On 12 October, the Information Tribunal issued its first judgment on the Data Protection Act 1998. The lengthy, 95 page judgment, upholds the right of the police to retain old conviction data, but requires the police to ensure that access to this data is limited to police personnel.
The case echoes, at a national level, the debate which is taking place at a European level in relation to retention of communications data i.e. how to reconcile demands of the security services with privacy and data protection concerns.
The case of The Chief Constables of West Yorkshire, South Yorkshire and North Wales v The Information Commissioner relates to extremely old conviction data held about three individuals. In all cases the conviction data related to offences committed by the individuals as juveniles or young adults. Since these offences, the individuals concerned had not been convicted of any further offences.
The first individual, SY, was convicted of actual bodily harm in 1979 when SY was then about 15. SY discovered that the information was still held on the police national computer when he made a complaint about a neighbour to Nottinghamshire police. In the case of investigating SY’s complaint, information about SY’s convictions was released by South Yorkshire police to Nottinghamshire police.
WY was convicted of a number of motor vehicle related offences between 1978 and 1979 when he was then between 17 and 19 years old. WY now wished to apply for US citizenship and was concerned that the fact of these convictions would be disclosed, which would be prejudicial to his application.
The final set of conviction data related to NW who was convicted of theft in 1967 when then 17 or 18. NW became aware that the information was still held when he applied for a job which led to an enhanced disclosure certificate being issued by the Criminal Records Bureau.
In all three cases, the records were held under a system known as the “weeding rules”. Under these rules, it is police practice to retain records when custodial sentences have been awarded which, when aggregated, are in excess of six months. Where this trigger is met, records are kept until the individual’s death or for 100 years. (The weeding rules also set out separate procedures for maintaining records relating to offences of indecency, sexual offences, violence and trafficking and importation of drugs).
As the brief factual summary above shows, the significance of information being retained is that it may be released not just to the police but to others, for example, in the event of a complaint to the police, to overseas immigrations officials and in the context of job applications where an enhanced disclosure certificate is sought from the Criminal Records Bureau.
The Information Commissioner argued that retention of conviction data in these cases, where the data was old, related to relatively minor offences, and there had been no subsequent convictions, breached the fifth data protection principle (personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose or those purposes) and the third data protection principle (personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed). The Information Commissioner suggested, during the course of the proceedings, that he might accept a compromise whereby the information was retained by the police for police purposes only, but was not available for release to other organisations, as had happened here.
The police, by contrast, argued that it was operationally necessary for them to retain conviction data on a broad basis; that it would be technically difficult for them to restrict access to the data and to carry out any form of regular review and weeding; and that a change in the Police Act 1997 would be required to allow them to retain information for police purposes and not release it to the kinds of organisations concerned here.
The Tribunal’s decision
The Information Tribunal’s judgment does not completely vindicate either the Information Commissioner or the Chief Constables concerned. The Tribunal accepted that the Chief Constables had made out a case for retaining the information for police purposes. However, the Information Tribunal required the Chief Constables to ensure that, within six months, the data would not be open to inspection other than by Chief Officers of Police. In other words, the Information Tribunal accepted the compromise solution put forward by the Information Commissioner, referred to during the proceedings as a “step down” model.
The data protection principles are expressed in very broad, general terms. It is often difficult to come up with clear rules to implement them and setting retention periods is frequently an issue of concern to clients. The Information Tribunal itself seems to have had difficulty in grappling with this. Its judgment states two conflicting principles – firstly that retention of conviction data must be assessed on a case by case basis and that the Information Tribunal’s decision itself is limited to the particular facts before it; but secondly, that there was a need for precise guidelines for the police which would set out “instructions” for the deletion and retention of records, as opposed to general principles set out in previous guidance, which police forces found difficult to apply in practice.
The Tribunal also expressed dissatisfaction with the proceedings behind the case. The Tribunal stated that both the Information Commissioner and the Chief Constables had presented “sparse and over-generalised” positions, including statements of principle which had not been substantiated. The Information Tribunal also commented adversely on the lack of factual information in the three cases. Partly, this is due to the fact that, although the police had retained limited conviction data about individuals, they were unable to produce any additional information as to the background of those convictions – whether by case reports, police notebooks or similar. This meant that neither the Chief Constables, nor the Information Commissioner, nor the Tribunal itself was in a position to assess whether there were particular factual circumstances which could have affected the retention decision in these particular cases. The difficulties faced by all of the parties involved in the proceedings were compounded by the fact that there was a need to protect the anonymity of the individuals concerned – so that it was not feasible to cross examine the individuals so as to obtain information about the convictions which would be readily accepted by all parties.
On balance, when there was a question of erring on the side of the police or the Information Commissioner, the Information Tribunal tended to defer to the police, taking the view that they should have primary responsibility for determining matters relating to operational policing.
Finally, the Information Tribunal also set out certain high level guidelines for the police to incorporate when implementing system changes to the police national computer. The Tribunal stipulated that the police national computer must be able to allow for the following:
- proper deletion of data subject records;
- automation of record culling procedures using a variety of prompts – e.g. age; conviction data; time elapsed etc;
- ability to limit access to users who meet criteria specified by relevant bodies – the default should be that individuals are not allowed access unless specifically authorised;
- ability to amend users’ details where access criteria change; and
- ability to amend the criteria used by the system to reflect changing circumstances.