Once bitten; twice shy?

Humberside Police will forever be remembered in data protection circles for being the police force that blamed the Data Protection Act 1998 for its policy of deleting information relating to allegations about the commission of criminal offences, including those of the Soham murderer Ian Huntley (aka Ian Nixon).  Huntley was thus able to secure a position as a school caretaker despite the fact that he had been investigated in the past for sexual offences (one act of indecent assault, four acts or underage sex and three rapes – he had even been charged with rape, but the case was dropped by the Crown Prosecution Service for lack of evidence) and burglary.  His only recorded conviction was for riding a motorcycle without a licence or insurance.

The pendulum has clearly swung the other way, as Humberside and four other constabularies were the subject of separate enforcement notices from the Information Commissioner for retaining records of convictions that were spent under the terms of the Rehabilitation of Offenders Act 1974.  The constabularies appealed to the Information Tribunal.  The decision of the Information Tribunal was to uphold the Information Commissioner’s enforcement notices.  The constabularies appealed to the Court of Appeal, where they were successful. The Court of Appeal judgement has recently been published.

The Court of Appeal decided that the Information Commissioner and Information Tribunal had misconstrued the data protection principles to determine that as the records were not necessary for the “core” police purpose of the detection of crime, they should be deleted.  It was for the data controller to determine the purposes for which personal data was processed, including determining the necessary retention period for data to meet those purposes.  The only restriction in the Data Protection Act 1998 was that those purposes had to be fair and lawful, which included being communicated to the data subject (and included on the data controller’s notification/registration).

It is clear that there is continuing unease about retention of criminal records or other information by police forces, which first became evident in the cases involving indefinite retention of DNA and fingerprint information on persons who have not been charged.  This practice has been ruled to be against an individual’s right to privacy under Article 8 of the European Convention on Human Rights by the European Court of Human Rights in Strasburg (see the S and Marper -v- United Kingdom).

Whilst the constabularies are correct to apply their own judgement to the appropriate retention period for criminal records, this is a sensitive area that calls for legislative intervention. After a consultation on the retention of DNA database records, the Home Office reported in November 2009 that it is considering a limit of six years for the retention of DNA data for innocent persons, but there has been no Home Office response to the Court of Appeal case on the retention of other police records.


Public not convinced on data retention

Readers of the Metro may have already seen that a survey by PoliticsHome.com has found that there was little public support for the retention of communications data by communications providers.

In the current data protection environment, we are not surprised.

Nothing gets in the way of "National Security"

Some of our team, as members of the Society of Computers and Law, argued in the SCL’s response to the Home Office consultation on the Data Retention Regulations that the Home Office had not made out a coherent case for the introduction of a 12 month data retention period for all communications data.  Why 12 months, when the Data Retention Directive allowed for anything up to 24 months, for example?

We had a number of other issues, including about the continuing problems concerning access to any retained data, but none of them were addressed by the Home Office.  Liberty had similar concerns

It’s all too late now.  In the current climate, anything done in the name of “national security” goes through.  The final regulations were made on 2 April and come into force on 6 April.