The Daily Mail, Dorries and Data Protection

Community Trade Mark E7490592

Our last two posts addressed the position of Nadine Dorries MP under the Data Protection Act 1998 (the “DPA”) in respect of sensitive personal data concerning her partner’s wife posted on the MP’s website in her Personal Statement to the Press (here and here).

It appears that the Personal Statement to the Press may have been made in anticipation of a story being published in the Daily Mail the following day on the MP’s new relationship. In that story the same sensitive personal data was published, raising the question of whether the Daily Mail was itself potentially in breach of the DPA.

There is one material difference between the two cases. The Daily Mail, being a news organisation, can rely on the exemption at section 32 of the DPA. This applies where the processing of personal data, including the publication of it, is done for the special purposes of journalism, literature or art.  It is not a complete exemption from the provisions of the DPA, but it does permit a journalism organisation which “reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest” to breach a data protection principle (section 32(1)(b)) to breach a data protection principle where it “reasonably believes that, in all circumstances, compliance [with the data protection principle] is incompatible [for the purposes of journalism]” (section 32(1)(c)).

Publication, it is clear, includes making the journalistic material available to the public or any section of the public by any media (from section 32(6)).

A subject of any journalistic material retains their right to bring an action for compensation, including damages for distress (section 13(2)(b)), which means that any newspaper wishing to publish must weigh up the risk of being sued under the DPA and a court finding that newspaper could not have had a reasonable belief that the publication was in the public interest.  There are extremely few cases on this point, but perhaps the most notable is the Naomi Campbell case.  She brought a case against the Mirror as a result of pictures being published of her leaving a Narcotics Anonymous meeting.  The data protection aspect of the case was thoroughly described by the Master of the Rolls, Lord Phillips, when the case was appealed to the Court of Appeal (Naomi Campbell v Mirror Group Newspapers [2002] EWCA Civ 1373, subsequently appealed to the House of Lords [2004] UKHL 22).  At the Court of Appeal it was determined that the publication was in the public interest so that the section 32 exemption applied.  In the House of Lords the case was determined upon the basis of the balance of rights under the Human Rights Act 1998 rather than expressly dealing with the DPA, but this can be implied from section 32(1)(b) as being the balance between the right to freedom of expression and the right to privacy.

So in deciding whether the Daily Mail has breached the DPA, you have to consider, as a court would, whether there were grounds for a reasonable belief that publication of information on her partner’s wife was in the public interest.

Nadine Dorries Press Statement: enforcement and remedy

ICO Data protection cases received and closed (source ICO)

In our previous post we reviewed in the context of yesterday’s personal statement to the press by Nadine Dorries MP, whether the publication of a person’s medical condition on a website could be unlawful under the Data Protection Act 1998 (the “DPA”). If our view that there has been a breach of the DPA is supported, what are the potential consequences for Nadine Dorries MP and what remedies are available to her partner’s wife (“W”), under the DPA?

Firstly, breach of a data protection principle is not of itself a criminal offence. Nothing Nadine Dorries has done appears to be within the scope of any of the criminal offences under the DPA. The disclosures she made in her blog are even within the scope of her notification properly made to the Information Commissioner’s Office (“notification” is the accurate term for the registration of a data controller’s processing purposes required under section 17 of the DPA). So any enforcement action taken by the Information Commissioner against the MP will not include prosecution at this stage.

Nadine Dorries could still be prosecuted if she fails to comply with an enforcement notice made by the Information Commissioner, but as the nature of any enforcement notice would be an order by the Information Commissioner not to breach the relevant data protection principle again, this is unlikely. However, the current practice of the Information Commissioner’s Office is to seek undertakings from breaching data controllers that they will remedy the breach and will behave lawfully in future. Whilst enforcement by enforcement notice is described in Part V of the DPA, this practice of undertakings is non-statutory. It appears that this use of undertakings makes criminal prosecution even more unlikely, as a breach of an undertaking would then lead to an enforcement notice, not directly to a prosecution.

However, the Information Commissioner does have the ability to impose monetary penalties of up to £500,000 for serious breaches of the DPA. All the elements that give the Information Commissioner the power under the DPA to impose a monetary penalties may be present in the Nadine Dorries case: there is a deliberate breach of the first data protection principle in circumstances that would cause W distress. The question is therefore whether the breach is “serious” or the distress “substantial” for the purposes of section 55A(1) of the DPA. As required by section 55C of the DPA, the Information Commissioner has published guidance on how it would determine whether a breach warrants action under section 55A (or 55B), but this does not give sufficient assistance to be able to conclude that Nadine Dorries would be given a notice of intent to impose a monetary penalty, were the Information Commissioner to investigate this case. However, the guidance does suggest that breaches that involve medical data and distress as a result of wrongful processing of medical data are more likely to be in the serious/substantial camp.

So if the Information Commissioner takes no action, what direct remedy does W have under the DPA? It is recognised by privacy advocates that the DPA provides limited remedies to individuals. The only remedy they have for past breaches, which requires court action, is a right to compensation for damage under section 13 of the DPA. In almost all cases, this must be actual damage (i.e. recovery of costs, losses or expenses suffered or incurred as a result of the DPA breach) rather than distress. Damages for distress alone are only possible in a limited set of circumstances, which do not apply to this Nadine Dorries case unless it can be argued that the issue of a personal press statement was for the “purposes of journalism” (section 3(1) of the DPA). There is no case law on what this phrase means.  In addition, there is no recital in the Data Protection Directive 95/46/EC that gives any assistance on what this provision was intended to cover.  Therefore in our opinion it would be a brave claimant that would try to obtain damages for distress under the DPA by claiming that the issue of a statement on a blog was caught by what the DPA calls this “special purpose”.

This leads to the uncomfortable conclusion that W may have no direct DPA remedy herself, and must rely on the Information Commissioner to take action to give her some redress for the distress she may have suffered as a result of details of her alcoholism being published in breach of the DPA.  However, the development of a right to privacy under cases such as Max Mosely v News of the World [2008] EWHC 1777 (QB) or Naomi Campbell v Mirror Group Newspapers [2004] UKHL 22 show that a privacy remedy made be available as a result of judicial intervention where no statutory remedy under the DPA is provided.

Domestic purposes abuse?

Nadine Dorries MP (© http://www.TheyWorkForYou.com)

Today, Nadine Dorries MP issued on her blog a personal statement to the press. In the statement she describes how she has embarked upon a romantic relationship with an old family friend. However, the statement also includes personal statements from her new partner and her partner’s daughter. From these secondary statements the wife of the partner can be identified, and she is stated to be a long-term alcoholic and a domestic abuser.

You will note that we have not named the partner, his wife or his daughter. To do so would mean that we would be processing personal data, including sensitive personal data, about these individuals. For the reasons set out in this post, we consider that such processing, being done without the explicit consent of the wife of the partner, would be unlawful under Data Protection Act 1998 (the “DPA”).

The first question that needs to be answered in connection with the press statement is whether the DPA applies at all. Whilst the DPA would apply to our use of the partner’s family personal data, there is a question as to whether the disclosure of this information on Nadine Dorries’ blog is within the scope of the DPA. This is because section 36 of the DPA exempts processing for domestic purposes by an individual. There is no UK case law to assist in determining where the boundary lies for this domestic purposes exemption, but there can be little doubt that if the courts were asked to consider these circumstances, they would be bound by the Court of Justice of the European Union decision in Case 101/01 Bodil Lindqvist.  We would expect a UK court to apply the Bodil Lindqvist decision to find that the publication by an MP of personal data of third parties on the internet was not covered by the section 36 exemption.  Section 36 is clearly the implementation in the UK of the second limb of Article 3(2) of the Data Protection Directive 95/46/EC. The Bodil Lindqvist case facts are very similar to this Nadine Dorries case; both cases involve the publication of personal data, including sensitive personal data, on the internet in circumstances where a non-commercial, private purpose was or could be claimed. The Court of Justice was particularly influenced by Recital (12) of the Directive to decide that internet publication could not be considered to be domestic processing within the exemption at Article 3(2):

(12) Whereas the protection principles must apply to all processing of personal data by any person whose activities are governed by Community law; whereas there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses;

The next question, having decided that the DPA applies, is whether there has been any breach of the DPA by disclosing the personal statements. To comply with the First Data Protection Principle under the DPA, a data controller (in essence, the owner of the data or the one who decides what to do with it) must process the data in accordance with one of the appropriate conditions set out in two schedules to the DPA: Schedule 2 for “ordinary” personal data or Schedule 3 for sensitive personal data. For the purposes of this post, “ordinary” personal data is data which identifies an individual and which is not sensitive personal data. Sensitive personal data is defined in section 2 of the DPA as:

In this Act “sensitive personal data” means personal data consisting of information as to—

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Even taking the most favourable interpretation of this definition to the information disclosed about the partner’s wife, it is clear that information about her alcoholism (physical or mental health or condition) is sensitive personal data. There does not appear to be any legitimate purpose under Schedule 3 that would permit the disclosure of this information without the explicit consent of the partner’s wife. It therefore appears that the disclosure is unlawful.

Having decided that the publication of a third party’s medical condition, if it is without explicit consent, is unlawful, raises the question of the consequences. We will deal with this in our next post.