Mr Nowak was a trainee accountant who passed first level accountancy examinations and three second level examinations set by the Institute of Chartered Accountants of Ireland (‘the CAI’). However, Mr Nowak failed the Strategic Finance and Management Accounting examination, which allowed candidates to make use of documents (an open book examination).

After he had failed that examination for the fourth time, in the autumn of 2009, Mr Nowak submitted a challenge to the result of that examination. After that challenge was rejected in March 2010, he submitted, in May 2010, a data access request, under Section 4 of the data protection legislation, seeking all the personal data relating to him held by the CAI. By letter of 1 June 2010, the CAI sent 17 documents to Mr Nowak, but refused to send to him his examination script, on the ground that it did not contain personal data, within the meaning of the data protection legislation.

Mr Nowak then contacted the Data Protection Commissioner with a view to challenging the reason given for the refusal to disclose his examination script. In June 2010 the Data Protection Commissioner replied to him by email to state, inter alia, that ‘exam scripts do not generally fall to be considered [for data protection purposes] … because this material would not generally constitute personal data’.

That reply from the Data Protection Commissioner was followed by correspondence between Mr Nowak and the Commissioner which culminated, on 1 July 2010, in Mr Nowak submitting a formal complaint. By letter of 21 July 2010, the Data Protection Commissioner informed Mr Nowak that, after consideration of the case, he had identified no substantive contravention of [the data protection legislation] and that, in accordance with Section 10(1) (b)(i) of that legislation, which covers frivolous or vexatious complaints, there would be no investigation of the complaint. The letter stated, further, that the material over which Mr Nowak sought to exercise ‘a right of correction is not personal data to which Section 6 of the [data protection legislation] applies’.
Mr Nowak brought an action against that decision before the Circuit Court. That court held that the action was inadmissible on the ground that, since the Data Protection Commissioner had not initiated an investigation of a complaint, there was no decision against which legal proceedings could be brought. In the alternative, that court held that the action was unfounded, since the examination script did not constitute personal data.
Mr Nowak brought an appeal against the judgment of that court before the High Court, which upheld the decision. The judgment of the High Court was, in turn, upheld by the Court of Appeal. The Supreme Court, which allowed an appeal against the judgment of the Court of Appeal, held that the action brought by Mr Nowak against the decision of the Data Protection Commissioner was admissible. However, the Supreme Court is uncertain whether an examination script can constitute personal data, within the meaning of Directive 95/46, and therefore decided to stay the proceedings and to refer to the Court of Justice of the European Union (CJEU) a number of questions for a preliminary ruling.

Consideration by CJEU

It is not disputed that a candidate at a professional examination is a natural person who can be identified, either directly, through his name, or indirectly, through an identification number, these being placed either on the examination script itself or on its cover sheet. Contrary to what the Data Protection Commissioner appears to argue, it is of no relevance, in that context, whether the examiner can or cannot identify the candidate at the time when he/she is correcting and marking the examination script.

For information to be treated as ‘personal data’ within the meaning of Article 2(a) of Directive 95/46, there is no requirement that all the information enabling the identification of the data subject must be in the hands of one person. It is also undisputed that, in the event that the examiner does not know the identity of the candidate when he/she is marking the answers submitted by that candidate in an examination, the body that set the examination, in this case the CAI, does, however, have available to it the information needed to enable it easily and infallibly to identify that candidate through his identification number, placed on the examination script or its cover sheet, and thereby to ascribe the answers to that candidate.

Accordingly, if information relating to a candidate, contained in his or her answers submitted at a professional examination and in the comments made by the examiner with respect to those answers, were not to be classified as ‘personal data’, that would have the effect of entirely excluding that information from the obligation to comply not only with the principles and safeguards that must be observed in the area of personal data protection, and, in particular, the principles relating to the quality of such data and the criteria for making data processing legitimate, established in Articles 6 and 7 of Directive 95/46, but also with the rights of access, rectification and objection of the data subject, provided for in Articles 12 and 14 of that directive, and with the supervision exercised by the supervisory authority under Article 28 of that directive.
The CJEU held that: Article 2(a) of Directive 95/46/EC must be interpreted as meaning that, in circumstances such as those of the main proceedings, the written answers submitted by a candidate at a professional examination and any comments made by an examiner with respect to those answers constitute personal data, within the meaning of that provision.

Why is this decision important?

The concept of “personal data” is rarely out of the news these days. The rise of social media and cases such as Schrems v Facebook are testing the boundaries of the collection, storage and use of personal information. The General Data Protection Regulation (GDPR), which becomes enforceable from 25 May 2018, will replace Directive 95/46/EC and enhance protection for individuals in this area. All employers should be taking advice on the impact of GDPR in their organisation.