Child Protection and Data Protection

The spectre of Jimmy Saville casts a long shadow and now it extends to data protection, the Data Protection Act 1998 being the latest august and uniformly popular institution (following the BBC, Broadmoor and Margaret Thatcher to name just some) to suffer as a result of his actions. The perennial sight of investigations and public inquiries into historic sex abuse of children in local authority, chiefly arising out of the wider ramifications of Operation Yewtree, has provided a very ready explanation for local authorities for the need to retain child protection data.

The fifth data protection principle says data should not be kept longer than necessary for the purposes for which it is processed, whereas the reality will often be that the information of greatest significance (accusations of abuse or records of care) will only become significant after the expiry of a lot of time and the child’s growth into an adult able to confront the abuse they have suffered.

As a result, there is no consistent practice across the country. The High Court in R (C) v Northumberland County Council & ICO [2015] EWHC 2134 (Admin) was informed that authorities adopt an approach which ranges from retention until the 21st birthday, to six years after the 18th birthday, to 75 years from the date of birth, to 35 years from the closure of a case: at [10]. This obviously poses concerns about compliance with the DPA and Article 8 ECHR.

C sought the destruction of his child protection held by Northumberland CC and considered that it had been retained under the 35 year policy applicable in Northumberland for too long. C considered that a period of six years after his 18th birthday would have been the cut-off point, and the ICO agreed intervening (although the ICO copped a lot of flak from Simon J for having issued a section 42 DPA determination indicating it was ‘likely’ the Council had complied with the DPA and had subsequently changed its mind).

The judgment of Simon J is not always the easiest to follow. It appears that the key question before the Court was whether the retention for 35 years (which clearly engaged Article 8) was in accordance with the law, and if it was, whether it was proportionate. Although the judgment does not actually reason expressly in this way, it seems as though the analysis revolves around the fifth principle: if data retention does not breach the longer than necessary test, it will be in accordance with the law and it will be proportionate. This is not actually what the judgment says; it must be broadly how the analysis goes (see at [9]), and it is open to some debate whether those assumptions are correct in law or in analysis of the judgment.

Simon J held that the purpose for retaining child protection records was not limited to defending litigation, and so an adoption of six years – based on the limitation period – did not read across. The purpose was broader: it was to protect other children, to allow data subjects access in later life, and to make the information available to subsequent investigation: at [33]. The Judge was clearly influenced by the difficulty of seeing the importance of information at the time, and its significance only becoming clear through a more historical lens: at [37]. The clearest examples are, of course, Saville-esque: at [49]-[53]. A six year cut off period would, in the view of Simon J, restrict the ability of people over 24 from making a request and learning about their child protection file contents: at [45]-[47]. Simon J concluded that the Council was not required to adopt a “cumbersome and time-consuming predictive exercise” and retention would help to identify risks only seen with hindsight: at [56]. Regular review, every seven years, was considered a disproportionate use of labour: at [58]. 35 years “fell within the bracket of legitimate periods of retention”: at [61].

One can readily sympathise with the position of the Council in a case like C, which will be (with other linked agencies) between a rock and a hard place on child protection data. If they delete too quickly they risk being castigated by history for not being able to answer questions; if they don’t delete they are hoarders of sensitive and traumatic data. Simon J clearly sympathised very strongly with this. However, the structure of the reasoning is regrettably unclear. The reader is left uncertain whether Simon J has found the fifth principle complied with (probably, on the basis of a wider reading of its purposes), whether that has meant the interference with Article 8 was in accordance with the law (presumably, but query how that works where it only falls within a legitimate bracket), and how the structured proportionality analysis has been carried out. It may well not matter on the conclusions of the judgment, but it does mean it will be harder to advise on and apply in related contexts. Nor does it give much guidance as to other periods adopted; is 6 years too short and is 75 years too long? Doubtless further case law will explore the undiscovered country. In the meantime, some national guidance wouldn’t go amiss…

Paul Greatorex appeared for C, Karen Steyn QC for Northumberland and Robin Hopkins for the ICO.

Christopher Knight