Data-sharing arrangements between one controller and another proliferate across all sorts of processing contexts, aimed at all sorts of purposes. If those arrangements are to comply with the GDPR and/or DPA 2018, they need to be structured so as to ensure that the data-sharing satisfies the data protection principles. This includes having ‘appropriate technical and organisational measures’ in place. So far, so clear. But how do you assess whether your measures are ‘appropriate’? And if push comes to shove, how will a court approach that assessment?
There’s not much case law on this so far, but last week’s judgment of the Court of Appeal (Lady Justice Andrews giving the judgment of the Court) in M v Chief Constable of Sussex Police EWCA Civ 42 sheds light on the Courts’ approach, at least in the law enforcement context. The judgment is here: M v Chief Constable of Sussex.
M was a vulnerable teenager who, while under the age of 18, had had over 50 run-ins with police, for anti-social behaviour and incidents of violence and so on, in the Brighton & Hove area. Sussex Police shared information about her (and others) with the Brighton & Hove Business Crime Reduction Partnership (‘BCRP’) for the purposes of BCRP’s ‘exclusion notice scheme’. The scheme involves BCRP sharing certain personal data with its members to enable them, should they so wish, to prohibit troublesome persons from entering their commercial premises. BCRP made a 12-month exclusion order in respect of M in 2017-18.
The Court accepted that, in principle, this information-sharing by Sussex Police was lawful: “it is important for the police to be able to engage in meaningful dialogue and share information with local businesses with a view to safeguarding against the risks of criminal and anti-social behaviour” (para 5). The issue was not with the principle of data-sharing in this context, but with whether that sharing complied with the data protection principles, particularly in light of M being under the age of 18, and in light of certain special category data about her that had been shared.
We are of course in law enforcement territory here; this is governed not by the GDPR, but by the Law Enforcement Directive 2016/680 (‘LED’), as implemented in Part 3 of the DPA 2018. That said, the data protection principles, set out in sections 34-40, are for the most part (leaving aside transparency duties) very similar to those under the GDPR.
For ‘sensitive processing’ (see section 35(8): health, sex life, biometric data and other familiar Article 9 GDPR stuff), the controller needs to have in place an ‘appropriate policy document’ that ‘explains the controller’s procedures for securing compliance with the data protection principles’ and explains its retention and erasure policies for sensitive data: see section 42 DPA 2018. Again, this largely mirrors the GDPR, as implemented in Part 2 DPA 2018: see Part 4 of Schedule 1 for the appropriate policy document bits.
M argued that Sussex Police breached the data protection principles because its governance arrangements – particularly its Information Sharing Agreement (‘ISA’) with BCRP – were inadequate for securing compliance with those principles. In other words, M argued that Sussex Police did not have in place appropriate organisational measures for safeguarding against unlawful processing, contrary to the sixth data protection principle.
In the High Court, Lieven J dismissed that challenge (save for a discrete ‘sensitive processing’ aspect – see below). The Court of Appeal upheld her judgment. The overall package of governance controls – the ISA, the Legitimate Interest Assessment, BCRP’s Constitution and Code of Practice, Sussex Police’s privacy notice – constituted appropriate safeguards as to what information was shared with whom, on what grounds, accessible to which (vetted) individuals, and so on.
These sorts of assessment are of course to a large extent fact specific: for an insight into the kinds of governance features that sufficed for Sussex Police, see para 106 of the judgment. Of perhaps wider interest is the way the Court of Appeal approached this task of assessing the appropriateness of the organisational measures Sussex Police and BCRP had implemented.
The Court cited CLG and others v Chief Constable of Merseyside Police EWCA Civ 836 and Various Claimants v WM Morrisons Supermarket Plc EWHC 3113 (QB). It concluded that the right approach was a substantive and ‘holistic’ one (see para 93). In other words, don’t home in so much on the details of any one document in the suite of governance arrangements, but assess the overall package in the round. On that basis, the conclusion was this (para 115):
“The Judge was entitled, standing back, to take the view she did that so long as the nature of the data shared remains as in the LIA, and the safeguards she had identified exist as to onwards transmission, the sharing is proportionate, and the Respondent had demonstrated compliance with the requirements of the DPA 2018…”
That holistic approach was, the Court concluded, the right one under the LED, which (like the GDPR) did not seek to dictate in any granular way what ‘appropriate’ organisational measures look like. Appropriateness is a “requisite minimum standard” (para 102), which does not lend itself to judicial micro-management. See para 87:
“The text of the LED is accurately transposed into Part 3 of the DPA 2018, and it is not prescriptive about the measures that must be taken, so long as they are “appropriate”. It does not attempt to micro-manage how a data controller complies with its requirements”.
In a similar vein, the ‘appropriate policy document’ was indeed ‘appropriate’: it did not, but did not need to, deal exclusively with sensitive processing. You don’t need different iterations of your governance documents for different types of data. Instead, what matters is substance over form (see paras 99 and 103).
Meaning of data concerning ‘sex life’
Before the High Court, Sussex Police’s data-sharing arrangements were found wanting in one respect, namely inadequate measures for ensuring the lawful sharing of data describing M as at risk of child sexual exploitation. The High Court held that this was ‘sensitive processing’ (or, in GDPR terms, special category data). Sussex Police successfully cross-appealed on that point. The Court of Appeal concluded that this item of personal data was not data concerning M’s sex life. See para 132:
“… the natural understanding of that expression is that it relates to someone’s own sexual behaviour, preferences, and lifestyle choices in that area, not to the fact that they are or have been at risk of being sexually abused or exploited by others. It is also difficult to envisage why data about the existence of that type of risk would be regarded as deserving of special protection and requiring specific justification which might act as a fetter on its dissemination”.
See also para 136:
“All these matters are essentially concerned with personal autonomy in terms of sexual identity, lifestyle choices and behaviour. The fact that someone is at risk of being sexually abused or exploited could be viewed as the diametric opposite of what was intended to be protected under this heading. The behaviour which led to someone taking the view that the risk exists may be a different matter.”
Other notable take-aways
There are a number of other important observations and conclusions in the Court of Appeal’s judgment.
First, there is some discussion of the controller/processor status of the parties to this data-sharing arrangement (paras 41-42). Correctly, the conclusion was that Sussex Police and BCRP were both controllers.
Secondly, the Court of Appeal held (at paras 129-130) that BCRP employees did not receive data as members of the public, but only in their BCRP capacities – therefore, M’s data could not be said to have been disclosed to the public.
Thirdly, an obiter but interesting point on quantum (para 140): the High Court had awarded M damages of £500 for the contravention in respect of data about her sex life. As discussed above, the Court of Appeal overturned the High Court on that point: no ‘sensitive processing’, so no contravention. However, if there had been a contravention in this respect, “the Judge was right, for the reasons that she gave in her supplementary judgment, to make a nominal award in the sum of £500” (para 140).
So, lots of very illuminating nuggets here. Let’s see how the Court’s approach in M plays out in other, very different contexts.