CFI 051/2018 and CFI 085/2018 The Dubai Financial Services Authority v (1) The Commissioner Of Data Protection (2) Anna Waterhouse
CFI 051/2018 and CFI 085/2018 The Dubai Financial Services Authority v (1) The Commissioner Of Data Protection (2) Anna Waterhouse
June 01, 2020  Court of First Instance -Judgments
Claim No. CFI 051/2018 and CFI 085/2018
THE DUBAI INTERNATIONAL FINANCIAL CENTRE
COURTS
IN THE
COURT
OF FIRST INSTANCE
BEFORE JUSTICE SIR RICHARD FIELD
IN THE MATTER OF AN APPEAL UNDER ARTICLE 37(1) OF
DIFC
LAW No. 1 of 2007 (THE DATA PROTECTION LAW) AND JUDICIAL REVIEW UNDER PART 42 OF THE COURT
RULES
BETWEEN
THE DUBAI FINANCIAL SERVICES AUTHORITY
Appellant
and
THE COMMISSIONER OF DATA PROTECTION
Respondent
ANNA WATERHOUSE
Interested Party
JUDGMENT
Introduction
1. There are before the
Court
two sets of related proceedings. First, there is an appeal by the Dubai Financial Services Authority (the “
DFSA
”) under Article 37 (1) of the Data Protection Law (Law No. 1 of 2007) (the “
DPL
”) from the decision of the Commissioner of Data Protection (the “
Commissioner
”) dated 20 June 2018 that the DFSA contravened Article 17 of the DPL by refusing to comply with a Subject Access Request (the “
SAR
”) served on it by the Interested Party (“
Ms Waterhouse
”). Second, there is an application by the DFSA for judicial review of the direction the Director made in Ms Waterhouse’s case as to the steps he ordered the DFSA to take in response to Ms Waterhouse’s SAR.
The relevant background
2. The DFSA is established by Article 7 of the Regulatory Law and by Article 8 (3) thereof has as one of its major functions the prevention, detection and restraint through appropriate means including the imposition of sanctions of conduct that causes or may cause damage to the reputation of the DIFC or financial services industry in the DIFC. Under Articles 78 and 90 it has respectively the power to conduct investigations and impose sanctions and make directions.
3. Ms Waterhouse was Head of Legal & Compliance Middle East and North Africa for Deutsche Bank AG (“
DB
”) from 1 October 2007 to 5 March 2014. She was authorised by the DFSA to perform the Licensed Functions of Compliance Officer, Money Laundering Reporting Officer and Senior Manager. DB was a DFSA Authorised Firm.
4. In 2012 the DFSA began an investigation into DB and certain individuals connected to it. In February 2014, this investigation was expanded to include suspected breaches dating back to 2011 of DFSA administered legislation and certain DB employees, including Ms Waterhouse.
5. In October 2014, the DFSA’s enforcement arm produced a report setting out its investigatory findings so far and pursuant to a Decision Notice dated 29 March 2015 the DFSA took action against DB for contraventions of DFSA administered legislation and breaches of DFSA Rules.
6. On or about 29 April 2015, Ms Waterhouse was given a copy of the report setting out the findings of the investigation together with a copy of the materials referenced in the report. These materials comprised six lever arch files of documents ordered chronologically covering relevant events from 2011 to 2013 and copies of transcripts of all interviews undertaken by the DFSA referred to in the report. The chronological documents in the six files were compiled from a much larger number of documents that were gathered during the investigation. In total, there were approximately 300 lever arch files of documents and information produced to the DFSA during the course of the investigation.
7. On 10 January 2016, the DFSA’s Decision Making Committee (the “
DMC
”) served on Ms Waterhouse a notice setting out the decision it proposed to make in her case including its proposed findings of fact and sanction. Ms Waterhouse was also given a copy of the materials that the DMC had considered. Pursuant to her right to do so, over the ensuing 15 months Ms Waterhouse made a series of representations designed to persuade the DMC not to issue a final decision to take enforcement action against her. In addition, at the request of Ms Waterhouse’s counsel, DFSA Enforcement provided further information up to the point at which it was felt that the information being sought was beyond the scope of the DFSA’s investigation.
8. On 22 June 2017, the DMC served on Ms Waterhouse a Decision Notice stating that for the breaches of DFSA administered legislation identified in paragraph 10 below it was going to impose a financial penalty of US$100,000 and to restrain her from performing any functions in connection with the provision of financial services in or from the DIFC. The Decision Notice referred to the materials the DMC had considered copies of which had already been disclosed to Ms Waterhouse.
9. The background to the DFSA’s Decision Notice was that DB and its employees within the Private Wealth Management (“
PWM
”) team serving the Middle East and Africa had breached regulatory requirements in providing the regulated financial services of Advising on Financial Products and Credit and Arranging Credit or Deals in Investments in a way which was undisclosed to the DFSA and which did not comply with the requirements set out in the DFSA Rulebook. Around 40% - 50% of the PWM employees’ emails had involved Advising and/or Arranging and the failure to comply with the DFSA Rulebook extended to approximately 583 PWM clients over the period 1 January 2011 to 30 June 2013.
10. The DFSA’s case against Ms Waterhouse was that she gave false or misleading information to the DFSA on several occasions, with knowledge that it was false or misleading or with recklessness as to whether or not that was the case and she had failed over a substantial period to correct false or misleading information provided by herself or others, and in consequence she had: (i) failed to act with integrity, contrary to GEN Rule 4.4.1, Principle 1, Integrity; (ii) failed to exercise due care and skill, contrary to GEN Rule 4.4.2, Principle 2; (iii) failed to deal with the DFSA in an open and co-operative way and failed to disclose appropriate information, contrary to GEN Rule 4.4.4, Principle 4, Relations with the DFSA; and (iv) had contravened Article 66 of the Regulatory Law which prohibits provision of  information which is false, misleading or deceptive to the DFSA.
11. On 23 July 2017, Ms Waterhouse referred the DFSA Decision Notice to the Financial Markets
Tribunal
(the “
FMT
”), a body established under the DIFC Regulatory Law that hears and determines references to review decisions of the DFSA. When conducting such references, the FMT conducts a de novo full merits review of the DFSA decision and can take into account any relevant new evidence that comes to light after the DFSA's original decision. In the ensuing FMT proceedings, Ms Waterhouse denied the factual allegations made against her and advanced the defence that the DFSA investigation was an abuse of process.
12. The FMT’s decision was issued on 12 August 2019. It dismissed the abuse of process defence and found that Ms Waterhouse had failed to be frank and candid with the regulator about serious regulatory issues and was therefore in breach of GEN Rules 4.4.1, 4.4.2 and 4.4.4 as alleged by the DFSA. There was no finding of dishonesty against Ms Waterhouse, rather one of recklessness. Publication of the decision was restrained by an order of this Court until 12 December 2019 which came after the hearing of the instant proceedings. A number of the details that are given in this paragraph and paragraphs 9 to 11 above are derived from the FMT’s decision.
13. By a letter dated 2 August 2017, Ms Waterhouse served the SAR under Article 17 DPL on the DFSA.  Article 17 confers on a “Data Subject” the right, inter alia, to obtain from a “Data Controller” upon request: (a) confirmation whether or not “Personal Data” relating to him or her is being Processed and information at least as to the purposes of the Processing, the categories of Personal Data concerned, and the “Recipients” or categories of Recipients to whom the Personal Data are disclosed; (b) communication in an intelligible form of the Personal Data undergoing Processing and of any available information as to its source; and (c) as appropriate, the rectification, erasure or blocking of Personal Data the Processing of which does not comply with the provisions of the Law.
14. It is common ground that Ms Waterhouse was a Data Subject and the DFSA was a Data Controller.
15. In her letter of 2 August 2017, Ms Waterhouse requested in respect of the period 1 October 2011 to the “
present date
”:
(a) Emails, reports, notes of meetings, letters or other documents that referred to her by my name in the content of subject heading which: (i) passed between employees of the DFSA (internal communications); or (ii) passed between the DFSA and any third parties (whether sent or received); or (iii) passed between the DFSA and witnesses interviewed by the DFSA in the course of their investigation into her concerning her role at Deutsche Bank.
(b) Emails, reports, notes of meetings, letters or other documents from which she can be readily identified, but which did not expressly refer to her by name in respect of each category of data set out at (i) – (iii) above.
She also stated that any deleted items should be restored and provided to her and requested that once personal data within the scope of the request had been identified she be provided with a hard or electronic copy of the information constituting personal data and (1) a description of the data; (2) an explanation of the purpose for which the data was processed; (3) identification of the source or sources of the data; and (4) identification of to whom the data had been sent or may be disclosed.
16. By letter dated 10 August 2017, the DFSA declined to provide the personal data sought by Ms Waterhouse1 citing Article 39 (2) DPL which disapplies Articles 11-13 and 17 if the application of those Articles would be likely to prejudice the proper discharge by the entities therein mentioned, including the DFSA, of their powers and functions under any laws they administer. In declining to provide the personal data sought by Ms Waterhouse the DFSA stated that her request for disclosure of information directly concerned the exercise by the DFSA of its powers in relation to her conduct during her former role as Compliance Officer, Money Laundering Reporting Officer and Senior Manager of Deutsche Bank in the DIFC. Accordingly, if the DFSA was to provide the information requested this would prejudice the proper discharge of its regulatory powers and functions.
17. Due to a problem with the email address
DFSAdataprotection@dfsa.ae
, Ms Waterhouse only received the DFSA’s letter of 10 August 2017 on 24 September 2017.
18. On 14 November 2017, Ms Waterhouse lodged a complaint with the Commissioner citing the rejection of the SAR by the DFSA. As stated in paragraph 1 above, the Commissioner’s decision that the DFSA had contravened Article 17 DPL by refusing to comply with Ms Waterhouse’s SAR was issued on 20 June 2018.
19. It is common ground that the DFSA’s appeal to this Court against the Commissioner’s decision is in the nature of a de novo hearing. It is therefore unnecessary to rehearse the Commissioner’s reasons for his decision beyond the summary that follows below.
20. At the time the Commissioner’s decision was issued on 20 June 2018, the FMT proceedings were well under way, there having by then been a CMC on 8 January 2018 and three days of hearings in the period 28 – 30 April 2018.  The Commissioner held that the DFSA had failed to establish it would suffer real and substantial prejudice within Article 39(2) if it had to comply with the SAR. The prejudice relied on – diversion of time away from enforcement duties; the potential for creating the impression that the DFSA could be tied up with duties under the DPL and discouraging third parties to give full and frank disclosure -- did not amount to real or actual prejudice because: (a) no details of prejudice were provided when the DFSA responded to the SAR; (b) the appearance was given that the DFSA prioritised its duties under the Regulatory Law over those it had under the DPL; and (c) discouragement of full and frank disclosure was not a problem because confidential information from third parties could be redacted. The DFSA had wrongly assumed that for the public good it should not be bogged down with the tedious details of dealing with SARs when it was trying to protect the public from wrongdoers. The specific interest inherent in Article 17 to serve a SAR outweighed the public interest relied on by the DFSA. With regard to the issue of proportionality that arose from the words “without excessive delay or expense” in Article 17, the cost, time and effort for the DFSA to disseminate the data requested was not a sufficient reason to do no search at all. Proportionality was only relevant to how far the search should go to provide relevant information. If there were any possibility (as was the case here) that the DFSA came to enforcement decisions during the DMC process based on misleading, partial or inaccurate data that may not have been brought to light by disclosure in the DMC or FMT proceedings, the requirement to respond properly to the SAR overrides the time, cost and effort that may be required on the part of the DFSA. This is because Ms Waterhouse faced serious lifelong and professional consequences as a consequence of negative enforcement findings against her. The DFSA should have designed its systems to search and produce information requested by data subjects. Further and in any event, the DFSA not having raised the question of proportionality when it responded to the SAR, it could not raise this issue now retrospectively.
21. The Commissioner directed that the DFSA did not have to disclose information disclosed in the DMC and FMT proceedings or deleted emails or search the physical hard drives of the devices of employees or deal with potential future disclosure to recipients or categories of recipients.
22. In regard to the DFSA’s contention that the information it held in Lever Arch Files did not constitute “Personal Data” because it was not held in a “Relevant
Filing
System,” the Commissioner held that if the DFSA wished to persist with this contention it should do so when responding to the SAR and in this regard should have regard to the ICO Guidance on what constitutes a relevant filing system and Recital 26 of the European Directive 95/46.
23. On 4 July 2018, the DFSA applied to the Commissioner under Article 33 (6) of the DPL, requesting him to review the direction he made in his decision and to review the 300 odd lever arch files of documents assembled during the DFSA’s investigation which included DB and certain individuals including Ms Waterhouse to form a view whether they constituted a “relevant filing system”.
24. On 8 October 2018, the Commissioner issued his decision on the DFSA’s review application declining to conduct the requested review. In the Commissioner’s opinion, the grounds for review were more suited for an appeal or judicial review proceedings and he noted the grounds for review advanced by the DFSA “had also been largely replicated in [the DFSA’s] Grounds of Appeal.”
The legal framework
25. The DPL was closely modelled on the UK Data Protection Act 1998 (the “DPA”) which was enacted to give effect to the European Directive 95/46 (“the European Directive”). The definitions of particular terms are set out in Schedule 1 of the DPL. The DPA was amended by ss. 69 – 72 and Schedule 6 of the UK Freedom of Information Act 2000, these provisions coming into force on 1 January 2015.
26. The DPA was replaced by the UK Data Protection Act 2018 which gave effect to the European General Data Protection Regulation.
27. The provisions contained in the DPL that are of particular relevance to these proceedings are:
(a) Article 8 (obligation on data controllers2 to process personal data3 “in accordance with the Data Subject’s Rights”);
(b) Article 17 (right of data subject to request access to personal data held by a data controller);
(c) Articles 22 and 26 (the establishment of the office of Data Commissioner and the Commissioner’s powers, functions and objectives);
(d) Article 33(1) (power of the Commissioner to issue a direction to a data controller who has contravened the DPL by refusing to comply with a SAR in breach of Article 17);
(e) Article 34 (right of a data subject to complain to the Controller of a contravention of the DPL);
(f) Article 37 (right of a data controller who is found to contravene the DPL or a direction of the Commissioner to appeal to the DIFC Court);
(g) Article 39(2) (disapplication of Articles 11, 12, 13, 14 and 17 to the DFSA and other DIFC bodies).
28. It is necessary to set out Articles 17 and 39 (1) and (2) verbatim.
Article 17
Right to Access to and Rectification, Erasure or Blocking of Personal Data
A Data Subject has the right to obtain from the Data Controller upon request, at reasonable intervals and without excessive delay or expense:
(a) confirmation in writing as to whether or not Personal Data relating to him is being Processed and information at least as to the purposes of the Processing, the categories of Personal Data concerned, and the Recipients or categories of Recipients to whom the Personal Data are disclosed;
(b) communication to him in an intelligible form of the Personal Data undergoing Processing and of any available information as to its source; and
(c) as appropriate, the rectification, erasure or blocking of Personal Data the Processing of which does not comply with the provisions of the Law.
Article 39
General Exemptions
(1) The
DIFCA
Board of Directors may make Regulations exempting Data Controllers from compliance with this Law or any parts of this Law.
(2)  Without limiting the generality of Article 39(1), Articles 11,12,13,14 and 17 and 18 shall not apply to the DFSA, DIFCA and the
Registrar
if the application of these Articles would be likely to prejudice the proper discharge by those entities of their powers and functions under any laws administered by the DFSA, DIFCA and the Registrar, including any delegated powers and functions insofar as such powers and functions are designed for protecting members of the public against:
(a) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other banking and financial activities and services, including insurance and reinsurance services, financial markets and financial and monetary brokerage services; or
(b) dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services.
29. The sections in the unamended DPA that are of particular relevance are section 7 (1), (2), (8) and (9) and section 8 (2):
7(1) Subject to the following provisions of this section and to sections 8 and 9, an individual is entitled—
(a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,
(b) if that is the case, to be given by the data controller a description of—
(i) the personal data of which that individual is the data subject,
(ii) the purposes for which they are being or are to be processed, and
(iii) the recipients or classes of recipients to whom they are or may be disclosed,
(c) to have communicated to him in an intelligible form—
(i) the information constituting any personal data of which that individual is the data subject, and
(ii) any information available to the data controller as to the source of those data, and
(d) …
(2) A data controller is not obliged to supply any information under subsection (1) unless he has received—
(a) a request in writing, and
(b) except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require.
(3) – (7) …
(8) Subject to subsection (4), a data controller shall comply with a request under the foregoing provisions of this section promptly and in any event before the end of the prescribed period beginning with the relevant day.
(9) If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.
8 (2) The obligation imposed by section 7(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless—
(a) the supply of such a copy is not possible or would involve disproportionate effort, or
(b) the data subject agrees otherwise;
and where any of the information referred to in section 7(1)(c)(i) is expressed in terms which are not intelligible without explanation the copy must be accompanied by an explanation of those terms.
The relevant authorities
30. It was common ground that decisions of the courts of England and Wales on comparable provisions in the DPA to those in the DPL were of persuasive assistance in these proceedings but not binding authority. The following are the principal authorities relied on by the parties.
R (On the Application of Alan Lord) v The Secretary of State for the Home Department [2003] EWHC 2073 (Admin).
31. Here, a Category A prisoner (being the claimant) applied to the English High Court under section 7(9) of the DPA for an order that the Home Secretary be directed to provide him with copies of six Category A reports addressing the question whether he should be moved to a lower category of prisoner. The application was made in response to the Home Secretary having refused the claimant’s request under s.7(1) of the DPA to be supplied with these documents.
32. To the extent relevant to these proceedings, the wording of s. 7(1) of the DPA and the wording of Article 17 of the DPL are in substantially similar terms.
33. The key question to be decided4 on the s.7 (9) application was whether s. 7(1) was exempted from application under s. 29(1)5 of the DPA which provided in material part:
Personal data processed for any of the following purposes –
(a) the prevention or detection of crime;
(b) the apprehension or prosecution of offenders, or
(c ) …
are exempt from … section 7 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.
34. In paragraph 83 of the judgment, Munby J (the judge) referred to the following passage at [96] in the judgment of Lord Phillips MR in
Campbell v MGN Ltd [2002] EWCA Civ 1373 at [96]
where the Court of Appeal of England and Wales (“EWCA”)  held that, where a data controller is responsible for the publication of hard copies that reproduce data that has previously been processed by means of equipment operating automatically, the publication forms part of the processing and fell within the scope of the DPA.
In interpreting the Act it is appropriate to look to the Directive for assistance. The Act should, if possible, be interpreted in a manner that is consistent with the Directive. Furthermore, because the Act has, in large measure, adopted the wording of the Directive, it is not appropriate to look for the precision in the use of language that is usually to be expected from the parliamentary draftsman. A purposive approach to making sense of the provisions is called for.
35. The judge held in [94] that the words “in any case” in s. 29(1) DPA are to be read as meaning “in any particular case” so that it was for the data controller to show that one of the statutory objectives is likely to be prejudiced in the particular case. (These words do not appear in s. 39(2) DPL.)
36. Turning to the phrase “is likely to be” in s. 29(1) DPA, the judge held at [100] that “likely” connotes a degree of probability where there is a very significant and weighty chance of prejudice to the identified public interests. The degree of risk must be such that there "may very well" be prejudice to those interests, even if the risk falls short of being more probable than not.
37. In [122], the judge made it clear that s. 29 (1) DPA requires that the issue of whether disclosure is likely to prejudice the prevention of crime has to be determined in relation to the particular and individual case in which disclosure is being sought, but he went on to say that this does not mean that one can simply ignore the consequential effect that disclosure in the particular case may have on others.
38. Fairly characterised, the Home Secretary’s case was that the policy of non-disclosure of Category A reports is necessary in every case because anything less would be likely to prejudice the detection and prevention of crime [106]. The Home Secretary had not sought to make good his case by reference to anything peculiar to or specifically referable to the claimant: his claim was based on the asserted need, in order not to prejudice the legitimate section 29(1) DPA objectives, to impose a general policy confining disclosure in effect to what is contained in “gists” prepared in accordance with
ex p Duggan
[1994] 3 All ER 277 and
ex p McAvoy
[1998] 1WLR 790. For the reasons submitted by counsel for the claimant, the case advanced on behalf of the Home Secretary that disclosure of Category A reports risked: (i) attacks on the prison staff who produced the reports; (ii) a lack of frankness in reports; and (iii) prejudice to the efficacy of the Category A review system, was unsustainable [125].  Those reasons were as follows.
39. Category A prisoners were not a homogenous group and it was only in respect of one sub–class of the category that disclosure might impact adversely on the detection or prevention of crime: those Category A prisoners whose dangerousness was liable to manifest itself in attacks on, threats to or intimidation of staff. As to this, a targeted form of non–disclosure would properly protect report writers from the risks presented by the sub–class who do pose a threat and equally protect the integrity of the Category A review system. The procedure for parole reviews provided for full disclosure as the general rule, subject to specific, targeted non-disclosure and the same approach should be adopted in the case Category A reviews. In particular cases, information could be withheld such as information relating to security, surveillance and monitory techniques and prisoners would know that such information would not be disclosed.
40. The judge emphasised that he was not saying every Category A prisoner would in every case be entitled to see the full contents of his Category A reports. There would be cases in which the Secretary of State would be able to rely upon section 29 (1) as justifying less than complete disclosure. All the judge was saying was that the Home Secretary’s present policy of blanket non–disclosure could not be justified under section 29 (1) DPA. What section 29 (1) DPA required was a more selective and targeted approach to non–disclosure, based on the circumstances of the particular case [126].
41. The judge then considered the effect of s. 7(4)(a) and (b) and s. 7(5) DPA. Under these provisions (they have no counterpart in the DPL), unless it was “reasonable in all the circumstances” for the Home Secretary to comply with the claimant’s request without the consent of the prison officers and other persons who had made Category A reports, his obligation was to communicate so much of the information sought as can be communicated without disclosing the identity of the other individuals concerned, whether by the omission of names or other identifying particulars or otherwise.
42. In the judge’s view there had to be a balancing of the interests of prisoners that concerned their liberty and the privacy interests of individuals who could be identified from the information sought under s. 7(1) (including the expectation that such individuals might have of confidentiality) and the balance could be held by a system of targeted disclosure [147-148].
Durant v Financial Services Authority [2003] EWCA Civ 1746
43. The data subject in this case (the claimant) sought disclosure from the FSA which at his request had investigated his complaint against Barclays Bank in the FSA’s supervisory role. The claimant had sued Barclays and lost and sought disclosure of information in the belief that it would help re-open his claims against Barclays. The FSA closed its investigation without informing the claimant of the outcome, as it was entitled to do. In response to the claimant’s s. 7(1) DPA request, the FSA disclosed copies of documents held in computerised form but it refused to disclose information held on manual files on the ground that it was neither “personal” nor “data” in the sense of forming part of a “relevant filing system”. This information consisted of the claimant’s letters of complaint to the FSA and the investigation of that complaint. The claimant applied to a District
Judge
under s.7(9) DPA whose refusal to order the disclosure sought was appealed to a County Court Judge whose dismissal of the appeal was appealed to the
EWCA
.
44. The lead judgment of the EWCA was given by Auld LJ who said in [26] that the intention of the Directive is to enable an individual to obtain his personal data, that is, information about himself, from a data controller’s filing system.
45. At [27]-[31], Auld LJ said:
[27] In conformity with the 1981 Convention and the Directive, the purpose of section 7, in entitling an individual to have access to information in the form of his "personal data" is to enable him to check whether the data controller's processing of it unlawfully infringes his privacy and, if so, to take such steps as the Act provides, for example in sections 10 to 14, to protect it. It is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved. Nor is [it] to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties. As a matter of practicality and given the focus of the Act on ready accessibility of the information - whether from a computerised or comparably sophisticated non-computerised system - it is likely in most cases that only information that names or directly refers to him will qualify…
[28] It follows from what I have said that not all information retrieved from a computer search against an individual's name or unique identifier is personal data within the Act. Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree … In short, [personal data] is information that affects his privacy, whether in his personal or family life, business or professional capacity …
[29] This narrow meaning of personal data derives, not only from its provenance and form of reproduction in section 1(1), but also from the way in which it is applied in section 7. That section, picking up the definition of "data subject" in section 1(1), sets out the basic entitlement of an individual to access to personal data "of which …[he] is the data subject"…
[30] Looking at the facts of this case, I do not consider that the information of which Mr. Durant seeks further disclosure - whether about his complaint to the FSA about the conduct of Barclays Bank or about the FSA's own conduct in investigating that complaint – is "personal data" within the meaning of the Act. Just because the FSA's investigation of the matter emanated from a complaint by him does not, it seems to me, render information obtained or generated by that investigation, without more, his personal data. For the same reason, either on the issue as to whether a document contains "personal data" or as to whether it is part of a "relevant filing system", the mere fact that a document is retrievable by reference to his name does not entitle him to a copy of it under the Act…
[31] In short, Mr. Durant does not get to first base in his claim against the FSA because most of the further information he sought, whether in computerised form or in manual files, is not his "personal data" within the definition in section 1(1). It is information about his complaints and the objects of them, Barclays Bank and the FSA respectively. His claim is a misguided attempt to use the machinery of the Act as a proxy for third party discovery with a view to litigation or further investigation, an exercise, moreover, seemingly unrestricted by considerations of relevance…