This blog shows that the current furore concerning access to a rape victim’s phone, relying on consent of a rape victim, sits uneasily with a data protection analysis. I also point out that there appears to be three forms of “consent” floating around in the GDPR/Data Protection Act 2018 (“DPA2018”) framework.
First of all, the relevant part of the DPA2018 to consider is the law enforcement elements, as access to the victim’s phone is by the police or prosecutors in relation to an investigation of a very serious criminal offence. As the information accessed relates to an individual’s sex life, any processing relates to “sensitive processing” as defined in Section 35(8) of DPA2018.
Section 35(4) and (5) state that “sensitive processing” is justified in two alternative cases:
Case 1: “where the data subject has given consent to the processing for the law enforcement purpose”, and
Case 2: where (a) “the processing is strictly necessary for the law enforcement purpose” and (b) “the processing meets at least one of the conditions in Schedule 8”.
For completeness, both Cases require that the “controller has an appropriate policy document in place” (see Section 42 of DPA2018); this policy documents describes safeguards for the data subject (and other processes). Schedule 8 reinforces the requirement that the processing is, for example, “necessary for the administration of justice” (or “necessary for the exercise of a function conferred on a person by an enactment or rule of law … for reasons of substantial public interest”).
The CPS press release justifies the use of victim consent by stating that:
“The new consent forms being rolled out by police are intended to achieve a consistency of approach nationally, so complainants are not treated differently in different forces. They replace those which were already been used in some forces. They are designed to bring clarity around the process and to give victims an understanding of how their data might be used so they can have confidence to come forward and support a prosecution”.
“It is not true that complainants in rape cases must automatically hand over personal data on their digital devices or run the risk of the prosecution being dropped. Mobile phone data, or social media activity, will only be considered by the police when relevant to an individual case….”
However, the CPS appear to have overlooked that Case 1 and Case 2 (specified above) are alternatives. So, if the data subject consents to the processing via Case 1 then there is no need to consider Case 2. In this way, Case 1 could allow for processing that does not need to be “strictly necessary for the law enforcement purpose” (my emphasis) as required by Case 2.
Or in other words, Case 2 limits the access to a rape victim’s phone to circumstances that are “strictly necessary”; reliance on Case 1 widens access to a victim's phone in circumstances that cannot meet those strict necessity requirements.
Similarly, Section 35(2) states that:
“The processing of personal data for any of the law enforcement purposes is lawful only if and to the extent that it is based on law and either—
(a) the data subject has given consent to the processing for that purpose, or
(b) the processing is necessary for the performance of a task carried out for that purpose by a competent authority”. (my emphasis on “or”)
The use of the word “or” makes consent an alternative to necessary processing. It follows, again, that reliance on consent allows for processing does not need to be necessary for purposes of a competent authority.
This reinforces my conclusion that a data protection analysis sits very uneasily with CPS consent procedures.
Processing by consent is a viable option
I am not saying that the use of consent by the CPS is unlawful or wrong; it is just opens up the possibility for processing circumstances that should not be opened up.
One suspects this position has arisen because there is no definition of “consent” in Part 3 of the Law Enforcement part of the DPA2018 nor in the parent Law Enforcement Directive 2016/680; however, the Recitals to this Directive do refer to “consent”. To complicate matters, there is a definition of “consent” in Part 4 (which relates to processing of personal data by the spooks) and “consent” as defined in Article 4(11) of the GDPR (as amplified by Article 7 and related GDPR Recitals).
Recital 35 of Directive 2016/680 states that where the law “require or order natural persons to comply with requests” (for personal data) then “the consent of the data subject, as defined in Regulation (EU) 2016/679, should not provide a legal ground for processing personal data by competent authorities”. This is because “Where the data subject is required to comply with a legal obligation, the data subject has no genuine and free choice, so that the reaction of the data subject could not be considered to be a freely given indication of his or her wishes”.
However “This should not preclude Member States from providing, by law, that the data subject may agree to the processing of his or her personal data for the purposes of this Directive, such as DNA tests in criminal investigations or the monitoring of his or her location with electronic tags for the execution of criminal penalties”. This “provision by law” is what the Government have delivered in Section 35 of the DPA2018.
Recital 37 of Directive 2016/680 adds to limits on consent when processing is “particularly sensitive” (e.g. “sensitive processing” as defined by the DPA2018). Such processing “should also be allowed by law where the data subject has explicitly agreed to the processing that is particularly intrusive to him or her. However, the consent of the data subject should not provide in itself a legal ground for processing such sensitive personal data by competent authorities.”
In other words, there is an implication in these Recitals that “consent” for sensitive processing for law enforcement purposes is valid in limited circumstances but not in general. There is no equivalent of Article 7 of the GDPR and the ability for the data subject to withdraw consent.
The ICO states in her Law Enforcement DPA2018 Guidance that the meaning of consent “aligns with GDPR and it must be unambiguous and involve a clear affirmative action”. I am not sure about the ICO’s conclusions here; I think consent means what it meant under the DPA1998 (i.e. it includes the no-choice consent position which the GDPR has specifically excluded).
In conclusion, however, there appears to be three forms of consent that applies in the DPA2018. There is “GDPR consent” supported by Article 7 and withdrawal of consent; there is “spooky consent” which relates to Part 4 of the DPA2018 (in Section 84(2)) and finally an “unspecified consent” that applies for Part 3 which is different to the other two forms of consent.
Quite a consensual mess really.
References
CPS Press release on the access to phones: https://www.cps.gov.uk/cps/news/handing-over-mobile-phone-data-rape-prosecutions (There is no reference to a data protection analysis in the Press Release but there is a commitment to “continue to work with victim groups and the Information Comissioner's Office to ensure our approach offers the necessary balance between the requirement for reasonable lines of inquiry and the complainant’s right to privacy”.)
Reference added after publication
The ICO made contact after the blog was published and made the following statement: “The ICO has an ongoing investigation into use of data extraction technology on the mobile phones of suspects, victims and witnesses. We are also currently looking at concerns raised around the collection, secure handling and the use of serious sexual crime victims’ personal information. A separate investigation will be tracking the journey victims’ information takes through the criminal justice system, from allegation, through disclosure and onto any compensation application that may be made. This is to identify areas where victims’ information is most vulnerable or where processing may be excessive and disproportionate. These are ongoing investigations and we will be reporting on the outcomes in due course".
The ICO has a blog about the issue: Access to serious sexual crime victims’ personal information – how much is too much? https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/12/access-to-serious-sexual-crime-victims-personal-information-how-much-is-too-much/
Upcoming Data Protection/FOI qualification courses (May to July)
- BCS Data Protection Foundation (3 days; London-May 21-23)
- BCS FOI Practitioner course; London (6 days starts 4 June).
- BCS Data Protection Practitioner, London (6 days starts June 11 or July 16).
- BCS Data Protection Practitioner Upgrade/Conversion (2 days; London, July 23 & 24).
Details on www.amberhawk.com or by emailing [email protected]
Comments
You can follow this conversation by subscribing to the comment feed for this post.