Information sharing given the green light
A teenager has failed in a judicial review of how information on her was shared between Sussex Police and Brighton & Hove Business Crime Reduction Partnership [BCRP].
The teenager identified only as M, because she was aged under 18 when the case began, and so was allowed to remain anonymous, argued that the safeguards for disclosing personal information to the BCRP were inadequate and unlawful.
She also challenged an award of £500 in damages she had received because the original hearing had decided that the police had breached her rights by giving the BCRP information about risks of sexual exploitation was inadequate. M argued that the award was not enough.
The police cross-appealed on the grounds that the judge in the original hearing in the High Court – Justice Lieven - had been wrong to find there had been a disclosure of ‘sensitive personal information’ about M's sex life which breached the Data Protection Act and her Human Rights.
In M, R (On the Application Of) v The Chief Constable of Sussex Police [2021] EWCA Civ 42 the Court of Appeal dismissed M’s challenge to the size of the financial award. But they allowed the police to cross-appeal.
M challenged the lawfulness of safeguards in the Information Sharing Agreement made between the BCRP and the police. At that time the BCRP had just over 500 members and its main function was, and remains, the management of an exclusion notice scheme, prohibiting offenders from entering members' premises.
The partnership passed on information about individuals to its members via a secure intranet site and mobile application although only about 240 members had actually chosen to have access to this data. M was given an exclusion notice in November 2017 and was subject to a year-long exclusion notice.
At the cross-appeal Lady Justice Andrew and two other judges, said the main question for the High Court had been whether the information sharing agreement met the requirements of Part 3 of the Data Protection Act 2018. She said: “In a well-structured, careful and clearly expressed judgment, Justice Lieven [the original judge] held that, although there was room for improvement, on a holistic assessment, the Information Sharing Agreement read together with its appendices and a Legitimate Interest Assessment…did provide sufficient safeguards and effective measures, including technological measures, to meet those requirements.”
M had argued that the agreement was not appropriate for processing sensitive personal data relating to children [under 18] as the safeguards were inadequate to prevent wider dissemination.
Lady Justice Andrews concluded: “[Lieven] was entitled, standing back, to take the view . . . . that so long as the nature of the data shared remains as in the legitimate interest assessment, and the safeguards she had identified exist as to onward transmission, the sharing is proportionate, and the [police] had demonstrated compliance with the requirements of the Data Protection Act 2018.”
M also argued that sharing of her bail conditions with BCRP members amounted to ‘making them public’ which is prohibited under Section 49 of the Children and Young Persons Act 1933.
Rejecting this part of M’s challenge too, Lady Justice Andrews said: “In my judgment, Lieven's analysis was patently correct…the correct dividing line is not between internal communications within public authorities, and all other communications; or between police officers or others carrying out a public function, and civilians; but between private communications and publications to the general public.” [editor’s italics]. In the original hearing the judge had held that sharing bail conditions was limited to BCRP members and that any employees or third party contractors who received information did so in their employment capacity and subject to sufficient safeguards. Thus they were not ordinary ‘members of the public’ by virtue of being members of the BCRP.
She also said the original judge had been wrong to find that informing the BCRP that M was at risk of child sexual exploitation was disclosure of her sex life and thus an unlawful as sensitive personal data. Indeed she concluded that the police had never informed the BCRP of this fact and the original judge had misread an email upon which she partly based her conclusion.
Allowing the police cross-appeal Lady Justice Andrews said: “[Justice Lieven] was therefore wrong to find that there had been a breach of M's data protection rights under the DPA 1998 and of her rights under Article 8 [of the] European Convention on Human Rights and to grant declaratory relief.”
This meant there was no basis for the award of damages to M. It also strengthens the case for data sharing between police forces and business crime reduction partnerships provided they are covered by robust data sharing agreements.