Only the guilty have anything to fear? Information sharing under the Data Protection Act


 This document is published for archival/historical purposes. It will not be updated. 

The following is a report of a presentation given by Mr Jonathan Bamford, Assistant Information Commissioner, at the inaugural Information Sharing Network Conference, 10 September 2001.


Mr Bamford said that 1998 had been a vintage year for legislation. The Crime and Disorder Act 1998 was there to protect individuals from criminality and disorder; the Data Protection Act was passed in 1998, a piece of legislation to protect individuals in different ways, to protect their privacy, how their information was handled, to set certain legally enforceable standards about who gained access to personal information and what it was used for; and the Human Rights Act hit the statute book in 1998 as well, another piece of legislation aimed at protecting individuals. These might seem conflicting pieces of legislation; the aims of the Crime and Disorder legislation envisaged information sharing to deal with its statutory objectives, in direct opposition to other legislation which had provisions guaranteeing a right to a private life, and which restricted what could happen to personal information about individuals. Certainly, there was a tension there, and it was not easy to try and reconcile the various elements.

He hoped to identify the things that really mattered in data protection terms, and needed to be addressed in terms of information sharing, so that the information shared had an effect on the guilty rather than causing any collateral damage. Annex A set out some considerations. Once there was a statutory power, the normal standards in data protection laws imposed some sort of proportionate safeguards in terms of information exchange. It had been agreed that further guidance was needed concerning the powers in the Crime and Disorder Act, and that the key to this was to establish information sharing protocols setting out the ground rules.

The Data Protection Act 1998 replaced the 1984 Data Protection legislation, so its concepts had been around for quite a while. It provided for a regulatory regime for the processing of information relating to individuals, including all the sorts of things that could be done with that information. Traditionally the 1984 Act really only bit on information processed on computer, but the 1998 legislation included anything which related to individuals who were identifiable (so CCTV images were included). Aggregated statistical data was not included.

The starting point should be to share information which did not relate to identifiable individuals. A number of interesting tools had been developed to try to utilise depersonalised information as far as possible.

At the heart of data protection legislation there were eight data protection principles which essentially set the legally enforceable standards which anybody who processed information about individuals had to follow. These principles applied to the processing of personal data on the Internet, just as to any other processing. They were expressed in general terms – detailed interpretation was left to the regulator (and the courts) – allowing the regulator to develop a jurisprudence. In the UK, they were an enforceable standard. Whilst actual enforcement in every case of use of the Internet was not realistic, they provided a basis for a good data protection approach by every data user. Personal data should be:

  • processed fairly and lawfully;

  • obtained only for specified and lawful purposes and further processed only in a compatible manner;

  • adequate, relevant and not excessive;

  • accurate and up to date;

  • kept for no longer than necessary;

  • processed in accordance with the rights of data subjects;

  • kept secure;

  • transferred outside the European Economic Area only if there was adequate protection.

The bureaucratic elements of data protection law included the need to register or notify, which meant that in the crime and disorder areas people needed to know who were the legal entities who controlled personal data, and those legal entities needed to be notified to the Commissioner. The annex had more information on notification.

The first principle dealt with what was done with information when obtained from an individual. What did the individual understand was going to happen to their details, how was it going to be used, how was it going to be disclosed? The wording there now was slightly different than it used to be. The old data protection principle had talked about processing personal data fairly and lawfully. But now the law went on to say you could not actually process personal data at all unless you met certain conditions in two schedules in the data protection legislation, schedule 2 and schedule 3. Schedule 3 related to processing data of a sensitive nature, such as people’s ethnic origin, sex life, health, criminality, trade union membership, for which certain conditions had to be met, called legitimacy of processing conditions. A basis for processing by a public authority might be a statute, as for example functions specified in the Crime and Disorder Act. Section 17 or 115 of that legislation would provide a basis for processing under the Data Protection Act, but it was important not to go outside those permitted statutory activities.

Fair and lawful obtaining were key areas for information sharing and how wide it could be. The basic philosophy enshrined in data protection law was that individuals, when providing information to somebody, had an understanding how that was going to be used and disclosed. If that was not obvious to people then it should be explained, and in some instances if this non-obvious use of disclosure was of a particular nature then the individuals should consent to its disclosure to other people. This was important when one looked at the various people, individuals, who could be caught up in information sharing activities. The duties owed in terms of fairness might be far greater to a third party who was not actually involved in any criminality than say to an offender. A victim would have greater say in terms of fairness about what could happen to their information than for example an individual who was an offender. It could not be argued that a young offender’s details should only be passed on to a youth offending team on the basis of that offender’s consent. The offender should be made aware that the information was passed on, but the action need not be grounded on consent. But if perhaps as part of the restorative justice schemes, the details of a victim needed to be passed to the youth offending team, it was up to the body who originally obtained the information to seek the consent of that victim for the disclosure of their details. There were some cases under the 1984 legislation which gave guidance on these duties of fairness, which made clear that whilst fairness was the paramount consideration in terms of handling information about individuals, it was not the only consideration, which was why he was able to say that offenders might be treated differently from victims in terms of information being shared.

The legislation gave some interpretative provisions of fair processing and fair obtaining. As far as practicable the data subject should be made aware of the identity of the data controller, the purpose the data was going to be processed for, and other information that was necessary to render the processing fair. Standards in information sharing protocols enabled those sorts of issues to be thought about coolly and calmly and consistently, looking at where these balances of interest lay. Complaints often arose because people did not really understand how their information had been used or how it had been passed on. For example, a local authority ran a drugs drop-in counselling centre, but there was nothing there to make clear it was run by the local authority. When information was passed from the centre to the social services department, the clients who were availing themselves of these services felt aggrieved, because they thought they were receiving medical treatment from medical practitioners, they had not really understood who they were dealing with. These sorts of things had to be established when people shared information on a voluntary basis.

Other legal duties existed. The common law duty of confidentiality particularly affected social services and the medical profession in terms of how they could disclose information. It had to be lawful. If information was disclosed which was subject to the Data Protection Act in a breach of a duty of confidentiality, then that became a breach of the Data Protection Act because it would be unlawful processing. Defects in those sorts of areas could be remedied on the basis of freely given consent.

Article 8 of the Human Rights Act was the one most closely associated with the Data Protection Act, which was respect for the private life of individuals. It was not an absolute right but a qualified right; there were instances when it was possible to interfere with an individual’s right to have respect for their private life, but any interference had to be proportionate to the evil being addressed.

Public bodies needed to have legal powers to do things. Section 115 essentially remedied a defect in powers for the relevant authorities listed there, but it was not an absolute power. Disclosure had to be necessary or expedient for the purposes of the Crime and Disorder Act. This did not mean that there was a legal requirement to make a disclosure. There were some situations where there was a legal duty to disclose; for example, the Inland Revenue had powers to force employers to give them details of their employees so that they could all be taxed, but the normal data protection standards, such as fairness, applied. Section 17 did not give carte blanche; it included a test of reasonableness.

The second data protection principle was about personal data being used only for specified or lawful purposes and not being disclosed or processed in a way that was incompatible with those purposes. Any person had the power to disclose information to a relevant authority or person acting on its behalf, “in any case where the disclosure was necessary or expedient for the purposes of any provision of” the Crime & Disorder Act 1998. A relevant authority was:

  • Chief Officer of Police

  • Police Authority

  • Local Authority

  • Probation Committee

  • Health Authority

The purpose(s) could be specified in a notice given in accordance with the fair processing requirements or in a notification. In determining whether a disclosure was compatible it was necessary to look at the original purpose for which the information was communicated to the body that had it in the first place. For example, a head teacher was asked by those interested in youth offending to provide details of all pupils at that school who suffered from attention deficiency syndrome. This information had been provided by parents because a child was on medication and went away on a school trip. The original purpose of the information was for the care of the child, to make sure he got his medication while he was away on a school trip; it was not then appropriate to be used in an unrelated context. Issues of confidentiality and compatibility arose. There were some exemptions in data protection laws on a case by case basis for personal data processed for crime and taxation purposes, in a case where it would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders. Other specific provisions in the Act dealt with disclosures which were required by law, but Section 115 did not require disclosure, it remedied defects in powers. There were elements where information could be given in connection with legal proceedings, so if an ASBO was on the cards and information had been given in connection with the formulation of that, then that would be a basis for disclosing under this particular exemption.

One of the primary areas for information sharing protocols and agreements was to deal with the other data protection principles that were there: to make sure that data was adequate for its purpose, that if it came from different bodies you could actually identify the right D Smith; that it was relevant, that it was what was needed, that it was not excessive, that it was kept accurate and up to date, and that it was not held for longer than was necessary for the purpose. Situations sometimes arose where the providing body held information for a particular purpose and deleted it, but other recipients continued to hold it because the retention period was different. Individuals’ rights of access had to be respected and information had to be kept secure. There were rights to compensation for individuals where they suffered as a result of a contravention of the data protection principles.

Information sharing protocols should ensure that data was kept up to date, that it was not excessive, that it was not irrelevant for the purposes it was needed for.

Basically what was needed were standards for sharing information, ones which people could follow, which were accepted, which dealt with the need: was personal information needed, if so, what was the basis on which it was obtained, where was it obtained from, what duties were owed to individuals, how were these discharged, was consent necessary, how much information was needed, what was the minimum necessary, the principle, how was that kept accurate and up to date, how long was it going to be kept for, what security should be put in place, who would provide access if somebody asked for it?

In summary, he urged people to embrace data protection standards and incorporate them into their protocols for sharing information. Some subjective judgements had to be made, and national standards could help people make those judgements because of the benchmarks against which they were set. The Information Commissioner would do whatever she could to make sure that when tool kits came forward for dealing with information sharing and crime and disorder matters, from the data protection point of view they would be the sharpest tools in the shed, and that they were clear and understandable. Everyone working in the public sector needed to maintain public confidence in their activities, and this was one way to do it. The website http://www.dataprotection.gov.uk/ was available for reference.

Last update: Wednesday, August 27, 2008