Category Archives: law enforcement

April 11, 2025 · 5:03 am

Retaining data for journalistic purposes?

This is a quite extraordinary data protection story, by Jamie Roberton and Amelia Jenne of Channel 4 News , involving a mother of a woman who died in suspicious circumstances.

It appears that a “Victims’ Right to Review” exercise was undertaken by Gloucestershire Police, at the request of the family of Danielle Charters-Christie, who was found dead inside the caravan that she shared with her partner – who had been accused of domestic abuse – in Gloucestershire on 26 February 2021.

Officers then physically handed a 74-page document to Danielle’s mother, and the contents of it were subsequently reported by Channel 4 News. But, now, the police say that the Review report was “inadvertently released”, are demanding that Danielle’s mother destroy it, and have referred her apparent refusal to do so to the Information Commissioner’s Office as a potential offence under s170(3) of the Data Protection Act 2018.

That provision creates an offence of “knowingly,…after obtaining personal data, [retaining] it without the consent of the person who was the controller in relation to the personal data when it was obtained”.

But here’s a thing: it is a defence, under s170(3)(c) for a person charged with the offence to show that they acted (and here, the retention of the data would be the “action”) for the purposes of journalism, with a view to the publication by a person of any journalistic material, and in the reasonable belief that in the particular circumstances the retaining was justified as being in the public interest.

The ICO is tasked as a prosecutor for various data protection offences, including the one at s170 DPA. No doubt whoever at the ICO is handed this file will be having close regard to whether this statutory defence would apply, but will also, in line with the ICO’s duty as a prosecutor, to consider evidential factors, but also whether a prosecution would be in the public interest.

At the same time, of course, the ICO has civil enforcement powers, and might well be considering what were the circumstances under which the police, as a controller, wrongly disclosed personal data in such apparently serious circumstances.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection Act 2018, Information Commissioner, law enforcement, offences, police

Tagged as , , ,

February 22, 2023 · 8:24 am

Monitoring of lawyers by the state

In the Commons on Monday Robert Jenrick, minister for immigration, said, in the context of a debate on the implications of the violent disorder outside a hotel providing refuge for asylum seekers, in Knowsley on 10 February, and in answer to a question about why no “small boats bill” has been introduced into Parliament

this is one of the most litigious areas of public life. It is an area where, I am afraid, human rights lawyers abuse and exploit our laws at times, and where the courts have taken an expansive approach in the past. That is why we must get this right, but we will be bringing forward that legislation very soon

When pressed on his reference to abuse of the law by lawyers, and asked “how many solicitors, advocates and barristers have been reported by the Home Office in the last 12 months to the regulatory authorities”, Mr Jenrick replied

We are monitoring the activities, as it so happens, of a small number of legal practitioners, but it is not appropriate for me to discuss that here.

This is a remarkable statement, both in its lack of detail and in its potential effect. The prospect of the monitoring of lawyers by the state carries chilling implications. It may well be that Mr Jenrick had no intention of making what could be interpreted as an oppressive statement, but words are important, and words said in Parliament carry particular weight.

It may also be that the “monitoring” in question consists of legitimate investigation into potential criminality by that “small number” of lawyers, but if that was the case, why not say so?

But “monitoring”, in itself, must be done in accordance with the law. If it is in the context of a criminal investigation, or surveillance, there are specific laws which may apply.

And to the extent that it involves the processing of personal data of the lawyers in question (which, inevitably, it surely must, when one considers that “processing” means, among other things “collection, recording, organisation, structuring or storage” performed on personal data) the monitoring must comply with applicable data protection laws).

As a fundamental general principle, processing of personal data must be transparent (see Articles 5(1)(a), 13 and 14 UK GDPR, or, for law enforcement processing, section 44 of the Data Protection Act 2018 (DPA), or, for Intelligence Services Processing, section 93 of the DPA.

There are qualifications to and exemptions from this general principle, but, in the absence of circumstances providing such an exemption, a data subject (here, the lawyers who are apparently being monitored) should be made aware of the processing. The information they should receive includes, among other things: the identity and the contact details of the person directing the processing; the legal basis and the purposes of the processing, and; the recipients or categories of recipients of the personal data.

We tend to call the notices we receive under these provisions “privacy notices”. Those of us who have practised data protection law for a long time will remember the term “fair processing notice” which is arguably a better term. Whatever one calls them, though, such notices are a bedrock of the law – without being aware of the processing, and the risks, rules, safeguards and rights in relation to it, data subjects cannot properly exercise their rights.

With all that in mind, has the Home Office – or whoever it is who is directing the monitoring of the “small number of lawyers” – informed them that they are being monitored? If not, why not?

Returning to my earlier comments about the oppressiveness of comments to the effect that, or the giving of a perception that, the coercive powers of the state are being deployed against lawyers by monitoring them, one wonders if the Information Commissioner should take steps to investigate the background to Mr Jenrick’s comments.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, Home Office, human rights, Information Commissioner, law enforcement, monitoring, privacy notice, surveillance, transparency

Tagged as , , , ,

June 28, 2021 · 1:19 pm

UK adequacy confirmed

To no great final surprise, the European Commission has adopted its adequacy decisions in respect of the UK.

Here’s a piece by me on the Mishcon de Reya website.

Leave a comment

Filed under adequacy, Data Protection, Europe, GDPR, international transfers, law enforcement

Tagged as , ,

December 3, 2020 · 8:12 am

Litigation disclosure != subject access disclosure

I’m not a lawyer, yet alone a Scottish lawyer, but a recent judgment, on data protection matters, from Sheriff A Cubie in the Glasgow and Strathkelvin Sheriffdom has significance beyond Scotland (and, of course, data protection law – by which we mean the General Data Protection Regulation (GDPR), or from 1 January 2021, the UK GDPR, and the Data Protection Act 2018 (DPA) – apply across the UK).

The issue before the court was whether data protection obligations, which might in general militate against disclosure of personal data, override disclosure obligations in general court proceedings. The basic answer, and one that most data protection practitioners and lawyers understand, is that they don’t. Article 6(1)(c) of the GDPR makes clear that processing is lawful if it is necessary for compliance with a legal obligation to which a controller is subject. More specifically, paragraph 5 of Schedule Two to the DPA says that the bulk of the GDPR provisions conferring rights on data subjects and obligations on controllers simply “do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.”

The Sheriff was faced with a situation [which sounds like a line from a Western] of possible contempt of court by an unnamed Scottish Council in social work referral proceedings concerning children. Upon receipt of an application (in Scottish law, a “motion for specification of documents”), which it had not opposed, the Council had disclosed social work records to solicitors for the mother in the proceedings, but subjected the records (apparently having received internal legal advice) to substantial redaction of personal data, of the sort which would have taken place if the records had been required to be disclosed under an Article 15 subject access request.

The Sheriff “invited” a senior Council officer and someone from its legal department to answer his enquiries as to how the redactions came to be made. At that hearing, it transpired that the disclosure exercise had been passed to the Council’s Data Protection Officer to deal with – that officer had sought advice from the Council’s legal department, which advised that the exercise should be treated as if it was redaction for the purposes of a subject access request. Before the court, the Council apologised unreservedly, and announced that it had begun an internal investigation into how it had happened.

Nothing earth-shattering, and this post is not to suggest that sometimes it might be necessary to redact personal data during litigation disclosure, but an interesting observation about the risks of confusing or conflating disclosure regimes.

And I end by noting that the Sheriff himself fell into error: he cites at several points, subject access provisions from part 3 of the DPA. Part 3 deals with law enforcement processing under Directive 2016/680, and has no relevance here. The subject access right emanates from, and is full described in, Article 15 GDPR.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, law enforcement