Data protection law doesn’t prevent disclosure of personal data where not doing so would be likely to prejudice criminal justice purposes
Theft of a bicycle may not be the most serious crime ever. However, crime it is, and any omission by a person which is likely to prejudice the detection of that crime or the apprehension or prosecution of the thief is, in societal terms, to be deplored. This is why, when the omission in question would be a failure by a data controller to disclose personal data to the police which would be likely to assist in the detection of the crime or the apprehension or prosecution of the thief, the Data Protection Act 1998 (DPA) provides an exemption to the general presumption in the Act against disclosure, which authorises such disclosure.
Section 29 of the DPA is often misunderstood. It is quite common, particularly in certain sectors (social services, housing etc.) for data controllers to be contacted by the police, or other bodies with powers to investigate crime, asking for disclosure of information about people whose personal data the data controller holds. Data protection officers will often talk of a “section 29 request”, but this is really just shorthand for saying “the police etc. have requested disclosure of personal data from this data controller and the section of the DPA which is engaged and under whose provisions we would be authorised to disclose would be section 29”.
With this in mind it is surprising to read in The Daily Record that police are unable to trace a person who had the gall to post an advert on the classified ad site Gumtree purporting to offer for sale a bike stolen from outside a gym in Edinburgh. According to the article police have told the owner of the bike, who spotted the advert, that
…officers could not act because of data protection laws…Due to data protection laws, a warrant must be applied for before police can access personal information held by the site.
The reference to a warrant, however, is surely excessive. The article also refers to the police “waiting to hear back” from Gumtree. Section 29(3) of the DPA allows Gumtree to disclose the details of the person who placed the advert, by exempting them from the general obligation to comply with the first five data protection principles and sections 10 and 14(1) to (3) (collectively referred to as the non-disclosure principles). Failure to exercise this power by a data controller, or a delay in doing so, in circumstances where such a failure would be likely to prejudice the police’s duties is detrimental to the public interest. One hopes that, if the article is correct, Gumtree will now act in that public interest and disclose the details without delay.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
3 responses to “Up a gum tree”
What an interesting and thought-provoking piece, Jon.
It made me stop and muse for a few minutes, and this is where I came to:
The law contains frameworks to assist the police in the conduct of their investigative activities. For example, where police are lawfully on premises, they are empowered to seize anything on the premises — including the production of electronically-held material — which they have reasonable grounds for believing to be evidence in relation to an offence. (s19(1) and s19(3), Police and Criminal Evidence Act 1984).
Although unclear, the article’s reference to a warrant probably means a reference to s8 Police and Criminal Evidence Act 1984, which empowers a JP to grant a search warrant for material “likely to be of substantial value … to the investigation of [an] offence”, in circumstances where the police would not be granted lawful access to the premises in question, to be able to exercise their s19 power. (If personal information is considered to be “special procedure” material, on the basis that it is held subject to an undertaking of confidence (arguable, rather than absolute, in my view, for “normal” personal data), the procedure is slightly different, being under Schedule 1 rather than s8, but a statutory framework still exists.)
I would need to double-check, but I have a feeling that there is a slightly different regime for Scottish warrants, requiring a signature from an English magistrate in addition to a Scottish court.
The interplay between these (and other) powers and s29 of the Data Protection Act is interesting.
s29, of course, merely permits a controller to disclose the information, but does not require it. However, the decision to disclose is not unqualified, as the exemption only applies in certain circumstances. In my view, the test, in the case of s29, is not quite as the title of your excellent piece perhaps indicates: rather than being a test of “necessity”, the required standard is that a failure to disclose would “be likely to prejudice” one or more of the purposes in s29(1)(a)-(c). This can be contrasted, for example, with s35, where the test for exemption from the non-disclosure provisions for purposes connected with legal proceedings is that such disclosure is “necessary” for those statutory purposes.
Since a different phrase was used, it is reasonable to interpret the standards as being different. The distinction between “necessity” — a very high threshold — and “likely to prejudice” — a lesser one — is exemplified in the ICO’s guidance on s29. (https://ico.org.uk/media/for-organisations/documents/1594/section-29.pdf) On page 2, the ICO attempts to put “prejudice” into more common parlance, equating it with “significantly harm”. Of course, a court may take a different view as to the appropriate test, but it seems that it is less than the stringency of necessity.
Would, then, a failure by Gumtree to disclose, voluntarily, the personal information, be likely to prejudice / significantly harm a police investigation?
My understanding is that, yes, there is a degree of work involved in obtaining a warrant under s8 of PACE, but it is not a particularly substantial threshold. Since this power is available to the police, can a failure to choose to disclose reliant on s29 really be considered to be likely to prejudice an investigation, if the police have accessible powers? It strikes me that this is almost — perhaps actually — saying that expecting the police to use their statutory powers amounts to “significant harm” to an investigation, which feels odd. And, of course, if expecting the police to use the powers granted to them does not mean that the investigation would be likely to be prejudiced, the exemption under s29 does not apply.
The converse presents an interesting situation too: what if the police felt that a judge would not grant them a warrant under s8/Schedule 1? If a court is not willing to grant a warrant, in what position does that place a data controller? Should a controller be worried in acting voluntarily, in circumstances where a court is not willing or able to act?
If the police can exercise powers, can the threshold of “likely to prejudice” be met? In extreme situations — life and death, perhaps, where spending any time on getting a warrant or travelling to premises could hinder the investigation — possibly so, but, more generally, I suspect it might be questionable?
A final thought is that, where a controller discloses in reliance on s29, the controller assumes liability. If the controller has made an error, and the disclosure is not likely to prejudice an investigation, the controller is on the hook, as with any other breach of the non-disclosure principles, subject to the usual caveats around risk of the data subject bringing a claim or likelihood of the ICO seeking to enforce.
However, there is risk on a controller in exercising s29, and, for this reason, a controller is highly likely to need to ask questions when approached by the police asking for disclosure “under s29”, to understand the nature of the investigation (to be sure, as far as a controller ever can be, that it is a genuine police investigation), the likelihood that prejudice would arise if data were not disclosed and information to assess whether the prejudicial nature is relatively serious, the minimum set of data which could be disclosed without a likelihood of prejudice and so on, all after evaluating that the requestor is, in fact, who they say they are. Of course, it might be reasonable to expect a company which could receive a fair few requests under s29 to have a process in place for handling this, but it is perhaps not quite the same as “ask and you will receive”.
Thanks for the interesting article. Neil, thanks for the excellent response setting out the points and the responsibility the Data Controller has in applying the exemption. For many data protection officers this can be treated lightly and without thought, often assuming or fearing that if they stand on the principles they will give the DPA a bad name. For those who would bend the law to avoid being “obstructive” or a “jobsworth”, you have to ask whether they would want the law bent to protect someone else’s reputation when their personal data and life are on the line.
The police, by the way, have no compunction in insisting on the appropriate evidence regarding likely prejudice when they receive a similar request.
I will be interested to see how the case is resolved.
Well of course it was resolved when the bicycle was sold on, so disposing of any evidence of the alleged crime. In a case like this, where stolen goods are (allegedly) being fenced, time is of the essence.