The Lord Chief Justice’s welcome call for a modern ICT system for the courts of England and Wales does, at the same time, raise concerns about the data protection compliance of the current systems
If a representative of a public sector data controller, responsible for processing huge amounts of manual and electronic sensitive data (of all categories), were to concede that their systems for handling this data “were recognised as outdated more than 15 years ago” it would – one imagines – raise a few eyebrows in Wilmslow. Outdated systems are, by default, systems which are unlikely to indicate compliance by the relevant data controller with the seventh data protection principle:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
A serious contravention of the obligation to comply with that principle can lead to monetary penalty notices to a maximum sum of £500,000, as many data controllers know to their cost.
But such a concession is just what the Lord Chief Justice of England and Wales appeared to make at the Annual Lecture of the Society of Computers and Law on 20 May in London. In his lecture he referred to
re-entering information on different systems, using and holding paper files, diaries that are manual and unreliable telephonic and video communications
He spoke of how
Once papers are misfiled they are lost. In a number of parts of the country it is difficult to find people to do the filing at a wage which HMG is prepared to pay
Save for using Outlook, judges have no electronic filing system for their administration. Outside the most senior Judiciary, very little clerical support is available for the judges
All of this is enough to make most data security and data protection officers have sleepless (and screamful) nights.
In fairness to Lord Thomas, a) he was reflecting his own personal views, and b) his lecture, which laid out the history of how things had got to this state, was admirably aimed at seizing an opportunity to modernise. However, it did make me wonder how the judicial system appears to have largely avoided the steely enforcement glare of the Information Commissioner. I think this is probably, in part, because it is highly complicated when looked at through the lens of the Data Protection Act 1998 (DPA). The DPA distinguishes between data controllers and data processors, with former attracting all the legal obligations and liabilities under the Act. A data controller is, by section 1(1) of the DPA
a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed
Applying this to the situations which obtain in the court system is not an easy task (although it isn’t uniquely difficult – the distinction between data controller and processor is a notoriously complex, and perhaps increasingly artificial, one to establish). It seems to me that, with the sorts of personal data being processed as part of a legal claim or trial before a court, there may be multiple data controllers doing different things with the same or similar data – the parties, their legal representatives, the court staff, and the judiciary are those which immediately come to mind. In such circumstances we are probably talking about data controllers in common (“where data controllers share a pool of personal data, each processing independently of the other”*).
What is certain is that the Judicial Office for England and Wales considers the judiciary to be data controllers at least for some personal data and some acts of processing which take place within the court system. In a document entitled “Judicial Responsibilities and the Data Protection Act 1998” it says that
It is now acknowledged that individual judicial office-holders are data controllers in circumstances in which they determine the purpose for which and the manner in which any personal data is processed. This is so in relation to data processed in the exercise of any judicial functions
And another document “IT and Information Security Guidance for the Judiciary” contains generally sensible advice to judiciary on ICT security, but fine words butter no parsnips, and if the reality, as suggested by the Lord Chief Justice’s lecture (and, indeed, anecdotal evidence I have seen and heard) does not match up to the intentions of that document, then it would point to potentially serious contraventions of the DPA.
In April 2013 the Information Commissioner’s Office published the summary outcome of a data protection audit it had performed – by consent – on HM Courts and Tribunals Service. The audit gave the ICO “reasonable assurance” but one notes that it focused on data protection governance, training, and subject access requests, and did not appear to encompass security. And, for the reasons discussed earlier in this post, HMCTS are only one of the data controllers in play in the court system. In the rather unlikely event that the ICO decided to seek to audit them, would judges pass so easily?