A Deletion Too Far: Huntley, Soham and Data Protection

March 1, 2004

In a press release from the Office of the Information Commissioner, Richard Thomas criticised recent use of the data protection legislation to excuse administrative failures: “It is ridiculous that organisations should hide behind data protection as a smokescreen for practices which no reasonable person would ever find acceptable”.[1] He was of course referring to the well-publicised case of Humberside Constabulary, which blamed the Data Protection Act 1998 for its failure to retain information on its systems. In the subsequent media scrum following the conviction of Huntley for the murder of Holly Wells and Jessica Chapman, David Westwood, the Chief Constable of Humberside, defended Humberside Constabulary’s data deletion practices and argued that it had been necessary to delete the nine separate sexual allegations made against Huntley from its electronic database because of the requirements of the DPA 1998. This interpretation of the DPA 1998 by the Chief Constable was not universally shared.

The government has now established an independent inquiry to be headed by Sir Michael Bichard to investigate the child protection procedures within Humberside and Cambridgeshire Constabulary. The Bichard Inquiry will have a remit to review Humberside and Cambridgeshire Constabulary’s working practices, including practices relating to record keeping, and to submit a report to the Home Secretary.

In light of the public disagreement between the Information Commissioner and the Chief Constable of Humberside, was the Chief Constable misguided or mistaken in failing to understand the true meaning of the deletion requirements under the DPA 1998, or is the DPA 1998 fatally flawed?

Requirement to Delete

Sensitive personal data as defined in the DPA 1998 includes any personal data consisting of the commission or alleged commission by an individual of any offence. This is the type of sensitive personal data that would have been stored and processed by Humberside Constabulary.

The key principle under the DPA 1998 which relates to deletion or storage of personal data or sensitive personal data is the fifth data protection principle. This is specified in Part I of Sch 1 to the DPA 1998 and requires a data controller such as Humberside Constabulary to ensure that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”.

There is no additional guidance in the DPA 1998 on the interpretation of this fifth data protection principle. This is sensible, as the length of time will vary depending on the nature of the processing. In the Huntley case, Humberside Constabulary would have been entitled to keep his personal data as long as it was necessary for the purpose that was being undertaken by them (ie prevention and detection of crime). In fact, the Information Commissioner recently indicated that “it’s for the police to decide what purposes they’re holding information for, and as long as they are holding it for legitimate purposes, such as the investigation or prevention of crime, they can hold information in some cases for a very long time indeed.” [2]

This is the correct approach. Even if extensive guidance had been provided by the Information Commissioner or Parliament on the operation of the fifth data protection principle, the data controller must have sole responsibility to determine the “shelf life” for the types of personal or sensitive personal data in keeping with its legitimate business purposes.

Right to Prevent Processing

In any event, a data subject (such as Huntley) would have the right under the DPA 1998, s 10 to ask a data controller (such as Humberside Constabulary) to cease processing personal data by submitting a written notice that such processing (ie storage or disclosure) would be likely to cause damage or distress.

A Section 10 notice would not be appropriate where one of the following conditions under Schedule 2 (paragraphs 1 to 4) were to apply:

· where a data subject has given consent

· where the processing is necessary for the performance of a contract to which the data subject is a party

· where the processing is necessary for compliance with a legal obligation other than an obligation imposed by contract

· where the processing is necessary to protect the vital interests of a data subject.

A data subject is entitled to compensation where he has suffered damage or distress because of any failure to comply with the DPA 1998 and where a data controller has not taken reasonable care to prevent such damage or distress.[3] If a court considers that the personal or sensitive personal data in a police database is inaccurate, the court can order a data controller to rectify, block, erase, or destroy such data.[4]

Alternatively, a data subject may request the Information Commissioner under the DPA 1998, s 42 to investigate whether any particular processing operation carried out by a data controller is likely to breach the provisions of the DPA 1998. The Information Commissioner is entitled to undertake an assessment if the request raises a matter of substance. In some cases, a detailed investigation of the data controller’s actions may not be carried out. If the Information Commissioner undertakes an assessment then the data subject will be fully informed of any action taken by the Information Commissioner as a result of the request.

Protecting the Public

It is worth mentioning that the Chief Constable of Humberside would have legitimate grounds to continue processing such sensitive personal data relating to allegations of criminal acts, whether or not they have been pursued through to arrest or conviction. It is clear that Schs 2 and 3 to the Act and the Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI 2000/417) provide potential justification for such processing in addition to the grounds mentioned above:

· Sch 2, para 5(d) – where the processing is necessary for the exercise of any other functions of a public nature exercised in the public interest by any person

· Sch 3, para 7(b) – where the processing is necessary for the exercise of any functions conferred on any person by or under an enactment

· SI 2000/417, para 1 – where the processing is in the substantial public interest; or is necessary for the purposes of the prevention or detection of any unlawful act

· SI 2000/417, para 10 – where the processing is necessary for the exercise of any functions conferred on a constable by any rule of law.

In effect, even if a Section 10 Notice is issued by a data subject, these additional grounds entitle a data controller to take a balanced view of the interests of alleged and actual criminals, their victims and potential victims and to continue processing.

ACPO Code of Practice

The Association of Chief Police Officers (ACPO) code of practice for data protection was issued on 15 October 2002[5] (the Code) and fully supported by the then Information Commissioner, Elizabeth France.

The Code recommends that police forces have a duty “to ensure that personal information is periodically reviewed and information that is no longer required is removed (weeded)”.[6] There are different regimes for the deletion of information relating to acquittals, convictions, cautions, police reprimands and final warnings. For example, the Code permits a superintendent to authorise the retention of records for a period of five years in cases where an offence relates to a sexual allegation but the defendant or suspect is acquitted or where the case is discontinued due to a lack of corroboration or consent by the victim provided that identity is not an issue. The retention period can be extended beyond the initial five years, where such retention is justified due to concern that the defendant or suspect may apply for future employment involving substantial access to vulnerable persons and that the information will be necessary on the grounds of the prevention and detection of crime in the future.[7]

As Chris Fox, President of ACPO, noted, “…we do need to remember that there are already new arrangements in place for such vetting requests. The police service and others have not stood still over the past decade. ACPO was amongst those who argued for the creation of the Criminal Records Bureau which is now in place, and a national system of intelligence gathering, the National Intelligence Model (NIM), is being adopted by all forces. Technology has also moved on; forces are much better equipped than previously to deal with the vast amount of data collected on crimes and offenders”.[8]

Whilst the DPA 1998 does not specify a time limit, according to the Code a previous decision of the Data Protection Tribunal (now re-named the Information Tribunal) has held that “information should not be retained on the grounds that it may possibly become relevant in the future”.[9]

Future Developments

Following the widespread criticism of the Humberside Constabulary’s actions, the Information Commissioner issued a press release identifying certain measures that would be taken to simplify the application of the DPA 1998.[10] The new measures include the following:

· the provision of quicker responses to organisations concerned with the interpretation of the DPA 1998

· the development of practical and user-friendly guidance for organisations

· the request for further responses to the ‘Making Data Protection Simpler’ public consultation

· the pledge to ensure that all communications issued by the Office of the Information Commissioner be in plain English.

The Home Office has also urged police forces to review their record-keeping following a year-long study into police record-keeping by HM Chief Inspector of Constabulary. The Home Office has been concerned that the police have not been entering information relating to offences or convictions promptly into the Police National Computer. In order to combat such poor record-keeping, the Home Office is proposing to establish a statutory code of practice setting out standards on police record-keeping. This code of practice is due to be implemented in late Spring 2004.

Conclusion

Common sense should have prevailed in relation to the deletion of data by Humberside Constabulary. Humberside’s alleged practice of deleting sensitive personal data on a monthly basis seems injudicious in the absence of specific guidance under the DPA 1998. As John Reid, the Health Secretary, put it succinctly, “the whole point of these regulations is to protect people’s privacy, it is not to put their lives in danger”.[11] With hindsight, it is possible to see that, if a police force has access to information about a series of unproven allegations, this information may be relevant to future investigations by any police force and indeed other bodies, such as organisations tasked with responsibility for young or vulnerable people.

It is a sad reality that the murder of Holly Wells and Jessica Chapman may not have been prevented even if Humberside Constabulary had not deleted Huntley’s personal data and had passed such information on to the school authorities. Huntley was not the caretaker at the girls’ school but at a neighbouring college. The girls came to Huntley’s notice through their relationship with Maxine Carr. The dissemination of such intelligence from Humberside to Cambridgeshire Constabulary may have resulted in a speedier arrest but not necessarily the prevention of the two murders.

We will have to await the conclusion of the Bichard Inquiry to see whether it confirms the views expressed by the Information Commissioner or whether the Chief Constable’s position at Humberside is tenable. It is to be hoped that the ACPO code of practice on data protection will be revised in the light of any recommendations from the Bichard Inquiry.


[1] Richard Thomas – Information Commissioner 14 January 2004 (Data protection – Helping organisations to get it right)

[3] Section 13 – DPA 1998

[4] Section 14(1) – DPA 1998

[5] Available on the ACPO website – http://www.acpo.police.uk/policies/index.html

[6] ACPO Code of Practice for Data Protection 15 October 2002 – Section 8 (Retention of Data)

[7] ACPO Code of Practice for Data Protection 15 October 2002 – Section 8 (Retention of Data)

[8] ACPO Press Release Reference: 83/03 Date: December 17, 2003

[9] ACPO Code of Practice for Data Protection 15 October 2002 – Section 8 (Retention of Data)

[10] Data protection – Helping organisations to get it right – 14 January 2004