Does the dropping of criminal charges against police officers under data protection and computer misuse legislation open the door to investigation of their employer’s civil liabilities?
The BBC reports that criminal charges have been dropped against three Nottinghamshire police officers. The charges appear to have been originally brought under the Data Protection Act 1998 (DPA) and Computer Misuse Act 1990 (CMA), and, according to the Police Federation it seems they were dropped because
prosecutors had found issues with training and advice on data protection for officers
Under section 55 of the DPA it is an offence to knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data or the information contained in personal data. But the elements of the offence are not made out if the person doing this acted, for instance, in the reasonable belief that he or she had a lawful right to obtain or disclose the data, or if the obtaining was necessary for the purpose of preventing or detecting crime. Similarly, the offence of unauthorised access to computer material under section 1 of the CMA is only committed if the person knows that the access is unauthorised. If inadequate training and advice on access to data is given to employees of a data controller, then it will be difficult – as this story seems to reveal – to bring prosecutions. Effectively, the mens rea element of the offence is lacking.
However, perceptive readers of this blog might have noticed something: if incidents of inappropriate access to personal data have occurred, as appears to have been the case here, and the individuals accessing the data have been inadequately trained, does that not raise issues about the employer’s (the data controller’s) compliance with the seventh data protection principle in Schedule One of the DPA? This provides that
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data
The Information Commissioner’s Office (ICO) has repeatedly stressed that appropriate staff training is essential for compliance with the seventh principle. The ICO has the power, under section 55A of the DPA, to serve a civil monetary penalty notice on a data controller which has seriously contravened the DPA, where the contravention is of a kind likely to cause substantial damage or substantial distress. One wonders whether the ICO will now look into Nottinghamshire Police’s compliance with the Act, in view of the fact that incidents serious enough to bring now-dropped criminal charge took place, and the fact that they appear to have taken place against a background of inadequate staff training.
informationrightsandwrongs 
It may be worth noting that the ICO served an Enforcement Notice on Nottinghamshire Police in July 2013 that included a requirement for training for all officers associated with a collaborative project with with other forces. The two incidents may well be unconnected, but Nottinghamshire clearly need to demonstrate that they have a grip on training and wider DP compliance.
29 January 2014
Dear Information Rights and Mr Turner,
I have been informed by the ICO that there had been breach of Principle 7 in regards to a matter, but that the organisation was simply not reprimanded and yet there were serious consequences arising out of it. The ICO simply asked the organisation to be more careful in future!
To me it seems almost pointless complaining to the ICO in the first place.
I wonder if I am alone?
Thank you very much for bringing this to our attention.
Rosemary Cantwell
Hi Rosemary
Sorry for the delay in replying. For better or worse the law does give the ICO considerable discretion regarding what action to take in the event of an alleged contravention of the DPA. COmplaints can have some effect, but if the ICO chooses not to take action there is little that a complainant can do. Individuals do have their own rights under the Act though, and section 13 allows an aggrieved person to seek compensation through the courts (I am not pretending for an instant that that is necessarily easy or straightforward).
Pingback: Data Protection – civil and criminal action in tandem | inforightsandwrongs
Pingback: Some observations on the MoJ £180,000 data protection “fine” | informationrightsandwrongs