Following the Matt Hancock affair, Sun editor-in-chief Victoria Newton went public to state that she would go to jail before providing the name of the whistleblower who leaked details to the newspaper.

Thomas Cattee

Thomas Cattee

It was initially reported that police are not investigating Hancock for a Covid-19 breach, and that No.10 will not launch an enquiry into who leaked the footage. This was reportedly to avoid going after the whistle blower who reported the wrongdoing. Further, (before its involvement) the Metropolitan police originally said that, given the public interest in disclosure, they made decide public interest would not be served by prosecuting.

However, on 15 July 2021 the Information Commission’s Office (ICO) raided two homes and seized computer equipment (reportedly with Scotland Yard also involved). ICO officials are now examining laptops and mobile phones seized in the raids with a view to bringing a prosecution under section 170 of the Data Protection Act, which relates to personal data being obtained unlawfully.

This is on the basis that Emcor, the company that provides CCTV services to the Department of Health and Social Care, had reported a data breach. This action was justified by Steve Eckersley, the ICO’s director of investigations, who said: 'It’s vital that all people, which includes the employees of government departments and members of the public who interact with them, have trust and confidence in the protection of personal data'. Mr Eckersley added:'In these circumstances, the ICO aims to react swiftly and effectively to investigate where there is a risk that other people may have'.

Indeed, free speech campaigners have accused the data watchdog of putting its 'credibility on the line' after the raids. In contrast, Eckersley said after the raids 'It’s vital that all people… have trust and confidence in the protection of their personal data captured by CCTV'.

The IPO’s own guidance states that 'Privacy and freedom of expression are both fundamental rights that are equally vital to our society, democracy and way of life. But they can sometimes appear to be in conflict with each other. Our data protection laws aim to reconcile these rights and achieve a crucial balance'.

'We recognise that journalists’ activities are under increasing scrutiny and the sector is experiencing pressure imposed by new business models and competition from new platforms. Now, more than ever, it’s important that clear and practical guidance on what the law requires is readily available'.

In 2014, in response to a recommendation made by the Leveson Inquiry and after extensive consultation in the media sector, the ICO produced detailed guidance on data protection and journalism under the previous Data Protection Act 1998. Whilst the GDPR and Data Protection Act 2018 brings new provisions that media organisations will have to get to grips with, the basic principles remain unchanged.

With regards to whistleblowers, under ICO guidance for a disclosure to be protected, the concern must fit a set of criteria. The criteria most relevant here is where the worker reasonably believes an activity involves a criminal offence a breach of a legal obligation. A disclosure will not qualify if a worker commits an offence by making it, or if the information is subject to legal professional privilege (or a claim to confidentiality between a claimant and professional legal adviser in Scotland).

However, ICO’s rule also says that anyone reporting concerns to the media could lose whistleblower protection (stating 'if you have not followed internal procedures, whistleblowing to the media… will generally be considered an unreasonable course of action'). In this case, the story was broken by The Sun newspaper. Why there is this distinction between reporting to the media is not immediately clear. It can be argued that this could result in a situation where, due to fear by a whistle blower of no protection, disclosure of information which is in the public interest is not made, and of course the public would be none the wiser. It is a dangerous situation where people may feel compelled to keep potentially important information under wraps. In this case the hypocrisy has been revealed - although at what price is yet to be decided.

More broadly, it is also worth noting the Met Police operation Elveden investigation which ran from 2011 to 2016 and during which more than 30 police officers, prison guards and other public officials were convicted. This was prompted by the disclosure of confidential emails by News Corp in the wake of the hacking scandal. Any state employee selling a story to a journalist runs a serious risk of imprisonment.

The biggest legal concern for The Sun (as the original publishers) might be the Bribery Act 2010. Under this Act there is no public interest defence and therefore any direct payment to a government employee for the story would be extremely risky for the journalist concerned. Although, it is not clear whether any money changed hands. Previously, UK police and government have targeted public employee who reveal stories to the press using the old common law offence of misconduct in a public office. Of course, if The Sun’s source was a private contractor, they may not be covered by this law.

Finally, it has been reported that the Hancock story has echoes of MP’s expenses scandal in 2009 when a private contractor sold The Daily Telegraph full un-redacted details of MPs’ expenses. No prosecution was ever brought, presumably because it was decided that the revelations were in the public interest.

Of course, under the Bribery Act 2010, which has no public interest defence, The Daily Telegraph could have faced prosecution.

Thomas Cattee, white-collar crime lawyer and Josie Laidman, legal researcher at Gherson Solicitors