Once bitten; twice shy?

Humberside Police will forever be remembered in data protection circles for being the police force that blamed the Data Protection Act 1998 for its policy of deleting information relating to allegations about the commission of criminal offences, including those of the Soham murderer Ian Huntley (aka Ian Nixon).  Huntley was thus able to secure a position as a school caretaker despite the fact that he had been investigated in the past for sexual offences (one act of indecent assault, four acts of underage sex and three rapes – he had even been charged with rape, but the case was dropped by the Crown Prosecution Service for lack of evidence) and burglary.  His only recorded conviction was for riding a motorcycle without a licence or insurance.

The pendulum has clearly swung the other way, as Humberside and four other constabularies were the subject of separate enforcement notices from the Information Commissioner for retaining records of convictions that were spent under the terms of the Rehabilitation of Offenders Act 1974.  The constabularies appealed to the Information Tribunal.  The decision of the Information Tribunal was to uphold the Information Commissioner’s enforcement notices.  The constabularies appealed to the Court of Appeal, where they were successful. The Court of Appeal judgement has recently been published.

The Court of Appeal decided that the Information Commissioner and Information Tribunal had misconstrued the data protection principles to determine that as the records were not necessary for the “core” police purpose of the detection of crime, they should be deleted.  It was for the data controller to determine the purposes for which personal data was processed, including determining the necessary retention period for data to meet those purposes.  The only restriction in the Data Protection Act 1998 was that those purposes had to be fair and lawful, which included being communicated to the data subject (and included on the data controller’s notification/registration).

It is clear that there is continuing unease about the retention of criminal records or other information by police forces, which first became evident in the cases involving indefinite retention of DNA and fingerprint information on persons who have not been charged.  This practice has been ruled to be against an individual’s right to privacy under Article 8 of the European Convention on Human Rights by the European Court of Human Rights in Strasbourg (see S and Marper v United Kingdom).

Whilst the constabularies are correct to apply their own judgement to the appropriate retention period for criminal records, this is a sensitive area that calls for legislative intervention. After a consultation on the retention of DNA database records, the Home Office reported in November 2009 that it is considering a limit of six years for the retention of DNA data for innocent persons, but there has been no Home Office response to the Court of Appeal case on the retention of other police records.

Data Protection Fines – Deutsche Bahn style

The Berlin data protection registrar (Berliner Beauftragter für Datenschutz und Informationsfreiheit) has completed an investigation into employee monitoring by Deutsche Bahn, the German federal railway company.  On 16 October 2009 he imposed a fine on Deutsche Bahn of €1.1 million.  The company had fourteen days to appeal the fine, but a press release from the Berlin regulator dated 23 October 2009 suggests that Deutsche Bahn have accepted the fine.

Amongst other infringements, the company had been found to have monitored hundreds of thousands of employee e-mails and searched their computer hard drives. During 2006 and 2007 all employee external email accounts were monitored. This was a major scandal in Germany when the story first broke, and it led the Deutsche Bahn CEO at the time, Hartmut Mehdorn, to announce his resignation in March 2009, to be replaced by former Daimler executive Ruediger Grube.

In contrast, if Network Rail and all the train operating companies in the UK were found to have breached the Data Protection Act 1998 in a similar way, the most the Information Commissioner could do is impose upon them an enforcement notice.  Only if this notice were breached could the relevant company be prosecuted and fined a paltry £5,000.  Fining powers are included in the Data Protection Act 1998 (ss. 55A-55E), but these have yet to be brought into effect by the Government.

Data protection: where are the fines?

Regular readers of this blog (thank you!) will know that we consider the Information Commissioner’s lack of enforcement and regulatory powers to be a serious deficiency in the UK’s data protection and privacy law.

To emphasise the point yet again, the Information Commissioner has published details of the enforcement notices issued against 14 construction companies arising out of the misuse of personal data collected and sold by Ian Kerr trading as the Consulting Association. There are some big names listed in the Information Commissioner’s press release. The enforcement notices demand that the construction companies stop using the Ian Kerr personal data, and comply with certain obligations that they already had under the Data Protection Act 1998.

Despite these serious breaches, there are no fines or compensation orders, as the Information Commissioner does not have the power to award fines or make orders. Have the construction companies got away with their blatant breach of the Data Protection Act 1998? Perhaps, but at least the enforcement notices contain an interesting final warning. In setting out in the notices that the construction companies must comply with certain data protection obligations, the Information Commissioner has ensured that any further breach of these obligations would also be a breach of the relevant enforcement notice.

Breach of an enforcement notice is a criminal offence. In addition, where that offence “has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly” (section 61(1) of the Data Protection Act 1998).

The officers of the 14 construction companies subject to these Ian Kerr enforcement notices ought to bear this in mind.

To fine, or not to fine: that is the question

Compare and contrast the following recent data protection cases:

1. HSBC: fined, after discount, over £3m by the FSA.

2. Ian Kerr: prosecuted and fined £5,000.

3. Highland Council: asked to give an undertaking to get its laptops encrypted.

The HSBC case highlights yet again the lack of enforcement powers given to the Information Commissioner under the Data Protection Act 1998.  It also highlights the lack of regulatory powers the ICO has to set data protection rules.  After all, HSBC was fined by the FSA for breach of FSA rules, not for breach of any legislation.

This is demonstrated in the Ian Kerr case.  Although this involved systematic and blatant breaches of the data protection principles, including in respect of the processing of sensitive personal data (trade union membership), the prosecution was for the offence of not being notified to the Information Commissioner.  However, a fine at the top of the scale was imposed by the court.

When no statutory offences have been committed, the Information Commissioner must fall back on the enforcement notice powers and the more recent innovation of getting data controllers to volunteer undertakings rather than be made the subject of an enforcement notice, as shown by the Highland Council case.

The Highland Council case may, on the face of its facts, be argued to be a little harsh.  It concerned the theft of two password-protected laptops from a locked office.  The laptops held personal data on over 1,400 individuals, including sensitive personal data (medical information).  The key point, however, is that the laptops were unencrypted.  This is yet another reminder that no-one using unencrypted laptops for personal data should expect any leniency from the Information Commissioner if they go missing.

Snooping and vetting

At Charles Russell we have a generic data protection email address – feel free to drop us a question for a short, informal reply:
dataprotection@charlesrussell.co.uk.

So it’s a little ironic that, in the week of the Ian Kerr Enforcement Notice (concerning an unlawful personnel vetting service – see the ICO press release here), our dataprotection email box is getting filled with spam containing this:

Spam Vetting Service

Needless to say, we won’t be using this service.