Striking the balance: sensitive personal data and law enforcement
On 19 January 2021, the Court of Appeal handed down an important decision regarding data protection and law enforcement. Bianca Venkata evaluates the judgment.
On 19 January 2021, in The Queen (on the application of M) v The Chief Constable of Sussex Police, Brighton & Hove Business Crime Reduction Partnership EWCA Civ 42, the Court of Appeal handed down a decision regarding Part 3 of the Data Protection Act 2018 (“DPA”), which is concerned with the processing of personal data for law enforcement purposes.
The unanimous judgment, delivered by Lady Justice Andrews, is the first of its kind to examine Part 3 of the DPA. The judgment considers the safeguards for the processing of “sensitive data” for law enforcement purposes under section 42 of the DPA, as well as the first and the sixth data protection principles in Part 3 of the DPA:
- section 35(1) requirement that processing be lawful and fair
- section 40(1) requirement that purposes of processing be specified, explicit and legitimate.
The data protection principles give effect to Article 4(1) of the Law Enforcement Directive 2016/680 (“Directive”).
The case concerned a vulnerable minor (“M”) who had convictions for shoplifting and assault, as well as a history of going missing from her home. The Sussex Police Constabulary (“Police”) shared information regarding M with the Brighton & Hove Business Crime Reduction Partnership (“Partnership”).
M brought judicial review proceedings against the Police for sharing sensitive personal data with the Partnership in breach of the DPA, the General Data Protection Regulation 2016/679 (“GDPR”) and the Directive.
The key issues for the Court of Appeal to consider were:
- whether the information sharing agreement (“Agreement”) between the Police and the Partnership met the safeguards in Part 3 of the DPA and the Directive;
- whether previous email disclosures of information from the Police to the Partnership breached the DPA and the Directive.
The Court’s Decision
At first instance, Mrs Justice Lieven dismissed M’s claim regarding the Agreement but upheld M’s claims that two emails sent from the Police to the Partnership, which disclosed M’s risk of sexual exploitation, breached the DPA and Directive, and awarded M £500 compensation. M appealed in relation to the quantum of damages and the Police cross-appealed regarding the finding that it had breached the DPA and the Directive.
The Court of Appeal unanimously dismissed M’s appeal and upheld the Police’s appeal.
The Court of Appeal judgment succinctly sets out what it describes as the “labyrinthine” law in the field of data protection.
The Court of Appeal said that the Agreement contained important safeguards regarding the sharing of sensitive personal data, such as limitations on images that could be sent, only permitting the processing of offender data from the age of 14 years, and making the processing of children’s data subject to a legitimate interest assessment.
The Court of Appeal rejected M’s argument that there was a special level of protection in relation to processing the data of vulnerable children. The Court noted that whilst the GDPR contained express provisions regarding children’s vulnerability to data misuse, there was no such provision in Part 3 of the DPA or the Directive. Instead, there was just one category of sensitive data.
Nor did the Court of Appeal accept M’s argument that, following a transfer of personal data from the Police to the Partnership, the Police remained a data controller and thus retained responsibility for the transferred data. Rather, once the data was transferred, the Partnership became the data controller.
The Court of Appeal overturned the High Court’s finding that the Police had breached the DPA and the Directive in sending two emails to the Partnership. Section 2 of the DPA states that “sensitive personal data” includes information as to the data subject’s “sex life” and “the commission or alleged commission…of any offence”. The Court of Appeal held that information that M was at risk of sexual exploitation did not constitute personal data regarding “sex life” and so was not sensitive personal data. The Court of Appeal expressly referred to the need to avoid a “chilling effect” whereby charities could be discouraged from reporting risks of sexual exploitation due to the procedural requirements of processing sensitive data.
The judgment should be welcomed as a sensible means of facilitating information sharing between law enforcement bodies. It can be seen as striking the appropriate balance between the public and private interest in safeguarding sensitive information and ensuring effective law enforcement. Bodies who have robust information sharing protocols in place can share information safe in the knowledge that they are not thereby breaching the DPA, Directive or the GDPR. Given the broad similarity in the data protection principles across the DPA, as noted by the Court of Appeal, it is likely that bodies who are not in the law enforcement field can also take comfort from the judgment.
Find Out More
Bianca Venkata has a keen interest in data protection law. She was junior counsel to the Dubai International Financial Centre Information Commissioner in data protection proceedings against the Dubai Financial Service Authority. Bianca regularly advises on data protection issues including in the employment law field.
If you would like to discuss any of the issues covered in this article, please contact Bianca Venkata directly or via her practice management team: Matt Sale (+44 (0)20 7427 4910) or Peter Foad (+44 (0)20 7427 0807).