For some time, I have been advocating the creation of an explicit and unequivocal link between the Data Protection Act (DPA) and the Human Rights Act (HRA). I now think that this link already exists and that the Information Commissioner (ICO) should take up cases which involve the unlawful use or retention of personal data, where "lawfulness" is assessed in the context of compliance or non-compliance with the obligation to show respect for private and family life (Article 8(1) of the HRA).
The matter is important because “lawful” processing forms part of the text of three Data Protection Principles (1st, 2nd, 7th) and any backing off from the enforcement of “lawful processing” would degrade the protection afforded to all data subjects. Disclosure and data sharing are not included in my list of processing operations which the ICO could assess on Human Rights grounds; this is because I am not certain of the outcome and I explain this uncertainty in a footnote at the end of this blog.
Historically, the ICO has been very reluctant to take on questions of lawful processing and one reason for this derives from Poll Tax and Council Tax days when Local Authorities often asked the ICO whether “it would be lawful to use the Council Tax/Poll Tax database to do XYZ”. The ICO’s answer was more or less along the lines of: “The ICO cannot police all legislation that could impact on a Local Authority; the ICO will only look at this problem when there is a lawful processing issue to resolve and not before”.
Note that the very same argument would go for any Data Controller who asked: “Is it lawful to do ABC with personal data collected under the Humpty Dumpty Act 1926”. To some extent therefore I agree with the ICO’s stance: one cannot expect his office to pass judgments on every single statute ever enacted in advance of any processing of personal data.
Similarly with respect to “breach of contract” or “breach of copyright”, the ICO is reluctant to take action with respect to unlawful processing. If this were to happen, a putative civil contractual or copyright breach would be transformed into a data protection issue merely because personal data are involved.
This explains why the ICO says in his Data Protection Guide: “However, although processing personal data in breach of copyright (for example) will involve unlawful processing, this does not mean that the ICO will pursue allegations of breach of copyright (or any other law) as this would go beyond the remit of the Data Protection Act. Many areas of law are complex, and the ICO is not and cannot be expected to be expert in all of them” (from the section on "What is meant by lawful?").
However, I now think this guidance cannot apply to the Human Rights Act because the law intends the ICO to have a role in protecting the Article 8 right. This is made clear in Directive 95/46/EC which, in Article 1, defines the purpose of the Directive in these words: “In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data”.
Recital 1 adds further clarification in that the Directive is a step towards “...preserving and strengthening peace and liberty and promoting democracy on the basis of the fundamental rights recognized in the constitution and laws of the Member States and in the European Convention for the Protection of Human Rights and Fundamental Freedoms”.
Recital 10 then amplifies what is meant by the “right to privacy”. It states that “... the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms”. Recital 11 then adds that “the right to privacy” in the Directive is intended to “give substance to and amplify those (provisions) contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data”.
I think that the above comprise pretty conclusive evidence that the legislators have linked the DPA and HRA regimes and that the ICO, as the DPA regulator, thus has a role in assessing the lawfulness or unlawfulness of the processing of personal data with respect to Article 8 of the Human Rights Act.
If I am correct, then this implies that some of the excesses of a “surveillance state” could have been challenged, especially in the case of the use or retention of personal data by a public authority. So, for example, with respect to the use of Automated Number Plate Readers (see blog of 4th April), or the retention of DNA personal data - these can or could have been tested by the ICO with respect to "lawful processing".
Note that this does not mean that any action by the ICO will succeed from the data subject’s perspective. All it means is that cases involving Article 8 do not need a wealthy celebrity (e.g. Naomi Campbell), nor do they have to wait until a determined litigant surfaces (e.g. S and Marper re DNA), nor do they involve early and costly court procedures where the individual is pitted against the resources of the state (see blog of 18th November 2009).
Any data subject should be able to ask for an assessment of lawful processing with respect to Article 8, for the ICO to form a view, and, if enforcement follows, for the Tribunal system to look at the facts of the case before it gets into the Court system.
Enforcement of lawful processing allows the ICO to take on the mantle of protecting individual information rights and puts flesh on the bones of his new mission statement that begins with the claim that his office is “Upholding information rights in the public interest...”. If this mission statement is to mean anything, then the ICO should begin to exercise his powers that require a public authority to respect an individual’s right to private life by not excessively using or retaining his personal data.
Footnote re disclosure: any disclosure authorised by law is likely to fall within the “exemption from the Non disclosure provisions” (S.27(3) of the DPA). These provisions explicitly exempt the “lawfulness” of the processing as being a consideration, and this appears to negate the argument posited above. However, the non-disclosure exemption does not exclude the need for a Schedule 2 condition to apply to the disclosure, and, in the absence of data subject consent, such a disclosure has to pass a test of being “necessary”. This “necessity” test reintroduces the concept of “proportionality” in terms of Human Rights so it might not affect the argument posited above. That is why I am not sure what the actual position is - does anyone have a view?