26 January 2004
When data protection can kill: Information Commissioner Richard Thomas speaks out on Ian Huntley – and makes a plea for common sense. By Jon Robins
Who was it earlier this month that accused the Data Protection Act (DPA) of being “convoluted and stuffed full of junk”? While the description lacked the necessary venom for tabloids such as the Daily Express (for which it was the “killer law” that was “meant to protect us… but is now costing lives”), it could have been one of the growing band of critics for whom the 1998 legislation has become yet another illustration of “political correctness gone mad”.
In fact, it was the Information Commissioner himself, Richard Thomas, who despite being appointed under Section 6 of the aforementioned legislation, is clearly no fan.
One broadsheet leader last week declared that it was turning into “a winter of discontent” for data protection, after the legislation was blamed in relation to the Soham murders and then for the deaths of two South London pensioners whose gas had been cut off. Thomas, the former head of public policy at Clifford Chance, is not denying the criticism of it. “But if it is, it’s a short winter of discontent,” he reckons.
“We’ve had some very unfair criticism, especially in the couple of weeks before Christmas, but now I feel that it’s very important to set the record straight,” the Information Commissioner told The Lawyer. While Thomas is not overly keen on the legislation, he is, unsurprisingly, an enthusiastic advocate for the principles at the heart of the DPA. In particular, he is conscious that its positive role in resisting the powers of “a surveillance society”, with its “growing problems of identity theft and the buying and selling of personal information”, might becomes lost in the midst of all the bad press.
“I want to make sure that no one loses sight of the fundamental importance of privacy and safeguarding personal information,” he says. “People’s lives can be seriously damaged when inaccurate information is used or falls into the wrong hands, or when there’s a lack of security. I was very concerned that the benefits of data protection were being sidelined, but we now feel we’re getting widespread recognition as to its benefits.”
Well, that remains to be seen. Thomas, who prior to his time at Clifford Chance was director of consumer affairs at the Office of Fair Trading (OFT) and head of public affairs at the National Consumer Council (NCC), has promised a package of measures this month. The Information Commissioner’s Office (ICO) will bolster the Data Protection Helpline, commit to more guidance for organisations and avoid as far as it can the legalese that dogs the act. Demystifying the legislation for public and business appears to be Thomas’s number one goal – he flags up the Court of Appeal’ s own unflattering view of the “cumbersome and inelegant piece of legislation”, as expressed last year. “I agree,” he says. When he was at the NCC he was the author of Plain English for Lawyers. He promises to avoid such phrases as “data subject” and “Schedule 2 basis for processing”. “I don’t go to the pub and hear people talking about ‘data subjects’; they talk about ‘men’, ‘women’ and ‘people’, and we have to use that kind of language,” he adds.
The Soham case
While the media might have declared open season on data protection, the consensus from lawyers is that the recent spate of high-profile cases reveals little about deficiencies in the legislation (apart from its notorious impenetrability) and a lot about the failure on the part of business and Government to grasp what it is all about. Or, as Thomas suspects, a self-serving refusal to come to terms with it. “It’s ridiculous that organisations should hide behind data protection as a smokescreen for practices which no reasonable person would ever find acceptable,” he says.
It was following the conviction of Ian Huntley for the murders of Jessica Chapman and Holly Wells that Humberside police were lambasted for destroying vital information on the child killer. David Westwood, Humberside chief constable, said the DPA had prevented officers from keeping hold of details of the allegations against Huntley in the Grimsby area before he moved to Soham. The day before Thomas spoke to The Lawyer, Sir Michael Bichard opened his inquiry into how Huntley got his job with children despite having been accused of nine sex crimes, including four rapes, and the indecent assault of an 11-year-old girl. Consequently, he is limited in what he can say about Soham.
Keith Wotherspoon, a data protection specialist at Freshfields Bruckhaus Deringer, comments: “Under the Data Protection Act, personal data is not allowed to be ‘kept for longer than is necessary’. That’s it – one line.”
However, the Association of Chief Police Officers (Acpo) has its own data protection code of practice, which is published with the approval of the ICO, and has a foreword by Thomas’s predecessor Elizabeth France. Under the Acpo guidelines, information about alleged sex crimes can be kept by forces even if someone has not been convicted. With regards to criminal allegations, the guidelines state that it is “not possible to lay down strict criteria for the removal of data from criminal intelligence records”. It continues: “The need to retain or remove such information can only be judged from the nature of the information, and whether it is necessary, lawful, proportional and relevant to its purpose.” Information should be reviewed on a regular basis and at least every 12 months.
The Information Commissioner was reported to be “astonished” when Westwood claimed at the time that the legislation required forces to delete information about individuals that had not led to a conviction. “Frankly, we couldn’t understand what the chief constable was saying,” he now says.
Wotherspoon reckons that there might be a case for “sharper guidance” to be published by the watchdog. But, as always with data protection, a balance has to be struck. “From a privacy point of view, if your neighbour alleges that you threatened him with assault and the police investigate the matter and you’re never charged, you don’t want that data to come up again some years later when no charge was ever pressed,” he says. “It’s the balance between the right to privacy and not to have data kept longer about someone than is absolutely necessary, and the right of the general public to be protected against people who might have criminal tendencies.”
Other police forces have managed to strike a different balance, though. “The Metropolitan Police has really long retention policies, and if they don’t find it a problem, why do Humberside?” asks Ruth Boardman, a data protection expert at Bird & Bird. But, judging by the recent skirmish between Acpo and the watchdog, it is not an easy call. A statement from Acpo said that the ICO had recently taken preliminary enforcement action against two police forces “over retention of conviction data, including for example offences of assault occasioning bodily harm”. It continued: “We are concerned that deletion of such data would significantly undermine the ability of the Criminal Records Bureau to help employers safeguard the interests of children in particular.”
Failing to communicate
In the British Gas case, the legislation was blamed following a recent inquest into the deaths of George Bates and his wife Gertrude, who were both over 80 years of age. They were found dead at their home several weeks after British Gas cut off their supply after they had failed to pay their £140 bill. Harry Metcalfe, general manager of communications at British Gas, told the inquest on the Monday before Christmas (22 December 2003) that 10 attempts were made to contact the couple before the supply was switched off. He also argued that, since the 1998 act was passed, British Gas was prohibited from passing information to social services as it was not allowed to disclose information on debt without the customer’s consent. A couple of days later British Gas put out a press release making it clear that the legislation did not prevent it passing on details of vulnerable people to social services. To the evident frustration of the Information Commissioner, that was largely ignored. “If big organisations want us to help them establish criteria, then so be it,” says Thomas. “But the act simply requires ‘fair processing’; now, how could it possibly be fair to leave someone without any assistance when they’ve been disconnected?”
In particular, the DPA has an exception allowing for processing of any personal data “in order to protect the vital interests of the data subject”. According to Wotherspoon, the common example cited is a person who suffers a road accident abroad and a UK hospital cannot obtain consent to release their medical records. “The difficulty for someone like British Gas is deciding when it’s in the ‘vital interests’ of someone, as they must cut off thousands of customers every week. How do you know if someone’s a vulnerable customer?” he says. It is not an easy assessment to make unless the utility company starts to gather more information about, for example, the age of its customers, which of course would have its own data protection implications. Wotherspoon says: “I think that this type of accident could well happen again, because utility companies don’t want to have to ask customers for more information about their circumstances. And you can’t really know their circumstances beyond the fact that they haven’t paid their bill for six months or a year.”
Thomas is quick to make the point that the data protection rules for companies such as British Gas does not give them a “carte blanche”. “It puts limits on what can or can’t be done,” he says. “If British Gas wanted to pass on the names and addresses of everybody disconnected to a credit company, who then mailshot people saying ‘Borrow money from us’, I’d be outraged and would come down on any utility company who did that like a ton of bricks.” Although the information watchdog is committed to providing guidance, Thomas adds that it would be “unrealistic for the ICO to prepare guidance for every eventuality”. “These are common sense matters. It’s common sense that you can tell social services and common sense that you can’t tell a bank,” he adds.
Burden and expense
It is less clear where Thomas, the consumer champion, stands on the pro-business line taken by the Court of Appeal in last month’s landmark case of Durant v FSA. The appeal judges sought to prevent an “unjustifiable burden and expense” being imposed on commerce by limiting the information that is protected by the DPA.
Michael Durant was a former customer of Barclays Bank. He unsuccessfully sued the bank in 1993 and then sought disclosure by the FSA through data subject access requests under the DPA of records relating to the dispute.
Companies frequently complain that they have been besieged by such requests since the DPA came into force three years ago. “In particular, disgruntled employees are using them tactically as a weapon in the armoury in litigation,” comments Christine Jenner, an employment lawyer at Macfarlanes. “This ruling has now limited that considerably. For businesses that have previously thought that, just to be safe, they had to give them absolutely everything that referred to their name, Durant has now made it clear that it has to be personal data and biographical in nature.” According to the solicitor, one recent request, costing the person who made the request the standard £10, prompted a review of between 30 and 40 files, putting the client to “inordinate time and expense”.
Lord Justice Auld ruled that, for information to amount to personal data, it had to be biographical “in a significant sense”. “[That] is, going beyond the recording of the putative data subject’s involvement in a matter or event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised,” he added.
The appeal judges also ruled on what qualified as a “relevant filing system”, and whether it covered manual filing as opposed to simply computer files. They ruled that files should “be structured in such a way that specific information relating to a particular individual is readily accessible”. Again, this will have a considerable limiting impact on requests. “There has to be the same standard of sophistication of accessibility in a computerised record,” Jenner adds.
According to Boardman at Bird & Bird, this restrictive approach will be welcome news for HR departments and for the likes of insurance companies and banks, which hold large amounts of such data. But she also argues that it is “out-of-step” with approaches to data protection at the European Commission and the European Court of Human Rights.
The ruling leaves a couple of very big questions hanging over the subject access regime. On the personal data point, Wotherspoon asks whether contact databases with lists of names and addresses are caught. “If not, a lot of businesses are going to be freed from some heavy obligations under the act,” he comments. With manual records, he wants to know if they will largely fall outside the legislation “contrary to what was intended by the act”. He adds: “The whole idea was that data protection always covered computerised records, but the act was amended because it was thought to be a back door for avoiding protection to keep information on manual record.”
Thomas, despite his strong consumer background, professes to be happy with the line taken by the court. He acknowledges both Wotherspoon’s concerns and promises that they will be covered by his forthcoming guidance. He is working on yet more guidelines on the case and hopes to publish it “as soon as possible”.
So does the recent barrage of criticism, and Thomas’s misgivings about the legislation, make a case for reforming the law? And he points out that there is no prospect of new legislation “due to the pressures of parliamentary time”. “I want to make sure that people are clear about the principles,” he says. “People might be frightened by some aspects of it, but when you get to the basics it’s a matter of common sense.”