Kololo v Commissioner of Police for the Metropolis

This is the hearing of a claim by the Claimant, Ali Babitu Kololo (“Mr Kololo”), against the Defendant, the Commissioner of Police of the Metropolis (“the Commissioner”). Mr Kololo claims that the Commissioner has wrongly refused a data subject access request made pursuant to section 7 of the Data Protection Act 1998 (“DPA”). The Commissioner claims that Mr Kololo’s request is an abuse of process because it is said to be an improper attempt to use the DPA to circumvent provisions of the Crime (International Co-Operation) Act 2003 (“CICA”) and says that the Court should in any event, as a matter of discretion, refuse to order compliance with the request.

On 11 September 2011 David Tebbutt was murdered at the Kiwayu Safari Village Resort in Kenya and his wife Judith Tebbutt was kidnapped and taken to Somalia. Mrs Tebbutt was released in March 2012. It was alleged, and Mr Kololo denied, that he had directed the Somalian kidnappers to the place where Mr and Mrs Tebbutt were sleeping. Mr Kololo was arrested on 11 September 2011.

As the incident involved the murder and kidnapping of British nationals the Metropolitan Police Service deployed police officers, fingerprint and ballistics experts, and forensic scientists to Kenya. Detective Superintendent Hibberd (now Detective Chief Superintendent Hibberd) led the team and made a witness statement dated 19 June 2012 in the course of the proceedings and gave evidence at Mr Kololo’s trial.

Mr Kololo was convicted after a trial at Lamu Magistrates’ Court. It appears that evidence was heard on various days between 25 April 2012 and 3 April 2013. Submissions were then made by prosecution and defence and Mr Kololo was convicted on 29 July 2013 of robbery with violence and kidnapping. He was sentenced to death. The evidence shows that there is a de facto moratorium on the carrying out of the death penalty in Kenya.

Mr Kololo is appealing against his conviction and sentence on a number of grounds. The grounds of appeal against conviction include grounds that: he did not have a lawyer during parts of the proceedings; his ability to follow the proceedings was compromised because he did not have an interpreter for his language; the alleged confession evidence was inadmissible; there were issues about disclosure; and there are issues about Mr Kololo’s connection to black tanga shoes which appeared to have made footprints near the scene of the killing and kidnap and which were exhibited during the trial.

As was common ground at the hearing it is not for this Court to comment in relation to Mr Kololo’s conviction or grounds of appeal against conviction or sentence.

Mr Kololo, acting through his lawyer in Kenya, instructed lawyers to act on his behalf in London. Data subject access requests were made to the Home Office, Foreign and Commonwealth Office and the Metropolitan Police Service (“MPS”) in connection with proposed judicial review proceedings.

The Home Office and Foreign Commonwealth Office provided data pursuant to those requests but the MPS refused. The judicial review proceedings were not pursued against the MPS.

However a further subject access request was made on behalf of Mr Kololo by letter dated 4 August 2014, received by the MPS on 14 August 2014. The request sought “all records relating to Mr Kololo”. The letter also made it clear that the information was required urgently because it was believed “that the information requested could prove crucial to Mr Kololo’s case and be used to avoid a death sentence being carried out”. The request was refused by the MPS by letter dated 11 September 2014 on the basis that it constituted an abuse of process.

This hearing was expedited because it appears that sometime later this month there will be a directions hearing in Kenya in relation to Mr Kololo’s appeal. The evidence from Mr Kololo’s lawyer in Kenya is that any application to rely on fresh evidence should be made at that directions hearing.

I am very grateful to Mr Turner QC and Ms Proops for their helpful submissions. I should record that it is common ground that, notwithstanding that Mr Kololo has not been to the United Kingdom, the fact that data relating to him is held by the Commissioner means that this Court has jurisdiction to order compliance with the request.

It appears that the main issues in this case are whether the making of the subject access request is an abuse of process and whether the Court ought, as a matter of discretion pursuant to section 7(9) of the DPA, refuse to direct the Commissioner to comply with the subject access request because it was made for an improper purpose.

The DPA gave domestic effect to the provisions of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data” (“the Directive”). The second Recital to the Directive recorded that data processing systems must “whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy”.

Section 1(1) of the DPA defines “personal data” as meaning data which “relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into possession of, the data controller, and includes any expression of opinion about the individual".

Section 2 defines “sensitive personal data” as including data consisting of information as to “the commission or alleged commission by him of any offence”.

Section 7(1) provides that “an individual is entitled (a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller ... (c) to have communicated to him in an intelligible form (i) the information constituting any personal data of which that individual is the data subject, and (ii) any information available to the data commissioner as to the source of those data

Section 7(9) provides “If a court is satisfied on the application of any person who has made a request under ... this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with that request”.

Section 14 provides that if data is shown to be inaccurate the Court may order rectification or erasure of that data.

Exemptions are provided for in Part IV of the DPA. Section 27(5) provides “except as provided by this Part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information”.

Section 28 of the DPA provides certain exemptions for the purposes of safeguarding national security. Section 29 of the DPA provides certain exemptions for the purposes of “the prevention or detection of crime” and “the apprehension or prosecution of offenders”.

The Crime (International Co-operation) Act 2003 (“CICA”) makes provision in section 13 for overseas courts or prosecuting authorities to request “assistance in obtaining evidence in a part of the United Kingdom”.

The forty-first Recital to the Directive emphasised the right of an individual to verify the accuracy of data relating to him. In YS v Minister voor Immigratie (Cases C- 141/12 & C-372/12) [2015] 1 CMLR 18 the European Court of Justice emphasised, at paragraph 44, by reference to the forty-first Recital to the Directive that “the protection of the fundamental right to respect for private life means ... that that person may be certain that the personal data concerning him are correct and that they are processed in a lawful manner”.

The European Court of Justice in Criminal Proceedings against Lindqvist (Case C- 101/01); [2004] QB 1014 emphasised that the balance between rights which might compete with data protection rights were for member state authorities to determine.

In R(Lord) v Secretary of State for Home Department [2003] EWHC 2073 (Admin) Munby J. noted, at paragraph 160, that the exercise of discretion in one case may throw little if any light on how it should be exercised in another and recorded that the applicant in that case was doing nothing wrong in seeking more information than he would have been entitled to under the common law. He referred to the discretion being “general and untrammelled’.

In Durant v Financial Services Authority [2004] FSR 28 Auld LJ, in obiter statements which it is common ground are useful, referred to the purposes of the DPA at paragraph 27 noting that the provisions enabled the data subject to check whether processing unlawfully infringed privacy but were not an automatic key to any information, readily accessible or not, of matters in which the data subject may be named or involved.

I was shown examples of subject access requests being refused as a matter of discretion where other means of requesting the documents were more appropriate, see Ezsias v Welsh Ministers (unreported 23 November 2007) and Guidance by the Information Commissioner recognising that the Courts might not always order compliance with subject access requests.

Reference was also made to R(Omar) v Secretary of State for the Foreign and Commonwealth Office [2013] EWCA Civ 118; [2014] QB 112 where the Norwich Pharmacal procedure was held not to apply where the provisions of CICA might be used. As was noted at paragraph 10 the issue in that appeal was “whether Norwich Pharmacal relief is excluded where a statutory regime covers the ground”. The extensive differences between CICA and Norwich Pharmacal were noted. The approach to interpretation when considering the relationship between a statutory remedy and a common law remedy was noted in paragraph 24 of the judgment. CICA provided for ministerial discretion, national security and Crown service. This meant that there was no room for a complementary common law procedure for obtaining evidence relevant to overseas criminal proceedings.

I note that the statutory regime under the DPA was not considered in R(Omar). It was in reliance on R(Omar) that it was submitted on behalf of the Commissioner that this subject access request amounted to an abuse of process and should be refused.

Mr Kololo made a witness statement dated 21^st February 2015 in which he acknowledged at paragraph 6 that the most important thing for him at the moment was his ongoing criminal appeal against conviction and his death sentence but he continued that "I want to know what information the Metropolitan Police hold on me and what they are doing or have done with it. I want to know who they have shared it with and for what purpose. I worry about the way in which they have used or may use the personal information they collected on me Mr Kololo also went on to say that he had been told that he might be able to apply to Court to stop the Metropolitan Police from doing something with the material which might cause him or his family damage or distress.

It is apparent that Mr Kololo’s principal aim is to have a response to his subject access request in the hope that it might provide him with material which might be used for the purposes of his appeal. That much is apparent from the request for expedition. It is also apparent that his evidence about the Commissioner holding material causing him or his family damage or distress is speculative.

However, in order for any data which Mr Kololo might obtain from the Commissioner to be of any assistance to Mr Kololo on his appeal, it is likely that Mr Kololo will want to try and point to inaccuracies in the data. I should note that it is not for this Court to determine whether there any inaccuracies in the data and the Court cannot do so without having seen the data.

It is common ground that section 7(9) gives the Court a discretion whether to order the data processor to comply with the subject access request. This is "general and untrammelled" but it is also common ground that such a discretion should be exercised to give effect to the statutory purposes of the DPA and be proportionate.

In my judgment the making of the subject access request in this case is not an abuse of process. The decision in R(Omar) related to the use of a common law remedy where there was a co-existing and appropriate statutory remedy by way of CICA and where the common law remedy did not provide exemptions for national security and other relevant matters. The DPA makes specific provision for exemptions for national security and for the investigation and prosecution of crime, unlike the common law Norwich Pharmacal procedure. There is nothing to indicate that, in this case, CICA should be an exclusive remedy.

I should note that in this respect I have not found the reference to the provisions of section 27(5) of the DPA to provide the complete answer to the Commissioner’s case that they were submitted, on behalf of Mr Kololo, to be. It was said that because section 27(5) provides that “the subject information provisions shall have effect notwithstanding any enactment or rule of law... ” the doctrine of abuse of process could not be relevant because CICA was an “enactment” and abuse of process was a “rule of law” and the subject information provisions should therefore have effect. This submission is correct as far as it goes, but the subject information provisions include section 7(9) of the DPA. As is apparent section 7(9) of the DPA provides the Court with discretion to refuse to order compliance. This means that if I had found Mr Kololo’s request to be an abuse of process by reason of CICA I would have refused to order compliance as an exercise of discretion.

I therefore turn to consider whether I should order compliance with the subject access request. In my judgment this is an appropriate case in which to order compliance. This is because a purpose for which Mr Kololo is making the subject access request is to determine whether there are inaccuracies in the data. This means that Mr Kololo (or his legal representatives) is making the subject access request to verify the accuracy of the data. This is so even though verifying the accuracy of the data is unlikely to be of assistance to Mr Kololo for his appellate proceedings. However if the data is not accurate Mr Kololo (or his legal representatives) may seek to correct any inaccuracies in the data. This might, depending on the inaccuracies, be of assistance to Mr Kololo for his other purposes.

It is apparent that verifying data is a proper statutory purpose from the Recital to the Directive, and in particular the forty first Recital, which was specifically referred to in YS. It is also apparent that correcting inaccuracies in data is a proper statutory purpose. This appears from the statutory rights set out in section 14 of the DPA to rectification of data. Therefore, in my judgment, ordering compliance with the subject access request in this case will accord with the purposes of the DPA. I note that the existence of collateral proceedings, in which it is proposed to use the verified or corrected data, does not, of itself amount to a reason to refuse compliance. This is apparent from, among other judgments, the decisions in YS and R(Lord).

In my judgment, given that Mr Kololo has been sentenced to death (albeit that the sentence is the current subject of a moratorium) ordering the Commissioner to comply with the subject access request is proportionate.

There is nothing in the evidence before me to suggest that the existence of CICA makes, in the particular circumstances of this case, the making of the subject access request inappropriate. It is apparent that no CICA request has yet been made, and it will take time to make such a request. There is nothing to suggest that such a request would assist Mr Kololo in verifying data.

It was apparent that because the Commissioner had defended these proceedings on the basis that the request was an abuse of process there had not been detailed consideration of the exemptions in section 29 or other relevant exemptions. In order to ensure that proper points (if there are any) may be taken in relation to the exemptions I will, as discussed with counsel at the hearing, record that this ruling requiring the Commissioner to comply with the subject access request may be met with a refusal to disclose specific data by reference to section 29 (although Ms Proops did not think such an eventuality likely in this case) or other relevant exemptions. In such an event a further hearing may be necessary.

Mr Kololo had asked for a declaration to the effect that the Commissioner had acted unlawfully in refusing to comply with the subject access request. In circumstances where I am ordering compliance with the subject access request the granting of the declaration adds nothing to the claim, and might, at worst, be misinterpreted.

For the detailed reasons given above Mr Kololo’s subject access request is not an abuse of process, and I order the Commissioner to comply with the subject access request made by Mr Kololo.