R (on the application of M) v Chief Constable of Sussex  EWCA Civ 42 is an important decision from the Court of Appeal regarding an information sharing agreement (“ISA”) between a police force and a local business crime reduction partnership (“BCRP”). The ISA was held not to breach the Data Protection Act 2018 (“DPA”) and the sharing of information that revealed a vulnerability to child sexual exploitation (“CSE”) was held not to be in breach of data protection rights. The case indicates the approach that the courts may take when asked to scrutinise information sharing agreements and policy documents where the police seek to share data with other organisations for the purpose of reducing crime and disorder.
M was a vulnerable young person with previous convictions for shoplifting and assault, who had been reported to the police for violence, theft, and anti-social behaviour and assessed as being at risk of CSE. She was 16 years old at the time of the first instance judgment.
The police force had shared data relating to individuals, including M, with the BCRP for law enforcement purposes. It could only be accessed by certain BCRP employees. The BCRP’s principal function was to manage an exclusion notice scheme which prohibited persons from entering its members’ commercial premises. Decisions as to such notices were made by its management committee, which also determined what information to share with its members according to its own data sharing policy.
The police disclosed to the BCRP M’s name, date of birth, photograph and bail conditions, and linked her to a police operation directed at vulnerable young women who were allegedly involved in anti-social and/or criminal behaviour in the local area. The BCRP made an exclusion order in relation to M in 2017. She applied for judicial review of the lawfulness of the safeguards for disclosing sensitive personal data to the BCRP under an ISA.
The Court of Appeal (Andrews LJ giving the judgment of the Court) held that the ISA met the requirements of Part 3 of the Data Protection Act (“DPA”) 2018. The police force was the data controller when the information was passed to the BCRP, and Part 3 DPA therefore applied to it: the BCRP could not be a joint controller of the data because it was not a “competent authority” under the Law Enforcement Directive (“LED”). (The obligations of a data controller which is not a competent authority will be governed by the GDPR/Part 2 DPA, but not the LED/Part 3 DPA.)
However, once the BCRP received the information, it became a data controller in its own right. Controllers were required to implement the “appropriate technical and organisational measures” required under Part 3 DPA. There was no requirement in the body of the LED or Part 3 to have “specific safeguards” in respect of the data (or sensitive data) of children; and Part 3 was not prescriptive about the necessary measures, so long as they were “appropriate”.
The only information that could be shared under the ISA in respect of a person aged 14-17 was the individual’s name, date of birth, photographic image, address, and offences against BCRP members. On that basis, the ISA was held to have satisfied the requirements of Part 3, s.42(2) DPA. An Appendix to the ISA, and a legitimate interest assessment, provided sufficient safeguards to address concerns regarding the dissemination of M’s photograph.
Members of the BCRP, their employees and third-party contractors did not receive the information concerning M’s bail conditions as “members of the public”, but in a private capacity, subject to contractual and other constraints limiting its use and precluding it from coming into public circulation. The correct dividing line was not between internal communications within public authorities, and all other communications; or between police officers or others carrying out a public function, and civilians; but between private communications and publications to the general public: see . The rights of the child/young person were sufficiently taken into consideration when the decision was taken by the BCRP to disseminate the information to its members.
On the force’s cross-appeal, the Court held that there was no expanded definition of “sex life” in the DPA. The natural understanding was that it related to someone’s own sexual behaviour, preferences, and lifestyle choices in that area, not to the fact that they were or had been at risk of CSE. It was difficult to envisage why data about such a risk would be regarded as deserving of special protection and requiring specific justification, which might act as a fetter on its dissemination. The judge had therefore been wrong to find that informing the BCRP that there was intelligence that M was at risk of CSE was disclosure of her “sexual life” and thus unlawful disclosure of sensitive personal data and a breach of M’s data protection rights under the DPA 1998 and her rights under Article 8 of the European Convention on Human Rights (‘ECHR’): see  to .
This case was slightly unusual, in that the police relied upon the ISA as constituting both the appropriate policy document and the Data Impact Assessment to meet the requirements of Part 3 DPA. The ISA, appropriate policy document, and Data Impact Assessment will often be different documents.
It will also typically be necessary to lead evidence as to data protection policies and systems, including officer training, to demonstrate compliance with all of the data protection principles and to show data protection by design and default.
Nevertheless, in this case the force was able to demonstrate compliance with the data protection regime and satisfy the Court that the information-sharing, which on the facts of this case had crime reduction as its aim, had been lawful. In doing so, the Court made the following observations:
(i) The entirety of the protections had to be considered holistically; it was not appropriate to “micro-manage” how a data controller complies with its requirements – see  and ;
(ii) The courts should consider “substance over form”. What matters is the substance of the relevant data protection policies or appropriate policy documents: that they explain the controller’s procedures for securing compliance with the data protection principles and the controller’s policies as regards the retention and erasure of such data.
(iii) Whereas an appropriate policy document for sensitive processing must explain what the relevant sensitive data procedures are, the adequacy of those procedures is addressed under different provisions.
(iv) There is no requirement that separate policies and procedures be followed for different types of data, or for the data controller to have a range of ISAs depending on the nature of the data to be shared. The Information Commissioner’s own guidance stated, “… you do not need a separate policy document for each condition or processing activity – one document can cover them all. You may reference policies and procedures which are relevant to all the identified processing”.
(v) The level of nominal damages for a breach resulting in no or few consequences would be £500.