The claimant had been a student at Loughborough University and was suspected by the police of rape and sexual assault. The University provided the police with the claimant’s full name, address and date of birth, all of which had previously been submitted by the claimant on a registration form. The University disclosed this information to the police in advance of a written request for the same. The claimant was subsequently arrested by the police at his address, but was never charged with either rape or sexual assault.
The claimant alleged that the disclosure of his personal information by the University in the absence of a written request and without his consent constituted i) a breach of the Data Protection Act 1998 (“DPA”) and ii) a breach of contract.
The High Court rejected both of the claimant’s arguments.
The High Court acknowledged that the first data protection principle requires all data to be processed “fairly and lawfully”. However, certain exemptions to that principle exist, including section 29 of the DPA. Section 29 allows a data controller (i.e. the University) to disclose personal data without an individual’s knowledge or consent if required in connection with the prevention or detection of crime.
The High Court decided that the section 29 exemption clearly applied in this case. Furthermore, the High Court noted that “there is nothing in section 29 which stipulates that the request must be made in writing”. Therefore, the University was not in breach of the DPA by disclosing the claimant’s personal data to the police to assist with their investigation before receiving a written request.
The claimant argued that, notwithstanding the application of section 29, the University still needed to satisfy the conditions for processing set out in Schedule 2 of the DPA. The High Court accepted this argument, but noted that the University had “plainly satisfied” paragraph 6.1 of Schedule 2, as the disclosure was necessary for the purposes of “legitimate interests” pursued by the University and the police.
This case is a rare example of a data protection dispute reaching the High Court. It confirms that organisations do not need a written request from a law enforcement body in order to disclose personal data in connection with the prevention and detection of crime. However, it is also serves as a reminder that the data protection exemptions do not provide a blanket exemption from the wider application of the DPA. In particular, data controllers should have regard to the conditions for processing as set out in Schedule 2 of the DPA and should keep clear records of the decision making process behind any disclosure of personal data made on the basis of a statutory exemption.
Watch this space…