Category Archives: personal data

ICO: powers to enforce over dead people’s information?

The Information Commissioner’s Office (ICO) has announced that it will not be taking action against Lancashire Police in relation to their disclosure of private information during their investigation into the tragic case of Nicola Bulley.

This is unsurprising, and, objectively, reassuring, because if the ICO had brought enforcement proceedings it would almost certainly have been unlawful to do so. In blunt terms, the ICO’s relevant powers are under laws which deal with “personal data” (data relating to a living individual) and when the police disclosed information about Nicola, she was not living.

There is no discretion in these matters, and no grey areas – a dead person (in the UK, at least) does not have data protection rights because information relating to a dead person is, simply, not personal data. Even if the police thought, at the time of the disclosure, that Nicola was alive, it appears that, as a matter of fact, she was not. (I note that the ICO says it will be able to provide further details about its decision following the inquest into Nicola’s death, so it is just possible that there is further information which might elucidate the position.)

Unless the ICO was going to try to take enforcement action in relation to a general policy, or the operation of a general policy, about disclosure of information about missing people (for instance under Article 24 of the UK GDPR), then there was simply no legal power to take action in respect of this specific incident.

That is not to say that the ICO was not entitled to comment on the general issues, or publish the guidance it has published, but it seems to be either an empty statement to say “we don’t consider this case requires enforcement action”, or a statement that reveals a failure to apply core legal principles to the situation.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, enforcement, Information Commissioner, personal data, police