Data Protection – Is an Exam Script Personal Data?

The recent case of Peter Nowak v The Data Protection Commissioner [2016 IESC 18] asks the interesting question of whether an exam script is personal data for the purposes of the Data Protection Act 1988 (as amended). This question has now been passed to the European Court of Justice for determination.BackgroundThe plaintiff was a trainee accountant who had sat and passed his first level accountancy exams set by the Chartered Institute of Accountants (“CAI”). However, he failed the Strategic Finance and Management Accounting Exam (“SFMA”) examination in the summer and autumn 2008, and again in summer of 2009. He failed again in Autumn 2009. On the 12th of May, 2010, the plaintiff submitted a data access request under s.4 of the Data Protection Acts 1988 and 2003 (“the Acts”) seeking all “personal data” held by the CAI.The CAI released 17 items to the plaintiff by letter of the 1st of June, 2010, but declined to release his examination script on the basis that it had been advised that the script was not personal data within the meaning of the Acts.By an email of the 28th of June, 2010, the Office of the Data Protection Commissioner offered some observations, and advisedMr Nowak that “exam scripts do not generally fall to be considered … because this material would not generally constitute personal data”.On 1st of July, 2010, the plaintiff submitted a formal complaint and on the 21st of July, 2010, the Office of the Data Protection Commissioner wrote to him stating inter alia:“In relation to your complaint of 1 July 2010, I must inform you that the Commissioner has examined all papers on this matter and has not identified any substantive breach of the Data Protection Acts. In accordance with Section 10(1)(b)(i) of the Data Protection Acts, we are not obliged to investigate a complaint where no substantive breach of the Acts remains to be investigated…… We have now examined fully the material that you have supplied and cannot agree that the material to which you are seeking access can be considered to be your personal data within the meaning of the Data Protection Acts as transposed from the EU Directive on data protection. ……. In relation to your complaint of 14 July 2010, I must inform you that the Commissioner has examined all papers on this matter and has not identified any matter arising for investigation under the Data Protection Acts. The material over which you are seeking to exercise a right of correction is not personal data to which Section 6 of the Data Protection Acts applies. In accordance with Section 10(1)(b)(i) of the Data Protection Acts, we are not obliged to investigate a complaint where no breach of the Acts can be identified.”In response the plaintiff commenced an appeal to the Circuit Court under section 26 of the Acts. The Office of the Data Protection Commissioner argued, and the Circuit Court judge accepted, that a special and more limited interpretation was required to be given to the word “decision” as contained in section 26 because of the terms, and structure, of section10 of the Act as amended. Judge Linnane upheld the opinion of the Commissioner that the examination script in the case was not personal data within the meaning of the Data Protection Acts.Appeal to High Court and Court of AppealThe plaintiff appealed the decision of the Circuit Court and Justice Birmingham in the High Court upheld the decision of the Circuit Court judge on all points. The plaintiff appealed the High Court decision and the Court of Appeal (Ryan P., Kelly and Irvine J.J.) delivered a short ex temporec judgment on the 24th April, 2015, in which that Court upheld the decision of the High Court on all points.On 22nd October, 2015, leave to appeal was granted on two grounds which were certified to be of general public importance:“(1) The Court of Appeal erred in law in holding the appellant was not entitled to appeal to the Circuit Court from the determination of the Data Protection Commissioner under s.26 of the Data Projection Acts 1988–2003;(2) The Court of Appeal erred in law in holding that the Data Protection Commissioner was entitled to conclude that the examination script, the subject matter of the complaint, was not personal data within the meaning of the Acts.”The court then considered a number of questions:Does an appeal lie under section 26 of the Acts from a decision of the Data Protection Commissioner that a complaint under s.10(1)(a) was frivolous or vexatious?The court looked at the case of Schrems v. The Data Protection Commissioner (Case C-362/14), 6th October 2015 which concerned an issue which was determined by the Commissioner to be frivolous and vexatious under s.10(1)(b)(i). The reasoning process leading to the conclusion that a complaint considered to be ill founded in law can, or must, be dismissed as frivolous or vexatious is instructive and casts some light on the approach taken to the interpretation of section 26.The court found that a decision that information is not personal data (and even if it is considered thereby, that the complaint is frivolous or vexatious) is a decision which is capable of appeal under section 26 of the Acts, and such a conclusion is, at a minimum, not inconsistent with the requirements of European law.The Court concluded that the Orange standard was the appropriate standard to apply here (i.e.a court can be expected to detect errors of law, and may identify serious errors in reasoning or approach) and held that the Circuit Court was not required to allow a full appeal on the merits, or the narrower appeal permitted in Dunne.Was the Examination Paper “Personal Data” within the meaning of the Acts and/or the Directive?“Personal data” is defined within the Acts as follows:“[D]ata relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.”The Commissioner pointed out that this was an open book exam which contained answers to accountancy questions which would not be expected to contain any personal information relating to the plaintiff or any other exam candidate. Furthermore, the Commissioner noted insomuch as the Acts are designed to give a right of correction to an individual, it is hard to see how such a concept could be applied to an examination script, particularly in its unmarked form.  The Commissioner relied on the analysis of Advocate General Sharpston in her Opinion of 12th December, 2013, in YS v. Minister voor Immigratie, Integratie en Asiel, and Minister voor Immigratie, Integratie en Asiel v M and S (Joint cases C-141/12 and C-372/12).The Commissioner pointed out that it has recently been commented, in Kelleher, Privacy and Data Protection Law in Ireland, 2nd Ed., (Dublin, 2015) at para. 8.51, that “[t]he decision of Birmingham J in Nowak v. Data Protection Commissioner is itself consistent with that of the CJEU in YS”.The Commissioner also stated that there is no precedent for any other data protection body in Europe concluding that an examination script is personal data.The plaintiff argued that the examination paper was personal data and that it contains biometric data in that it is handwritten, and that this can constitute personal data. The Court however did not accept this. The plaintiff also pointed out that the examinations are dealt with in the grounding legislation i.e.section 4(6) of the 1988 Act.The plaintiff argued that it implicitly recognises that an examination result is personal data. He argued that if the result of an examination can be personal data, then the raw material from which that result is derived, i.e. the script, and possibly the marks or comments of an examiner on it, must also be personal data.The plaintiff relied on the equivalent United Kingdom provisions, in particular, the United Kingdom Data Protection Act 1998 which contains, at Article 9 of Schedule 7, a reference to examination scripts and provides:“Personal data consisting of information recorded by candidates during an academic professional or other examination are exempt from section 7.”The plaintiff also relied on recent academic analysis, Rosemary Jay, Data Protection Law and Practice, 3rd Ed., (2007) whereby the author made the following comment on the exemption in respect of examination scripts:“There is no test of prejudice and it appears to be an absolute exemption to subject access. It is difficult to ascertain how this can be justified under the Directive or indeed in common sense terms, given that the personal data would have been provided by the subject directly in the examination. The Commissioner in the Legal Guidance suggests that the exemption does not extend to ‘comments recorded by the examiner in the margins of the script’ which it advises should be given ‘even though they may not appear to the data controller to be of much value without the script itself’. This assumes that the scripts are covered by the Act, however if they fall outside the definition of a ‘relevant filing system’ they may not be cThe court noted that if the result of an examination is capable of being personal data, then it might be argued that the raw material by which that result is arrived at, either itself, or in conjunction with the examiner’s comments, is also personal data.  Accordingly, the Court, as a final court of appeal, applied the test set out in case 238/81 Srl CILFIT and Lanificio di Gavardo SpA v. Ministry of Health [1982] E.C.R. 3415. In that case, the CJEU held, at para. 16:“…the correct application of Community law may be so obvious as to leave no scope for any reasonable doubt as to the manner in which the question raised is to be resolved. Before it comes to the conclusion that such is the case, the national court or tribunal must be convinced that the matter is equally obvious to the courts of the other Member States and to the Court of Justice. Only if those conditions are satisfied, may the national court or tribunal refrain from submitting the question to the Court of Justice and take upon itself the responsibility for resolving it.”ConcusionJudge ‘Donnell concluded that he was not satisifed the key issue was “acte clair” or clear enough and addressed the questions to the European Court of Justice.