Judicial Review M v Chief Constable of Sussex Police
1. The Claimant - M - brought a case for Judicial Review [JR] against the Chief Constable of Sussex claiming that the sharing of information between the police force and a local business crime reduction partnership [BCRP] was in contravention of:-
a. the Data Protection Act 1998 [DPA 1998]
b. the Data Protection Act 2018 which includes GDPR [DPA 2018]
c. Article 8 of the European Convention on Human Rights [ECHR]
d. Section 45 of the Youth Justice and Criminal Evidence Act 1999 [YJCE 99].
e. Section 49 of the Children & Young Persons Act 1933 [CYPA 33]
The local BCRP was cited as an ‘interested party’.
2. The Claimant was described in Court as a vulnerable 16 year old girl who had gone missing from home on a large number of occasions and was excluded from school. She had convictions for shoplifting and assault and the police had recorded over 50 incidents of violence, theft or anti-social behaviour in the sixteen months preceding the JR. She had also been assessed by the local authority as being at risk of child sexual exploitation [CSE].
3. The Claimant advanced two separate issues. Firstly, that the Information Sharing Agreement [ISA] between Sussex Police and the BCRP breached the DPA 2018 [and DPA 1998] because it failed to provide sufficient safeguards to prevent the unlawful processing of the Claimant’s sensitive personal data. Secondly, that there had been an unlawful and disproportionate disclosure of the Claimant’s sensitive personal data [called special category data under the DPA 2018].
4. The gist of the case was that, collectively and individually the contravention of all these Acts was causing the Claimant damage and distress which her solicitor had previously suggested could be remedied by an apology, cessation of the sharing of her data and unspecified financial compensation. Originally the Claimant’s solicitor wanted to stop the dissemination of her data by the BCRP but, not being a public body and hence not subject to JD, when the case went to the High Court it concentrated only on the sharing of data from the police to the BCRP. However, the Claimant’s solicitor effectively alleged that the BCRP was not a fit recipient of the data.
5. As with most BCRPs once information is received from the police [or any reliable source] elements of it are shared with members via the industry-standard Littoralis DISC system. But no specific details of incidents involving offenders are shared with members. The judge determined that the police and the BCRP were joint data controllers and that, for Sussex Police’s decision to share data with BCRP to be lawful they had to be satisfied that the BCRP had in place sufficient safeguards about onward transmission.
6. The Claimant’s solicitor had originally tried to claim that the BCRP was sharing his client’s data with literally thousands of people in an indiscriminate fashion. The judge however, accepted that access to DISC was controlled and limited [in this case to fewer than 250 people] and it was her view that there were sufficient safeguards. Importantly she accepted that while sharing data on DISC was not “water-tight” the security the system presents e.g. end-to-end encryption, password protection etc, are proportionate considering the nature of the personal data shared.
7. In coming to her conclusions the judge took into account that the only data shared with members on DISC consists of an offenders name, photograph, date of birth, the type of offence they are known for [usually summarised in one or two words] and, in this particular case, the offender’s court-imposed bail conditions. It was the latter that the Claimant alleged contravened section 49 of the CYPA 33 and section 45 of the YJCE 99.
8. The CYPA 33 states that: -
“any matter relating to any child or young person concerned in proceedings [in a youth court] shall . . . . not be included in any publication if it is likely to lead members of the public to identify him as someone concerned in the proceedings”.
And the YJCE 99 is similar but refers to “the public at large” rather than “members of the public”. The judge however, took the view that BCRP members were not ‘members of the public’ because they had been subject to a separate procedure [i.e. membership of the BCRP and agreement to its terms & conditions] which differentiated them from a member of the public. Although it is unlikely that Sussex Police will continue to share the court bail conditions of juveniles, the judge’s direction makes it clear that doing so, and the subsequent sharing with BCRP members, would not be against the law.
9. The judge raised the following issues in deciding whether the safeguards are sufficient protect the Claimant’s rights and comply with DPA 2018 -
a. the nature of the data that can be shared under the agreement
b. the provisions as to who it can be shared with and control over any onward sharing
c. the requirements for the training and vetting of recipients of the data; and
d. the degree to which the specific interests of children are factored into the proportionality exercise.
e. the reason or justification for the sharing.
10. In her considerations of the above, weight was attached to the fact that BCRP staff receiving information from the police are vetted to National Police Vetting Level 2. It would be wise for all BCRPs to ensure that at least their managers are vetted to this level. She also concluded that in reality the people who are most likely to be using the data once shared by BCRP on DISC are security guards. Since they are obliged to hold SIA licences [which includes Disclosure Barring Service vetting] if there was a case of inappropriate onward transmission of the data, or the individual using it in an inappropriate or unlawful manner, then that would be directly relevant to whether their SIA licence was revoked or not renewed.
11. All this highlights the importance of BCRP members being obliged to sign up to data integrity protocols, the requirement to re-self-certify at regular intervals, exercising caution when granting members access to DISC [how do you check that they warrant access?] and regularly ‘cleaning’ the DISC database by deleting members who haven’t logged on for some time e.g. six weeks.
12. Perhaps the most interesting part of the judge’s direction was that, while she concluded that there has to be a process by which the interests of children and young persons are specifically considered she did not conclude that the DPA 2018 itself requires specific separately listed safeguards for children. Despite not being a DPA requirement, police forces and especially BCRPs would be wise to either have a specific policy on processing children’s data or not to process it at all. Furthermore the Legitimate Interests Assessment [LIA] accompanying any policy on children should not just concern itself with the effects of exclusion on the individual but also wider holistic impacts on, and the wellbeing of, the child.
13. The judge also made it abundantly clear that an offender does not forfeit their rights under DPA 2018 because they have engaged in criminal or anti-social behaviour.
14. A perhaps controversial element of the judgment was the conclusion that a photograph is biometric data and hence classed as special category data [or sensitive personal data under the 1998 Act] putting it in the same category as ethnicity, medical data, fingerprints and sexual orientation etc. The DPA 2018 restricts what special category data can be processed and also calls for greater safeguards to be in place. However, whether or not a photograph is ‘biometric’, and hence special category data, is a moot point. The strict definition under GDPR is:-
“personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”
But there is a welter of legal opinion that suggests that photographs are not subject to any ‘technical processing’ that would make them biometric. Unlike face-recognition software which maps an individual's facial features mathematically and stores the data as a faceprint using algorithms to compare a live capture [photograph] with a faceprint.
15. Indeed Recital 51 of the GDPR states: -
“The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person” [author’s italics].
16. Nevertheless, if a High Court judge says that photographs are special category data you would be unwise to ignore it or to argue. BCRPs need to have good reasons and a lawful basis for processing such data and they need to be documented. GDPR gives special protection to special category data and there are limited lawful reasons for sharing such data. The closest for BCRP purposes is because it is in the public interest; make sure your Personal Data Processing document includes it.
17. The conclusion of the JD was that the information sharing agreement between the police and the BCRP was valid and lawful and the alleged contravention of all but one of the other Acts was also dismissed. The judge decided that there was a breach of the Claimant’s rights under the DPA 1998 by Sussex Police sharing information with the BCRP about her vulnerability and risk of sexual exploitation. The irony of that is that fifteen months before the Judicial Review stories had appeared in the local newspaper and The Sun and The Mirror about the Claimant going missing from home and being seen in the company of an older man – the inference being obvious. Her vulnerability to sexual exploitation was later confirmed to the BCRP in writing by the Claimant’s own solicitor, not by Sussex Police.
The full judgement can be found at http://www.bailii.org/ew/cases/EWHC/Admin/2019/975.html