Sometimes a case comes along which, whether through range of issues or over-enthusiastic pleading, seems to touch on more or less every data protection provision going. To this end, at least for the DPA 1998, we give you the lengthy treatise of Sales LJ that is: Cooper v National Crime Agency [2019] EWCA Civ 16.
Cooper ended up in the Court of Appeal from more than one route. Mr Cooper was an employee of the Serious Organised Crime Agency (“SOCA”, now the National Crime Agency), who got drunk on a night out in Hove – where, to be fair, there is little else to do – became disorderly and was accused of assaulting a police officer. The next day, he told Sussex Police that he was employed by SOCA and informed his line manager of what had happened when bailed. Entirely unsurprisingly, SOCA took a dim view. It asked Sussex Police for the underlying evidence and interview transcript in order to consider a misconduct investigation and whether it reached a level triggering notification of the IPCC (now the IOPC). Sussex Police supplied the material. SOCA dismissed Mr Cooper for gross misconduct, relying on the material provided, in advance of the criminal trial. He was subsequently convicted by the Magistrates’ Court, but the conviction was quashed on appeal to the Crown Court on the basis that it could not be excluded that a head injury Mr Cooper had obtained in the scuffle had caused his behaviour.
Mr Cooper brought proceedings against SOCA in both the Employment Tribunal and the County Court, the latter for breach of the DPA (a DPA claim against Sussex Police having been settled). The Tribunal dismissed the unfair dismissal claim and, in particular, refused to accept that there was available complaint of procedural unfairness based on breach of the DPA in receiving the evidence where such a claim was not pleaded and had not been raised in the disciplinary proceedings. The EAT dismissed the appeal in relation to the DPA. The County Court dismissed Mr Cooper’s DPA claims, which concerned more or less every principle and paragraph going, and also held that the damages claim for £880,000 for loss of employment and damage to future employment prospects would have failed anyway because SOCA would have investigated the incident themselves in any event, with the co-operation of Sussex Police and/or by attending the criminal proceedings and noting the evidence given. The Court of Appeal accordingly had before it joined appeals from the EAT and the County Court.
Sales LJ robustly introduced the analysis of the County Court appeal saying that it was “entirely unsurprising that when SOCA was provided by Sussex Police with the information which is in issue in these proceedings, SOCA should wish to use it to get to the bottom of what had happened”: at [83]. So far, so common-sensical. SOCA, thought Sales LJ, had complied with the data protection principles even without needing to rely on the partial exemption in section 35(2) DPA for legal proceedings. What follows is a trot through much of Schedules 1-3 of the DPA.
The Court confirmed that when the DPA uses the term “necessity”, it means “reasonable necessity”: at [89]-[93]. This is, as Sales LJ pointed out, what Lady Hale held in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55, and he expressly endorsed the now well-established summary of legal principles set out by the Upper Tribunal in Goldsmith International Business School v Information Commissioner [2014] UKUT 563 (AAC) (still, unaccountably, not generally known as the ‘Knight principles’). As a general statement of law, that is of importance.
Other parts of the judgment can be summarised more briefly. Sales LJ held that:
- A DPA claim does not automatically mean Article 8 ECHR are engaged or interfered with, and if there is to be reliance on Article 8 it must be pleaded and proved: at [94].
- It was necessary for SOCA to carry out its own investigation; it could not simply wait for the criminal trial to see what came from that. It had to determine the propriety of Mr Cooper’s continued employment as well as whether the IPCC needed to be notified: at [96].
- A term in the SOCA employment contract agreeing to the processing of sensitive personal data to assess compliance with SOCA policies was sufficient to give consent for the purposes of condition 1 of Schedule 2 and explicit consent for the purposes of condition 1 of Schedule 3: at [98]-[102], [116]. This appears to have been challenged chiefly by reference to the construction of the contract. It would surely be the case that under the GDPR such an approach to consent would be much more difficulty, despite Sales LJ holding that consent could be determined by the usual process of contractual interpretation. The comment that consent is an objective notion, depending on the outward manifestation of it, is less difficult to accept.
- Application of SOCA’s policies and the following of the contractual disciplinary policy meant that the processing was necessary for the performance of a contract under condition 2 of Schedule 2: at [103].
- The processing was necessary for SOCA to comply with its legal obligations, which included public law obligations to: (a) comply with legitimate expectations created by the terms of its policies; (b) comply with the Tameside duty of reasonable inquiry; and (c) comply with an agreement with the IPCC entered into under a statutory duty, to inform the IPCC of recordable conduct matters: at [104].
- Processing necessary for conferred functions (condition 5(b) of Schedule 2) encompassed SOCA’s functions of engaging staff, managing them and implementing appropriate policies to that end, and the fact of a contract existing did not cause the statutory functions to cease (giving outsourcing as an example): at [105], [107]. This also satisfied condition 7(1)(b) of Schedule 3: at [122].
- Condition 5(d) was also met by reason of SOCA’s various functions under its agreement with the IPCC, which were plainly in the public interest: at [108]-[113].
- Condition 6(1) of Schedule 2 was also met. SOCA had legitimate interests in maintaining high conduct standards, comply with IPCC agreement obligations, and investigating the propriety of continued security clearance. No pleaded legitimate interest of Mr Cooper’s was interfered with, and SOCA’s outweighed any in any event: at [114]-[115].
- In relation to the suggestion, by reference to condition 2(1) of Schedule 3, that rights under a contract are not rights “conferred or imposed by law”, Sales LJ doubted that was right without deciding the point because it is the law which gives force to an agreement: at [118].
- Disciplinary proceedings are not legal or prospective legal proceedings for the purposes of condition 6(a) of Schedule 3 and the judge had been wrong so to hold: at [119]. As a result, section 35(2)(a) could not be relied upon: at [126].
- The legal rights and duties of SOCA in relation to its misbehaving employee and how to deal with that were sufficient to engage condition 6(c) of Schedule 3: at [121]. To this extent, section 35(2) was also engaged: at [126].
- However, because section 35(2) only applied to disclosures of personal data and not making other use of it, it had little relevance to the claim: at [127].
- Fairness was an additional and wider requirement for the purposes of the first data protection principle, but no particularised additional fairness complaint had been pleaded: at [87], [123].
- When considering the purpose limitation of the second data protection principle, one must look at the purpose for which the data was obtained by the controller, and not any purpose of a third party controller (Sussex Police) by whom it was earlier obtained. That controller-focus was borne out by paragraphs 5 and 6 of Part II of Schedule 1, and by the practical point that a controller may have no idea and no way of establishing the purpose for which a third party from whom it receives the data originally obtained it: at [128]-[132].
- The County Court had rightly dismissed the damages causation argument, explaining why SOCA would have proceeded with disciplinary proceedings in any event. It would have been extraordinary for Sussex Police to refuse to co-operate with a SOCA conduct investigation, and the evidence made public in both criminal hearings was more than sufficient to warrant dismissal: at [137]-[139].
There is, accordingly, a detailed and fairly masterly analysis of a very large part of the DPA structure and how it works, adopting a pretty expansive interpretation in favour of (at least) a public sector data controller. Much of that reasoning, with a few caveats here and there, will be applicable across to the DPA 2018 and the GDPR.
Unlike his forebears from whom the name derives, Mr Cooper may not be inclined to roll out the barrels at the result, but data protection practitioners will be more likely to do so.
Christopher Knight