How does data protection law feed into, and support, challenges to police action in the form of refusing press accreditation for a political party conference? The Divisional Court considered this in R (Segalov) v Chief Constable of Sussex Police & Chief Constable of Greater Manchester Police  EWHC 3187 (Admin).
Mr Segalov is a political journalist and commentator. For reasons best known only to himself, he wished to attend the 2017 Labour Party Conference in Brighton and wished to do so as an accredited member of the press. Accreditation was subject to police security checks. Given that Mr Segalov maintained that he had never even been arrested, still less anything more serious, by any police force at any time, he was somewhat surprised to be refused accreditation on police security grounds. As it turned out through disclosure, police records had him down as an ‘extreme left wing activist’, because he had attended a number of protests (at least some of which he maintained was only in his capacity as a journalist reporting on them).
The claimant’s judicial review was advanced on a number of grounds, of which breach of the DPA was the fifth of five. The Court accepted that Sussex Police, as the host force, had acted contrary to procedural fairness in its consideration of the application, in that it had not had in place any operative policy or criteria for assessing applications, and could and should (on the facts) have given the claimant the opportunity to make representations about the police’s concerns. The argument that an equivalent threshold to that applied in vetting for employment should have been adopted was not formally determined, but subjected to some judicial doubt in the very different context. A claim for breach of Article 8 ECHR was held not to advance matters.
The DPA claim was dealt with (perhaps surprisingly in the light of the treatment of Article 8 and of the threshold) in more detail, although the Court still expressed the view at  that it did not really advance the claimant’s case. It accepted that there was processing and of sensitive personal data.
The Court also accepted, and this is of more importance, that to the extent that the police’s conduct was contrary to public law, it was also a breach of the first data protection principle: at . The Court held that the section 29 criminal law enforcement exemption went more widely than being confined to cases of an existing criminal investigation. But acting in breach of public law would mean that there could be no likely prejudice to the section 29 purposes.
The Court accepted at  that the language of necessity in all of the Schedule 2 and 3 conditions imported the notion of proportionality, and was not to be interpreted to mean ‘indispensable’ (nor ‘convenient’), and again the role of the police was necessary in the relevant sense insofar as they acted consistently with public law.
Complaints about breaches of the third and fourth data protection principles were held to require the resolution of factual disputes unsuitable for a judicial review, and needed to be pleaded and proved and was “why DPA claims against private and public bodies are normally brought in private law under Part 7 of the CPR”, which was also likely to be the appropriate vehicle for a section 13 damages claim: at . Any such claim was to be brought separately and would be a matter for the County Court: at .
Segalov sets no worlds alight, but it is a useful reminder of how other unlawful acts may operate to generate a breach of the DPA (and thereby give rise to a damages claim unrecoverable in public law), and how the courts can be keen to run together different causes of action arising from the same facts. The reiteration that factual disputes which often arise from DPA complaints, where it adds something to the public law challenge, are not suitable for judicial review will be a useful authority for those drafting Summary Grounds and resisting permission.