Driver v Crown Prosecution Service [2022] EWHC 2500 (KB)
Mr Driver was a well-known figure in local politics and had been the suspect in a long running police investigation into alleged corruption, known as Operation Sheridan. The police concluded their investigation and passed the file to the CPS for a decision on the charging of 8 suspects (including Mr Driver).
A member of the public, Paul Graham, asked the CPS to provide an update on Operation Sheridan. On 5 June 2019, a CPS lawyer, Julia Graham, sent an email to Mr Graham in response to his request for an update (Email). Ms Graham confirmed to Mr Graham that the charging file had been referred from the Operation Sheridan investigation team to the CPS for consideration.
In the run up to the 2019 general election, Mr Graham circulated the Email to several recipients including Mr Driver’s political opponents and BBC journalist, Jeremy Vine.
Mr Driver brought a claim against the CPS for breach of GDPR and/or the Data Protection Act 2018 (DPA 2018), misuse of private information, and breach of his Article 8 Rights. Mr Driver sought damages not exceeding £2,000 and declaratory relief. The CPS denied liability. Within this blog, I have purely focused on the data protection element of Mr Driver’s claim.
Data protection claim
It was Mr Driver’s position that by sending the Email the CPS had unlawfully processed his personal data in contravention of the GDPR/DPA 2018. Mr Justice Knowles identified that the first issue to be determined was whether the GDPR or the DPA 2018 would govern the data protection claim.
If the processing was for the purpose of law enforcement, GDPR would not apply and instead, the appropriate legislation would be Parts 1 and 3 of the DPA 2018. It was the CPS’s position that if the Email did involve the processing of personal data (which they denied) it was done for law enforcement purposes as the Email was sent incidentally to the CPS’s primary function. Mr Justice Knowles agreed with this interpretation and therefore concluded that the appropriate regime would be the DPA 2018.
The second issue for determination was whether the Email contained Mr Driver’s personal data. Personal data is defined in Section 3(2) of the DPA 2018 as “any information relating to an identified or identifiable living individual”.
Section 3(3) of the DPA 2018 confirms that an identifiable living individual:
“means a living individual who can be identified directly or indirectly, in particular by reference to – (a) an identifier such as name, an identification number, location data or an online identity, or (b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual”.
Mr Justice Knowles took the view that the Email did contain Mr Driver’s personal data. Reference to Operation Sheridan in the Email was an identifier and therefore Mr Driver could be indirectly identified as one of the 8 suspects in accordance with the definition within Section 3(3) of the DPA 2018. Mr Justice Knowles also took the view that the best evidence that the Email contained Mr Driver’s personal data was the fact that Mr Graham had been able to identify Mr Driver as one of the individuals to whom the file related to.
Ordinarily, you would then need to consider whether the data had been processed in line with the definition present within the DPA 2018. Mr Justice Knowles considered that as he had found that the Email did contain personal data there was no question that the data had been processed by sending the Email.
The third issue for determination was whether the processing of the Email was lawful. Mr Driver claimed that the CPS was in breach of the First Principle, Second Principle, and Sixth Principle:
First Principle -(Section 35 of the DPA 2018) which confirms that data can only be processed lawfully if the data subject has given consent or the processing is necessary.
Second Principle – (Section 36 of the DPA 2018) which confirms that the purpose for which personal data is collected on any occasion must be specific, explicit, and legitimate.
Sixth Principle – (Section 40 of the DPA 2018) which confirms that data must be processed in a manner that ensures appropriate security of the data.
The CPS had claimed that it had a legitimate purpose of maintaining public confidence in the investigation and prosecution of crime. Mr Justice Knowles accepted that it can be a legitimate function of the police and the CPS to keep the public updated. However, in August 2018 there had been a public statement about Operation Sheridan which had appropriately briefed and updated the public.
Until a charging decision had been made there was no need for anything further to be said to the public. Mr Justice Knowles, therefore, concluded that the Defendant had failed to show that the Email was necessary and was therefore in breach of both the first and second principles. The CPS had failed to show a pressing social need for this specific member of the public (being Mr Graham) on this specific occasion to be updated about the case.
Mr Justice Knowles also concluded that there had been a breach of the sixth principle. He found that the CPS had failed to show that it had in place appropriate organisational measures to protect against unauthorised or unlawful processing.
By virtue of the above, Mr Justice Knowles found that there had been a data breach in contravention of the DPA 2018. He however considered it to be at the lowest end of the spectrum and awarded Mr Driver damages in the sum of £250. He also made a declaration that the CPS breached Mr Driver’s rights under Part 3 of the DPA 2018.
Comment
This case is a helpful summary of the law in relation to the processing of data for the purpose of law enforcement.
How can we help
Ruby Ashby is an Associate in our expert Dispute Resolution team.
If you need any advice concerning the subjects discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact us