ICO v Adair, Roberts and Evans. Decision on the defendants applications to dismiss

Transcription

1 St Albans Crown Court ICO v Adair, Roberts and Evans T T T Decision on the defendants applications to dismiss 1. The three defendants in this case are each charged with offences under Section 55(1) and 60(2) of the Data Protection Act Each of the defendants is or was serving a police or SOCA officer and the charge(s) in each case are that personal data relating to individuals contained within police or SOCA documents was knowingly or recklessly obtained without the consent of the relevant data controller. 3. Hence: (a) Against Brian Adair one count is brought in relation to personal data said to be contained within an intelligence report from an operation known as Operation Flange. The relevant data controller is said to have been the Serious Organised Crime Agency. (b) Against Sheila Roberts there are three counts, in each the relevant data controller is again said to be the Serious Organised Crime Agency, and the personal data is said to have been contained in: (i) intelligence reports from Operation Basipodite; or (ii) a letter written by an investigating officer to a trial judge concerning Operation Coronary. The third count is not for obtaining but for disclosing the personal data which is the subject of count 2, to Glyn Evans. Page 1

2 (c) Against Glyn Evans there is a single count. The personal data is said to have been contained in a counter terrorism tasking assessment and the relevant data controller is said to have been the Chief Constable of Norfolk Constabulary. 4. The case was listed before me on 21 March 2014 for applications from each defendant to dismiss the counts against them and then for a PCMH. Each defendant was separately represented. Having heard the arguments advanced by the defendants and heard from the prosecution I decided to reserve my judgment on the application and to adjourn the PCMH until after my decision if, by that stage, any part of the proceedings survived because the applications were not, or not entirely, successful. 5. It is unfortunate that it has not been possible to arrange a date earlier than today for me to delivery my decision on the application, this has in part been brought about by the busy diaries of four counsel and in part by the non-returns policy that the criminal bar was then operating. However, the significance of these cases to the defendants was such that it has been better in the circumstances to find a mutually convenient date than for me to adopt a swifter course. 6. I will need to say a little more about the particulars of the charges in due course but before doing so I remind myself of the test which is to be applied on an application to dismiss. About that there is no issue raised between the parties, the differences come on the application of that test to the current charges and evidence. Page 2

3 7. At this stage, of course, the evidence has not been scrutinised at a trial, but the test is the same as that to be applied on an application of no case to answer at the end of the prosecution case at a trial i.e. the test in Galbraith. Consequently, an application to dismiss will succeed if a jury properly directed could not on consideration of the prosecution s evidence as a whole properly convict the defendant. 8. The principal points of difference between the parties in this case relate to the proper construction of the Data Protection Act 1998 and so before turning to the facts I have to address the arguments that arose in respect of the elements of the offences. Elements of the Offence 9. Each indictment contains counts of breach of Section 55(1) of the DPA The relevant words read: 55 Unlawful obtaining etc. of personal data. (1) A person must not knowingly or recklessly, without the consent of the data controller (a) obtain or disclose personal data or the information contained in personal data; (3) A person who contravenes subsection (1) is guilty of an offence. 10. So the relevant elements of the offence that the prosecution must prove to the criminal standard in relation to obtaining are: 1. that the subject matter of the allegation is personal data; and Page 3

4 2. that the defendant obtained the personal data without the consent of the data controller; and 3. that at the time he obtained the personal data the defendant knew that, or was reckless as to whether: (a) he had obtained information which was personal data; and (b) he did not have the data controllers consent to obtain the personal data. 11. I shall address these as points 1 to There will be a slight variation for Count 3 against Roberts because there the allegation is of disclosure and not obtaining. Point 1: That the subject matter of the allegation is personal data 13. Data and Personal Data are each defined term under Section 1(1) of the 1998 Act. data means information which (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, (b) (c) is recorded with the intention that it should be processed by means of such equipment, is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, 14. I have omitted sub-paragraphs (d) because it is not suggested that any of the information which this case concerns any accessible record and I have omitted Page 4

5 subparagraph (e) because by Section 33A such data is excluded from any offence under Section 55. personal data means data which relate to a living individual who can be identified (a) (b) from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual; 15. There is an extended definition of personal data in Section 1(2) but that does not apply to Section 55(1). 16. So personal data must first fulfil the requirement of being data and then also fulfil the requirement of being personal data. Data 17. Data is information that is being processed 1 by a computer or which is recorded with the intention that it will be processed by a computer. Or alternatively (a) (b) (c) (d) 1 processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including organisation, adaptation or alteration of the information or data, retrieval, consultation or use of the information or data, disclosure of the information or data by transmission, dissemination or otherwise making available, or alignment, combination, blocking, erasure or destruction of the information or data; Page 5

6 information in paper filing systems is also data if it is recorded as, or with the intention that it will become, part of a relevant filing system. 18. That gives rise to the question of what a relevant filing system is. It is defined in the statute in Section 1(1) and the definition was discussed in Durant v Financial Services Authority [2004] FSR 28. It was decided in the Court of Appeal, without dissent, that a manual filing system would only meet the requirements of the Act in respect of a relevant filing system if the manual filing system: (a) related to individuals; (b) be a set or part of a set of information; (c) be structured by reference to individuals or criteria relating to individuals; and (d) be structured in a way that specific information relating to a particular individual is readily accessible. 19. At paragraph 45 of Auld LJ he stated it is not enough that a filing system leads a searcher to a file containing documents mentioning the data subject. To qualify under the Directive and the Act, it requires a file to which that search leads to be so structured and / or indexed as to enable easy location within it or any sub-files of specific information about the data subject that he has requested 20. At paragraphs 47 and 48 the Court of Appeal identified the need for the manual filing system to be of sufficient sophistication to be broadly equivalent to a computerised record keeping system. That requires a filing system so referenced or indexed that it enables the data controller s employee responsible to identify at the outset of his search with reasonable certainty Page 6

7 and speed the file or files in which specific data relating to the person requesting the information is located and locate the relevant information about him within the file or files, without having to make a manual search of them. 21. On this issue Durant therefore decided that a data controller did not have to respond to a request by a data subject about his / her personal data to the extent that data was or might be held in a manual filing system unless that filing system was of the level of sophistication that the Court of Appeal described. 22. So it is for the prosecution to prove that the data which is the subject of its allegations was data for the purpose of the Act. So proof is required of the source of the information about which the charge relates. It must be proved that the information in question was held on a computer system or, if it came from paper files, that the information was recorded in a relevant filing system. Alternately it may be proved that the information was recorded with the intention that it become part of such information. Personal Data 23. Next it is necessary for the prosecution to prove that the nature of the data is such that it was personal data. 24. The definition of personal data has been considered both in R v Durant and more recently in Efifiom Edem v ICO and the FSA [2014] EWCA Civ 92. Eden clarifies any uncertain that arose as a result of misinterpretation of certain statements that were made in the first issue that was decided in Durant. Eden confirms that it is not necessary for the individual to be the focus of a document or for the Page 7

8 information to be significantly biographical for data to be personal data. Those matters may be of some assistance in deciding the scope of disclosure that a data controller must provide if a request is made of him to inform a putative data subject of the personal data that the controller holds, but 17 and 20 of Edem make clear that it is the statutory definition that is to be applied and consequently a name is personal data unless it is so common that without further contextual data a person would not be identifiable. Further, the more contextual information is attached to a name, whether by way of telephone number, address or otherwise, the more likely it is that a living individual will be identifiable. Indeed the name is not necessary if other information allows a living individual to be identified from the data or other information held by, or likely to come into the possession of the data controller. 25. So the prosecution must prove both that the source of the information makes it data and that the nature of the information makes data personal data. Point 2: that the defendant obtained the personal data without the consent of the data controller. 26. This contains two elements: first that the personal data was obtained; and second that at the time it was obtained this was without the consent of the data controller. The prosecution has to prove both. The principal disputes in this case are as to the meaning of the word obtain and the nature and effect of consent particularly when it is conditional. 27. I address the issues between the parties in the section headed The Main Issues, below. Page 8

9 Point 3a: that at the time he obtained the personal data the defendant knew that, or was reckless as to whether (a) he had obtained information which was personal data; and 28. Data is information and not the media on which it is kept. Of course if you have the media you also have the information on that media, but ultimately the statute is concerned with information which is personal data. 29. If knowledge is relied on the prosecution must prove that the defendant knew he had obtained information that was personal data. 30. While the defendant need not have personal knowledge of the personal information, he must be shown to have known that he had information, that the information was from a system which makes it data and that it was of a nature that makes it personal data:. i.e. that he knew that it was information from which a living individual could be identified that was held on, or recorded to be put on, the data controllers computer system or in his equivalently sophisticated manual filing system. 31. Alternatively it must be shown that the defendant was reckless as to either of these matters. Point 4b: that at the time he obtained the personal data the defendant knew that, or was reckless as to whether (b) he did not have the data controllers consent to obtain the personal data. 32. The prosecution must prove that the defendant knew or was reckless as to whether he obtained the personal information without the consent of by the data controller. Page 9

10 The Main Issues Introduction 33. Can a data controller s consent be conditional? and, if so, what it the effect of that? 34. The obvious and practical answer to the first part of that question is yes. 35. One can imagine two short scenarios. 36. First: Employee, A, asks May I use the computer system to print of a list of names and addresses and other personal data, so that I can prepare the company marketing strategy? The Data controller replies Provided you do not take the list home, yes A, accepts the condition. A has consent and he obtains the personal data However, at the end of the week, and despite remembering the data controller s condition, he decides to take, and does take, the data home to work on it there Does A commit a criminal offence under section 55(1)(a)? 37. Second: Page 10

11 37.1. Would B, in a similar scenario, commit a criminal act if B had simply been given the list in the course of his duties but had been trained that company policy prohibited staff from taking such lists home? 38. The defendants say, no, A obtained the data with consent. The only two prohibited actions in Section 55(1)(a) are obtain and disclose. Neither of these actions have occurred without consent. B never obtained personal data at all he was given it without any effort or purpose on his part; and B has not disclosed the data. 39. The prosecution say, yes to both scenarios. 40. The prosecution say that Section 55(1)(a) must be construed widely so as to achieve the purpose of the DPA. The steps in the prosecution s arguments are as follows: (1) The DPA was designed to protect individuals rights to privacy by protecting their personal data. (2) Parliament cannot have intended A s or B s conduct to be unregulated while they were holding personal data. (3) Parliament must be presumed to have intended the ICO to use the criminal sanction in Section 55(1) and 60(2) to regulate A s and B s behaviour because otherwise they could do whatever they liked with the data for as long as they wanted, short of selling it or disclosing it. Furthermore, without such a sanction Page 11

12 the data controller s conditions would be meaningless and unenforceable, Parliament cannot have intended that. 41. I do accept that a data controller may make their consent conditional, but for reasons that I will explain below I reject the prosecution s position that A or B committed an offence under section 55(1)(a). By accepting the condition or agreeing to work subject to a policy neither A or B are opting into potential criminal sanction for breach of their employer s conditions. Quite the contrary, A is protected from criminal sanction when using his employer s system to obtain personal data. Parliament does not seek to impose criminal sanction on either A or B unless they later breach Section 55(1)(a) by disclosure or breach some other penal section of the 1998 Act or some other penal statute. Neither A s nor B s holding of personal data is unregulated, in fact by accepting the data controller s conditions or working subject to company policy, they will be exposing themselves to the risk of sanction under their employer s disciplinary code. Given the responsibility that a data controller has for ensuring that the data protection principles are observed in respect of the personal data that he is responsible for, employers can be expected to enforce them. 42. I propose to proceed by reviewing the background to the 1998 Act. That involves looking briefly at the 1984 Act and EU Directive 95/46. I shall then look at certain features of the 1998 Act and then address each of the following two questions in turn. I accept that because the prosecution advances arguments based on legislative purpose, the questions are not so easy as that to separate but this the structure I have chosen. Page 12

13 (a) If personal data is received or obtained with the consent of the data controller, albeit upon terms, can the offence of obtaining in Section 55(1) be committed later if personal data is retained knowingly or recklessly in breach of the conditions imposed by the data controller and therefore without the consent of the data controller. (b) Does the word obtain as used in Section 55(1) include any coming into possession of personal data or is it restricted to procuring, getting or acquiring as a result of purpose or effort. Background to the Data Protection Act 1998 Data Protection Act The Data Protection Act 1984 was repealed and replaced with the 1998 Act. 44. The 1984 Act had created a number of criminal offences. For current purposes it is only Section 5 which bears reference. As originally enacted the 1984 Act created several criminal offences in sub-sections 5(1) to 5(5). Further offences were added through sub-sections 5(6) to 5(11), by amendment through section 161(1) of the Criminal Justice and Public Order Act Section 5 of the 1984 Act provided criminal offences, from the outset, for servants or agents of registered data users if they knowingly or recklessly contravened the terms of the data users registration by: using personal data for an un-described purpose; disclosing personal data to unnamed or un-described person; transferring personal data to an un-named country or territory; or Page 13

14 obtaining personal data from an un-described source of data. (ss.2, 3 and 5) 46. In passing I note that similar criminal liability was imposed on a data user (i.e. a registered holder of data under the 1984 Act) and there was a further offence for data users of holding personal data other than for a registered purpose. The offences applicable to servants or agents of data users did not include holding such data, but that may be because the scheme of the 1984 Act was that only a registered data user holds data, as define in Section 1(5). 47. The meaning of use under the 1984 Act was the subject of R v Brown 2, a case which ultimately reached the House of Lords in 1996, shortly before the 1998 Act was drafted. It is inconceivable that in drafting the 1998 Act, the draftsman did not at least consider their Lordships opinions in that case if only to seek to avoid similar issues arising under the 1998 Act. 48. The decision in R v Brown was that use in Section 5(2)(b) required a defendant to put personal data to practical use. It was not enough for a defendant to have processed the data (and thereby used it ) while it was stored inside a computer in order to retrieve personal data in a form readable to a human on a computer screen or a print out. It was held that the focus of the criminal offence was not on retrieval but on the point that practical use was made of personal data. EU Directive 95/46 2 [1996] A.C. 543 Page 14

15 49. The Data Protection Act 1998 ( the Act ) repealed the 1984 Act. The 1998 Act implemented, in UK domestic law, EU Directive 95/46 on the protection of individuals with regard to processing of personal data and on the free movement of such data. 50. Detailed provisions were made in Articles 2 and 3 to define personal data and the processing of personal data and to define the scope of the directive. Article 16 provided that any person acting under the authority of a data controller and who had access to personal data was not to process the data except on instruction from the data controller. 51. By Article 24, member states were required to adopt suitable measures to ensure full implementation of the directive and were required to lay down the sanctions to be imposed in the case of infringement of the provisions adopted pursuant to the directive. 52. It was entirely a matter of Parliament to decide the extent, if at all, that it was desirable within the implementing legislation to include sanctions that were of a criminal nature. 53. The 1998 Act must be construed on the basis that parliament intended to implement the Directive 3, albeit that it must also be recognised that the Directive itself gave Parliament some discretion as to how the Directive was to be implemented and enforced. 3 Paragraphs 3 & 4 of R v Durant Page 15

16 The 1998 Act 54. The 1998 Act states that it is an Act: to make provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. 55. The structure of much of the 1998 Act revolves around data controllers. Data Controller, is a defined term in Section 1(1) of the 1998 Act, generally meaning a person who determine(s) the purposes for which, and the manner in which, any personal data are, or are to be, processed. 56. Data Personal Data and Processing are each defined term under the 1998 Act. 57. I have already set out the definitions of Data and Personal Data. The definition of processing is as follows: processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including (a) (b) (c) (d) organisation, adaptation or alteration of the information or data, retrieval, consultation or use of the information or data, disclosure of the information or data by transmission, dissemination or otherwise making available, or alignment, combination, blocking, erasure or destruction of the information or data; 58. These definitions are closely modelled on those in Article 2 of the Directive. Each of the elements of processing from the Directive is adopted in the 1998 Act save that operating on the data by way of collection in the Directive has been Page 16

17 included by Parliament in obtaining in the 1998 Act and operating on the data by way of storage appears to have been included in holding in the 1998 Act. 59. Under the Act, several potential criminal offences can be committed by data controllers. These include: processing personal data when not registered as a data controller; failing to comply with notification requirements in respect of the register; offences concerning premature processing of accessible personal data; and failing in certain circumstances to make processed information available after a request. 60. The 1998 Act also set out by incorporation of certain schedules by Section 4, eight data protection principles with which data controllers are required to comply. It also, contains provisions for enforcement notices to be issued in the event that the Information Commissioner believes that data has been, or is being, processed in breach of the data protection principles. 61. Failure to comply with such an enforcement notice is a criminal offence, by section 47, as is failure to comply with an information notice issued pursuant to Section 43 or a special information notice issued pursuant to Section The criminal offence is committed in each case by failing to comply with the notice and not immediately on breach of the data protection principles. 63. An immediate sanction was introduced by amendment through the Criminal Justice and Immigration Act The Information Commissioner was granted powers, by Section 55A to 55E, to issue a monetary penalties notice on a data Page 17

18 controller if there was a serious contravention of the data protection principles which was likely to cause substantial damage or substantial distress and which was either deliberate or such that the data controller knew or ought to have known that substantial hard or substantial distress would be likely to be caused. Such penalty notices are enforceable via a civil action in the County Court or High Court and are not criminal fines. Section Section 55 of the Act provides for further criminal offences. These can be committed by any person. I have already set out the relevant parts of section 55(1). Section 55(2) provides a number of reverse burden defences that may be advanced by a defendant who would otherwise be guilty of an offence under Section 55(1). 65. Since this case concerns allegations that personal data was obtained by each defendant it is right to record that by Section 1(2) the 1998 Act provides an expanded definition of obtaining in relation to personal data. That sub-section states that obtaining personal data includes obtaining information to be contained in the personal data. But by Section 55(7) this expanded definition does not apply to Section 55. It seems therefore that obtaining in Section 55(1) does not include collecting new source information but obtaining personal data from the data controller s existing data which is either already on the controller s computer system or in a relevant filing system or already recorded with that intention. Page 18

19 66. If there is any purpose to be served in comparing this to the 1984 Act it would be to section 5(2), (3) and (5). As I pointed out above, so far as an employee of a registered data user under the 1984 Act was concerned an employee under the previous Act could have committed a criminal offence by using, disclosing, or transferring personal data held by his / her employer, and use meant put to practical use as per the decision in R v Brown. 67. The verbs in Section 55(1)(a) are obtain or disclose. The effect of the redrafting and the coming into force of the 1998 Act was to move the earliest potential point of criminality, as interpreted in R v Brown, back in time from the moment when personal data retrieved from a computer system was put to practical use to the point when such information was obtained, perhaps by being read on a screen or obtained on a paper print-out or perhaps obtained on some other media such as on a memory stick. 68. So I come to the parties cases on the proper interpretation of Section 55(1)(a) and the two issues I outlined earlier. Obtain / Retain 69. First, if personal data is received or obtained with the consent of the data controller, albeit upon terms, can the offence of obtaining in Section 55(1) be committed later if personal data is retained knowingly or recklessly in breach of the conditions imposed by the data controller and therefore without the consent of the data controller? Page 19

20 70. This issue can neatly be summed up as whether obtain can also mean retain or hold. 71. The defendants argue that the offence in relation to obtains can only be committed at the point when personal information is first acquired (and only then if acquired as a result of effort or purpose). The word used in the statute is obtain and obtain cannot, so it is said, also mean retain, neither can you obtain something that you already have. If no offence was committed when the personal data was first acquired then, according to the defendants, that is an end of the case because (save in one count against Roberts) no disclosure of information is alleged to have taken place. 72. Essentially, the following points are made by the Defence: (a) As a point of statutory construction, the word obtain should be given its natural and ordinary meaning, and to stretch the meaning of the verb to obtain so that it included to retain, would breach this principle. (b) The use of language elsewhere in the statute shows that the draftsman did not intend to include holding personal data within the offences created by Section 55(1)(a). (c) Even if it was considered that there was any ambiguity in the drafting of Section 55 that ambiguity ought to be resolved in favour of the defendants because to resolve the point in the prosecutions favour would offend against the principle of doubtful penalisation. Page 20

21 (d) In other statutes and in cases considering other statutes the verbs to obtain and to retain have been distinguished from each other both by the legislature and the by the courts save where the word obtain has expressly been given a wider meaning for a particular purpose. 73. The prosecution submit that I should take a more purposive approach to construction of Section 55(1). In summary the prosecution argument is that the meaning of the verb to obtain is to be interpreted as wide enough to cover the period after personal data is first acquired if it is later being held knowingly or recklessly without consent. The prosecution says that the purpose of the Act would be frustrated if Section 55(1)(a) did not apply because there would be no sanction available unless personal data was later disclosed or sold, and yet a data subject for whose benefit the legislation was enacted (or the public at large) might, depending the fact, be at risk of damage or injury because personal data was not properly secured. The Prosecution say that the defendants interpretation would allow employees, who first come into possession of personal data with consent or their employers, to keep that information as long as they wish, to keep it in whatever conditions that they wish and to do whatever they wished with the personal data, short of selling it, offering it for sale or disclosing it. Each of those possibilities, it is said, would run counter to the overall scheme and purpose of the 1998 Act. 74. Further, the Prosecution say that the data controller s consent to giving access to personal data may be, and may be known by its staff to be, conditional upon how the data is kept, or upon condition that the media on which the information is Page 21

22 stored is return on demand or after use. It is submitted that in such circumstances the offence, to knowingly or recklessly without the consent of the data controller obtain personal data, would be committed, even if personal data had been acquired earlier, at any point in time when possession coincided with breach of a condition imposed by the data controller as to how the media on which the information was kept was to be handled, coupled with knowledge of, or recklessness as to, that breach. Again, it is said that the defendant s construction would fly in the face of the Act because data controllers would lose all control over the data that they are responsible for. 75. Consequently, the prosecution say that obtain in Section 55(1)(a) can be and should be construed widely. 76. The starting point for all statutory construction is the natural and ordinary meaning of the words that Parliament has used. In Section 55(1) the word in focus is on obtain. Verbs such as hold, possess retain and use all of which might occur after first acquiring personal data and before disclosing it are not found in Section 55(1) at all. 77. I accept the defendants submission that obtain bears a natural and ordinary meaning that speaks of the point of initial acquiring or getting and not of keeping. In ordinary language, someone obtains something at the time it comes into their possession. Page 22

23 78. I also accept that as a matter of ordinary language someone who receives an object and later decides to keep it is not at that point obtaining it. 79. As a matter of ordinary language obtaining occurs at the point of possession after that an object is kept, held or retained. 80. The defendants refer me to the definition in the Shorter Oxford English Dictionary. The first meaning given, come into possession of, is consistent with modern usage. However, I note that there is a fifth meaning given to the word obtain, i.e. hold; possess; occupy albeit that this meaning is marked as being obsolete. 81. The defendants position is reinforced by the defendant s reference to Jenning v CPS (Practice Note) [2005] EWCA Civ 746 in which the word obtain was considered in the context of gaining a benefit from obtaining property (Criminal Justice Act 1988 Section 71(4)). In that context it was held that the statute deemed there to be a benefit when property was obtained and that retention of the property was unnecessary. In that context it was said that obtain did not mean retain or keep. It is equally of note that, as the defendant has submitted, the Bribery Act 2010 in section 6(2), used both the words obtain and retain in the same sub-section, indicating the draftsman considered that they had different meanings. 82. These are all powerful points in the defendant s favour, but since the meaning of language can depend on the context in which it is used, the use of words in other Page 23

24 contexts cannot be determinative. The process of interpreting a statute does not permit each word to be considered in splendid isolation, words have to be considered in their immediate context and in the context of the whole statute and the statutory purpose. So it is to that task that I turn next. 83. Staying with language, the verb to hold is used in the preamble where the Act describes itself as: An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. 84. The prosecution say that parliamentary intention as evidenced by the preamble was to regulate from the point of personal data being first obtained right through to any eventual disclosure. 85. But in support of the defendant s position it can be said that it appears that even in the preamble a distinction was being made between obtaining and holding. The defendants say that it should be presumed that the draftsman should be presumed to use words consistently in the statute and therefore that in Section 55(1)(a) where obtain is included in the text but hold is not this should be regarded as deliberately narrow. 86. Holding was not selected for Section 55(1), neither was using and neither was the wide concept of processing, all of which appear in the preamble. Processing would have provided the widest possible scope for the imposition Page 24

25 of criminal sanctions on those who step outside the terms of a data controller s consent. 87. The definition of processing is the only other occasion that holding is used in the statute in context of holding data. The definition reads: processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including. 88. Again obtaining and holding are used, supporting the defendant s position that when only obtain is used in section 55(1) it would be wrong to expand the meaning of obtain in Section 55(1) to include holding of personal data too. 89. I don t disagree in general terms with the prosecution submission that Parliament intended in the 1998 Act to regulate from the point of data being first obtained right through to any eventual disclosure. 90. Such regulation would be consistent with Article 16 of the Directive, and with Article 24 of the Directive. But after considering the terms of the Directive and the Act it is a submission that I have decided is inadequate to support the contention that Section 55(1)(a) must be interpreted as imposing a criminal offences in respect of holding, or any other form of processing, at any point after first acquisition of personal data and any ultimate disclosure, if there is knowing or reckless disregard for the data controller s consent. Page 25

26 91. I do not believe that it can be said that unless the prosecution s argument is accepted parliamentary intention in respect of holding and use would not be given effect. Section 55 is but one part of a very detailed set of regulations in the 1998 Act. There are many sections in the 1998 Act which do provide a regulatory framework in respect of processing of personal data by holding and use, as well as by obtaining and disclosing. It is not necessary for every provision of every section of the Act to be construed in a manner that fulfils every part of the general intention of parliament as expressed in the preamble to the Act. 92. So what of the points made by the Prosecution? Can it be right that Section 55(1)(a) should be interpreted in a way which would not impose any criminal sanction if, despite a data controller for good reason imposing strict criteria on its employees as to how, where and for how long, personal data should be stored, members of staff knowingly or recklessly breach those conditions? 93. Is it not necessary to adopt a purposive, even if strained, construction of the wording of Section 55(1)(a) if the lacuna identified by the Prosecution are to be filled? 94. The points made by the prosecution are certainly sufficient to have caused me to pause for thought. 95. Ultimately, I have reached the conclusion that the prosecution is asking me to go far beyond what would be legitimate as a matter statutory interpretation. There are a number of reasons for this. Page 26

27 96. First, I am far from convinced that parliamentary intention was to impose criminal sanction on an employee who obtains personal data legitimately does not disclose it but who at some point in time knowingly or recklessly breaches his employers instructions by while holding personal data perhaps by failing to exercise appropriate security or by keeping a document for too long. 97. The best guide to parliamentary intention is the statute itself and as already discussed Section 55(1)(a) the language does not support the prosecution case. The effect of the prosecution s submissions is not really to select a wide interpretation it is to rewrite the section by adding an offence of knowingly or recklessly breaching in any way any terms upon which the data controller has consented to data being processed. I do not believe that this is Parliament s intention. 98. Despite use of data having been the subject of consideration in the House of Lords in R v Brown, Parliament chose not to retain that word or to insert any words in Section 55(1)(a) that would impose criminal sanction on holding or using information short of disclosing it. 99. Second, under the Act breach of the data protection principles does not automatically result in criminal sanction. A data controller cannot be prosecuted for that unless an enforcement notice has first been served on him. Only after service of such an enforcement notice and only if there is a failure to comply with an enforcement notice can a prosecution be brought under Section 47(1). Page 27

28 100. Even deliberate breach of the data protection principles by a data controller does not permit immediate criminal prosecution. Subject to the detailed provision of Ss 55A to E, a data controller would be liable to a civil monetary penalty but not, before failing to comply with an enforcement notice, to criminal prosecution for processing personal data in breach of the data protection principles Furthermore, he can only be subjected to a civil monetary penalty if his contravention was of a kind that was likely to cause substantial damage or substantial distress (S55A(1)) If a data controller is not subject to immediate criminal sanction even for deliberate breach of the data protection principles, and if a data controller would not even be subject to civil monetary penalty unless substantial damage or substantial distress was likely to result from breach, can it really be said that a data controller s employee is intended by Parliament to be liable for immediate criminal prosecution if, having received personal information from his employer with consent, but on a condition that the employee observed the data protection principles, the emploee later knowingly breached one of the principles even though he has not disclosed any personal data. In my opinion the answer is no, or at least no on the basis of the drafting of section 55(1)(a) Next, the principle against doubtful penalisation, to which the defendants refer. This is not an absolute rule and may frequently be outweighed by other factors but it remains a cannon of construction that has to be given due weight when Page 28

29 considering whether parliamentary intention to impose criminality despite this requiring a strained construction Finally, it cannot be said that an employee of a data controller or even an exemployee is free to do as he pleases with data disclosed to him under conditions. A data controller has a duty to comply with the data protection principles, and Article 6(2) of the Directive states that it shall be for the controller to ensure that the principles in Article 6(1) from which the data protection principles derive are complied with. The seventh principle requires data controllers to have in place appropriate technical and organisational measures against unauthorised and unlawful processing of personal data. Schedule 1 Part II paragraphs 9 to 12 appear to be designed to ensure that the data controller is in a position to impose appropriate control over third party data processors as well as employees. Sanctions need not be criminal and an employee who holds data longer than his employer consent to or in condition that his employer does not agree to will expose himself to disciplinary action by his employer; he may under a suitably drafted contract even after termination of his employment be subject to civil law remedied; he may be liable, depending on the facts to prosecution for other offences; and he could be prosecuted under Section 55 if he ever disclosed the personal data or offered it for sale or sold it or attempted to do so I therefore conclude that despite the perceived lacuna that the prosecution point to, the language of the sub-section read in the context of the statute as a whole cannot fairly be read as being sufficiently flexible to permit prosecutions to be brought under Section 55(1)(a) where no offence was committed at the time that Page 29

30 personal data was first acquired and where there was been no disclosure of personal information. Purpose or Effort 106. Second, does the word obtain as used in Section 55(1) include any coming into possession of personal data or is it restricted to procuring, getting or acquiring as a result of purpose or effort I highlight the differences between the parties on this issue by referring to R v Fisher [1963] 1 All ER 744 and AG s Reference No. 1 of Both are decisions that concern different statutory provisions it may not be surprising therefore that they reach different conclusions In Fisher the Court of Appeal considered the question of the meaning of obtain in the context of obtaining credit in the Debtors Act 1869 and the Bankruptcy Act Winn J giving the judgment of the court said at page 746: Obtaining a thing means that one person A has secured from another B, normally by some active process, what A did not already possess, e.g., by purchase, exchange, force or deceit. For present purposes, it suffices to note that the word is not synonymous with accepting or receiving; for this reason, none of the various criminal offences of obtaining by fraud would be established by mere proof of a payment of money or transfer of goods to a fraudulent person in the absence of further proof that such payment or transfer was induced by, and so obtained by a fraudulent pretence or other fraud Although Fisher went on to the House of Lords it did so on a narrow point and the issue of whether an active process was required was not addressed. Page 30

31 110. Fisher was considered and distinguished in AG Reference No.1 of 1988 both in the Court of Appeal [1989] 1 All ER 321 to which I was referred and in the House of Lords [1989] 2 All ER 1 which affirmed the decision of the Court of Appeal In the AG s Reference, the issue was whether someone could be guilty of secondary insider trading when the information that they used when dealing had been received without any effort on their part The Court of Appeal found no help the dictionary definitions of obtain which it found to be expressed in sufficiently varied terms to cover both the narrow and the wide interpretation placed on the word by the parties. The definition in the Shorter Oxford English Dictionary 4 is: 'To procure or gain, as the result of purpose and effort; hence, generally, to acquire, get.' Black's Law Dictionary (5th edn, 1979) is not dissimilar: 'to get hold of by effort; to get possession of; to procure; to acquire, in any way.' Thus the word is capable of supporting the contention of either party: that of the Attorney General, who argues that it means to 'acquire in any way', and that of the respondent that it means to 'procure as the result of purpose or effort' Consequently the meaning had to be determined by reference to the statutory context In the case of insider trading the vice that parliament sought to regulate was the trading of securities while being in possession of the relevant information. It was considered that the unsoliciting tipee ought to be in no more favourable 4 I note that in the copy of the Shorter Oxford English Dictionary supplied to me by counsel for Adair the first dictionary definition is expressed slightly differently: to gain, come into possession or enjoyment of; secure or gain as the result of request or effort; acquire, get. However, the definition contains both parties contentions and leaves open leaves open the question of whether for Section 55(1) effort or purpose is required. Page 31

32 position than someone who sought out the same information. The vice was not in the method of receipt but in the use of the information by trading In relation to insider trading therefore the Court of Appeal decided, and the House of Lord s affirmed, that the general or wider meaning of acquire or get was to be preferred over the narrow meaning which involved some effort on the part of the acquirer. Both the Court of Appeal and the House of Lords did so because they felt that this was the meaning that Parliament must have intended despite the fact that it could be argued that there was ambiguity of language that ought to be resolved, when construing a penal statute, in favour of the defendant It is therefore necessary in this case to consider the statute and whether there is any basis, as there was in AG Ref 1 of 1988 to identify that the intention of parliament must have been that the wider, or so called secondary, meaning of obtain should prevail In Section 55(1)(a) the actus reus is obtaining personal data in circumstances where the defendant does not have the consent of the data controller to do so The preambles to the Directive make clear that its purposes included balancing an individual s right to privacy against the economic and social progress to which data-processing systems contribute by making processing and exchange of personal data easy. The easy access to stored personal data is, in effect, a privilege the data controller is given to achieve his or her declared and Page 32

33 registered purposes but at the cost of being subject to the regulation of the statute In my view the vice that the Directive, and in turn Parliament, has addressed is abusing the easy access to stored personal data (data that the controller possesses for his or her declared and registered purposes and subject to the regulation of the statute) by taking steps to acquire and by successfully acquiring some of that personal data without the data controllers consent The single act necessary for the imposition of criminal sanctions in Section 55(1) can be contrasted with the position that arose in respect of secondary insider trading in AG Ref 1, There the vice aimed at was unfair trading of securities it did not matter whether the inside information had been acquired purposively or had simply been handed to the trader. Furthermore, the trader did not need protection from inadvertent criminality because he would avoid criminality altogether if he took the proper course of not trading when in possession of inside information Under the 1998 Act, adopting the same wide interpretation of obtain would leave an individual at risk of inadvertent criminality (or perhaps which would be equally unacceptable without clear words from parliament to the contrary - of having to prove his innocence by relying on a defence in Section 55(2)) if, without any effort or purpose on his part, he was given information that was and was known to be, or to contain, personal data. Page 33

34 122. This is reinforced by the fact that while much information comes on some form of media, one might be given information without the receipt of any physical media by being told it, and such information may be heard in an instant but not deliberately forgotten. Within a sentence A could inform his work colleague, B, of personal data that A had legitimate access to as part of A s role processing personal data for his employer. B at the time of hearing the information knows that it is personal data and that he does not have consent to obtain it. A might or might not be guilty of disclosing the information but what of B, but more to the point, did parliament intend to make B a criminal in such circumstances? I do not think so The prosecution say that in such circumstances B would not have criminal liability because he would not have obtained the personal data until he decided to keep it. If that is an answer to the point it appears to contain an admission that purpose is a necessary ingredient of obtaining information The prosecution case would then become that obtain in Section 55(1)(a) may be satisfied if a defendant who was given information, later resolves to keep it. I have already rejected that construction I recognise of course that the narrow construction may mean that there are fine distinctions for juries to make on the basis of their experience of life as to what is or is not sufficient purpose or effort to satisfy the narrow meaning of the word obtain, and I recognise that avoiding such difficulties was regarded as an advantage of the wide construction in the Court of Appeal s decision in AG Ref. 1, Page 34