Compliance with governmental requests for information raise a minefield of different laws, but data protection/privacy rights hold special pitfalls
Determining when the sharing of personal data is legal can be a complicated exercise. Yet, the impetus for governmental agencies to collect and share more and more information is at an unprecedented high. In the EU, this is no more true than in respect of efforts to bolster the fight against crime and terrorism by remedying deficiencies in the exchange of intelligence information with international partners, such as the US. Much of this information may be generated by organisations in the private sector and requested by agencies directly from them.
Over this year, we have seen a number of key initiatives in this area, some of which have already been covered in this blog. These include the new Safe Harbour agreement on transatlantic personal data exchange (discussed here), as well as agreement on the gathering and sharing of airline passenger name records (PNR) data (discussed here). In related news, we have seen an evolution in the EU legal stance on the retention of communications data following its exchange by the private sector to governmental agencies. In the not too distant future, it is anticipated that the European Commission will propose new rules that promote more harmonisation of the legal framework governing data retention for public reasons to a higher standard of privacy and data protection rights than previously implemented by the EU member States. This trend follows the judgement of the Court of Justice of the EU (CJEU) in Digital Rights Ireland (DRI) in 2014. (Previous posts on this issue by Sophie can be found here and here). More recently, we have received the Opinion of the Advocate General (AG) of the CJEU (in Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others, Joined Cases C-203/15 and C-698/15, 19 July 2016). The case is being heard in response to a referral request by the English Court of Appeal about interpretation of the DRI judgement and the extent to which it applies to national laws: in essence, is a general obligation to retain data compatible with EU law? In brief, the AG opined that EU Member States could impose general bulk data retention obligations on providers of electronic communications services for the purpose of fighting serious crime, provided that a number of minimum conditions are satisfied (for more, see the summary in the accompanying press release here). The final decision by the CJEU will, of course, have implications for all EU Member States that have adopted or are planning on adopting national laws on data retention. We will report on this decision once it is made available.
Back in the UK, other recent news about finding an appropriate and just balance in law between privacy and data protection, and other public interests and rights, when it comes to information sharing for intelligence purposes, as well as retention of that information, is raised by the UK Investigatory Powers Bill currently making its way through Parliament. This Bill includes several provisions clarifying the circumstances under which UK security and intelligence agencies can share information on UK citizens with requesting foreign intelligence services.
For organisations, compliance with a smorgasbord of legal requirements must be considered before information is shared. These include, inter alia, consideration of any domestic laws on confidentiality, competition law, as well as intellectual property rights. Nonetheless, where personal data or private information is shared, more than ever compliance with data protection law and human rights law (where applicable) should be at the top of the compliance agenda for any organisations operating in the EU. Human rights law compliance includes consideration of, not just the right to privacy, but also the right to protection of personal data as set out in the EU Charter of Fundamental Rights. These fundamental rights are guaranteed by EU Member State national constitutional systems and their obligations under the European Convention of Human Rights (ECHR)).
Set against this backdrop, two cases heard recently by English courts illustrates issues that can arise regarding compliance with data protection law when personal data are shared with law enforcement agencies. The first case was heard by the High Court in Bangura v Loughborough University  EWHC 1503 (QB). The High Court ruled that Loughborough University acted lawfully under the Data Protection Act 1998 (DPA) in supplying Leicestershire Police with the registration form of a student suspected of sexual assault and rape. It was alleged by the claimant (Mr Bangura) that the University was acting in contravention of its data protection policy – and in infringement of the DPA – by supplying the form containing his personal data to the police before a written request for the form was received.
The High Court rejected the claimant’s arguments under the DPA. Specifically, it held that section 29 of the DPA does not state that a request for information must be made in writing, and that there was a legitimate interest in the University disclosing his personal data to the police (bearing in mind the seriousness of the alleged crimes for which Bangura was under investigation). As a reminder, section 29(3) of the DPA permits a data controller to disclose personal data without an individual’s knowledge or consent (an exemption from Principle 1 of the DPA), where the disclosure is for the prevention or detection of a crime, the apprehension or prosecution of offenders, or for taxation purposes. Interestingly, the Court also held that the disclosure was not a breach of contract by the University, as neither the registration document nor the policy purported to incorporate the policy as part of the contract between the student and the University.
Another case – focusing on the legality of a data requester’s actions – concerns the disclosure of information to the Metropolitan Police and Greater Manchester Police regarding an investigation of one of its employees. (Unfortunately, a decision is not available – albeit that the case has been reported widely in the press, e.g. on the BBC website here). In summary of the facts, after a police employee went on holiday while on sick leave, senior police officers used powers designed to investigate crimes to obtain personal data on their colleague. This included approving an application to an airline seeking details of her air travel for the last five years, which referred to a fictitious Act of Parliament as the basis for the request. A request was also made for information from the National Border Targeting Centre, a division within the UK Border Force that collects information on people leaving and entering the country. In both cases, personal data was subsequently shared with the police.
After learning of the data requests, the officer under investigation brought a civil action against both police forces, including claims for breaches of the DPA and the Human Rights Act 1998 (HRA), as well as misuse of confidential information, which was heard in front of the Central London County Court. While both forces denied liability initially, shortly before the trial both admitted that the data requests breached both the HRA and the DPA (remember, in the UK, data protection rules apply to the domestic processing of personal data by police, such as between police forces- as will soon be the case in all the EU Member States in a few years – see our posts here and here). The judge hearing the case is reported to have commented the officers involved did not appear to have any appreciation or understanding of the laws that regulate their conduct in this area. The judge also upheld the claim for misuse of private information.
Lessons learnt from both cases in relation to the perspective of the recipients of an information request for law-enforcement purposes are as follows:
- In relation to the second case, it highlights how even the most official-looking request for information from a public agency needs to be considered carefully by the recipient of the request to ensure the legality of the basis on which personal data is being sought. In particular, when private information is requested, the request must be in compliance with the HRA and its mandate for public bodies to respect its right to privacy (as derived from Article 8 of the ECHR – the right to respect for private and family life). In particular, the sharing of information in this context must pursue a legitimate aim; it must also be necessary and proportionate to achieve that aim. The latter requirement is an especially important point when it comes to considering whether the scope of an information request made is reasonable – i.e. it should not be a fishing exercise! (For background, the EU Article 29 Data Protection Working Party previously published an opinion (01/2014) on the application of necessity and proportionality concepts and data protection within the law enforcement sector. The opinion analyses how the European Court of Human Rights has interpreted necessity and proportionality and considers how these concepts link to data protection).
- In relation to the first case, by comparison, even if the authority asking for the information may be pursuing a legitimate interest and acting within their powers – the one doing the sharing must be confident that they would be acting legally in acting upon the request (albeit that there is no suggestion that voluntary disclosure from private organisations provides a way out for law enforcement agencies acting illegally in the exercise of their information-requesting investigatory powers). Prospective data sharers must ensure that that they would be acting in compliance with data protection rules where personal data (as defined in Section 1 of the DPA) are requested. Under the DPA, disclosure of personal data must be justified with reference to the conditions in Schedule 2, and where sensitive personal data is involved, Schedule 3. To note, under the DPA, it is a data controller who bears responsibility for compliance in this respect (section 4(4)) but it is worth noting that, once the GDPR is adopted in May 2018, data processors will be put on an equal footing with data controllers and bear the same responsibility.
To help organisations determine their data protection obligations under the DPA, the ICO has provided guidance on data sharing in compliance with the DPA aimed at organisations that plan to disclose personal data. These include: a data-sharing Code of Practice; and, two data-sharing Checklists (one for systematic data sharing schemes, and the other for one-off requests). They are designed to provide practical guidance in relation to the sharing of personal data between public authorities and private organisations, but also between public authorities, and to promote good practice. In brief, the ICO’s approach advocates transparency, such that where organisations may have to disclose personal data , they should make this clear to their customers by explicitly stating so in their privacy notices. The ICO recommends that a privacy notice should “at least tell the individual – who you are; – why you are going to share personal data; and – who you are going to share it with – this could be actual named organisations or types of organisations”. [Presumably, privacy notes should also include express wording whether the policy is to have contractual force. It is not unreasonable to expect that a court might hold – not only that a privacy notice is part of a contract – but also that a DPA breach constitutes a sufficiently serious breach of contract to justify termination under the contract if it is felt to go to the heart of the agreement!]
Notwithstanding, the ICO’s Code of Practice is not at odds with the decision in the first case described above. This is because the ICO goes on to say that, “in certain limited circumstances the DPA provides for personal data, even sensitive data, to be shared without the individual even knowing about it” – including for crime and taxation purposes – which would exempt an organisation processing personal data from the fairness requirements of the DPA. However, the ICO provides the caveat that this is “only to the extent that applying these provisions would be likely to prejudice the crime and taxation purposes”:
For example, the police might ask an organisation to give them information about an ex employee who they suspect of being involved in a serious assault. If informing the ex-employee that they have given the police this information would tip the individual off and be likely to prejudice the investigation, because the suspect might abscond for example, then the organisation could rely on the exemption and wouldn’t have to tell the individual about the disclosure of information. (page 19)
In general (non-confidential) information sharing situations, the ICO recommends that data sharing agreements be concluded between requester and recipient. The ICO suggests that such agreements should include a requirement to comply with the DPA, duties of confidentiality and obligations to store the data securely, including appropriate warranties and rights of termination for legal breaches. Before an agreement is reached, the ICO also recommends that a Privacy Impact Assessment should be carried out. In this respect, the Code includes a number of specific recommendations on risk assessment, the nature of the data to be shared, the information to be provided to data subjects, the measures a data controller should take to ensure data standards, data security and the data subjects’ rights of access, etc.
Finally, any post regarding information-sharing laws in the UK would not be complete without mentioning the soon-to-become-law Digital Economy Bill, which was laid before the Parliament this summer. This Bill follows in the wake of a UK governmental consultation on data sharing within the public sector earlier in the year, focusing on data held by public sector organisations and how data is accessed and used, including how data sharing can be enabled. The Bill sets out a suite of measures intended to improve the delivery of public services (clauses 29-68), including a proposal for a new Data Sharing Code of Practice. One such measure aimed at improving government data and digital services is a single gateway for use by specified public authorities to share personal data for tightly constrained reasons set out in draft regulations. In this respect, the government has published a draft Digital Government (Disclosure of Information) Regulations 2016, which set out the authorities that can rely on the gateway and the circumstances in which they can do so (public service delivery, combatting debt in the public sector and fraud against the public sector). It also specifies conditions for linking de-identified data in safe settings that prevent disclosure of personal data, including ensuring that anyone who accesses or processes data for any function under this power is subject to an accreditation process and giving the UK Statistics Authority easier secure access to data (clauses 56 to 68).
Addendum: On 7 October 2016, the Central London County Court awarded the former police officer (the subject of the second case mentioned above) £9,000 in damages for privacy and data protection law breaches – see here.