Retention and disclosure of police caution data infringe Article 8

The European Court of Human Rights yesterday handed down a Chamber judgment in M.M. v United Kingdom (Application no. 24029/07) declaring that the arrangements for the indefinite retention of data relating to a person’s caution in a criminal matter and for the disclosure of such data in criminal record checks infringe Article 8 of the ECHR. Although the Court recognised that there might be a need for a comprehensive record of data relating to criminal matters, the indiscriminate and open-ended collection of criminal record data was unlikely to comply with Article 8 in the absence of clear and detailed statutory regulations clarifying the safeguards applicable and governing the use and disposal of such data, particularly bearing in mind the amount and sensitivity of the data. 

The case arose from a family dispute in Northern Ireland in the course of which the applicant, a grandmother, took her grandson away from his parents for two days before returning him unharmed. This resulted in her receiving a caution for child abduction in November 2000. In 2003 the police advised her that her caution would remain on record for only five years, i.e. until 2005. However, following the Soham murders and the Bichard report, there was a change of policy whereby any convictions and cautions where the victim was a child would be kept on record for the offender’s lifetime. 

Until 1 April 2008, requests for disclosure of criminal record data in Northern Ireland were made on a consensual basis. Disclosure took place in accordance with well-established common law powers of the police. Provisions of the Police Act 1997, introduced in England and Wales in 2006, were applied to Northern Ireland in 2008. Section 113A required a criminal record certificate to be issued on request and payment of a fee, to include details of all cautions and convictions whether spent or not, if the request was for stated purposes including that of assessing the suitability of persons to work with children and vulnerable adults.

Disclosure of the applicant’s caution caused her to be turned down for jobs as a family support worker in the social care field. She complained that the indefinite retention and disclosure of the caution data infringed her ECHR rights.

The Court noted that both the storing of information relating to an individual’s private life and the release of such information come within the scope of Article 8 § 1. The question was whether the police records contained data relating to the applicant’s “private life” and, if so, whether there had been an interference with her right to respect for private life. The data was both “personal data” and “sensitive personal data” within the meaning of the Data Protection Act 1998 and “personal data” in a special category under the Council of Europe’s Data Protection Convention. Although a person’s criminal record was public information, systematic storing of data in central records made them available for disclosure long after the event. As a conviction or caution receded into the past, it became a part of the person’s private life which had to be respected. The applicant’s voluntary disclosure of the caution to her prospective employer did not deprive her of the protection afforded by the Convention where employers were legally entitled to insist on disclosure. Thus Article 8 applied, and the retention and disclosure of the caution amounted to an interference.

To decide whether the interference could be justified under Article 8 § 2, the Court considered the legislation and policy applicable at the relevant time and since. It highlighted the absence of a clear legislative framework for the collection and storage of data and the lack of clarity as to the scope, extent and restrictions of what in Northern Ireland were originally common law powers of the police to retain and disclose caution data. There was also no mechanism for independent review of a decision to retain or disclose data. The provisions of the Police Act 1997 which came into force in Northern Ireland on 1 April 2008 created some limited filtering arrangements in respect of disclosures. However, in providing for mandatory disclosure under section 113A, no distinction was made on the basis of the nature of the offence, the disposal in the case, the time which had elapsed since the offence or the relevance of the data to the employment sought.

 The Court decided that the cumulative effect of these matters was an insufficiency of safeguards in the system to ensure that data relating to the applicant’s private life had not been, and would not be, disclosed in violation of her right to respect for her private life, and therefore the retention and disclosure of data was not “in accordance with the law” for the purpose of Article 8 § 2. The Court therefore did not go on to determine whether the interference was “necessary in a democratic society” for one of the stated aims, or whether there had been any infringement of Articles 6 and 7.

 Charles Bourne



The Scottish Government has published its guidance document on Identity Management and Privacy Principles. The guidance is aimed at both public sector policy makers and those involved in devising or operating systems for proving or recording identity. Key principles include:

  • For services which are used frequently and for which identification is needed, users should be required to register only once. Thereafter, unless there is a statutory requirement to prove identity, a person should generally be able to access the service by authenticating themselves using a token (such as a bus pass or library card) that proves their entitlement without revealing personal information. In other circumstances, a user name and a password may be required.
  • A Privacy Impact Assessment (PIA) or proportionate equivalent should be conducted and published prior to the implementation of a project which involves the collection of personal information.
  • Where a public body has a contract with the private sector or the third sector, the contractor must be contractually bound to adhere to best practice as outlined in the guidance.
  • The creation of centralised databases of personal information is to be avoided.
  • If a public service organisation needs to link personal information from different systems and databases (internally or between organisations), it should avoid sharing persistent identifiers. Instead, other mechanisms – such as matching – should be considered.


The Information Commissioner has delivered his latest report to the Home Affairs Select Committee on “the state of surveillance” in the UK. The report traces privacy-related developments since the Commissioner’s 2006 report on the same theme, which memorably observed that the UK may be “sleepwalking into a surveillance society”. According to the November 2010 report, that warning

 “… is no less cogent in 2010 than it was several years ago. It is not being suggested that the UK is a ‘police state’ or that there are surveillance conspiracies afoot against the public. Neither the 2006 report nor this one supports such an assumption, and evidence for it is lacking. Much of what is taken to be surveillance is done for benign reasons and has beneficial effects on individuals and society. But much surveillance also goes beyond the limits of what is tolerable in a society based on the rule of law and human rights, one of which is the right to privacy.”

The report provides an illuminating summary of trends in (amongst others) the use of CCTV, body scanning and border control (including ‘ethnic targeting’ for security searches), workplace monitoring, social networking, ‘crowdsourcing’, the monitoring of protest activities and even the use of unmanned drones. Scrutiny is also given to a number of governmental policy tools, such as databases and the use of ‘social sorting’ (e.g. into groups such as ‘high cost, high risk’ social groups who are vulnerable to social exclusion) to develop targeted welfare strategies.

As regards private-sector online commerce, the Commissioner recommends a number of measures to correct what he describes as the “worrying trend particularly with those who provide on-line services not to have thought through the privacy implications of their activities and given users robust privacy settings as a default”.

What to do about the risks identified in the report? The ICO’s recommendations focus principally on overhauling the legislative process insofar as it affects privacy, by introducing: 

  • a requirement for a privacy impact assessment to be presented during the parliamentary process where legislative measures have a particular impact on privacy;
  • an opportunity for the Information Commissioner to provide a reasoned opinion to Parliament on measures that engage concerns within his areas of competence, and
  • a legal requirement to make sure all new laws that engage significant privacy concerns undergo post-legislative scrutiny to ensure they are being implemented and used as intended by Parliament.

If implemented, these measures would add substantially to the ICO’s clout as the guardian of privacy.

The report can be found here, with the accompanying press release from the ICO here.


The question of the extent to which those working within the national health service should have access to patient data is a difficult one to resolve. On the one hand, permitting widespread access can potentially enable health service providers to provide more efficient, ‘joined up’ health-care to patients. On the other hand, there will always be concerns that too much access increases the risk that patient data, which is obviously sensitive personal data for the purposes of s. 2 of the Data Protection Act 1998, will be misused and/or inadvertently disclosed to third parties. We have seen this debate unfolding not least in respect of the Spine database project which is aimed at achieving a comprehensive centralised database of NHS patient records. The British Medical Association amongst others have already expressed concern that the system is being rolled out too quickly (see further this article from the Guardian earlier this month). Today, reports are surfacing in the media that an NHS Trust in Wales is failing to ensure that proper restrictions are being placed on hospital staff accessing patient data (see further this BBC article which suggests hospital porters, IT staff and administrators have all been permitted access to patient data). This kind of story is only going to fuel concerns that the quest for efficiency in patient treatment requires too high a price to be paid in terms of compromising the privacy rights of patients.


The question of whether and to what extent local authorities can or should share information about individuals thought to pose a risk to children is often a very difficult one to answer in practice. Failure to disclose the information may expose the authority to claims that it has not acted in accordance with its duties to safeguard children’s interests. On the other hand, sharing the information may expose the authority to claims that it has acted in excess of its powers and has otherwise breached the individual’s right to privacy under Article 8 ECHR. In the recent case of H & L v X City Council and Y City Council [2010] EWHC 466 (Admin), the Administrative Court considered this question in a case involving the disclosure of information by a local authority about a severely disabled man (H) who had been convicted of indecent assault on a child. In this case, the council had made a variety of disclosures to organisations with which H was involved. It had also adopted a policy of considering on a case-by-case basis whether it should make disclosure of information relating to H to organisations with which he became involved in the future. In addition, the local authority had a policy of disclosing information to H’s personal care assistants, purportedly to protect any children those carers may bring into contact with H.

In a judgment which recognised the very strong imperative in favour of protecting children’s interests, Judge Langan QC held that the policies of disclosure to organisations with which H was involved constituted a proportionate interference with H’s Article 8 right to privacy and were otherwise lawful. In reaching this conclusion, the judge took into account the fact that the disclosures were fairly guarded in nature; were not made in lurid terms and did not go beyond what was required for the purpose of making a measured communication. The judge similarly held that the policy of notifying other organisations with which H came into contact in future on a case-by-case basis was a reasonable, proportionate and otherwise lawful policy. However, the judge took issue with the authority’s policy of notifying H’s care assistants. He held that this was a disproportionate measure, particularly in view of the facts that: two of the three long-term carers had no children; there was a ‘no children at work’ provision in the relevant employment contracts and, further, the terms of the disclosures would raise suspicions in the minds of the carers which were more grave than H’s past conduct justified. In reaching his conclusions on the various policies adopted by the council, the judge plainly had in mind the recent important Supreme Court judgment in R(L) v Commissioner of Police of the Metropolis [2009] 3 WLR 1056, where the Supreme Court held that it was no longer right to assume that priority must be given to the need to protect the vulnerable over the right to respect for the private life of the individual. What this case perfectly illustrates is the highly fact-sensitive approach which needs to be adopted in any case where the local authority is contemplating sharing information for child protection purposes. Tim Pitt-Payne appeared on behalf of the local authority.

Home Office publishes response to its consultation on communications data

The Home Office has published a summary of responses to its April 2009 consultation paper on ‘communications data’, i.e. information about a communication that does not include the content of the communication itself. At present, such data is owned by communications service providers and accessed by certain public authorities under disparate statutory powers for the purposes of combating, for example, fraud, terrorism and other serious crime. The government is considering an overhaul so as to bring all communication types (such as web chat) and all relevant service providers (some of whose contractual positions place them beyond the current statutory arrangements) within the system.


The attendant tension between individual liberty and public protection is reflected in the 221 responses to this consultation.


A substantial minority of respondents objected in principle to any ‘surveillance’ of communications. A majority (albeit a fairly narrow one) agreed that communications data served an important public purpose and that the government should therefore act to maintain the capability of public authorities to make use of this type of information.


As to what form this action should take, only one element of the government’s proposed approach was widely welcomed, namely its rejection of a central database for holding all data of this type. Reservations were otherwise expressed about technological feasibility, data security and the proportionality of public authorities’ use of communications data.


Nonetheless, such reservations were not deemed forceful or widespread enough to deter the government from its proposed course. A number of respondents’ suggestions have been rejected, including the specifying of categories of data which should not be retained, and the requirement for a magistrate’s authorisation before communications data can be accessed.

The government is also satisfied that the DPA 1998 and RIPA 2000 provide sufficient safeguards against abuse of such data. A legislative review is, however, proposed, to see if a single means of authorised access (through RIPA 2000) would be practicable. Fresh or consolidating legislation appears likely.