Criminal Records Bureau – Data protection – Principles - Duration

(1) Chief Constable of Humberside (2) Chief Constable of Staffordshire (3) Chief Constable of Northumbria (4) Chief Constable of West Midlands (5) Chief Constable of Greater Manchester (appellants) v Information Commissioner (respondent) & Secretary of State for the Home Department (intervener): CA (Civ Div) (Lords Justice Waller, Carnwath, Hughes): 19 October 2009

The appellant chief constables appealed against decisions of the Information Tribunal that certain old convictions should be deleted from the Police National Computer.

In five cases individuals had complained to the Information Commissioner following the disclosure of old minor convictions pursuant to a request by the Criminal Records Bureau or, in one case, a request by one of the individuals herself. In respect of each of those convictions, the Information Tribunal upheld the view of the Information Commissioner that they should be deleted from the Police National Computer. The police took the view that no convictions should be deleted except in exceptional circumstances, which should be narrowly construed as limited to such matters as convictions being established as wrongly obtained.

The tribunal found that the purposes for which the convictions were held were ‘core’ police purposes, such as the detection of crime, and rejected the evidence of the police that the convictions had some value for those core purposes. The tribunal went on to hold that excessive data was being retained contrary to the third data ­protection principle and that data was being kept for longer than necessary contrary to the fifth data protection principle.

A separate point arose in the case of one individual (S), who alleged that the retention of a reprimand on the computer after her 18th birthday was unfair under the first data protection principle because she had been given an assurance that the reprimand would be removed from her record when she was 18 if she did not get into any more trouble. The chief constables submitted that, to confine ‘purposes’ to core police purposes found no support from the provisions of the Data Protection Act 1998 and Directive 95/46 was to take too narrow a view, and in so far as it was a registered purpose to hold the information so that it could be supplied to others, for example a complete history of convictions to the courts and the Crown Prosecution Service, there could be no question of the data retained being excessive or being held for longer than necessary.

Held: (1) It was a misinterpretation of the 1998 act to suggest that, if the police registered particulars then the only purposes for which data could be retained were ‘core’ or operational police purposes. The data controller had to specify the purpose for which data was retained. There was no statutory constraint on any individual or company as to the purposes for which he or it was entitled to retain data. The purposes had to be lawful in order to comply with the first data protection principle but, that apart, a data controller could process data for any purpose.

What the data controller had to do, however, was identify the purpose or purposes in the public register so that people knew what the data was being retained for and so that the Information Commissioner and data subjects could test the principles under the act by reference to the purposes identified.

The chief constables had registered purposes such as ‘vetting and licensing’ which, together with the list of recipients, indicated that one of the purposes for which the police retained the data on the Police National Computer was to be able to supply accurate records of convictions to the Crown Prosecution Service, the courts and the Criminal Records Bureau. Since those recipients required a complete record of convictions spent and otherwise, it could not be said that the data being retained was excessive or being retained for longer than necessary for those purposes. The tribunal had been wrong to find that the correct approach was that the police processed data for their core purposes.

(2) Even if the narrower approach to purposes was correct, the tribunal was wrong to hold that retention of the information was a breach of the third and fifth principles by reference to statistical evidence relating to the risk of future offending. If the police said rationally and reasonably that convictions, however old or minor, had a value in the work they did, that should, in effect, be the end of the matter.

(3) Article 8(5) of the directive permitted a complete register of criminal convictions to be kept, and if a complete record could be kept then it was permissible to maintain a record which was designed to be complete in relation to all offences of a defined degree of seriousness. The specific endorsement by the directive of the concept of a complete register made it impossible to argue that the retention of information in such a register was in itself objectionable under article 8 of the European Convention on Human Rights 1950. (4) S had been informed that the reprimand would be removed from her record under the policy of ‘weeding’ then in force. The policy had changed. If it was fair to retain convictions under the new policy it did not become unfair to do so simply because the data subject was told of what the policy then was when being convicted or reprimanded. Furthermore, the deletion of the reprimand, leading as it would to deletion of many others, would be likely to prejudice the ­prevention and detection of crime and the apprehension or prosecution of offenders within the exemption in section 29(1) from the first data protection principle.

Appeals allowed.

David N Jones (instructed by the in-house solicitor) for the appellants; Timothy Pitt-Payne (instructed by the in-house solicitor) for the respondent; Jonathan Swift, Cecilia Ivimy (instructed by the Treasury solicitors) for the intervener.