On 4 December 2008, the ECHR ruled that the UK Government's policy of retaining DNA samples of individuals suspected but then not convicted of a crime was a breach of the Article 8 right to respect for personal and family life that could not be justified on the grounds of the prevention of disorder or crime. This emphasises the obligation on data controllers and processors to consider not just their specific individual statutory obligations but also the rights of the data subjects in the round.
When individuals are arrested and charged with a criminal offence, the police take samples of their DNA and fingerprints. All such samples are systematically and indefinitely retained to allow reference to them in future criminal investigations, even if the accused are subsequently not convicted. Here, the police had refused to destroy such samples from two individuals, who then sought a review of that decision. All the UK courts up to the House of Lords concluded by majority that, although the samples were clearly very sensitive, their retention by the police was not an interference with the individuals' Article 8 right. Even if it was, that interference was justified in all the circumstances.
At the ECHR, all sides agreed the information contained in the samples was clearly "sensitive personal data" as defined in the DPA and associated Directive, even if it was reduced to a scientific profile which could only be interpreted by a computer when it was stored in the database. The court also noted the practical difficulties such individuals faced when seeking to remove their data from the database in question.
The court appreciated that the data had contributed to the detection and prevention of crime. However, considering all the arguments in the round, it came to the conclusion that the retention of samples of individuals not convicted of a criminal offence was a disproportionate interference with their Article 8 rights.
Implications of the judgment for UK data protection
This ruling will obviously have the largest impact on the police and the associated agencies who access and process the samples contained in this specific database. This includes approximately 56 non-governmental entities such as telecoms providers. Whilst the Government has not yet announced how it will implement the court's judgment, such data controllers should review as soon as possible any data they have independently retained from the database and take steps to ensure they are no longer processing data relating to unconvicted individuals. They should also review their existing data management guidelines on the breadth and accuracy of data collected, its retention and its storage to ensure there is no other unjustifiable processing and that the existing processing does accurately match their legitimate commercial aims.
However, the ruling also has wider-ranging implications for any data controller managing a large database of personal data, particularly where that data does not already fall within the definition of "sensitive" under the DPA. Concerns about that statutory definition have already been raised, on the grounds that it does not match the commercial reality of certain types of data whose processing could have a dramatic impact on the data subject. Financial data is the clearest example of this, and unauthorised processing can result in large financial losses for the data subject. Whilst the definition could be amended, it would be very difficult for it to exhaustively cover all commercial situations. Thus, any data controller who unjustifiably processes data which could be considered to interfere with a subject's private life could now also be criticised and sanctioned for a breach of the subject's Article 8 rights, in addition to breaches of the DPA and other relevant regulatory legislation. Controllers must also be aware of a data subject's common law rights and, in particular, his or her general right of confidentiality of any data which is of a confidential nature.
Thus, all data controllers are advised to review their existing data management structures to ensure they are meeting their data protection obligations. Processing should go no further than their specific and reasonable commercial aims. Agreements with external data processors should also be reviewed and monitored, and controllers should pay particular attention to any third party data to ensure that the data has been properly assessed before it comes into their possession.