles enormously and would mean that a breach of a
data protection obligation could also give rise to a claim that the
individual's human rights have been infringed.
By Dr Chris Pounder
Dr Chris Pounder is the editor of the Pinsent Masons
publication Data Protection Quarterly and runs data protection
training for organisations across the UK. This is
one of a series of articles appearing this week to celebrate Data
Protection Day. Find out how to win the textbook on data
protection.
