On the Friday, 3 October 2013 edition of the BBC programme “Question Time”, Mehdi Hasan (left), a journalist for the Huffington Post, criticised the Daily Mail (video here). Subsequently, the Daily Mail published details of an application letter Mehdi Hasan had written to the paper for a journalist position, suggesting that Mehdi had not always been so critical.
Was this publication in breach of the Data Protection Act 1998?
Firstly, if the Daily Mail had the personal information about Mehdi Hasan legitimately, then there is a journalism exemption under section 32 of the Act that would enable the paper to publish non-sensitive personal data for journalistic purposes.
The more interesting question is, “Was the personal data on Mehdi Hasan being processed (stored) by the Daily Mail legitimately prior to it having any journalistic purpose?” Note that the application letter was sent in July 2010, over 3 years ago.
On the facts in the public domain, the most likely answer to this question is, “No”.
The reason is that under the Data Protection Act 1998, personal data can only be retained by a data controller (data owner) for as long as it is required for a particular business purpose or purposes (see Data Protection Principles 2 and 5). Arguably, once a job applicant has been rejected, there is no further business purpose justifying retaining that applicant’s personal data. Claims arising out of discrimination or other employment-related claims as a result of unlawful handling of a person’s application for employment must be made within 6 months of the event giving rise to a claim. This is therefore the standard retention period for personal data concerning unsuccessful applicants. However, where an applicant has agreed upon request by the potential employer that his or her details can be retained on file for consideration for other positions, then clearly this 6 months period can be extended.
The 6 months retention rule is not laid down in any law or regulation. This is derived from the limitation period for bringing claims in the Employment Tribunal and the guidance on retention of applicants’ details set out in the Information Commissioner’s Employment Practices Code (see the ICO employment webpage for links). Where a data controller has a legitimate business purpose for retaining that information, then as well as communicating that purpose to the applicant, the applicant’s information data can be retained for as long as is necessary for that purpose. It is difficult, however, to see under what circumstances information about unsuccessful job applicants needs to be retained for over 3 years by a prospective employer.
However, the real issue here is that even if the publication of details of Mehdi Hasan’s application letter were in breach of the Data Protection Act 1998, Mehdi would have no effective remedy under the Data Protection Act 1998, unless he suffered actual loss or damage, in which case he could sue for these losses or damages, together with damages for distress (as the breach arguably involved a breach of the journalism ‘special purpose’ provisions). It is unlikely that Mehdi suffered any loss or damage, but merely embarrassment.