Privacy & Information Security Law Blog

On September 7, 2011, the United Kingdom Information Tribunal published a decision that appears to resolve the long-running uncertainty regarding the extent to which anonymized personal information may be disclosed under the UK’s Freedom of Information legislation. The UK’s FOIA was introduced and applicable to most of the UK in 2000, with equivalent law following for Scotland in 2002.

Under the law, a government authority is not required to provide information requested under FOIA if it is “personal data” and its disclosure would breach UK data privacy principles. The problem, however, has been that information is considered “personal data” if the organization that holds it can continue to identify the individual, taking into account all of the information the organization maintains or that is likely to come into its possession. Even if an organization anonymizes information before disclosing it as statistical data, the organization itself usually is able to link the anonymized information back to individuals. Accordingly, anonymized data has retained its status as “personal data,” that is not subject to disclosure under the UK FOIA.

For years, this personal data exception has befuddled UK courts. The first case on anonymization and disclosure reached the House of Lords in 2008, with three members of the House issuing judgments. Baroness Hale delivered a robust minority view that the test should be whether disclosing the information would allow the recipient to identify individuals, but the majority followed Lord Hope’s lengthy opinion suggesting that the data must be sufficiently altered so as to be anonymous to the controller before it can be disclosed. This case seemed to indicate that a public body would never be able to disclose anonymized information under FOIA unless it was able to ensure that the original information was no longer personal data, at which point the information presumably would be useless to the requesting party, and the controller likely would be in breach of its obligations to maintain proper records. The specter of that outcome raised so much concern that, in a case heard a few months later, the senior division of the Information Tribunal took the unusual step of declining to follow the majority view of the House of Lords, and applied Baroness Hale’s minority view instead.

 In early 2011, the issue resurfaced before the High Court in a case concerning a request for disclosure of late term abortion statistics. The request was refused on the grounds that the information would still be personal data in the hands of the government department involved, even if it was disclosed in a form that rendered it anonymous to third parties. The High Court held that it was bound to follow the previous majority opinion of the Lords, but applied a rather creative interpretation of that earlier holding to find that the information could be disclosed in this case because individuals could not be identified using the statistics sought by the requesting party.

In short, the High Court’s current position appears to be that if a data controller removes enough identifiers from a copy set of personal data to ensure the controller itself is unable to translate the anonymized copy back into personal data, then the anonymized copy can be disclosed to a third party pursuant to a FOIA request. The fact that the controller may still maintain an original set of identifiable information is not relevant to the determination of whether the anonymized copy may be disclosed. Notwithstanding the black letter definition in the law, this approach seems to have been adopted as a workable way to achieve the appropriate result.

Although the High Court’s decision is UK-specific, the outcome of this case may be of wider interest given current debates regarding the importance, and difficulty, of anonymizing personal data.