Death and the DPA

Posted on | by Christopher Knight

Death may be the great leveller, but does it also bring to an end an appeal brought under section 28(4) of the Data Protection Act 1998 against a national security certificate issued by the Secretary of State? The answer of the Upper Tribunal in Campbell v Secretary of State for Northern Ireland [2018] UKUT 372 (AAC) was: Yes.

Mr Campbell had made, whilst alive, a subject access request in respect of the official records held about his internment without trial in Northern Ireland in the 1970s. In response to that SAR, the Secretary of State issued a certificate under section 28(2) that exemption from the rights contained in the DPA was “required for the purpose of safeguarding national security”. Mr Campbell, again whilst still alive, appealed that certificate, as he was entitled to do, under section 28(4) and the appeal was transferred to the Upper Tribunal.

About three months after the appeal was lodged, Mr Campbell died. His widow sought to maintain the appeal, which had been selected as one of three test cases for a cohort of around 100 others in respect of which similar certificates had been issued. The Secretary of State objected that Mr Campbell’s case could not survive his demise.

The Upper Tribunal found the issue difficult, but agreed. It held that an appeal under section 28(4) is a personal right which cannot survive that person’s death to the benefit of his estate. The appeal itself may be a procedural one, but it arises only in the context of the attempted exercise of rights in respect of personal data (under section 7 in this case), and personal data is defined by reference to living individuals. No SAR could be made on behalf of a deceased person, and no certificate could be issued. The section 28 appeal could not have a free-standing life of its own in the absence of the personal data rights which were dependent on there being a living data subject.

Such section 28(4) appeals are rare, and the issue arising in Campbell even rarer, such that the judgment is an interesting read for those thinking about the practical application of data protection law and the personal nature of the rights conferred.

Christopher Knight