Yesterday, the Court of Appeal achieved something that the Information Commissioner (ICO) has been trying to do for nearly a decade; to require a review of procedures that allow for the disclosure (or non-disclosure) of criminal convictions that have no relevance to employment.
For example, in the last Annual Report (2016) the previous Commissioner noted his inability to help the data subject:
“We considered a complaint from an individual who had a request for deletion of an arrest record refused. As the record would remain until the individual was 100 years old we considered that the refusal was disproportionate...” (page 24).
All I would say is that if the retention of personal data was deemed to be “disproportionate” then the processing should also be deemed to be in breach of Article 8 right; after all the Fifth Principle is linked to the Article 8 through the test of necessity explicitly found in the Principle (“personal data ..shall not be kept for longer than is necessary for that purpose....”).
However, hitherto, the ICO has a track record of not pursuing this type of enforcement action except in two cases; hopefully, this Court of Appeal will cause a review of this position as it joins four cases, three of which involved a breach of the Article 8 right (i.e. criminal offence personal data should not have been disclosed).
All four cases could have been raised as data protection assessments under the banner of unlawful processing in breach of Article 8, or that the processing of personal data was “unnecessary” for the functions of public authority (i.e. the public authority had no Schedule 2 ground for the processing).
To my mind, the judgement shows the need for the ICO to become the first port of call when personal data are processed and when the data subject claims that such processing constitutes an unlawful interference into private life by a public body. This requirement will become more important in future; for example, when the distinctly “iffy” data sharing powers in the Digital Economy Act 2017 are used by public bodies (see references).
Missing protection
The judgment sets out certain considerations used in Northern Ireland where there is an independent review scheme (with a filtering mechanism) in respect of criminal record disclosures. These considerations deserve wider currency (because they could be considered by employers as well as the police) and include:
“The nature of the position being applied for;
The seriousness of the offence(s);
How long ago the offence(s) occurred;
How many offences are being disclosed and, if more than one, whether or not they arose out of a single court hearing;
When the information would be considered for filtering (i.e. minor crimes are filtered out of disclosure, whereas more serious ones are disclosed); and
The age of the applicant at the time of the offence(s), including, in those cases where the applicant was under the age of 18 years, the need to have the best interests of children as a primary consideration".
The consequences of the absence of such a review in the cases before the Court of Appeal were clearly set out in its judgement; the Court commented:
“… in a number of cases, there is simply no mechanism for undoing the damage done by the inclusion of a conviction or caution. This is irrespective of the triviality of the circumstances, the lapse of time since the events, or the lack of its relevance to the future pursuit of the employment or other activity sought to be undertaken” (para 34).
The offences under consideration
Case 1: P committed two shoplifting offences in 1999 when suffering from undiagnosed schizophrenia. She was also homeless and failed to appear at court (a crime under the Bail Act 1976) and was therefore convicted of two offences. In 2014, some 15 years later, P wanted to be a care assistant and was told that her pattern of offending behaviour (i.e. the two convictions) meant that this was unlikely.
The Court of Appeal determined that “it is not a necessary inference that two convictions do represent a pattern of offending behaviour” and concluded “the convictions (the first theft resulting in a caution) were for theft and failing to answer bail. Although connected because of P's mental health issues, they do not reveal anything like a pattern”. Hence the Court held that the multiple conviction rule was disproportionate in its current automatic form to the interference with P’s life, especially as it did not generate any public safety issue.
Case 2: G aged 13 had had consensual anal intercourse with two boys aged 9 and 10, and was reprimanded in 2006 by the police. In 2011, he worked for an employment agency in a library of a local college and was asked for a detailed enhanced Criminal Record Check because his work involved contact with children. He withdrew from the post as he was informed that personal data describing his serious sexual offences were to be disclosed.
In this case, the Court concluded that “The critical element of this serious offending is G's age at the time; under 14, he was a child”. It added that in his case, “sexual curiosity and experimentation” should not have been equated to sexual exploitation. However, the judgment added that “had G been slightly older, even maintaining the age gap between him and the boys involved”, the Court might have come to a different conclusion.
Case 3: W was 16 years old, when in 1982 he was convicted of Actual Bodily Harm for which he received a conditional discharge. In the 31 years that had passed, W committed no further offence and made a success of his life. He wished to obtain a qualification teaching English as a second language and, to that end, in 2013, he began a training course with a view to obtaining a Certificate in English Language Teaching to Adults. However, the details of the 30+ year old offence were disclosed.
Unsurprisingly, the Court concluded that it was difficult to see how this offence “31 years on, is relevant to the risk to the public, or proportionate and necessary in a democratic society”.
Case 4: Ms Krol was seen by police hitting her 3 year old daughter as homework was not completed; as a result she was cautioned for Actual Bodily Harm. In her case, this was aggravated by later allegations of violence, of her giving a false name to the police to prevent knowledge of earlier involvement with social services, and ultimately the child was subject to the making of a care order. This retention and disclosure of personal data was held by the Court to be proportionate.
Why the need for an Article 8 enforcement?
I have long argued that the Data Protection Act is not fully equipped to protect data subjects when a public authority improperly exercises its powers. In my article (“Nine principles for assessing whether privacy is protected in a surveillance society”; see references), I raised the problems that arise for data protection enforcement if surveillance legislation states that X items of personal data are to be processed for purpose P1 for Y years, and are to be disclosed to Third Party Z for purpose P2.
In such circumstances, it is going to be very difficult for a data subject to claim that the First, Second, Third and Fifth Data Protection Principles have been breached because the enactment of surveillance legislation establishes that:
- the processing purposes (P1,P2) are lawful and compatible (i.e. the key First and Second Principle obligations are satisfied assuming the conditions for any surveillance are met);
- the disclosure of personal data, if exempt from the non-disclosure provisions, would exempt fairness and other Principles as needed (e.g. in terms of the Second Principle, the statutory gateway effectively makes the Third Party’s disclosure purpose compatible with the Data Controller’s purpose of obtaining);
- the retention of personal data satisfies the Fifth Principle because of there is a statutory obligation to retain the data; and
- the items of personal data would satisfy the Third Principle as there is a statutory obligation to process specific data (i.e. the surveillance legislation makes the data items relevant to the purpose).
In other words, the only real issue that can be tested is whether the surveillance legislation itself was “necessary” and “proportionate” in terms of Article 8 (e.g. to assess whether the “necessity” test in a chosen Schedule 2 ground for the processing is passed).
The reason why the ICO should become the enforcer arises because the protection of the Human Rights Act is not accessible to the public at large; an individual complainant has to take on the State in a David versus Goliath struggle.
So, it is in this case. Claimants P, G, W and Ms. Krol (whose collective income is likely to be less than £200,000) were taking on the Secretary of State for the Home Department (budget £12.13 billion), the Secretary of State for Justice (£7.73 billion), the Chief Constable of Surrey Police (£0.21 billion) and Commissioner of Police of the Metropolis (£3.24 billion).
In other words, it's £0.002 billion versus £23.31 billion.
This inequality of alms would be much reduced if the Information Commissioner could intervene or even threatened to intervene. After all, testing the detail of Article 8 claims before the Information Tribunal would be much cheaper for the claimant than testing them in the higher Courts where the risk of bankruptcy would be ever present.
For example, in my criticism of the Digital Economy Bill (see references), I raised the issue that disclosures to public authorities authorised by the Bill were intended not always going to be “necessary” for the functions of that public body (unbelievable! see references).
So, assuming data subject consent for the disclosure of personal data is absent and the disclosure is not necessary for the functions of the public authority then quite clearly unlawful processing in terms of Article 8 is the obvious route for data subjects seeking an assessment.
That is why the enforcement of Article 8 by the ICO is essential; it would level the playing field in many cases as described above and help ensure that public authorities do not play fast and loose with their powers.
Other Publicity
Forthcoming Amberhawk’s courses in early summer
- DP Practitioner Course: starts 6 June (Leeds) and 11 July (London)
- DP Foundation Course: starts 4 July (London)
- Next GDPR Workshop: 20 July (London)
References:
P,G,W and Ms Krol v. Secretary of State for Home Department & others ([2017] EWCA Civ 321, Court of Appeal, 3 May 2017) http://www.bailii.org/ew/cases/EWCA/Civ/2017/321.html
A previous blog in 2009 I argued that the ICO was targeting the wrong data controller when criminal records were being disclosed: Data Protection: CRB could stop misuse of irrelevant criminal data in employment vetting http://amberhawk.typepad.com/amberhawk/2009/10/data-protection-crb-could-stop-misuse-of-irrelevant-criminal-data-in-employment-vetting.html
A plea on the lines of this blog in 2010: Information Commissioner should enforce Article 8 privacy rights: http://amberhawk.typepad.com/amberhawk/2010/04/information-commissioner-should-enforce-article-8-privacy-rights.html
Reference to the cases where the ICO has taken action re criminal records and employment (2014): Can the Commissioner enforce the correct part of the First Principle, please? http://amberhawk.typepad.com/amberhawk/2014/05/can-the-commissioner-enforce-the-correct-part-of-the-first-principle-please.html
The ICO has run the Article 8 argument in 2012 (we need a lot more of this): Information Commissioner’s enforcement proceedings links Article 8 to unlawful processing. http://amberhawk.typepad.com/amberhawk/2012/11/information-commissioners-enforcement-proceedings-links-article-8-to-unlawful-processing.html
Comment on the Digital Economy Act 2017: the data sharing issues have been side-lined because a yet unpublished Code of Practice is to provide for significant protection. There is a review of data sharing provisions in 3 years time and some truly awful Henry VIII powers have been removed. When the Code of Practice is published, I suggest you compare the content against the issues identified in my blog: http://amberhawk.typepad.com/amberhawk/2016/11/digital-economy-bill-data-sharing-provisions-undermine-parliamentary-scrutiny-and-create-privacy-ris.html
Nine principles for assessing whether privacy is protected in a surveillance society (2008): http://link.springer.com/article/10.1007/s12394-008-0002-2
Comments