In June 2021 CCTV images showing health secretary Matthew Hancock, kissing his former aide, Gina Coladengelo were leaked to the Sun.
Following the leak, the ICO received a report of a data breach from EMCOR Group Plc which provides CCTV services for the Department of Health and Social Care (DHSC). Within the report, EMCOR submitted that the CCTV images were taken from a DHSC CCTV system without the consent of either EMCOR or the DHSC.
As part of the investigation, the ICO searched two residential properties believed to be connected to the breach. Personal computer equipment and electronic devices were seized. The ICO faced some criticism following the raid of the two properties with the Sun calling it an “outrageous abuse” that could deter whistleblowers from coming forward.
At the time of the raids, Steve Eckersley, Director of Investigations at the ICO however commented:
“It’s vital that all people, including employees and visitors to public buildings, have trust and confidence in the protection of their personal data captured by CCTV. In these circumstances, the ICO aims to react swiftly and effectively to investigate where there is a risk that other people may have unlawfully obtained personal data. We have an ongoing investigation into criminal matters and will not be commenting further until it is concluded.”
ICO’s findings
Following the above, the ICO has now concluded their criminal investigations.
The ICO found insufficient evidence to prosecute the two people suspected of unlawfully obtaining and disclosing the CCTV footage from the DHSC.
The ICO felt that given the seriousness of the report and the wider implications for the security of information across the Government they felt they had a legal duty to carry out an impartial assessment of the evidence available to determine whether there had been a breach of law.
Forensic analysis of the footage revealed that the leaked CCTV was likely obtained by someone recording the CCTV screen on a phone. During their raid, the ICO seized six mobile phones. It however transpired that none of them contained the CCTV footage in question.
After taking legal advice, the ICO concluded that there was insufficient evidence to charge anyone with a criminal offence under the Data Protection Act 2018 (DPA 2018).
Relevant law
Section 170 of the DPA 2018 makes it clear that:
“(1) It is an offence for a person knowingly or recklessly—
(a)to obtain or disclose personal data without the consent of the controller,
(b)to procure the disclosure of personal data to another person without the consent of the controller, or
(c)after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.”
If you are found to be in breach of Section 170 of the DPA 2018, you are therefore committing a criminal offence. As matters stand, a breach of Section 170 is punishable by way of a fine.
How can we help
Ruby Ashby is an Associate in our expert Dispute Resolution team.
If you need any advice concerning the subjects discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact us