It is fair to say that Andrew Mountbatten-Windsor, formerly known as Prince Andrew, has had what his late mother would have described as an ‘annus horribilis’. On 30 October, Buckingham Palace announced that Andrew would lose his ‘prince’ title and would be leaving his Royal Lodge home in Windsor.
This action followed a series of disclosures from the serialisation of a posthumous memoir by Mountbatten-Windsor’s accuser, Virginia Giuffre, which piled pressure on King Charles to take further action against the then prince. Adding to this was a story by the Mail on Sunday on 19 October which will be of interest to information lawyers.
The Mail alleged that Mountbatten-Windsor asked his police protection officer to investigate Giuffre, just before the newspaper published a photo (right) in February 2011 of Giuffre’s first meeting with the then prince (Mountbatten-Windsor has denied meeting Giuffre and suggested that the photograph may have been doctored). The Mail alleges that Mountbatten-Windsor gave the officer her date of birth and social security number. The Sunday Telegraph also claimed that he ‘sought to dig up dirt’ on Giuffre.
Giuffre, who took her own life earlier this year, said she was among the girls and young women sexually exploited by convicted sex offender Jeffrey Epstein and his wealthy circle. Mountbatten-Windsor has consistently denied all allegations against him.
When the above stories were first published, the Metropolitan Police said: ‘We are aware of media reporting and are actively looking into the claims made.’ Of course, we do not have detailed information about the circumstances around the latest allegations against Mountbatten-Windsor, but (if true) there is a possible breach of section 170 of the Data Protection Act 2018 (DPA). This makes it a criminal offence for a person to knowingly or recklessly:
a) obtain or disclose personal data without the consent of the controller;
b) procure the disclosure of personal data to another person without the consent of the controller; or
c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
So if the latest allegations are true, Mountbatten-Windsor and/or his police protection officer at the time could have committed a criminal offence under the DPA 2018. Unlike some other allegations against him, this offence cannot lead to a prison term; just a fine. Successive information commissioners have argued that a custodial sentence under section 170 would be a better deterrent (but to no avail).
Will the Information Commissioner’s Office be knocking on Mountbatten-Windsor’s door? In June 2023, the ICO disclosed that, since 1 June 2018, 92 cases involving section 170 offences were investigated by its criminal investigations team. There have been a number of more recent section 170 prosecutions. These often involve people accessing/disclosing confidential information for financial gain.
For example, in July, at Leeds Crown Court, Qonain Hussain pleaded guilty to one offence of unlawfully obtaining personal data. Hussain was ordered to pay a fine of £1,500. The former insurance claims adviser was employed by BISL Ltd, an insurance intermediary that arranges and administers car insurance policies. The ICO’s investigation found that between 1 April 2020 and 5 November 2020, 1,550 customer records had been accessed by Hussain. Although he was required to access customer records when handling claims, a large portion of the records was found to have been accessed outside of his scheduled working hours or while he was on annual leave.
Depending again on the circumstances, there may also be an offence under section 1 of the Computer Misuse Act 1990. This carries tougher sentences, including a maximum of two years’ imprisonment on indictment. In July 2022, a woman who worked for Cheshire Police pleaded guilty to using the police data systems to check up on ex-partners. In August 2022, the ICO commenced criminal proceedings against eight individuals for allegedly accessing and obtaining customers’ personal data from vehicle repair garages to generate potential leads for personal injury claims.
Ibrahim Hasan is a lawyer and director of Act Now Training
No comments yet