On Lord Selsdon and the subject of criminal offending under the Data Protection Act
There was much astonishment yesterday, after a peer of the realm, the 3rd Baron Selsdon, claimed in a debate about littering in the House of Lords that he sometimes gets private information about people throwing litter from cars, and later telephones them to admonish them:
I have followed them occasionally and, for a bit of fun, have taken a note of their vehicle registration numbers. Occasionally, because I have friends in the DVLA, I manage to find their telephone number and I give them a ring
If Lord Selsdon did access information from the DVLA in this way, there may have been a breach of the Data Protection Act 1998, which requires organisations such as the DVLA to keep personal information secure
This isn’t wrong, but it overlooks that not only could it be a DPA breach, it could also be a criminal offence committed by the noble Lord and his “friends in the DVLA”. I note that the Telegraph touches on this, but doesn’t clearly explain why the criminal law might be engaged (it focuses on the DPA requirement that organisations should keep data secure).
(It should be noted that I am not accusing Lord Selsdon or his friends of committing an offence – nothing has been proven and he has so far declined to comment, while the DVLA are said to be investigating. Additionally, it does occur to me that sometimes one exaggerates when one is trying to impress one’s P̶e̶e̶r̶s̶ peers – the 3rd Baron might simply have been gilding his oratory lily.)
Nonetheless, under section 55 of the DPA a criminal offence is committed if, “without the consent of the data controller” (which here is the DVLA itself, not its individual employees), a person “knowingly or recklessly…obtain[s] or disclose[s] personal data or the information contained in personal data”. An offence will not be committed if the obtaining or procuring was necessary “for the purpose of preventing or detecting crime” or if the person acted in the reasonable belief that he had the legal right to obtain or disclose the data, or that he had the consent of the data controller, or if the obtaining or disclosing were in the public interest. What “necessary”, “reasonable belief” and “public interest” mean must be considered in light of the purposes for which the obtaining or disclosing occurred. So, for instance, if a serious crime were averted by such an action the elements of the offence might not be made out, but, distasteful and irritating as some of us find it, littering is certainly not a serious crime. Equally, someone who mistakenly thinks he has the right to obtain or disclose data might avoid the offence, but someone who says that he did it “for a bit of fun” by contacting “friends” might not.
Examples of successful prosecutions for this offence are: a letting agent and one of its directors who obtained details about a tenant’s finances from a rogue council employee; a gambling industry worker who obtained and sold gamblers’ personal details; a GP’s receptionist who obtained medical data about her ex-husband’s new wife.
The offence is also very much in the headlines following Lord Justice Leveson’s inquiry into the culture, practices and ethics of the press, which recommended strengthening of prosecution and sentencing powers under the DPA. Some journalists are perhaps understandably concerned that the practice of investigative reporting could be compromised by too robust a statutory scheme which criminalises the obtaining or disclosure of information by unofficial means.
Lord Selsdon will no doubt be regretting his apparent throwaway remarks.