The High Court in Bangura v Loughborough University [2016] EWHC 1503 decided that Loughborough University had acted lawfully when it provided a copy of a student’s registration form to the police – in contravention of its privacy policy – to assist their investigations into complaints of sexual assault and rape.

Facts

The claimant had been a student at Loughborough University and was suspected by the police of rape and sexual assault. The University provided the police with the claimant’s full name, address and date of birth, all of which had previously been submitted by the claimant on a registration form. The University disclosed this information to the police in advance of a written request for the same. The claimant was subsequently arrested by the police at his address, but was never charged with either rape or sexual assault.

The claimant alleged that the disclosure of his personal information by the University in the absence of a written request and without his consent constituted i) a breach of the Data Protection Act 1998 (“DPA”) and ii) a breach of contract.

Decision

The High Court rejected both of the claimant’s arguments.

The High Court acknowledged that the first data protection principle requires all data to be processed “fairly and lawfully”. However, certain exemptions to that principle exist, including section 29 of the DPA. Section 29 allows a data controller (i.e. the University) to disclose personal data without an individual’s knowledge or consent if required in connection with the prevention or detection of crime.

The High Court decided that the section 29 exemption clearly applied in this case. Furthermore, the High Court noted that “there is nothing in section 29 which stipulates that the request must be made in writing”. Therefore, the University was not in breach of the DPA by disclosing the claimant’s personal data to the police to assist with their investigation before receiving a written request.

The claimant argued that, notwithstanding the application of section 29, the University still needed to satisfy the conditions for processing set out in Schedule 2 of the DPA. The High Court accepted this argument, but noted that the University had “plainly satisfied” paragraph 6.1 of Schedule 2, as the disclosure was necessary for the purposes of “legitimate interests” pursued by the University and the police.

As regards a possible breach of contract, the High Court ruled that the University’s registration documents did not purport to incorporate its privacy policy. Accordingly, there could be no breach of contract. As a non-contractual document, the High Court held that the purpose of the privacy policy was to articulate the processes which the University generally intended to adopt; the processes themselves were not invariable.

Comment

This case is a rare example of a data protection dispute reaching the High Court. It confirms that organisations do not need a written request from a law enforcement body in order to disclose personal data in connection with the prevention and detection of crime. However, it is also serves as a reminder that the data protection exemptions do not provide a blanket exemption from the wider application of the DPA. In particular, data controllers should have regard to the conditions for processing as set out in Schedule 2 of the DPA and should keep clear records of the decision making process behind any disclosure of personal data made on the basis of a statutory exemption.

This case also highlights the importance of using clear language – whether in the underlying contractual documentation or in the privacy policy itself – to explain whether a privacy policy is intended for guidance purposes only or whether it is intended to create legally binding obligations. The importance of all organisations that process personal data having a clear, comprehensive and user friendly privacy policy in place cannot and should not be underestimated.

Watch this space…

The Information Commissioner will publish updated guidance on privacy policies later this year following a public consultation in March 2016. We anticipate this guidance will also explain how to comply with the new privacy policy information requirements set out in the European General Data Protection Regulation due to come into force in May 2018.