Data Protection: Unlawful Processing and ICO Enforcement

January 25, 2012

The Information Commissioner doesn’t usually enforce breaches of the First Data Protection Principle (which includes the requirement that ‘Personal data shall be processed fairly and lawfully …’) if the problem relates to unlawful processing. This is because such breaches require him to understand how another piece of legislation (ie other than the Data Protection Act 1998) determines what processing of personal data is lawful or unlawful. This in turn means that the ICO has to be prepared to become an expert in the interpretation of that other law, something which is clearly difficult when data protection straddles all laws!

The issue came to the fore when Mrs Thatcher’s Community Charge proposals were replaced by the Council Tax in the early 1990s. Local authorities, having had their fingers badly burnt with the privacy issues associated with the Poll Tax register (a register of every adult in the local authority area), wanted to know the extent to which they could use the Council Tax personal data for other purposes. The Information Commissioner was inundated by questions such as: ‘would it be lawful or unlawful to use the Council Tax personal data for purpose X?’ where X was any local authority service sanctioned by a host of local government Acts and related statutory instruments.

At the end of the day, the then Commissioner decided that he was not going to answer such questions, and stated that he would look at unlawful processing only if the need arose; since then, the need has never arisen because the ICO avoids the issue.

This position has been strengthened in ICO guidance, which states, in the context of lawful processing, that the ICO may not:

‘…pursue allegations of breach of copyright (or any other law) as this would go beyond the remit of the Data Protection Act. Many areas of law are complex, and the ICO is not and cannot be expected to be expert in all of them’ (my emphasis).

The ‘Solicitors-From-Hell’ Judgment

The Commissioner’s stated position has now become untenable because the recent judgment in The Law Society (and others) v Rick Kordowski [2011] EWHC 3185 (QB) has concluded that:

(a) the term ‘lawful’ processing in the First Principle relates to that processing which is consistent with the application of any relevant law, including the law of confidence;

(b) the purpose of the Data Protection Directive is to implement Article 8 of the Human Rights Act – so, in theory, the Information Commissioner could consider ‘lawfulness’ in terms of Article 8.

The data controller in question (and publisher of personal data on the Solicitors from Hell web site) claimed that ‘under Article 10 of the European Convention on Human Rights, you have the right to freedom of speech and expression to voice your complaint! But it must accurate and truthful. You can complain here. RIGHT NOW! NAME and SHAME your OPPRESSOR Problem Solicitor? No need to register or even leave your name. Click on the link below and add them to our list of “Solicitors from Hell”’.

Despite this plea for accuracy of contributions, the web site collected a vast number of unattributable or unchecked allegations concerning named solicitors, some of which alleged activities of a criminal nature. In data protection terms, the personal data on the site involved the processing of sensitive personal data.

Three complainants took up the cudgels against the publisher in order to stop the further processing of these personal data. In an uncontested action (the publisher had also lost a number of previous libel cases and was bankrupt), they argued that the data controller had breached:

· the First Data Protection Principle because the processing was unfair and there was no Schedule 2 condition to legitimise the processing (and, in the case of some sensitive personal data, no Schedule 3 condition)

· the Fourth Data Protection Principle: that personal data shall be accurate and, where necessary, kept up to date

· the Sixth Data Protection Principle: that personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998 – in particular, it was claimed that the defendant had ignored the exercise of the right to object to the processing of personal data; the Court agreed, and granted a notice under s 10(4) of the Data Protection Act 1998.

All the claims succeeded. However, the judge said (at [78]) re the First Principle and lawfulness (my emphasis):

‘The reference to ‘lawfully’ in the First Data Protection Principle applies to any form of conduct that is unlawful, including breach of confidence, libel, and harassment. As Patten J said in Murray v Express Newspapers Ltd [2007] EWHC 1908 (Ch) [2007] EMLR 22 at para [72]:

“It seems to me that the reference to lawfully in Schedule 1, Part 1 must be construed by reference to the current state of the law in particular in relation to the misuse of confidential information. The draftsman of the Act has not attempted to give the word any wider or special meaning and it is therefore necessary to apply to the processor of the personal data the same obligations of confidentiality as would otherwise apply but for the Act”’.

This ability to consider lawful processing is reinforced later in the judgment (at [101]):

‘I appreciate the burden that the law may have placed in the Commissioner. And where there is any room for argument as to whether processing is unlawful under the general law, it may be more appropriate that a complainant should be required to pursue his remedy in the courts … But where there is no room for argument that processing is unlawful (as is the case with the defendant, given the numerous judgments against the defendant referred to in this judgment), it seems to me to be more difficult to say that the matter is not one which could be dealt with under Part V’ [Part V is a reference to the ICO’s powers in the Act].

Another possible consequence may be the inclusion of breaches of the Seventh Principle in cases where breaches of confidence involve the unlawful use or disclosure of personal data. This is clear from the text of the Principle which requires ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data … etc’ (my emphasis). So if a data controller failed to secure personal data of a confidential nature (eg loss of health personal data) then a subsequent breach of confidence engages the Seventh Data Protection Principle as well as the First.

Another ‘advance’ in the judgment is the express linkage between Article 8 of the European Convention on Human Rights and data protection.[1] This implies that it is legitimate to ask the Commissioner for an assessment of whether the processing is lawful in terms of Article 8. This is because the judge says (at [97]):

‘…The purpose of the [Data Protection] Directive was to give effect in the context of data protection to the Art 8 rights of the ECHR (right to respect for private life). See Recitals (8) to (12). It is a privacy statute, although its scope is limited by a number of provisions, including the definition of data in s. 1 and the application of the Act delimited in s. 5’.

In January, the Article 29 Working Party of European Data Protection Commissioners concluded that the agreement negotiated by the European Union with the USA with respect to the transfer of Passenger Name Records[2] did not ‘demonstrate the necessity and the proportionality of mass transfer and use of PNR data for law enforcement purposes’ and that, in relation to retention of such data, ‘The Working Party cannot see how these long retention periods can be substantiated and justified. It considers them to be excessive and disproportionate’.

One wonders, when the Agreement comes into force, whether the Information Commissioner will be emboldened by this judgment to assess whether or not the Agreement permits the lawful transfer of PNR data to the USA from the UK? And what about assessing those statutory instruments that permit extensive data sharing or data retention – could they become assessable by the Commissioner for ‘lawful’ processing as being necessary and in full accordance with Article 8?

Concluding Comment

The Commissioner had argued that the ‘Solicitors from Hell’ web site fell within the ‘domestic purpose exemption’ and, in a letter to one of the complainants, he explained this fact. The Court concluded, politely, that this advice was incorrect and, in the context of lawful processing, Tugendhat J said (at [100]):

‘I do not find it possible to reconcile the views on the law expressed in the Commissioner’s letter with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully.’

The last week in January saw the publication of draft EU legislation that will eventually change all the data protection regimes across Europe. I am beginning to wonder whether a far more fundamental enhancement in privacy protection is possible from this judgment and its wide interpretation of ‘lawful processing’. Clearly the judgment could have a far-reaching effect; the only issue is whether (and by how much) the Commissioner uses the power that the courts have provided to him.

Chris Pounder is a Director of Amberhawk Training Limited, a company which delivers information law training, including that required to meet the requirements of the ISEB qualification in data protection. He has been involved with data protection since the Lindop Report in 1978 and writes the ‘Hawktalk’ blog on privacy issues:

[1] See Nine principles for assessing whether privacy is protected in a surveillance society (Parts 1 and 2) on