Exam scripts are personal data, says the AG, when the purpose it is to identify and record the performance of a particular individual; but that doesn’t mean you can go back and change your answers!
On 20 July 2017, the EU Court of Justice’s Advocate General (AG) Kokott delivered her opinion in Peter Nowak v Data Protection Commissioner, Case C-434/16. The main issue in this case is whether a handwritten examination script is the candidate’s personal data within the meaning of Article 2(a) of the Data Protection Directive.
Briefly, the facts. Mr Nowak, the candidate in a 2009 exam he failed as a trainee to the Institute of Chartered Accountants Ireland (CAI), seeks access to his examination script on the basis of a data subject right’s right of access to information about his/her personal data, as laid down in Article 12 of the Data Protection Directive as implemented in the Irish Data Protection Act 1988 (DPA). Access would enable him to challenge the result. After the CAI refused his 2010 subject access request, Nowak made a complaint to the Irish Data Protection Commission (DPC). Both bodies concluded that exam scripts are not personal data. The DPC stated that the exam script in question merely contained answers to accountancy questions written during an open book exam. Moreover, the DPC held that Nowak’s complaint was “frivolous and vexatious” indicating that, after having reviewed the information, no substantive contravention of the data protection legislation had been identified.
It was this refusal to investigate that was appealed to the Irish courts by Nowak, arguing that his exam script does amount to personal data as it contains comments and marks of the examiner and, indeed, his biometric data in the form of his handwriting. Furthermore, he claimed that if data protection law treats his exam results as personal data, then it follows that the “raw material” from which the exam results are derived (e.g. the examiner’s comments) is also personal data. [To note, the script was assumed to be part of a ‘filing system’ despite it not being saved as part of an electronic one because it was accessible according to specific criteria, such as being ordered alphabetically].
The Irish Supreme Court decided to refer two questions of law to the CJEU: ‘(1) Is information recorded in/as answers given by a candidate during a professional examination capable of being personal data within the meaning of Data Protection Directive? (2) If the answer to Question 1 is that all or some of such information may be personal data within the meaning of the Directive, what factors are relevant in determining whether in any given case such script is personal data, and what weight should be given to such factors?’
In short, the AG opines that a handwritten exam script, including any of the examiner’s corrections, that is capable of being ascribed to an examination candidate constitutes personal data – at least in the circumstances of this case (the context-dependent analysis by the AG is important here).
The AG starts by noting the very wide scope of the Directive and its varied personal data coverage, as implemented in the Irish DPA (personal data is defined here in a similar way to section 1(1) of the UK DPA as: “[D]ata relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller”).
A more specific analysis then follows. In respect of Nowak’s argument that the exam script contains his biometric data in the form of handwriting, and thus is personal data as providing indications of the identity of the script’s author, interestingly the AG is quick to dismiss this argument. She states (para.30): “The question whether such a handwriting sample is a suitable means of identifying the writer beyond doubt is of no importance for its classification as personal data. Many other items of personal data are equally incapable, in isolation, of allowing the identification of individuals beyond doubt. For that reason, neither is it necessary to determine whether the handwriting should be regarded as biometrical information” (my emphasis). In other words, in isolation (outside a context), handwriting doesn’t tell us anything. Yet surely the definition of personal data under the Directive and the DPA includes other information (e.g. by which someone’s handwriting might be linked to them in particular) to be taken into account. Is the AG too quick in her dismissal here?
So what is the context that the AG considers most relevant for what she terms “the classification” of a script as personal data? It is worth repeating the relevant part of the opinion in full here (para 19ff, my emphasis):
“The present Irish Data Protection Commissioner takes the view that an examination script, in particular when the use of one’s own reference material is allowed, does not constitute personal data. That view may be correct, in general, when an assessment is made, in isolation, of the solution to examination exercises. Since examination exercises are normally formulated in abstract terms or relate to hypothetical situations, answers to them are not liable to contain any information relating to an identified or identifiable individual. Although the questions raised by the Supreme Court actually appear to address only the solution, i.e. ‘information recorded … by a candidate’, it would not be sensible to end the analysis there. That is because… an examination script contains not only information about the solution to certain exercises but links that solution to the individual examination candidate who produces the script. The script is a documentary record that that individual has taken part in a given examination and how he performed. … Whether a script consists of one’s own composed answers or the selection of specified answers in a multiple choice procedure is of as little importance for the classification of an examination script as incorporating personal data as the possibility in the present case of being able to use certain material (an ‘open book examination’). It is true that the extent of the link between an examination candidate and his performance in an examination increases according to the extent to which he has to formulate the answers himself. That is because the formulation of one’s own solution is not confined merely to reproducing information that has been learned but also shows how the examination candidate thinks and works. However, in every case, the aim of an examination — as opposed, for example, to a representative survey — is not to obtain information that is independent of an individual. Rather, it is intended to identify and record the performance of a particular individual, i.e. the examination candidate.”
Woven into this analysis, and subsequent paragraphs, are valuable insights into how the AG determines the concept of identification (in that data must identify or be identifiable of a person to which it relates in order to be deemed personal data legally).
- First, the AG confirms what we already know that the fact that a script does not bear an exam candidate’s name, but instead contains an identification number or bar code, is sufficient for the existence of personal data to be found from which the data subject may be considered indirectly identifiable. This is despite the fact that, as the AG later points out, importance is placed on examiners not finding out the ‘real-word’ identity of the candidates, in order to exclude conflicts of interest or bias.
- Second, the AG uses a novel argument about what people do (with respect to their exam results) in order to justify a finding that evidence of exam performance is personal data. See the comment, “The personal connection to that performance is …shown in the fact that examination candidates often include their most important examination results in their CVs”.
- Third, the AG extends this type of justification further by commenting that, “this is the correct conclusion is also shown, moreover, in the fact that an examination candidate has a legitimate interest, based on the protection of his private life, in being able to object to the processing outside the examination procedure of the examination script ascribed to him. An examination candidate does not have to accept that his script can be disclosed to third parties or published without his permission”. Interestingly here, a comparison can be made with definitions of privacy (such as the one found in the UK Lindrop Report on Data Protection 1978) linked to the interest of a data subject to determine for himself/herself what data relating to him/she should be known to what other persons, and upon what terms as to the use which those persons may make of those data. The AG is alluding to the fundamental objective of data protection law in protecting the rights and freedoms of individuals, specifically their right to privacy.
More teleological interpretation of the concept of personal data follows when the AG comes to discussing the purpose of the right to data access in general terms. The AG refers to Recital 41 of the Directive explaining the purpose of the right of access (“any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing”) and comments that the purpose of this right so defined does not preclude the classification of an exam script as personal data. In other words, the AG is addressing the argument that, if a right to access is allowed on the facts of this case, the exam candidate could seek the correction of incorrect exam answers pursuant to their right to rectification post-access. The AG states (para. 32ff):
“First, it must be remembered that the issue of right of access is only secondary in this case, where the main issue is in fact the interpretation of the concept of ‘personal data’. As the Commission rightly pointed out at the hearing, a number of additional requirements of the Data Protection Directive are linked to this concept… the classification of information as personal data cannot be dependent on whether there are specific provisions about access to this information which might apply in addition to the right of access or instead of it. Further, neither can problems connected with the right of rectification be decisive in determining whether there exists personal data. If those factors were regarded as determinative, certain personal data could be excluded from the entire protective system of the Data Protection Directive, even though the rules applicable in their place do not ensure equivalent protection but fragmentary protection at best.”
The AG also contradicts the arguments of the DPC on another point. She opines that the personal data incorporated in an examination script is not confined to the exam result, the mark achieved or even points scored for certain parts of an examination (which merely summarises the examination performance), but also potentially extends to any examiner corrections on the script (which, incidentally, could also potentially contain personal data of the examiner themselves). This is because “the purpose of comments is the evaluation of the examination performance and thus they relate indirectly to the examination candidate” and (later) “[p]recisely because of that close link between the examination script and any corrections made on it, the latter also are personal data of the examination candidate”. Notably, however, the AG also feels the need to fall back on a secondary identification-related argument that has nothing to do with purpose: “The organisation holding the examination is also able to identify the candidate without difficulty and link him with the corrections once it receives the marked script back from the examiner”. Might not the same argument have been used in relation to Nowak’s handwriting?
Returning again to a teleological line of reasoning, however, again her analysis extends beyond this point. She further explains that “the primary purpose” of a right of access to examiner corrections “would be to inform the examination candidate about the evaluation of particular sections of his script”. Comparisons are drawn here with the CJEU’s ruling in an earlier case (the YS decision) where the Court held that a draft legal analysis related to an asylum application was not personal data under the Directive and, therefore, a right of access to such document was not established. In that case, the CJEU found that although the analysis may contain personal data, it does not in itself constitute such data (being “information about the assessment and application by the competent authority of that law to the applicant’s situation”). [Of note, the DPC relied on previous analysis in the opinion by CJEU AG Eleanor Sharpston in this YS case, where she stated that, “Only information relating to facts about an individual can be personal data. Except for the fact that it exists, a legal analysis is not such a fact. Thus, for example, a person’s address is personal data but an analysis of his domicile for legal purposes is not.”]. The CJEU judgement went further, however, in justification, arguing that extending the right of access to the legal analysis would not serve the Directive’s purpose of guaranteeing the protection of the applicant’s right to privacy with regard to the processing of data relating to them. It would only guarantee a right of access to administrative documents, which is not covered by the Directive.
Going back to the opinion under discussion, AG’s Kokott recognises the latter argument but she also comments that, “[t]he possibility of circumventing the examination complaint procedure is not, by contrast, a reason for excluding the application of data protection legislation. The fact that there may, at the same time, be additional legislation governing access to certain information is not capable of superseding data protection legislation. At most it would be admissible for the individuals concerned to be directed to the simultaneously existing rights of information, provided that these could be effectively claimed”.
The reason for this difference in approach between the two cases is explained by the AG under a heading ‘Rectification of data’ (and, in particular, para. 36ff):
“rectification would be conceivable if it were the case that the script inaccurately or incompletely recorded the examination performance of the data subject. For example, such a situation would arise if … the script of another examination candidate had been ascribed to the data subject, which could be shown by means of, inter alia, the handwriting, or if parts of the script had been lost. Furthermore, the possibility cannot be excluded that an examination candidate may have a legitimate interest at a later date in having personal data incorporated in the script erased under Article 12(b) of the Data Protection Directive, i.e. in having the script destroyed. Such an interest might be assumed at the latest when the script has lost any probative value in terms of checking the examination result because the relevant time limits have expired. This right of erasure again presupposes recognition of the incorporation of personal data in the script”.
Ultimately, however, the AG argues that the aims of the right of access cannot be limited to aims related to rectification, erasure, or blocking. Its purpose goes further. This is because data subjects generally have a legitimate interest in finding out what information about them is processed by the controller, and over the passing of time, in knowing whether their script is being retained. The AG says that, “[t]hat right, too, presupposes that the incorporation of the examination candidate’s personal data in the script is recognised”.
In conclusion, using the AG’s arguments, wouldn’t the YS decision have been concluded differently? Couldn’t it be argued that the asylum seeker also had a legitimate interest in finding out what information about them was being processed by the controller? More broadly, does this new opinion mark a potential shift by the Courts towards a more teleological rationale for when personal data is found in lieu of a purely ‘identificatory’ analysis and/or one focused on the literal interpretation of the phrase (any data) “relating to” (a living individual)?
We await more clarification once the CJEU’s final ruling is due later this year. One thing is clear. This case will be an important determinative factor for the scope of the definition of personal data, which to date has been given a very broad interpretation, in particular in the opinion of the Article 29 Working Party. To leave the final word to the AG herself:
“Although the Data Protection Directive will shortly be repealed by the General Data Protection Regulation, which is not yet applicable, the latter will not affect the concept of personal data. Therefore, this request for a preliminary ruling is also of importance for the future application of the EU’s data protection legislation.”
I couldn’t have said it better myself!