MEDIA AND COMMUNICATIONS LIST
Royal Courts of Justice
Strand, London, WC2A 2LL
Before :
MR JUSTICE JULIAN KNOWLES
Between :
GEOFFREY DRIVER | Claimant |
- and - | |
CROWN PROSECUTION SERVICE | Defendant |
Aaminah Khan (instructed by Forbes Solicitors) for the Claimant
Brynmor Adams (instructed by GLD) for the Defendant
Hearing dates: 8-9 December 2021
APPROVED JUDGMENT
Mr Justice Julian Knowles:
Introduction
The Claimant brings a claim against the CPS in the following causes of action: (a) breach of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) (the GDPR), alternatively, breach of the Data Protection Act 2018 (DPA 2018); (b) misuse of private information (MPI); (c) breach of the Human Rights Act 1998 (HRA 1998). An extension of time is necessary for the human rights claim. A pleaded claim in negligence is no longer pursued.
The claim arises out of an email sent by a CPS lawyer to a member of the public in June 2019 about a criminal investigation in which the Claimant was a suspect. The Claimant says, first and foremost, that this was a breach of the GDPR and/or the DPA 2018 because it constituted the unlawful processing of his personal data.
At the time the alleged data breach occurred the GDPR had direct effect in domestic law. This case is therefore unaffected by Brexit. Following the UK’s withdrawal from the EU, the GDPR was replaced by the UK GDPR. The UK GDPR is the GDPR as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (SI 2020/1586).
To be clear, in this judgment, when I refer to the GDPR, I am referring to it in its original (EU) form, and not to the UK GDPR.
The Claimant seeks damages not exceeding £2,000 and declaratory relief. The CPS denies liability.
The Claimant has been involved in local politics for many decades. He was first elected to Lancashire County Council (one of the largest in the country) in 2005, and became leader of the Opposition in 2008-2009. He was then leader of the Council from 2009 to 2013; leader of the Opposition from 2013 to 2017; and leader of the Council again from 2017 to 2021. He was awarded the CBE in 2013 for services to local government. He is plainly a well-known figure in Lancashire politics.
In 2014, he became a suspect in a local government corruption investigation called Operation Sheridan. The precise details of the investigation do not matter, although I will give a bare outline of it in a moment. It is being carried out by the Lancashire police.
Following two years of investigation, in March 2016, the Claimant was informed by the police that he was being excluded from the investigation, and that he was no longer a suspect.
There is in evidence an exchange of emails between the Claimant and Lancashire police in March 2016 which will be relevant to the Claimant’s misuse of private information claim. On 20 March 2016 the Claimant wrote to Superintendent Halstead (the Head of Serious and Organised Crime in the Lancashire Constabulary):
“Hi Superintendent Halstead
Further to our discussion on Thursday 17th March, would you be prepared to issue the following statement to the press ?
‘Lancashire Constabulary has undertaken a thorough investigation into allegations it received from Lancashire County Council and we can confirm that County Councillor Geoff Driver has been completely exonerated. We thank County Councillor Driver for his full co-operation throughout this inquiry.”
The following day, Superintendent Halstead replied:
“Good afternoon Councillor,
I have held a strategy meeting today with our Corporate Communications department and discussed the content of my briefing with you and your legal representatives last Thursday. I have reiterated to them that as the SIO of Operation Sheridan I have accepted the responsibility for ‘putting the record straight’ in relation to your role within the investigation, the fact that we have established your innocence and also that you have fully cooperated throughout.
The professional advice I have been given, is that Lancashire Constabulary have never actually named, nor confirmed that you were part of the investigation, and I have been reminded that I have taken a strong stance on this by way of policy. Consequently it would be unique for the Constabulary to now proactively make a statement in which we name you, to every monitoring media outlet.
Could I suggest by way of a compromise, that you choose the media platform you feel is most appropriate best deliver the message and you contact them directly, therefore accepting the personal responsibility of publicly naming yourself. I would then, as I suggested I would, make a formal reply to them including the suggested content listed below.
I hope you appreciate the need for caution from the Constabulary perspective and see this as a way of ultimately delivering the same message but in a subtly but importantly different way.”
The same day, the Claimant replied:
“Hi Superintendent Halstead,
Thank you for your email. I understand your dilemma and I have therefore sent the attached press release to The Lancashire Telegraph, the Lancashire Evening Post, BBC North West and Radio Lancashire. I would be most grateful if you would respond to any enquiries they make along the lines set out in my email below.”
The Claimant’s Press Release read:
“PRESS RELEASE BY COUNCILLOR GEOFF DRIVER CBE
I have been informed by Lancashire Constabulary that after their lengthy investigation into allegations made by Lancashire County Council, they are satisfied I am entirely innocent of any wrongdoing.
I am now in discussion with my legal advisers as to the best course of action to take against those individuals who have knowingly made false, malicious and libellous allegations against me and I shall therefore not make any further comment at this time.”
The Claimant’s Press Release was extensively covered in the local media. A headline from the Lancashire Evening Post from around this time gives the flavour:
“Tory chief takes legal advice after police probe dropped
Conservative opposition leader is no longer subject to investigation over One Connect”
Matters did not end there, however. In or around May 2017, the Claimant became aware of allegations that he had conspired to pervert the course of justice and/or intimidated witnesses in the Operation Sheridan investigation. He was arrested, and a search warrant was executed at his home on 22 May 2017. Search warrants were also executed at a number of other suspects’ houses.
The Claimant’s involvement in Operation Sheridan, and the 2017 allegations, were referred to in R (Fitzgerald) v Preston Crown Court and Chief Constable of Lancashire Police [2018] EWHC 804 (Admin), which was a judicial review brought by one of the other suspects, Gerard Fitzgerald, in respect of the lawfulness of the search warrant, and related matters. At the time, he was the Chief Executive Officer of Liverpool City Council (LiCC) and had previously been Chief Executive Officer of Lancashire County Council (LaCC) from 2008 – 2011.
At [20]-[25] the Court said:
“20. The application form completed by the police ran to 29 pages with another 27 pages of appendices. D.C. Fishwick was questioned by HHJ Altham for the best part of a day and the transcript of her evidence comprises another 52 pages. It is not easy to summarise this material, presented as it was to the Judge as an impenetrable, discursive mass lacking a discernible sense of order. Understandably, the police are concerned to comply with their duty as to disclosure; but the answer to that obligation does not lie in simply "throwing" material at the Court in the manner in which it was done in this case. We have, though, considered the application to see whether – despite the failures of presentation – it complied with the statutory requirements or whether any of Mr Bowers' grounds of challenge should succeed.
21. The application identified two offences in connection with which the warrants were sought: conspiracy to pervert the course of public justice contrary to common law ("conspiracy to pervert"); and witness intimidation contrary to the Criminal Justice and Public Order Act 1994, s.51. In the event, HHJ Altham was not satisfied that there was evidence that witness intimidation had taken place and Mr Bird on behalf of the police did not seek to support the warrant by reference to that offence.
22. So far as conspiracy to pervert was concerned, the application had to explain the underlying offence whose investigation, it was said, was endangered by the conspiracy. This underlying offence was in essence fraud on and, effectively, corruption in local government – in Mr Bird's phrase what was said to be a case of "jobs for the boys". This underlying police investigation was called "Operation Sheridan". It began in 2013 following an investigation by a firm of solicitors (DAC Beachcroft) of an aborted procurement exercise relating to the potential outsourcing of Lancashire County Council's vehicle fleet to BT. As already mentioned, BT by then had a joint venture with LaCC - OCL. The solicitors' review had been critical of Mr Geoffrey Driver, the Leader of LaCC and Philip Hassall, then Chief Executive of LaCC. The application explained that Operation Sheridan had widened to include alleged criminality within Liverpool City Council and the Merseyside Pension Fund ('MPF'). As we have said, the Claimant was the Chief Executive of LiCC and Mr McElhinney was the Chief Executive Officer of a joint venture, LDL, between BT and LiCC.
23. As already foreshadowed, the underlying offences under investigation in Operation Sheridan were not the indictable offences relied upon to justify the grant of the search warrants; in simple terms, the essence of the conspiracy to pervert went to conduct threatening the underlying investigation. The flavour of the application appears from the paragraphs which follow.
24. As the application put it,
‘Turning to the grounds for this application, circumstances essentially revolve around recent activity by Mr Driver, including his sending emails to a principal witness in the wider case, Ian Young which led to Mr Young [LaCC Director of Governance Finance and Public Service and LaCC's senior lawyer] making a complaint to police alleging a deliberate and concerted campaign to intimidate him as a key witness in both criminal and on-going civil proceedings linked to the criminal case.
Following on from this complaint, evidence has now been gathered which shows that between 2013 and 2015, Mr Driver in collusion with Philip Hassall, Mr David McElhinney and Gerard Fitzgerald was involved in activity directed toward a number of principal witnesses (Ruth Lowry [a former LaCC County Treasurer and auditor], Ian Fisher [another former County Treasurer for LaCC], Gill Kilpatrick [at one time LaCC's County Treasurer and then LaCC's Chief Executive by 2016] and Jennifer Mein [a LaCC councillor]) which was clearly designed to intimidate, belittle and undermine them both professionally and, crucially, as witnesses in the investigation.’
25. Reliance was placed on email traffic and telephone contact between the four suspects. The emails were summarised in Appendix A to the application. One of these emails in 2014 had an attachment of an email exchange between the Claimant and Mr Driver. The subject matter appears to be a dispute between LaCC and the Claimant concerning a relocation allowance which had been paid to the Claimant when he came to work for LaCC and whether he was required to repay it on his departure after a relatively short time (we return to the issue of the relocation fee dispute below). None of the other emails appear to come from the Claimant so far as it is possible to tell from the unredacted parts.”
The judgment also went into some detail about the evidence (eg at [36]), thereby putting it into the public domain.
In August 2018, following further investigation, Lancashire police referred a file to the Defendant for their consideration. A brief statement to that effect was made by a spokesperson for the police, who stated that the file related to eight individuals. They were not named. This development was reported in the press, with the articles expresslylinking the press statement to the Claimant and the other suspects in Operation Sheridan.
For example, an article in the Lancashire Telegraph of 24 August 2018 reported on this development in Operation Sheridan. I think I should set out the full text of this article, given the issues arising in this case.
The headline read: ‘Lancashire County Council fraud investigation: four more involved.’ There was then a photograph of the Claimant sitting at his desk with the caption, ‘Geoff Driver at his desk with his Clarets mug and mouse mat.’ (The reference to the Clarets was to Burnley FC).
The text of the article was as follows:
“FOUR more men are being investigated by police over claims of fraud at Lancashire County Council.
The news was revealed as a file on the five-year ‘Operation Sheridan’ inquiry was sent to the Crown Prosecution Service in London.
In May last year, four men were arrested in connection with the probe and bailed on suspicion of perverting the course of justice and witness intimidation.
They were Cllr Geoff Driver, the leader of Lancashire County Council, the authority’s former Chief Executive Ged Fitzgerald; his successor Phil Halsall; and former One Connect chief executive David McElhinney.
They were not arrested on suspicion of fraud and all four deny any wrongdoing.
Operation Sheridan is an investigation into a £5m tender awarded to One Connect ltd, a joint venture between the council and BT.
The file sent to the CPS today covers the whole scope of the inquiry and the police revealed today that it related to eight men between 56 and 73, not just the four arrested last year.
It is understood that any decision on charging and prosecution is likely to take a considerable period of time.
Cllr Driver said this morning: ‘I have no comment to make’.
A police spokesman said today: ‘In September 2013 Lancashire County Council referred to Lancashire Constabulary some allegations of financial irregularity.
‘An investigation was launched and following a complex and lengthy enquiry a file of evidence has now been submitted to the Crown Prosecution Service for consideration.
‘The investigative bail period has now been suspended as a result of the file being submitted.
‘We have submitted evidence relating to eight individuals. We will not give any further details about those individuals other than to say they are all men aged between 56 and 73.
Cllr Driver, Mr Fitzgerald, Mr Halsall and Mr McElhinney remains (sic) subject to bail conditions but are no longer required to attend police stations on a regular basis.
A CPS spokesman said: ‘We received a file of evidence from Lancashire Police in relation to allegations of fraud.
‘This is a complex file which will now be considered in accordance with the Code for Crown Prosecutors and a decision will be made in due course.’”
There are other, similar, articles from other Lancashire newspapers in the evidence. The Liverpool press also covered the story.
In my judgment, any reasonable reader with even a rudimentary understanding of criminal procedure would inevitably have realised from this press coverage that the file had been sent to the CPS for it to decide whether anyone should be charged with a criminal offence – in other words, whether criminal proceedings should be commenced. The article I have quoted specifically made reference to a ‘decision on charging’, and to the investigation having been suspended pending a decision. Those statements could only mean one thing, namely, that the police regarded the investigation as being at an end, and that it was now for the CPS to decide whether any charges should be brought.
The Code for Crown Prosecutors (October 2018 Edition, readily available at https://www.cps.gov.uk/publication/code-crown-prosecutors) begins:
“The Code for Crown Prosecutors is a public document, issued by the Director of Public Prosecutions, that sets out the general principles Crown Prosecutors should follow when they make decisions on cases.
Is there enough evidence against the defendant?
When deciding whether there is enough evidence to charge, Crown Prosecutors must consider whether evidence can be used in court and is reliable and credible, and there is no other material that might affect the sufficiency of evidence. Crown Prosecutors must be satisfied there is enough evidence to provide a ‘realistic prospect of conviction’ against each defendant.
Is it in the public interest for the CPS to bring the case to court?
A prosecution will usually take place unless the prosecutor is sure that the public interest factors tending against prosecution outweigh those tending in favour.”
I will deal with the Claimant’s evidence later, but he told me that even in light of these press reports he did not know the file had been sent to the CPS for a charging decision. He thought it was just part of further discussions between the police and the CPS. However, a one minute phone call with his solicitor would have been enough for him to have been told – as any competent solicitor would have told him – that the reason the file must have been sent was for a charging decision to be taken, and that the likely possible outcomes were: a decision to charge him with a criminal offence; a direction to the police to carry out further enquiries; or a decision not to charge him and to take no further action.
It is therefore apparent that as a consequence of events between 2016 and 2018, there was plenty of material in the public domain linking the Claimant to Operation Sheridan and stating more or less in terms, that the police file which had been sent to the CPS in August 2018 related to him (and others), and had been sent so that the CPS could decide whether charges should be brought, in accordance with the Code for Crown Prosecutors.
I turn to the email which gives rise to this claim.
Approximately ten months later, on 5 June 2019, a CPS lawyer, Julia Graham, a Senior Specialist Prosecutor in the CPS’s Specialist Fraud Division in Manchester, sent an email to a member of the public, Paul Graham (no relation) apparently in response to an enquiry from him, providing an update on Operation Sheridan. As I shall show in a moment, it appears he may have had an axe to grind about the Claimant because of an unrelated matter.
This email said:
“Dear Mr Graham,
Thank you for your correspondence of 1 May 2019. I apologise for the delay in this response.
A charging file has been referred from the Operation Sheridan investigation team to the CPS for consideration. At this stage I am unable to provide you with any more detail.”
It is not known what precise enquiry Mr Graham had made of the CPS, because it has been unable to locate his original email. However, it is common ground that Mr Graham was just a member of the public – he had no involvement, directly or indirectly, with Operation Sheridan. For example, he was not a witness, nor an alleged victim.
Some six months later, on 5 December 2019, in the run up to the 2019 general election, Mr Graham circulated Ms Graham’s email to a number of recipients, including the general election candidates for the Pendle constituency, some of whom were political opponents of the Claimant. He also sent it to the well-known BBC journalist Jeremy Vine, and another person believed to be a journalist. The Claimant was copied into this email, thereby making him aware of the email from Ms Graham to Mr Graham of June 2019. He had not previously known about it.
Mr Graham’s December email read:
“Dear All,
Firstly, please read below.
This is a topic that grabbed my attention earlier this year after Geoff Driver put in a complaint against me to Lancashire Care NHS Foundation Trust.
This was after I peacefully protested at County Hall regarding the cuts to the Lancashire Health and Well-Being Service.
It could be that Geoff Driver is entirely innocent, as he claims.
The fact is that millions of £’s have already been spent investigating the alleged fraud and witness intimidation.
To my knowledge Geoff is still on bail; this is mainly because the CPS doesn’t have the resource (sic) to get this case to court.
This needs to be resolved either Geoff is innocent or guilty.
We cannot have the leader of Lancashire County Council on bail for fraud and witness intimidation.
If elected, please can you do your part resolving this case once and for all.
Best regards,
Paul Graham”
After the Claimant became aware of the Defendant’s email, on 16 December 2019 he complained to the Defendant. He said the disclosure contained within it had or would cause him serious embarrassment.
In a response dated 25 February 2020, after the complaint had been referred to the Defendant’s Information Access team, who deal with complaints and alleged breaches of the DPA 2018, and the CPS Departmental Security Unit (DSU), the Defendant accepted that the email had been a breach of the DPA 2018.
The CPS’s letter to the Claimant read:
“I refer to your email of 16 December 2019, and request for the CPS complaints procedure, where you have asked to make a complaint as to the conduct of Julia Graham.
…
I have treated your complaint as one amounting to a Data Protection Act breach, ie details of yourself, and your alleged involvement in Operation Sheridan, being sent to a third party. Due to the nature of your complaint, the matter was referred to the CPS Departmental Security Unit (DSU).
…
The particular breach which was referred was in relation to the response given by Julia Graham to an email from Mr Paul Graham, the Office Manager of Literacy Solutions.
You have stated that she has no right to pass on information regarding your case to a third party and that this would be a serious breach of the Data Protection Act.
In determining whether a matter should be referred thereafter to the Information Commissioners Officer (ICO) (sic), the DSU first need to consider whether or not a breach has occurred in the first instance. Thereafter, on considering the details of each breach on its own facts, a decision is made whether it should be referred to the ICO.
The DSU has concluded, after reviewing this matter, that a breach has occurred, and that the email should not have been sent to Mr Paul Graham.
On considering whether a matter should thereafter be forwarded to the ICO the DSU would need to establish the likelihood, and severity, of the breach and result of risk to a person’s rights and their freedoms. The adverse consequences of a breach needs to be considered and assessed as to how serious or substantial these are.
DSU have carefully considered the breach and, as mentioned above, whilst they are satisfied a breach has occurred, the circumstances in this case do not meet the referral criteria to the ICO.
I would like to assure you, however, that whilst this matter has not been referred to the ICO the breach has been taken extremely seriously. I have spoken directly to the reviewing lawyers dealing with Operation Sheridan and drawn their attention to this issue and have re-enforced the correct procedures which should take place.
Any future correspondence will be handled appropriately in the future.
I can only apologise for the breach occurring in the first instance.
I hope that this letter explains the actions which has taken place and the decision as a result of this complaint.”
The Claimant issued proceedings in this matter in or about September 2020. In November 2019 the CPS filed a Defence denying liability.
The Defendant now seeks to resile from its admission that the June email was a breach of the DPA 2018 (see Defence, [8]). This is on the primary basis that the email did not contain any personal data of the Claimant. The Defendant also contends that: even if the email contained the Claimant’s personal data, the processing was lawful; that the email did not imply that the Claimant was to be charged; and that the information it contained was already in the public domain. The Defendant also disputes that the email contained private information and that there was a reasonable expectation of privacy in respect of it.
The issues to be determined
It seems to me that the following are the principal issues which fall for determination:
Whether the GDPR or the DPA 2018 governs the data protection claim (assuming there had been processing of personal data under either regime);
Whether Ms Graham’s email of 5 June 2019 contained the Claimant’s personal data;
If so, whether the Defendant contravened the GDPR and/or DPA 2018 in sending the email to Mr Graham;
Whether the email contained private information relating to the Claimant, in respect of which he had a reasonable expectation of privacy and if so, whether the sending of the email was a misuse of the Claimant’s private information;
If the Claimant’s claims, or any of them, are established, the appropriate remedy.
The Claimant’s evidence
The only witness to give live evidence was the Claimant. He adopted his witness statement of 20 August 2021 as his evidence in chief.
He described his local government background including, most recently, having been leader of Lancashire County Council between 2017 and 2021.
He then set out much of that which I set out earlier about Operation Sheridan and the police’s interest in him in 2016 and 2017, including his arrest and the search under warrant of his home in May 2017.
He said at [4]-[5]:
“4. These events generated a considerable amount of media interest both locally and nationally ranging from newspaper articles, online publication, radio and television reports. My involvement and arrest have therefore been in the public domain for some time. There was a judicial review in the High Court brought by one of the suspects, into the lawfulness of search warrants. A number of the articles referred to the file being passed from the police to the Defendants. At no stage was it ever suggested that I was to be charged with any offences. I was extremely concerned about the possibility of being charged. Being a suspect and having been arrested was worrying but I was able to continue with my life and work knowing I was only under investigation and confident that the police would eventually recognise that I had not committed any criminal offence just as they did in March 2016. The fact that the investigation had been ongoing since 2013 and some considerable time had passed since my original arrest, no charges had been brought which confirmed my view that the Police recognised I had not committed any criminal offences. The lengthy delay with no progress also led the public to believe that the matter had concluded and I was concerned that this leak by the CPS would bring it into the public domain again.
5. It therefore came as a disappointment when I was copied into an email dated 5th December 2019, which had been sent from Julia Graham … to Paul Graham at an organisation called Literacy Solutions on the 5 June 2019. I have no idea whether they are related.”
After setting out Ms Graham’s email, the Claimant said this:
“6. The email to Mr Graham was providing him with an update on the progress of Operation Sheridan, which stated that a ‘charging file had been referred from the Operation Sheridan investigation team to the CPS for consideration’. The reference to a ‘charging file’ led me to fear that formal charges were likely to be brought against me.
7. Although my arrest and the investigation had been published widely in the media there had never been any suggestion that I would be formally charged, and that remains the case. The reference to a ‘charging file’ was a significant development in the investigation. The information had been sent to other Election candidates in the Pendle constituency, who I considered to be political opponents. It was also sent to Jeremy Vine a BBC journalist and another journalist called Inspector Digit.
8. There has been a lot of interest in the investigation, which has been reported widely in the media, radio and television. I have protested my innocence throughout, both my friends, acquaintances, colleagues and the media. The prospect of being charged and facing a lengthy trial was a significant change and was very worrying and distressing to me and my family. I was ashamed it had come to this and brought to the attention of my political opponents. It was acutely embarrassing. The prospect of this getting out into the wider media and onto national television was terrifying.”
He concluded:
“10. In April 2020 I consulted my GP who prescribed daily medication to relieve the anxiety and depression I was suffering from the original arrest and investigation followed by the CPS leak. After regular consultations, my doctor advises that I still need the medication, which I continue to take.”
It is right to point out, however, that no medical evidence has been served by the Claimant. As I will address later, he seeks damages for distress but not for any personal injury.
In some supplementary questions from Ms Khan, the Claimant took me, as an example of how he said his political opponents had exploited matters, to an election leaflet from January/February 2021 from a political opponent which referred to his arrest.
He was then cross-examined by Mr Adams for the Defendant.
He said he had become aware he was suspect in February 2014 when the police contacted him. He knew the investigation was about corruption in local government. In 2016, as a result of a request from him, Lancashire police had made a statement saying he was no longer a suspect. He had wanted the police to set the record straight.
He confirmed that in May 2017 he had been arrested for conspiracy to pervert the course of justice, and then arrested for fraud in November 2017.
He was shown the Fitzgerald judgment and agreed that the initial investigation in 2013 by an outside firm of solicitors (DAC Beachcroft) into a procurement exercise by Lancashire County Council had been critical of him. The Fitzgerald judgment had been reported in the press.
He was then shown an article from the Lancashire Post of 23 August 2018, which referred to him and others having been re-bailed, and then went on to quote a police spokesman as saying:
“In September 2013 Lancashire County Council referred to Lancashire Constabulary some allegations of financial irregularity.
An investigation was launched and following a complex and lengthy enquiry a file of evidence has now been submitted to the Crown Prosecution Service for consideration.
The investigative bail period has been now been suspended as a result of the file being submitted.”
He said that although he was not named in this article, he knew on 23 August 2018 that the police had passed a file to CPS. He knew it was for the CPS to consider the evidence. He agreed with Mr Adams that any reasonable person would understand the relationship between the CPS and police is that the CPS decide whether to prosecute. He said, however, he merely thought that the police were carrying out further discussions with CPS. He did not consider he was going to be charged. He said as far as he was concerned, this could have been just further contact between the police and CPS. He knew there had been lots of contact during the investigation. He said he did not know for sure that the file had been sent for a charging decision to be taken, and that contact had continued. He said that he had not considered the Code for Crown Prosecutors.
It was put to him that the ‘decision’ referred to in the press articles from around this time could only have been to a charging decision by the CPS. He replied, ‘That may or may not have been as you described it.’
He agreed that by December 2019 he knew the CPS had received several files from the police. He agreed that although the press articles had, for example, referred to eight suspects but not named them, he knew full well that he was one of them: ‘They did not name me but they did not need to.’
He said his bail had been ended in June 2020 following a complaint. At that stage he had not been charged, nor told that no further action would be taken. The CPS had not taken a decision either way. He expected the latter outcome.
In relation to Ms Graham’s email, he said that:
“I understood this meant a file had gone from the police. It was public knowledge as a consequence of the August 2018 articles that a file had gone to CPS. I understood ‘for consideration’ meant that a charge might be imminent because this was the first time I had seen ‘charging’ as an adjective against the file. This was the first time that had been used. The word ‘for consideration’ was more significant because of the word ‘charging’. Until I saw this I was certainly fairly confident I was not going to be charged when I saw this it eroded my confidence.
It did add something different – it eroded my confidence about not being charged. It was the use of the word ‘charging’ in an email from a Senior Specialist Prosecutor, it suddenly worried me significantly.”
He agreed that he had had solicitors since 2014 and that he could have asked them about matters. (He was not asked to waive privilege about any advice he might have sought or received on this issue).
In relation to Mr Graham’s email from December 2019, the Claimant identified the recipients as: Azhar Ali, the Labour leader on Lancashire County Council and general election candidate; Andrew Stephenson, the Conservative general election candidate (who had been the MP for Pendle since 2010; he was re-elected in 2019); Gordon Lishman, the Liberal Democrat candidate; Jeremy Vine, and another person believed to be a journalist. He said he did not think that the BBC had covered the story, but he worried that they might have done so, given that Lancashire County Council is the fourth largest in the country.
He agreed that Mr Graham had been pressing for a resolution to the investigation, which was a sentiment he broadly agreed with, but it was the fact that he had included the CPS’s email which concerned him. He said that he believed Mr Graham’s motivation was hostility towards him.
He agreed that he was not aware of any reporting of the Ms Graham’s email, and that the election leaflet from early 2021 (which I referred to earlier) had not made reference to it.
He reiterated that the use of the words ‘charging file’ was ‘significantly distressing to me and my family’, as was the sending of it to journalists.
In re-examination he said that when he first received the CPS email and saw the word ‘charging’, that was the first time he thought that, despite his confidence, he might be charged. But it was also the fact that the email had been circulated to his political opponents and media, he feared it would become a national issue which would lead to adverse publicity for him and his family.
The parties’ cases
The Claimant’s submissions
On behalf of the Claimant, Ms Khan submitted that the sending of the June 2019 email constituted the unlawful processing of the Claimant’s personal data. She said it was probably best regarded as processing for law enforcement purposes, so that (as I will explain in a moment), the applicable regime is the DPA 2018 and not the GDPR.
She said there was no doubt sending the email was ‘processing’ under the Act. She said that the email contained the Claimant’s personal data because the reference to Operation Sheridan was an identifier which, in conjunction with the material in the public domain about it, allowed him to be identified as one of the people about whom the charging file related. Mr Graham had been able to identify the Claimant from it.
Ms Khan further submitted that the processing had been unlawful under Part 3 of the Act, as being in breach of the first, second and sixth data protection principles.
In relation to the claim for misuse of private information, Ms Khan said I should apply the two stage test in McKennitt v Ash [2008] QB 73, [11], namely:
“First, is the information private in the sense that it is in principle protected by article 8? If 'no', that is the end of the case. If 'yes' the second question arises: in all the circumstances, must the interest of the owner of the private information yield to the right of freedom of expression conferred on the publisher by article 10 ?”
Ms Khan said that the June email contained private information covered by Article 8(1), and that the Claimant’s Article 8(1) rights outweighed the Defendant’s Article 10 rights because there was no necessity for it to have been sent to a member of the public with no interest in the investigation.
On the human rights claim, Ms Khan accepted that an extension of time was required, but said that I should extend time on the basis that the CPS had been on notice of the human rights clam since 27 April 2020, when it was raised in correspondence.
Finally, Ms Khan invited me to make an appropriate award of damages to mark the Claimant’s distress arising from the data breach (s 169, DPA 2018), the misuse of his private information, and the breach of his human rights.
The Defendant’s submissions
Mr Adams said that the CPS was entitled to withdraw its earlier admission that the June email breached the DPA 2018, and that it did so. It now denied there had been a data breach.
He accepted, like Ms Khan, that if the June email contained personal data, then the processing in question had been done for law enforcement purposes and so the applicable legal regime was the DPA 2018. However, he denied that it contained such data. But if, contrary to this position, the email did involve the processing of personal data relating to the Claimant, it was lawful and in accordance with the data protection principles in Part 3 of the DPA 2018. What was in the email did not name the Claimant and was in the public domain. It did not ‘relate’ to the Claimant.
In relation to the MPI claim, Mr Adams denied that the Claimant had a reasonable expectation of privacy in relation to the information contained in the email because it was in the public domain, and had been so for some time. Even if he did, the email was a justified and minimal interference with Mr Driver’s privacy, given the narrow circulation.
In relation to the human rights claim, Mr Adams said that no purpose would be served in extending time, as in reality it added nothing to the MPI claim.
As to quantum, he said no damages should be awarded because the Claimant had suffered no loss. His evidence was that he had already been suffering from anxiety and depression following his arrest in 2017, and there was no evidence that the 2019 emails caused him any additional distress.
Discussion
The data protection claim
As I have said, the Claimant’s case is that the sending of the email in June 2019 by Ms Graham to Mr Graham was the unlawful processing of his personal data contrary to the GDPR and/or the DPA 2018.
I think the first issue I should determine is whether, on the assumption that the June 2019 email from Ms Graham to Mr Graham did involve the processing of the Claimant’s personal data (which, as I have said, is in issue), it was done for law enforcement purposes.
If it was, then the GDPR does not apply by virtue of Article 2(2)(d), which excludes law enforcement processing from the scope of the GDPR, and the relevant legal regime is Parts 1 and 3 of the DPA 2018, which do apply to processing for law enforcement purposes, and implement the Law Enforcement Directive (Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016). Part 3 applies to law enforcement processing by ‘competent authorities’ (as listed in Sch 7 of the DPA 2018). It is common ground that the Director of Public Prosecutions (DPP) (the Head of the CPS) is a competent authority.
If it was not, then the email involved general processing that is covered by the GDPR and implemented in domestic law by Part 2 of the DPA 2018.
Section 31 of the DPA 2018 provides:
“For the purposes of this Part, ‘the law enforcement purposes’ are the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.”
Section 32 defines a controller for the purposes of Part 3 (law enforcement processing) as:
“the competent authority which, alone or jointly with others – (a) determines the purposes and means of the processing of personal data, or (b) is the controller by virtue of subsection (2).”
Section 32(2) states:
“Where personal data is processed only – (a) for purposes for which it is required by an enactment to be processed, and (b) by means by which it is required by an enactment to be processed, the competent authority on which the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.”
The Claimant’s position is that that the processing was done for law enforcement purposes. On behalf of the Defendant, Mr Adams submitted in his Skeleton Argument at [56] that if the June 2019 email did, contrary to his primary position, involve the processing of personal data then it was ‘better characterised’ as having been done for law enforcement purposes because the making of a statement about the status of a charging file can be regarded as incidental to the CPS’s primary function (the prosecution of criminal offences), by maintaining public confidence, and therefore entailed processing for that purpose.
I think that that is right, and I will therefore proceed on the basis that the relevant legal regime is the DPA 2018.
In fact, as Ms Khan rightly observed, there is little material distinction between the data protection principles applicable to general processing of personal data in the GDPR and those applicable to processing it for law enforcement purposes in Part 3 of the DPA 2018.
The next question is whether the June 2019 email contained the Claimant’s personal data. If it did, then there is no doubt that the act of sending the email was ‘processing’ by virtue of s 3(4)(c) and (d), which include within the definition of processing, ‘(c) retrieval, consultation or use, (d) disclosure by transmission, dissemination or otherwise making available.’
Personal data is defined in s 3(2):
“’Personal data’ means any information relating to an identified or identifiable living individual (subject to subsection (14)(c))”.
Section 3(14)(c) is not relevant in this case.
Section 3(3) states that (emphasis added):
“(3) ‘Identifiable living individual’ means a living individual who can be identified, directly or indirectly, in particular by reference to –
(a) an identifier such as name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.”
An individual can only show that information is his personal data if he is identifiable from the sentence in question, and it ‘relates to’ him in the sense explained by the Court of Appeal in Durantv Financial Services Authority [2004] FSR 28 [28] (Auld LJ); Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd [2017] EWCA Civ 121 [2018] QB 256 [61-66] (Lewison LJ): see Aven v Orbis Business Intelligence Limited[2020] EWHC 1812 (QB), [24] (Warby J). In Farrand v, the Information Commissioner and the London Fire and Emergency Planning Authority [2014] UKUT 0310 (AAC) at 18, Upper Tribunal Judge Jacobs stated that:
“The important issue is whether the data can be related to a living individual, not whether that person can be identified from any particular part of the data.”
In Durant, Auld LJ said at [28]:
“It follows from what I have said that not all information retrieved from a computer search against an individual's name or unique identifier is personal data within the Act. Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree. It seems to me that there are two notions that may be of assistance. The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject's involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person's or body's conduct that he may have instigated. In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity. A recent example is that considered by the European Court in Criminal Proceedings against Lindquist, Case C-101/01 (6th November 2003), in which the Court held, at para. 27, that "personal data" covered the name of a person or identification of him by some other means, for instance by giving his telephone number or information regarding his working conditions or hobbies.”
In Ittihadieh, [61]-[66], which concerned the Data Protection Act 1998, Lewison LJ said:
“61. Mr Pitt-Payne QC, for the University, submitted that the definition of ‘personal data’ consists of two limbs:
i) Whether the data in question "relate to" a living individual and
ii) Whether the individual is identifiable from those data.
This is inherent in the form of the definition in the DPA. I agree, and the point is, in my judgment, even clearer in the definition of "personal data" in the Directive, where the definition is clearly split between two clauses.
62. Since the DPA is intended to give effect to the Directive, it is convenient to begin with the EU jurisprudence. The expression ‘personal data’ ‘undoubtedly covers the name of a person in conjunction with his telephone details or information about his working conditions or hobbies’ as well as information that a person has been injured and is on half time; (Case C-101/01) Criminal Proceedings against Lindqvist [2004] QB 1014; or his name and address: (Case C-553/07) Rotterdam v Rijkeboer. The same is true of the name, date of birth, nationality, gender, ethnicity, religion and language, relating to a natural person, who is identified by name, although it does not apply to legal analysis: (Joined Cases C-141/12, C-372/12) YS v Minister voor Immigratie. A person's name and salary also amounts to ‘personal data’: (C-465/00) Rechnungshof v Osterreichischer Rundfunk [2003] 3 CMLR 10. An image of a person recorded by a camera is also his personal data: (Case C-212/13) Ryneš v Úrad pro ochranu osobních údaju [2015] 1 WLR 2607 at [22]. Mr Pitt-Payne submitted, and again I agree, that these cases are concerned with the ‘identifiability’ limb of the definition.
63. The question what amounts to ‘personal data’ has also been considered in a number of domestic cases. The first of significance is Durant v Financial Services Authority [2003] EWCA Civ 1746, [2004] FSR 28. Following unsuccessful litigation against Barclays Bank Mr Durant made a complaint to the FSA. That too was unsuccessful. He then made a SAR with which the FSA partially complied. However, the FSA refused to reveal information in four categories of file, some of which contained references to Mr Durant. The leading judgment was that of Auld LJ. He considered that the question of the scope of the definition of ‘personal data’ turned on the meaning of the phrase "relate to" in the phrase ‘data which relate to a living individual’: see [24]. Thus Auld LJ was not concerned with the question whether Mr Durant could be identified from the data. If his name was mentioned, clearly he could be. What was at issue was whether the data ‘related to’ him. At [27] he referred to the purpose of section 7 as being to enable a data subject to check whether the data controller's processing of his personal data unlawfully infringes his privacy. It was not ‘an automatic key to any information … in which he may be named or involved.’ He also pointed out the focus of the DPA on ready accessibility of information. He concluded at [28]:
‘Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree. It seems to me that there are two notions that may be of assistance. The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject's involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person's or body's conduct that he may have instigated. In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity.’
64. Mummery LJ simply agreed with Auld LJ and Buxton LJ began his concurring judgment by saying that he, too, agreed with Auld LJ. In my judgment the view expressed by Auld LJ corresponds closely with the view expressed by Advocate General Sharpston in YS v Minister voor Immigratie at [55]:
‘I am not convinced that the phrase ‘any information relating to an identified or identifiable natural person’ in Directive 95/46 should be read so widely as to cover all of the communicable content in which factual elements relating to a data subject are embedded.’
65. Edem v The Information Commissioner [2014] EWCA Civ 92 was another case of a complaint to the FSA. Mr Edem complained that the FSA had inadequately regulated a financial institution. He wanted to know the names of the officials who had dealt with his complaint. He applied for this information under the Freedom of Information Act 2000. The FSA refused to disclose the names on the ground that the names were the ‘personal data’ of the officials in question within the meaning of the definition in the DPA (which was imported into the Freedom of Information Act). At [13] Moses LJ said that there was ample authority that ‘a person's name, in conjunction with job-related information, is their personal data.’ Moses LJ then turned to the question why the FTT had reached a contrary conclusion. They had applied the two ‘notions’ which Auld LJ had described in Durant at [28], but Moses LJ held that they were wrong to do so, adding: ‘There is no reason to do so. The information in this case was plainly concerned with those three individuals.’ He also approved the following statement in the Information Commissioner's Guidance:
"It is important to remember that it is not always necessary to consider 'biographical significance' to determine whether data is personal data. In many cases data may be personal data simply because its content is such that it is 'obviously about' an individual. Alternatively, data may be personal data because it is clearly 'linked to' an individual because it is about his activities and is processed for the purpose of determining or influencing the way in which that person is treated. You need to consider 'biographical significance' only where information is not 'obviously about' an individual or clearly 'linked to' him."
66. Beatson and Underhill LJJ agreed. I do not see any conflict between these two cases. What Mr Edem wanted was a specific piece of information, namely the names of the officials who dealt with his case. The question was whether the three officials were identifiable from these data. Plainly they were. What Mr Durant wanted was any document in which he was mentioned. His error was the submission that the contents of any document in which he was mentioned were, without more, his personal data. It is the context in which these two requests were made that explains the difference in outcome between the two cases (although I observe that in both cases disclosure was refused). I agree with both Mr Pitt-Payne and Mr Milford, for the Information Commissioner, that the fact that in Durant Mr Durant was asking for information about himself, and that in Edem Mr Edem was asking for information about third parties is irrelevant to the definition of ‘personal data’. HHJ Harris QC was wrong to think otherwise.”
Ms Khan submitted that the concept of personal data is a broad concept, calling for a wide interpretation. See referred me to the Article 29 Working Party Opinion on the Concept of Personal Data WP 136 4/2007, p4. Whilst this guidance was drafted in relation to the former EU law regime given effect to in the DPA 1998 (namely, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; the Working Party was established pursuant to Article 29) Ms Khan said that it was still relevant to the DPA 2018. I note that Warby J relied on the Working Party’s work as an interpretive tool in Aven, [27]-[29] (a case under the DPA 1998):
“27. It is fair for Mr Millar to submit that the claim is one that calls for the faithful interpretation and application of a statutory code (construed in the light of the Directive). But the statutory definition of personal data on which he relies, does not provide the answer to the question. I quote the relevant parts of s 1(1):
‘data’ means information which –
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose …
‘personal data’ means data which relate to a living individual who can be identified -
(a) from those data or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller
…
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;”
28. This wording identifies some criteria, such as “relate to”, and “can be identified from …”, but it contains nothing that assists on the question of how to approach the identification of the data to which those criteria are to be applied. It certainly does not demonstrate or indicate that where a claimant complains of a document, an item-by-item approach to the contents of that document must be adopted. In those circumstances, the Court must look to the DPA and Directive as a whole for guidance, and may also look to extraneous sources for approaches that have been adopted in other, related contexts. That is what I did when a similar issue arose in the “de-listing” case, NT1 v Google LLC [2018] EWHC 799 (QB) [2019] QB 344. The claimant sought an order requiring the defendant to remove from search results returned by using the claimant’s name information contained in newspaper articles and book extracts about an old, rehabilitated criminal conviction. One aspect of the claimant’s case was that the information was inaccurate, contrary to the Fourth Principle. Mr Tomlinson QC, appearing for the claimant, initially argued that for this purpose that the Court should look, not at the natural and ordinary meaning of a document, but rather at each discrete “item of information”. He moved away from that position in the course of the trial, and I rejected it.
29. I concluded that the right approach was to look at the articles and book extracts as a whole, and interpret any element of them by reference to the meaning that the ordinary reader would take from that element, read in its full context. My reasons were set out in detail at [80-84]. It is unnecessary to set them out here. In summary I concluded, and it remains my view, that support for this approach can be found in aspects of the DPA itself, the work of the Article 29 Working Party, domestic authority on the application of the DPA and its predecessor (the Act of 1984), and the logic and common sense to be found in the law of meaning in defamation.”
Ms Khan also referred me to the ICO’s detailed guidance on what constitutes personal data (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/can-we-identify-an-individual-indirectly/), in which it is stated that:
“It’s important to be aware that information you hold may indirectly identify an individual and therefore can still be personal data. If so, this means that the information is subject to the UK GDPR.”
and further that:
“Sometimes, whether someone can be identified may depend on who may have access to the information and any other information that can be combined with it. It’s important to be aware that you may hold information, which when combined with other information held outside of your organisation, could lead to an individual being indirectly identified or identifiable.”
It is right to observe, in agreement with Rosemary Jay, Data Protection Law and Practice (5th Edn), [2-010], that whether a person is ‘identifiable’ can be a difficult question. But I do not consider this to be such a case. I have no doubt that the June 2019 email contained the Claimant’s personal data in as much as it indirectly allowed him to be identified as one of the people in relation to whom a file had been sent to the CPS for a charging decision. This is so whether one takes the ‘biographical approach’ or the ‘obviously about’ approach discussed in Ittihadieh. For anyone, for the police to send a file of evidence about them (whether alone, or with others) for a decision on charge, is a significant life event which very much has him or them as its focus. Ms Khan was right to say the mention of Operation Sheridan in the email was an ‘identifier’. The Claimant accepts that the email in question did not contain his name, however Operation Sheridan only had eight suspects, including the Claimant. The fact that the Claimant was a suspect in Operation Sheridan was already in the public domain at the time of the sending of the email, as I have said, and had been so since March 2016. Personal data can relate to more than one person and does not have to relate exclusively to one data subject, particularly when the group referred to is small.
The best evidence that the email contained the Claimant’s personal data is that Mr Graham was able to identify the Claimant as being one of the persons to whom the file in question related. It is that which is what prompted his own email in December 2019 urging the recipients to take action to speed up the CPS’s decision making process on whether or not to prosecute the Claimant.
I therefore resolve this issue in the Claimant’s favour.
The next question is whether the Defendant’s processing was lawful.
Section 34 of the DPA 2018 provides:
“34 Overview and general duty of controller
(1) This Chapter sets out the six data protection principles as follows -
(a) section 35(1) sets out the first data protection principle (requirement that processing be lawful and fair);
(b) section 36(1) sets out the second data protection principle (requirement that purposes of processing be specified, explicit and legitimate);
(c) section 37 sets out the third data protection principle (requirement that personal data be adequate, relevant and not excessive);
(d) section 38(1) sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date);
(e) section 39(1) sets out the fifth data protection principle (requirement that personal data be kept for no longer than is necessary);
(f) section 40 sets out the sixth data protection principle (requirement that personal data be processed in a secure manner).
(2) In addition -
(a) each of sections 35, 36, 38 and 39 makes provision to supplement the principle to which it relates, and
(b) sections 41 and 42 make provision about the safeguards that apply in relation to certain types of processing.
(3) The controller in relation to personal data is responsible for, and must be able to demonstrate, compliance with this Chapter.”
This section therefore imposes a duty on the DPP as a controller to comply with the data protection principles. The principles said to have been breached in this case are: (a) the first data protection principle (s 34(1)(a) and s 35); (b) the second data protection principle (s 34(1)(b) and s 36); and (c) the sixth data protection principle (s 34(1)(f) and s 40).
Section 35, 36 and 40 provide:
“35 The first data protection principle
(1) The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair.
(2) The processing of personal data for any of the law enforcement purposes is lawful only if and to the extent that it is based on law and either -
(a) the data subject has given consent to the processing for that purpose, or
(b) the processing is necessary for the performance of a task carried out for that purpose by a competent authority.
(3) In addition, where the processing for any of the law enforcement purposes is sensitive processing, the processing is permitted only in the two cases set out in subsections (4) and (5).
(4) The first case is where -
(a) the data subject has given consent to the processing for the law enforcement purpose as mentioned in subsection (2)(a), and
(b) at the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).
(5) The second case is where—
(a) the processing is strictly necessary for the law enforcement purpose,
(b) the processing meets at least one of the conditions in Schedule 8, and
(c) at the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).
(6) The Secretary of State may by regulations amend Schedule 8 -
(a) by adding conditions;
(b) by omitting conditions added by regulations under paragraph (a).
(7) Regulations under subsection (6) are subject to the affirmative resolution procedure.
(8) In this section, ‘sensitive processing’ means -
(a) the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
(b) the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;
(c) the processing of data concerning health;
(d) the processing of data concerning an individual’s sex life or sexual orientation.”
36. The second data protection principle
(1) The second data protection principle is that—
(a) the law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and
(b) personal data so collected must not be processed in a manner that is incompatible with the purpose for which it was collected.
(2) Paragraph (b) of the second data protection principle is subject to subsections (3) and (4).
(3) Personal data collected for a law enforcement purpose may be processed for any other law enforcement purpose (whether by the controller that collected the data or by another controller) provided that -
(a) the controller is authorised by law to process the data for the other purpose, and
(b) the processing is necessary and proportionate to that other purpose.
(4) Personal data collected for any of the law enforcement purposes may not be processed for a purpose that is not a law enforcement purpose unless the processing is authorised by law.
…
40. The sixth data protection principle
The sixth data protection principle is that personal data processed for any of the law enforcement purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, ‘appropriate security’ includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).”
Dealing with first data protection principle, I will assume for now that the email to Mr Graham was lawful and not, for example, the unlawful misuse of private information. The key question here, it seems to me, is whether sending the email satisfied the condition of necessity in s 35(2)(b). There is no question of the Claimant having consented. If the processing was not ‘necessary’, then it breached the first data protection principle and was ipso facto unlawful.
The test of ‘necessity’ under s 35(2) is a strict one. In Guriev v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB), [45], Warby J held in a subject access request case that:
“The test of necessity is a strict one, requiring any interference with the subject’s rights to be proportionate to the gravity of the threat to the public interest”.
This test was confirmed to be correct in the context of Part 3 of the DPA 2018 in R (Elgizouli) v Secretary State of the Home Department (Information Commissioner and others intervening) [2021] AC 937, [8]-[9], [210]. The case concerned the provision of personal data via mutual legal assistance to the United States in circumstances where the information might be used in criminal proceedings which could lead to the imposition of the death penalty. The transfer of the data was argued to be unlawful, inter alia, under Part 3 of the DPA 2018. Lady Hale said at [8]-[9]:
“8. Part 3 of the 2018 Act makes provision about the processing of personal data by competent authorities for “the law enforcement purposes” and implements the European Union’s Law Enforcement Directive (Directive (EU) 2016/680) (“the LED”) (section 1(4)). That Directive is therefore a legitimate aid to the interpretation of the 2018 Act. The law enforcement purposes listed in section 31 include the investigation, detection and prosecution of criminal offences. Chapter 5 of Part 3 deals with the transfer of personal data to third countries or international organisations. Sections 73 to 76 set out the general conditions which apply to such transfers (section 72(1)(a)). The data controller cannot transfer personal data unless three conditions are met (section 73(1)(a)). Condition 3 need not concern us, because Condition 1 was not met and it is arguable that Condition 2 could never be met.
9. Condition 1 is that the transfer is necessary for any of the law enforcement purposes (section 73(2)). In Guriev v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB), Warby J held (in the context of restricting the subject’s right of access to his personal data) that: “The test of necessity is a strict one, requiring any interference with the subject’s rights to be proportionate to the gravity of the threat to the public interest” (para 45). The parties agree that the same test applies in this context. This obviously requires the data controller to address his mind to the proportionality of the transfer.”
At [210] Lord Carnwath said, by reference to Guriev, that it was common ground that the test of necessity was a strict one.
Corporate Officer of the House of Commons v JC [2008] EWHC 1084 (Admin), concerned the right of access under the Freedom of Information Act 2000 to information about an allowance payable to MPs with constituencies outside London known as the ACA. At [41]-[43], Latham, P said:
“41. No one would disagree that the address of each individual's private residence is personal data, and represents an aspect of private and family life, but a residential address is an aspect of private life which may not be very private at all. So, for example, MPs are required to disclose an address when seeking nomination for election. This address is published in the electoral process. Usually it will be the constituency address of the candidate and its publication inevitably diminishes its private nature. Other professions and occupations may require notification of and public access to a residential address. Thus, company directors are required to provide a residential address available to those who search the register of companies. Everyone eligible to vote must have his or her address recorded in the register of electors, full versions of which are available for public scrutiny in local libraries and local government offices. The reality is that an individual who is determined to discover a residential address of an adult law-abiding citizen is likely to be able to do so by one legal means or another, and where the person concerned is the holder of a public office and in the public eye, such an inquiry is likely to be easier.
42. None of this is intended to suggest that the disclosure of an individual's private address under FOIA does not require justification. In the present case, however, there was a legitimate public interest well capable of providing such justification. Thus, for example, there is evidence which suggests that one MP claimed ACA for a property which did not exist, and yet further evidence may demonstrate that on occasions MPs claiming ACA were letting out the accommodation procured from the ACA allowance.
43. In essence Mr Giffin's argument was that the justification relied on was not sufficiently weighty to make the disclosure of these addresses necessary in all circumstances. It was common ground that "necessary" within schedule 2 para 6 of the DPA should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends. We note the explanation given by the court in The Sunday Times v United Kingdom (1979) 2 EHRR 245 paragraph 59:
‘The court has already had the occasion …to state its understanding of the phrase "necessary in a democratic society" the nature of its functions in the examination of issues turning on that phrase and the manner in which it will perform those functions.
The court has noted that, while the adjective ‘necessary’, within the meaning of article 10(2) is not synonymous with ‘indispensable’, neither has it the flexibility of such expressions as ‘admissible’, ‘ordinary’, ‘useful’, ‘reasonable’ or ‘desirable’ and that it implies the existence of a ‘pressing social need.’”
In Stone v South East Coast Strategic Health Authority [2006] EWHC 1668 (Admin), [60], a case on the DPA 1998, Davis J said:
“60. It is clear in this case – and is conceded on behalf of Mr Stone at this stage of the argument – that a condition in Schedule 2 is satisfied: viz. paragraph 5(2) of Schedule 2 ("The processing is necessary… for the purpose of any other functions of a public nature exercised in the public interest by any person"). It is common ground that the word "necessary", as used in the Schedules to the 1998 Act, carries with it the connotations of the European Convention on Human Rights: those include the proposition that a pressing social need is involved and that the measure employed is proportionate to the legitimate aim being pursued.”
The burden of showing that the disclosure was necessary on the Defendant as the controller: ST (a child) and RF v L Primary School [2020] EWHC 1046 (QB), [71].
Adopting this approach, I have concluded that the Claimant has proved that the Defendant has failed to show that the disclosure to Mr Graham in June 2019 was necessary. Paragraph 14 of its Defence is as follows:
“… it is denied that the email of 5 June 2019 contained any personal data of the Claimant, that the Claimant’s personal data was thereby disclosed or that the Defendant acted unlawfully as alleged or at all. If which is denied, the email of 5 June 2019 contained any personal data of the Claimant or involved the processing of the same, such processing was lawful for the legitimate purpose of maintaining public confidence in the investigation and prosecution of alleged criminal offences. The Defendant maintained adequate safeguards including that it did not name the Claimant, it did not otherwise confirm that the charging file that it had received related to him, and it did not disclose any information that was not already in the public domain.”
I agree with the Claimant’s submission that whilst the Defendant has put forward this purported justification that it had a legitimate purpose of maintaining public confidence in the investigation and prosecution of crime, it has failed to show that there was any necessity – any pressing social need - for this member of the public, on this occasion, to be updated about the case in the way that Ms Graham updated Mr Graham, which resulted in him attempting to (I infer) harm or embarrass the Claimant politically, including by attempting to bring the existence of a charging file to national media attention.
I do not wish to criticise Mr Graham, especially as he has not given evidence and his initial enquiry cannot now be traced. However, it is clear to me that he had no legitimate interest in being individually updated about the progress of decision making on Operation Sheridan. In the words of Lord Donaldson MR in R v Monopolies and Mergers Commission ex parte Argyll Group plc [1986] 1 WLR 763, 773, albeit said in a different context, he was no more than ‘a meddlesome busybody’ who appears to have been motivated at least in part by some past and unrelated grievance against the Claimant. There was no legitimate reason for him to forward Ms Graham’s email to the people he did. They held no power or sway over the CPS, or any ability to speed up its decision making process, or influence it in any way. The CPS is an independent body answerable to the Attorney General and through him, to Parliament: s 3, Prosecution of Offences Act 1985.
There is also no evidence from Ms Graham or the CPS. That means that: (a) there is no evidence that she considered asking Mr Graham why he was enquiring, or what interest he had in Operation Sheridan; (b) that she considered the appropriateness of answering his apparently random enquiry when he had no particular ‘need to know’ as to the status of the investigation; (c) no evidence that she considered proportionality at all; (d) no evidence that she considered whether there was a ‘pressing social need’ to answer Mr Graham’s query; (e) no evidence about whether what she did was, or was not, in accordance with the CPS’s policy on answering specific queries about ongoing investigations and enquiries from members of the public; (f) no evidence that she considered telling Mr Graham that if she answered his query, then the answer was confidential to him and should not be forwarded on.
I accept that it can be a legitimate function of the police and the CPS to keep the public at large updated about how far enquiries have reached. But in this case there had been public statements to the media in August 2018 about Operation Sheridan which fully and appropriately briefed the public on the matter. Unless and until a charging decision was taken, there was no pressing social need for anything further to be said.
I therefore conclude there was a breach of the first data protection principle.
For the same reasons, I have concluded that there was also a breach of the second data principle. The data on the Claimant, namely that the CPS had received a charging file from the police, was collected for one law enforcement purpose, namely, the investigation and prosecution of crime. That fact was disclosed to Mr Graham for another, ancillary, purpose, namely the maintenance of public confidence in the investigation and prosecution of crime. But for that disclosure – in other words, that processing - to be lawful, it had to be necessary and proportionate: see s 36(3)(b). For the reasons already given, in my judgment the disclosure to Mr Graham was not necessary.
I have also concluded that there was a breach of the sixth data protection principle. The CPS has failed to show that it had in place appropriate organisational measures to protect against unauthorised or unlawful processing. I come back to the absence of evidence from the CPS. It has failed to show it had anything by way of policies dealing with how it should react if random members of the public made enquiries about live and ongoing investigations.
The highest it can be put on behalf of the CPS is its response of 25 February 2020 to the Claimant’s complaint, which stated that the relevant department had spoken to the reviewing lawyers dealing with Operation Sheridan, drawn their attention to this issue and:
“… re-enforced the correct procedures which should take place. Any future correspondence will be handled appropriately in the future.”
What those ‘correct procedures’ were remains unevidenced. Also, the fact that they had to be ‘re-enforced’ strongly suggests they had not been effective to date.
For all of those reasons, I uphold the Claimant’s data protection claim. The Defendant was right to admit the data breach in its letter of 25 February 2020.
Misuse of private information
I turn to the Claimant’s MPI claim. The principles are as follows.
Article 8 of the Convention provides:
“Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
Article 10 provides:
“Freedom of expression
1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. This article shall not prevent states from requiring the licensing of broadcasting, television or cinema enterprises.
2. The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary.”
Where a court is considering a claim for misuse of private information, it has to decide the two McKennitt issues which I set out earlier, but for convenience will set out again(at[11]):
“First, is the information private in the sense that it is in principle protected by article 8? If 'no', that is the end of the case. If 'yes' the second question arises: in all the circumstances, must the interest of the owner of the private information yield to the right of freedom of expression conferred on the publisher by article 10 ?”
More recently, in Bloomberg LP v ZXC [2022] 2 WLR 424, [26], the Supreme Court said:
“26. It has at all times been common ground that liability for misuse of private information is determined by applying a two-stage test. Stage one is whether the claimant objectively has a reasonable expectation of privacy in the relevant information. If so, stage two is whether that expectation is outweighed by the publisher’s right to freedom of expression. This involves a balancing exercise between the claimant’s article 8 right to privacy and the publisher’s article 10 right to freedom of expression.”
In Murray v Express Newspapers Limited [2009] Ch 481, [35]-[36], Sir Anthony Clarke MR explained the first question in the following way
“35 … The first question is whether there is a reasonable expectation of privacy. This is of course an objective question. The nature of the question was discussed in Campbell v MGN Ltd. Lord Hope emphasised that the reasonable expectation was that of the person who is affected by the publicity. He said, at para 99: "The question is what a reasonable person of ordinary sensibilities would feel if she was placed in the same position as the claimant and faced with the same publicity." We do not detect any difference between Lord Hope's opinion in this regard and the opinions expressed by the other members of the appellate committee.
36. As we see it, the question whether there is a reasonable expectation of privacy is a broad one, which takes account of all the circumstances of the case. They include the attributes of the claimant, the nature of the activity in which the claimant was engaged, the place at which it was happening, the nature and purpose of the intrusion, the absence of consent and whether it was known or could be inferred, the effect on the claimant and the circumstances in which and the purposes for which the information came into the hands of the publisher.”
In Sicri v Associated Newspapers Limited [2021] 4 WLR 9, [61], [64(2) and (3)], Warby J made a number of points about the first question.
There must be an objective assessment of whata reasonable person of ordinary sensibilities would feel if he orshe were placed in the same position as the claimant and facedwith the same publicity.
The extent to which the information was in the public domain is one of the circumstances to be taken into account. But although it is possible for information that began as private tobecome so well-known that it has entirely lost its private nature, the question of whether that has happened is one of fact and degree: ETK v News Group Newspapers Ltd [2011] 1 WLR 182, [10(3)]; ZXC v Bloomberg LP [2020] 3 WLR 838, [49] (CA). In that context:
‘... there is potentially an important distinction between information which is made available to a person's circle of
friends or work colleagues and information which is widely published in a newspaper …’
See Lord Browne of Madingley v AssociatedNewspapers Ltd [2008] QB 103, [61], (Sir Anthony Clarke MR, giving the judgment of the Court), citedby Simon LJ in ZXC (CA), [48].
Courts have recognised that the tort of misuse ofprivate information differs from the law of confidentiality; it protects not only thesecrecy of private information but also the intrusion associated with its publication,and may apply even if the information is already public to some extent: see PJS v News Group Newspapers Ltd [2016] AC 1081, [57-62], where Lord Neuberger said:
“57. If PJS’s case was simply based on confidentiality (or secrecy), then, while I would not characterise his claim for a permanent injunction as hopeless, it would have substantial difficulties. The publication of the story in newspapers in the United States, Canada, and even in Scotland would not, I think, be sufficient of itself to undermine the claim for a permanent injunction on the ground of privacy. However, the consequential publication of the story on websites, in tweets and other forms of social network, coupled with consequential oral communications, has clearly resulted in many people in England and Wales knowing at least some details of the story, including the identity of PJS, and many others knowing how to get access to the story. There are claims that between 20% and 25% of the population know who PJS is, which, it is fair to say, suggests that at least 75% of the population do not know the identity of PJS, and presumably more than 75% do not know much if anything about the details of the story. However, there comes a point where it is simply unrealistic for a court to stop a story being published in a national newspaper on the ground of confidentiality, and, on the current state of the evidence, I would, I think, accept that, if one was solely concerned with confidentiality, that point had indeed been passed in this case.
58. However, claims based on respect for privacy and family life do not depend on confidentiality (or secrecy) alone. As Tugendhat J said in Goodwin v News Group Newspapers Ltd [2011] EMLR 27, para 85, “[t]he right to respect for private life embraces more than one concept”. He went on to cite with approval a passage written by Dr Moreham in Law of Privacy and the Media (2nd ed (2011), edited by Warby, Moreham and Christie), in which she summarised “the two core components of the rights to privacy” as “unwanted access to private information and unwanted access to [or intrusion into] one’s … personal space” - what Tugendhat J characterised as “confidentiality” and “intrusion”.
59. Tugendhat J then went on to identify a number of cases where “intrusion had been relied on by judges to justify the grant of an injunction despite a significant loss of confidentiality”, namely Blair v Associated Newspapers Ltd (10 March 2000, Morland J), West v BBC (10 June 2002, Ouseley J), McKennitt v Ash [2006] EMLR 10, para 81 (Eady J), X & Y v Persons Unknown [2007] EMLR 290, para 64 (Eady J), JIH v News Group Newspapers Ltd [2011] EMLR 9, paras 58-59 (Tugendhat J), TSE v News Group Newspapers Ltd [2011] EWHC 1308 (QB), paras 29-30 (Tugendhat J) and CTB v News Group Newspapers Ltd [2011] EWHC 1326 (QB), para 23 (Eady J), to which can be added CTB v News Group Newspapers Ltd [2011] EWHC 1334 (QB), para 3 (Tugendhat J), Rocknroll v News Group Newspapers Ltd [2013] EWHC 24 (Ch), para 25 (Briggs J), and H v A (No 2) [2015] EWHC 2630 (Fam), paras 66-69 (MacDonald J).
60. Perusal of those decisions establishes that there is a clear, principled and consistent approach at first instance when it comes to balancing the media’s freedom of expression and an individual’s rights in respect of confidentiality and intrusion. There has been not even a hint of disapproval of that approach by the Court of Appeal (although it considered appeals in McKennitt [2008] QB 73 and JIH [2011] 1 WLR 1645). Indeed, unsurprisingly, there has been noargument that we should take the opportunity to overrule or depart from them. Accordingly, it seems to me that it is appropriate for this Court to adhere to the approach in those cases. Not only do they demonstrate a clear and consistent approach, but they are decisions of judges who are highly respected, and, at least in the main, highly experienced in the field of media law and practice; and they were mostly decided at a time when access to the internet was easily available to the great majority of people in the United Kingdom.
61. The significance of intrusion, as opposed to confidentiality, in these decisions was well explained in the judgment of Eady J in CTB [2011] EWHC 1326 (QB), where he refused an application by a newspaper to vary an interlocutory injunction because of what he referred to as “widespread coverage on the Internet”. At para 24 he said that “[i]t is fairly obvious that wall-to-wall excoriation in national newspapers … is likely to be significantly more intrusive and distressing for those concerned than the availability of information on the Internet or in foreign journals to those, however many, who take the trouble to look it up”. As he went on to say in the next paragraph of his judgment, in a case such as this, “[f]or so long as the court is in a position to prevent some of that intrusion and distress, depending upon the individual circumstances, it may be appropriate to maintain that degree of protection”.
62. The same approach was taken by Tugendhat J in a later judgment in the same case, CTB [2011] EWHC 1334 (QB), when refusing a further application to lift the interlocutory injunction after the applicant’s name had been mentioned in the House of Commons. At para 3, having accepted that it was “obvious that if the purpose of this injunction were to preserve a secret, it would have failed in its purpose”, he said that “in so far as its purpose is to prevent intrusion or harassment, it has not failed”. Indeed, he regarded the fact that “tens of thousands of people have named the claimant on the internet” as confirming, rather than undermining, the argument that ‘the claimant and his family need protection from intrusion into their private and family life’.”
On the question of information in the public domain, Gatley on Libel and Slander (13th Edn) says this at [23-009] (footnotes omitted):
“The role of the concept of the ‘public domain’ in misuse of private information has been a matter of much deliberation, culminating in an important ruling of the Supreme Court in PJS v News Group Newspapers Ltd. Even if seemingly private in nature, there will usually be no reasonable expectation of privacy in information that is already in the public domain. This principle has carried over to some extent to the claim for misuse of private information from that for breach of confidence. The determination as to precisely when information will be deemed already to be in the public domain is more nuanced in this new context, however; it is less automatic in the context of privacy than confidentiality of government secrets. The matter will often be a question of degree. There is a qualitative difference, for instance, between information being in the public domain by reason of an individual appearing physically in a public place with the natural exposure to others present that this brings, and the publication of photographs disclosing that information in newspapers or on a social media account with millions of followers, such as to render it universally accessible and, in effect, known. Similarly, the fact that information is known to some people does not mean that wider publication would have no significant effect. Another similar factual scenario arises increasingly often in the context of the reproduction in the mainstream media of personal information published on social networking websites.
At some point, however, it appears to be accepted that the general availability of some given information will preclude the possibility of any reasonable expectation of privacy. For instance, in Mosley v News Group Newspapers Ltd - a case in which the online article containing the offending information had already been viewed several hundred thousand times and a video more than 1.5 million times before the claimant sought an interim injunction—both items were held to be incontrovertibly in the public domain such that no interim order enjoining further publication was available. In contrast, in Weller v Associated Newspapers Ltd, the court was presented with a complaint regarding the publication in a newspaper and online of the unpixellated faces of the children of a well-known musician. Evidence showed that there had previously been an array of publications concerning the children, including some reference to the children in newspaper and other interviews, personal tweets regarding the family (some of which had been picked up and republished by national newspapers), other online publications by different members of the family circle, publication of photographs in a book, and a single modelling appearance of one of the children in a teen magazine. Despite this, Dingemans J concluded that the children retained a reasonable expectation of privacy over publication of photographs showing their faces, “one of the chief attributes of their respective personalities”.
A range of additional factors may influence the determination of whether information is sufficiently in the public domain so as to rule out a claim for misuse of private information. These include whether the information has been published in othe jurisdictions, the extent to which “jigsaw” revelation allows the general public access to new information, the conduct of the publisher, the specificity of any information already in the public domain, and the passage of time.
A further issue with regard to the public domain concerns whether the test should be that information is actually known by a sufficiently large number of people in the given audience, or whether it is enough that it is merely accessible in theory to them. In Spycatcher, Lord Goff suggested a criterion of “general accessibility”. Other judges have approached the matter differently, and concluded that the mere fact that information is generally accessible somewhere in public records or from some other esoteric source will not be enough to disqualify the information from being private. The same point can be made with regard to unheralded publication in an obscure location on the internet. It is submitted that Lord Goff’s concept of “general accessibility” should therefore in this context be understood as meaning ‘being known or readily knowable to a substantial number of people’.”
If the first question is answered positively then the court has to go on to consider the second question. This requires the application of Article 8(2), and when freedom of expression is involved, the court must undertake a balancing exercise to decide whether in all the circumstances the interests of the owner of the private information (in this case, the Claimant) must yield to the right to freedom of expression conferred on the publisher (in this case, the Defendant) by Article 10.
How this balancing exercise is to be carried has been explained in a number of cases. In Re S (A Child) [2005] 1 AC 539, [17], Lord Steyn said:
“First, neither article (8 or 10) has as such precedence over the other. Secondly, where the values under the two articles are in conflict, an intense focus on the comparative importance of the specific rights being claimed in the individual case is necessary. Thirdly, the justifications for interfering with or restricting each right must be taken into account. Finally, the proportionality test must be applied to each.”
In PJS, [20], Lord Mance summarised the relevant principles as follows:
“(i) neither article has preference over the other, (ii) where their values are in conflict, what is necessary is an intense focus on the comparative importance of the rights being claimed in the individual case, (iii) the justifications for interfering with or restricting each right must be taken into account and (iv) the proportionality test must be applied: see eg In re S (A Child) (Identification: Restrictions on Publication) [2005] 1 AC 593, para 17, per Lord Steyn, with whom all other members of the House agreed; McKennitt v Ash [2008] QB 73, para 47, per Buxton LJ, with whom the other members of the court agreed; and Mosley v News Group Newspapers Ltd [2008] EWHC 687 (QB) at [28] per Eady J, describing this as a 'very well established' methodology. The exercise of balancing article 8 and article 10 rights has been described as 'analogous to the exercise of a discretion': AAA v Associated Newspapers Ltd [2013] EWCA Civ 554 at [8].”
Also of assistance is Baroness Hale's analysis in Campbell v MGN Ltd [2004] 2 AC 457, [140]-[141], where she explained that when two Convention rights are in play 'the proportionality of interfering with one has to be balanced against the proportionality of restricting the other.' This involves:
“… looking first at the comparative importance of the actual rights being claimed in the individual case; then at the justifications for interfering with or restricting each of those rights; and applying the proportionality test to each.”
In conducting this balancing exercise, it is clear that it is not sufficient simply to consider whether publication is in 'the public interest' in some general sense. I must balance the public interest in favour of publication (if any) against the public interest in maintaining the right to privacy by reference to the specific facts in question and the nature of the public interest said to justify publication.
The principle that – as a starting point - a suspect in a criminal investigation has, in general, a reasonable expectation of privacy was confirmed in Richard v BBC and South Yorkshire Police [2018] 3 WLR 171, [248], and more recently in ZXC, [146].
In Richard, Mann Jsaid at[248]-[251]:
“248. It seems to me that on the authorities, and as a matter of general principle, a suspect has a reasonable expectation of privacy in relation to a police investigation, and I so rule. As a general rule it is understandable and justifiable (and reasonable) that a suspect would not wish others to know of the investigation because of the stigma attached. It is, as a general rule, not necessary for anyone outside the investigating force to know, and the consequences of wider knowledge have been made apparent in many cases (see above). If the presumption of innocence were perfectly understood and given effect to, and if the general public was universally capable of adopting a completely open- and broad-minded view of the fact of an investigation so that there was no risk of taint either during the investigation or afterwards (assuming no charge) then the position might be different. But neither of those things is true. The fact of an investigation, as a general rule, will of itself carry some stigma, no matter how often one says it should not. This was acknowledged in Khuja v Times Newspapers Ltd [2017] 3 WLR 351 (the PNM case re-named in the Supreme Court). The trial judge had acknowledged that some members of the public would equate suspicion with guilt, but he considered that members of the public generally would know the difference between those two things (see para 32). Lord Sumption was not so hopeful. He observed:
"Left to myself, I might have been less sanguine than he was about the reaction of the public to the way PNM featured in the trial."
249. In the same case the minority Justices (Lords Kerr and Wilson) quoted from Cobb J's observations in Rotherham Metropolitan Borough Council v M [2016] 4 WLR 177, with approval.
"Then Cobb J quoted from a leading article in The Times on 19 October 2016 as follows:
'False rape and abuse accusations can inflict terrible damage on the reputations, prospects and health of those accused. For all the presumption of innocence, mud sticks.'
In the end Cobb J concluded that the restriction orders against identification of the men should be continued indefinitely. He said, at para 46:
'I have reached the firm conclusion that there is no true public interest in naming the four associated males, against whom, in the end, no findings have been sought or made. [Their] article 8 rights … would be in my judgment significantly violated were they to be publicly exposed in the media as having been implicated to a greater or lesser degree, but not proved to be engaged, in this type of offending.'
These observations seem to us to show great insight and to resonate strongly with the facts of the present case."
250. These judicial remarks demonstrate at least some of the reasons why an accused should at least prima facie have a reasonable expectation of privacy in respect of an investigation. They are particularly appropriate to the type of case referred to there (of which, of course, the present case is an instance) but they are generally applicable, to varying extents, to other types of cases.
251. That is not to say, and I do not find, that there is an invariable right to privacy. There may be all sorts of reasons why, in a given case, there is no reasonable expectation of privacy, or why an original reasonable expectation is displaced. An example was given by Sir Brian Leveson in the extract quoted above, and others can be readily thought of. But in my view the legitimate expectation is the starting point. I consider that the reasonable person would objectively consider that to be the case.”
Sir Brian Leveson’s example was given in his Report following his Inquiry into the Culture, Practices and Ethics of the Press, [2.39]:
“2.39. I would endorse the general views of Commissioner Hogan-Howe and Mr Trotter on this issue [viz the police briefing the press on suspects]. Police forces must weigh very carefully the public interest considerations of taking the media on police operations against Article 8 and Article 6 rights of the individuals who are the subject of such an operation. Forces must also have directly in mind any potential consequential impact on the victims in such cases. More generally, I think that the current guidance in this area needs to be strengthened. For example, I think that it should be made abundantly clear that save in exceptional and clearly identified circumstances (for example, where there may be an immediate risk to the public), the names or identifying details of those who are arrested or suspected of a crime should not be released to the press nor the public.”
In ZXC, Lords Hamblen and Stephens, speaking for a unanimous Supreme Court, said:
“The courts below were correct to hold that, as a legitimate starting point, a person under criminal investigation has, prior to being charged, a reasonable expectation of privacy in respect of information relating to that investigation and thatin all the circumstances this is a case in which that applies and there is such an expectation.”
Having established the relevant legal principles, I turn to the facts before me.
Whilst a reasonable expectation of privacy in relation to a police investigation is the starting point, on the particular and somewhat special facts of this case, I am unable to conclude that by June 2019 such an expectation subsisted in relation to the information that the CPS were considering a charging decision in relation to the Claimant.
First, the investigation had been ongoing for some years. It had been widely reported. The Claimant himself made this clear in his evidence. It had been covered by all the branches of the media, namely, print, radio and television. As I set out earlier, in March 2016, following his exchange with Superintendent Halstead, the Claimant had chosen to name himself publicly as having been a target of Operation Sheridan. Superintendent Halstead was at pains to make clear that the police had scrupulously observed the Claimant’s expectation of privacy by not naming him as a suspect, and even though the Claimant had invited them to name him by way of exoneration, they did not wish to do so. Therefore, they left it to him, if he so chose, to identify himself, which is what he did when he issued the Press Release. Therefore, in March 2016 the Claimant waived his right of privacy that he had been a target of Operation Sheridan.
There is an argument that, given that waiver, there could be no ongoing reasonable expectation of privacy about any information relating to Operation Sheridan. In other words, it could be argued that the Claimant could not waive his privacy rights for some purposes (which suited him), but not for other purposes. However, I am prepared to assume that despite his waiver, his right to privacy did subsist, as a matter of principle at least, in some categories of information about the investigation.
After that came his arrest in 2017 and the Fitzgerald litigation. This put further information about Operation Sheridan, and the Claimant’s role within it, into the public domain. I accept that the Claimant did not initiate this litigation, but the inevitable consequence was that substantial further detail was made available about the alleged wrongdoing which the police were investigating, and the specific allegations against the Claimant. Therefore, viewed objectively, this further eroded any expectation of privacy in relation to Operation Sheridan.
Then, in August 2018, came the reporting that a file had been passed to the CPS by the police. The articles linked the file to Operation Sheridan (‘Operation Sheridan is an investigation … The file sent to the CPS today covers the whole scope of the inquiry …’) The Claimant accepted, as is obvious, that it was by then well-known that he was a target of Operation Sheridan (largely because of his voluntary choice in March 2016 to so identify himself). The article I quoted earlier expressly referred to a charging decision and to the investigation having been suspended. A CPS spokesperson referred to the file being considered in accordance with the Code for Crown Prosecutors which, as I have said, is the Code which governs when charges can be brought. There was a reference to a charging decision taking some time. Although this was a comment by the newspaper, rather than a quote from the police or CPS, it was prefaced by the words, ‘It is understood that any decision …’, strongly implying that the source was someone linked to the process who was in a position to say that, either within the police or the CPS.
Hence, as I have already concluded, any reasonable reader would have realised from this that the file had been passed to the CPS for it to consider whether to charge the Claimant and the other Operation Sheridan suspects in accordance with the Code for Crown Prosecutors.
As the Defendant points out, the Claimant must have known about this development because he was asked for a comment, which he declined to give.
I turn to the question whether Mr Graham, and those to whom he sent his December email, would already have known that the CPS were considering a charging decision; in other words, whether the emails told them something which they did not already know.
I know that I must not speculate. But equally I am entitled to draw inferences, and I cannot shut my eyes to the blindingly obvious. I infer that Mr Graham must have known, before he received the reply from the CPS, that it was considering a charging decision in relation to the Claimant. Although we do not have his enquiry, I think that must have been the case from all of the earlier reporting. But even if I am wrong about that, I also conclude that it is even more overwhelmingly likely that the political candidates to whom Mr Graham sent his email (and the CPS email) would also have known full well what stage the investigation had reached by December 2019, and what the CPS were considering. By then Operation Sheridan had been running for many years and generated much publicity. It was obviously a major Lancashire political story. In 2019 the Claimant was the leader of the Council. The Labour candidate was a County Councillor. Those active in politics in Lancashire, in particular Parliamentary candidates, could not have failed to know the CPS were considering whether to charge the Council’s leader following such a long-running and high profile corruption investigation.
At bottom, this was a very limited disclosure to people who were, I find, overwhelmingly likely already to have known what the situation was, because of earlier widespread reporting. The CPS email therefore added little or nothing to that which was already known. Mr Adams described the disclosure as ‘minimal’, and I am inclined to agree with that description.
I accept the media recipients of the December email may not have been in the picture to the same extent, but there is no evidence that anyone to whom the email was sent ever actually read it, let alone did anything about it. Unlike many such cases where this issue has arisen, this was not publication to the world at large, but to a small group many of whom, if not all of whom, knew about the potential for criminal charges.
I find it hard to accept that the words ‘charging decision’ came as a surprise to the Claimant, in the way that he claimed in his evidence. If they did, then this was a clear case of Nelsonian blindness, and of the Claimant choosing not to see that which was obvious. The significance of developments in August 2018 was clear at the time. As I have already indicated, a brief phone call to his solicitor would have made matters even more clear to the Claimant. Having by 2019 been under investigation for the best part of five years, the Claimant must, it seems to me, have had a clear enough understanding of the prosecution process to understand the significance of the development in August 2018. If he did not then, as I have said, it is because he chose to look the other way.
For these reasons, having had regard to all of the relevant circumstances (per Murray, [36]), I have concluded that the Claimant has failed to show that he objectively had a reasonable expectation of privacy in relation to the relevant information.
It follows that I do not need to consider the second McKennitt question. The MPI claim falls at the first hurdle.
The claim under the Human Rights Act 1998
The claim under the Human Rights Act 1998 was brought beyond the one year limitation period imposed by s 7(5)(a). Section 7(5)(b) provides that the Court can extend this for such a longer period as it ‘considers equitable having regard to all the circumstances.’
The claim is brought for an alleged violation of Article 8(1). However, for the reasons I have given in relation to the MPI claim, the information which was disclosed carried no expectation of privacy and so Article 8(1) was not engaged.
It follows that the human rights claim would be bound to fail, and so no purpose would be served by extending time, and I decline to do so.
Remedy
I have upheld the Claimant’s data protection claim but rejected his MPI and human rights claims. I turn, then, to the question of the appropriate remedy.
Ms Khan invited me to make an award of damages pursuant to s 169(5) of the DPA 2018, which provides:
“169 Compensation for contravention of other data protection legislation
(1) A person who suffers damage by reason of a contravention of a requirement of the data protection legislation, other than the GDPR, is entitled to compensation for that damage from the controller or the processor, subject to subsections (2) and (3).
(2 )Under subsection (1)—
(a) a controller involved in processing of personal data is liable for any damage caused by the processing, and
(b) a processor involved in processing of personal data is liable for damage caused by the processing only if the processor -
(i) has not complied with an obligation under the data protection legislation specifically directed at processors, or
(ii) has acted outside, or contrary to, the controller’s lawful instructions.
(3) A controller or processor is not liable as described in subsection (2) if the controller or processor proves that the controller or processor is not in any way responsible for the event giving rise to the damage.
(4) A joint controller in respect of the processing of personal data to which Part 3 or 4 applies whose responsibilities are determined in an arrangement under section 58 or 104 is only liable as described in subsection (2) if the controller is responsible for compliance with the provision of the data protection legislation that is contravened.
(5) In this section, ‘damage’ includes financial loss and damage not involving financial loss, such as distress.”
Ms Khan invited me to make an award of damages commensurate with the Claimant’s distress and injury to feelings. She accepted that there were few reported cases on quantum for breaches of data protection legislation, and that assessing damages in this area was ‘not an exact science.’
I am unable to accept the Claimant’s evidence about the effect he said the emails had upon him and his characterisation of them, and what he said they had led him to believe, especially in [6]-[8] of his witness statement, which I set out earlier. On no fair reading did they suggest that he would be charged. Nor was it reasonable for him to fear from the June email that ‘formal charges were likely to be brought against me’. On no reasonable view could it be regarded as representing a ‘significant development’ or a ‘significant change’. As I have explained, whilst it was a breach of the DPA 2018, the email did no more than repeat that which had been in the public domain since August 2018. If seeing the words ‘charging decision’ did come as a surprise to the Claimant, that was through his own fault because, as I have said, he turned his face away from the obvious when the announcement was made by the police and CPS in August 2018, and he did not take the advice which he could easily have taken.
I am prepared to accept that the Claimant would have experienced a very modest degree of distress upon discovering that the CPS’s email had been sent to political opponents and the media by someone who had a grievance against him in an effort (as I find) to embarrass him. But for the reasons I have given I reject his evidence that it represented some fundamental sea-change in the complexion or likely outcome of Operation Sheridan, such that it could reasonably or properly have caused him anything like the level of anguish which he claimed. I accept he consulted his GP in 2020 as he said, but I am unable to conclude this was as a result of the emails rather than, for example, of the stress of having been under police investigation, by then, for six years or so. Ms Khan accepted that this was not a personal injury claim, and that there was no medical evidence. There is also the point made by the Defendant that the Claimant’s own evidence was that he had been suffering from anxiety and depression since his arrest.
Conclusion
Given all of the circumstances, I consider that this data breach was at the lowest end of the spectrum. Taking all matters together in the round, I award the Claimant damages of £250. I will also make a declaration that the Defendant breached the Claimant’s rights under Part 3 of the DPA 2018. I invite the parties to draw up an order.