Can information obtained using the exemptions afforded by Section 29 1 of the Data Protection Act 1998 be relied upon in any subsequent civil action?

Similar documents
Information exempt from the subject access right (section 40(4) and

Anti-Fraud, Bribery and Corruption Response Policy. Telford and Wrekin Clinical Commissioning Group

REPORTING COMPANY LAW OFFENCES. Information for auditors

ICO v Adair, Roberts and Evans. Decision on the defendants applications to dismiss

EU (Withdrawal) Bill- Committee stage

PART 2: THE EUROPEAN CONVENTION ON HUMAN RIGHTS. The Human Rights Act 1998 and the Criminal Justice System

Memorandum of Understanding. between. The Legal Aid Agency (LAA) and. Solicitors Regulation Authority (SRA)

Law Enforcement processing (Part 3 of the DPA 2018)

Regulatory Activity (Section 31)

Financial Guidance and Claims Bill [HL]

Anti-Fraud, Bribery and Corruption Policy and Response Plan

The course of justice and inquiries exception (regulation 12(5)(b))

ARTICLE 29 Data Protection Working Party

Guidance on Conducting Litigation

The City of London Law Society Competition Law Committee

Data Protection Act 1998

The Campaign for Freedom of Information

THE RIGHTS OF PEOPLE WHO HAVE BEEN ARRESTED

Consolidated Practice Committee Rules

Sierra Leone. Comments on the Right to Access Information Bill. April 2010

CONSOLIDATED PRACTICE COMMITTEE RULES

The Introduction of a Plea Negotiation Framework for Fraud Cases in England and Wales

Decision 177/2010 Ms Matilda Gifford and the Chief Constable of Strathclyde Police

EXEMPTION NOTE. Prejudice and Likelihood

PROTECTION OF CHILDREN AND PREVENTION OF SEXUAL OFFENCES (SCOTLAND) ACT 2005

Department of the Premier and Cabinet Circular. PC032 Lobbyist Code of Conduct. October 2009

Decision 156/2011 Mr Ralph Lucas and the University of Glasgow

Introduction. The highly anticipated text of the Irish Data Protection Bill 2018 has been published.

Data Protection Bill: Summary of government amendments for Lords Committee tabled on 20 October 2017

Data Protection Bill [HL]

PART 2 REGULATED ACTIVITIES Chapter I Regulated Activities 3. Regulated activities. Chapter II The General Prohibition 4. The general prohibition.

Counter-Terrorism Bill

Public Authority (Accountability) Bill

Data protection. Guide to the Law Enforcement Provisions

Data Protection Bill, House of Lords second reading Information Commissioner s briefing

LIMITATION OF LIABILITY BY ACCOUNTANTS

Consultation on the General Data Protection Regulation: CAP s evaluation of responses

SUPREME COURT OF QUEENSLAND

DATA SHARING AND PROCESSING

Freedom of Information

DISCLOSURE POLICY. 3.1 The Board of the Commission approved this policy on 19 December 2014.

Access to Personal Information Procedure

Safeguarding your drinking water quality

BERMUDA BRIBERY ACT : 47

Freedom of Information and Members correspondence with Public Authorities

STOCK EXCHANGE ACT 1988 Act 38 of August 1989 ARRANGEMENT OF SECTIONS

Making a protected disclosure blowing the whistle

FREEDOM OF INFORMATION ACT REQUEST THE ATTORNEY GENERAL S LEGAL ADVICE ON THE IRAQ MILITARY INTERVENTION ADVICE

Protection of Freedoms Act 2012

Legal Truth where the duties to the Court and the Client Collide Professor Alan Paterson OBE

Freedom of Information (Amendment) Bill

How we use Personal Information

Police Station Advice Advising on Silence

CHARITIES AND TRUSTEE INVESTMENT (SCOTLAND) ACT 2005 EXPLANATORY NOTES

Information Notice I/2016/1

Data protection and journalism: a guide for the media

FREEDOM OF INFORMATION ACT 2000 SUMMARY GUIDANCE

Freedom of Information Act Policy

Guidance on the RIBA Code of Practice for Chartered Practices - complaint procedures.

SCHEDULE Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Data Protection Policy

Criminal Finances Bill

Data Protection Bill, House of Commons Second Reading Information Commissioner s briefing

How we use Personal Information

The House of Lords looked at the perception of bias and whether such presence breached a defendant's right to fair trial.

Merrydale Infant School Freedom of Information Act

Guidance for Disciplinary Committee hearings

HGV Road User Levy Bill

Anti-Bribery and Corruption Policy

Reforming Scots Criminal Law and Practice: Reform of Sheriff and Jury Procedure. Response to consultation. March 2013

xmlns:atom=" xmlns:atom=" Fraud Act CHAPTER 35

Decision 070/2005 Ms R and the Scottish Tourist Board (operating as VisitScotland)

Dangerous Dogs Act 1991

C-451 Workplace Psychological Harassment Prevention Act

Investigatory Powers Bill

PROCEDURE (Essex) / Linked SOP (Kent) Data Protection. Number: W 1011 Date Published: 24 November 2016

EHRiC/S5/18/ACR/26 EQUALITIES AND HUMAN RIGHTS COMMITTEE AGE OF CRIMINAL RESPONSIBILITY (SCOTLAND) BILL SUBMISSION FROM THE LAW SOCIETY OF SCOTLAND

2014 Bill 12. Second Session, 28th Legislature, 63 Elizabeth II THE LEGISLATIVE ASSEMBLY OF ALBERTA BILL 12 STATUTES AMENDMENT ACT, 2014

REFLECTIONS ON SIR TERENCE ETHERTON S PILGRIM FATHERS LECTURE: THE CONFLICTS OF LEGAL PLURALISM: SECULAR LAW AND RELIGIOUS FAITH IN THE UNITED KINGDOM

CHAPTER 11:07 REHABILITATION OF OFFENDERS ACT ARRANGEMENT OF SECTIONS

SOCIAL CARE WALES (INVESTIGATION) RULES 2017 INTERNAL VERSION

Domestic Violence, Crime and Victims Bill [HL]

Freedom of Information Act 2000 (Section 50) Decision Notice

SUBJECT ACCESS REQUEST

Modern Slavery Bill EXPLANATORY NOTES. Explanatory notes to the Bill, prepared by the Home Office, are published separately as Bill 8-EN.

Financial Guidance and Claims Bill [HL]

Identity Cards Bill EXPLANATORY NOTES. Explanatory notes to the Bill, prepared by the Home Office, are published separately as Bill 9 EN.

Decision 100/2013 Mr Alistair Sloan and the Scottish Ministers. Refusal to confirm or deny whether information is held

Decision 192/2006 Mr David Sharpe and the Chief Constable of Strathclyde Police

Report of a Complaint Handling Review in relation to Police Scotland

The learner can: 1.1 Explain the requirements of a lawful arrest.

Decision 106/2012 Dr Nick McKerrell and Glasgow Caledonian University

Irish Government Publishes Data Protection Bill 2018

B I L L. No. 30 An Act to amend The Freedom of Information and Protection of Privacy Act

Forensic Science Regulator Bill

Public Defender Service. Code of Conduct

REGULATION OF INVESTIGATORY POWERS BILL SECOND READING BRIEFING

Nursing and Midwifery Council:

Counter-fraud and anti-bribery policy

JUDGMENT. Assets Recovery Agency (Ex-parte) (Jamaica)

Transcription:

THE QUESTION Can information obtained using the exemptions afforded by Section 29 1 of the Data Protection Act 1998 be relied upon in any subsequent civil action? This discussion specifically addresses insurance fraud, but clearly has implications for any crime that is investigated, where there may be further recourse to the civil courts. This is a concern indentified by a study commissioned by the Fraud Advisory Panel (FAP) in 2006 titled Perceptions on the impact of data protection legislation on the successful private sector investigation of Fraud 2. It has also been a subject of discussion amongst investigators in the private sector since first raised by Lord Norton and the Viscount Chelmsford, who represented the Institute of Loss Adjusters and the Association of British Investigators as the Data Protection Bill progressed through the House of Lords in 1998. It is important the reader is aware that: a) A number of private companies conduct their own investigations to gather evidence for a private prosecution despite its questionable value 3 ; b) In some instances the Police will not consider getting involved until some evidence is provided that a crime has taken place, therefore a private 1 Section 29 gives an exemption to the processing of personal data for the following purposes: a) The prevention or detection of crime; b) The apprehension or prosecution of offenders( ) Such personal data are exempt from: a. The First Data Protection Principle (except Schedules 2 & 3); b. The subject access provisions in Section 7. A Practical Guide to UK & EU Law. Peter Carey (page 156) 2 This is a study conducted on behalf of FAP by Perpetuity research & Consultancy International (PRCI) Ltd in March, 2006. The authors are Professor Martin Gill, Douglas S Smith MSc MIRM, Martin Hemming MSc LLB. 3 A crime is an offence against the good order of the state. It is for the state by its appropriate agencies to investigate alleged crimes and decide whether offenders should be prosecuted. In times past, with no public prosecution service and ill-organised means of enforcing the law, the prosecution of offenders necessarily depended on the involvement of private individuals, but that is no longer so. The surviving right of a private prosecution is of questionable value and can be exercised in a way damaging to the public interest. Lord Bingham Jones -v- Whalley (2006) UKHL 41 1

individual/organisation may need to investigate an incident in order to obtain that evidence. The following scenario is used to illustrate some of the situations the investigator may be faced with. An insurance claim is made which the insurance company suspects may be fraudulent. They decide to investigate it either themselves, or through the services of a loss adjuster or private investigator. For the sake of this discussion it is assumed that: A privacy impact assessment 4 has been conducted; The loss adjuster/private investigator has been instructed in accordance with the Data Protection Act 1998 5 If they have not could that add weight to any argument in favour of the evidence gathered being deemed inadmissible? The investigation is conducted and reliance is made on the exemptions afforded by a Section 29 request. Information obtained includes bank details, a log of telephone calls and other information provided by Data Controllers in response to this request. As a result of the investigation the matter is handed over to the Police. Scenario 1 The case is prosecuted and the defendant is found not guilty 4 Privacy Impact Assessment, published by the Information Commissioner s Office. www.ico.gov.uk 5 Data Protection Act 1998 Part II Paras 11 & 12: 11. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle a. Choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and b. Take reasonable steps to ensure compliance with those measures. 12. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless a. The processing is carried out under a contract i. Which is made or evidenced in writing, and ii. Under which the data processor is to act only on instructions from the data controller, and b. The contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh priniciple. 2

Scenario 2 The Police discuss the matter with the Crown Prosecution Service and it is decided that they will not prosecute. Scenario 3 For whatever reason, the insurance company decides not to report the matter to the Police, or proceed by way of a private prosecution. The insured proceeds with a claim against the insurance company who refuses to pay it. The insured sues. Although the evidence gathered using the Section 29 exemptions did not satisfy the criminal burden of proof beyond all reasonable doubt. The insurance company feels confident that it would satisfy the civil requirement of in all probability. This now poses the question, the subject of this discussion: can the insurance company use the evidence obtained under Section 29 to rebut the insured s claim? This question was posed to the Data Protection Chat Group 6 resulting in a conflict of views; some feeling it could be used and others insistent that the information would have to be requested again using Section 35 7. The members of this chat group are practicing data protection officers. Their disagreement is perhaps further indication of the complexity of the Data protection Laws 8. Rosemary Jay, a partner with Pinsent Masons Solicitors and formerly a solicitor in the Information Commissioner s Office, has this to say on the subject: 6 www.jiscmail.ac.uk/lists/data-protection.html 7 Section 35 Data Protection Act 1998: 1. Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court. 2. Personal data are exempt from the non-disclosure provisions where the disclosure is necessary - i. For the purpose of, or in connection with any legal proceedings (including prospective legal proceedings), or ii. For the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights. 8 Lord Phillips, in the Court of Appeal, described the DPA as a cumbersome and inelegant piece of legislation and commented that the High Court Judge had described it as weaving his way through a thicket. Naomi Campbell -v- Mirror Group Newspapers (2002) EWCA Civ No:1373 para 72. 3

The exemptions [reference to Section 29] apply to anyone who processes for one of 10 purposes and who fulfils the necessary conditions ( ) The processing must have been carried out for one of these purposes. It is clear that the provision will apply to those bodies for which the investigation of crime or the prosecution of offenders is their primary purpose. It is less clear where the boundaries lie for those who might be described as carrying out such processing for secondary purposes, that is otherwise than for the core purposes of the organisation. There may be actions by a private body or a public body where crime is not central to the reason for the processing action or decision. For example, the investigation of dishonesty in an employee may be investigated primarily to be treated as a disciplinary matter by an employer. The employer may choose not to report it to the Police. Nevertheless, the actions of the employee were criminal. It is not clear whether the controller could claim the exemption for the apprehension of crime for any processing involved. The heading Prevention of Crime could cover a very wide area. It is suggested that the proper approach is to construe these narrowly as they are exemptions. Prosecution is limited to criminal proceedings and does not cover civil proceedings. 9 The opinion of the Information Commissioner s Office (ICO) is not so cautious. The disclosing data controller might envisage that if any fraud is detected it will be reported to the Police but it is fair to assume that the data controller will also envisage that the insurer will also prevent the fraud by refusing the claim. Therefore, this use of the data would appear to fall within S29(1). As a result this processing is exempt from the first data protection principle except the requirement to comply with the conditions in Schedules 2 & 3. Lucy Dennehy, Solicitor with ICO This may not be such a safe assumption in less clear cut cases of fraud not involving an insurance claim where the potential secondary use of the information was not made clear to the Data Controller providing the information. 9 Data Protection Law and Practice 2 nd Edition, paras 15-12, page 369. Rosemary Jay and Angus Hamilton ISBN 0-421-79480-1 4

Where the suspected fraud leads to a prosecution there appears to be no disagreement as to the use of the data obtained. However, if the matter is not prosecuted, for whatever reason, and the insured pursues the claim by suing the insurer: the insurer s defence depends upon it being able to adduce evidence that it was entitled to reject the claim as it was fraudulent. The ICO is of the view that: this further processing in relation to the civil litigation cannot be categorised as processing to prevent or detect crime, so S29(i) would not apply to that processing. However the ICO believes that this further processing is both fair and compatible with the purposes it was obtained. This view supports those put forward by a number of insurance companies. Where they have established that the claim is fraudulent they are entitled to defend themselves against any subsequent claim made by the insured. If they were not able to use the data collected then they would be in the difficult position of reporting all questionable claims to the Police regardless of the prospect of any success and then only refusing to pay out on cases where the prosecution was successful or a caution was accepted. A caveat was expressed by Ms Dennehy with regard to the above: The Commissioner would be concerned if a body was seen to use S29 to obtain information where there was never any intention of pursuing a criminal prosecution. This concern was expressed by Lord Williams of Mostyn 10 at the committee stage as the Data Protection Bill progressed through the House of Lords. It has also been a topic of conversation on a number of occasions in chat groups subscribed to by private investigators. How this could be proved may be somewhat problematic for the insured but if his arguments were successful then would this leave the insurer and/or his agent liable to 10 Lord Williams of Mostyn was Parliamentary Under-Secretary of State in the House of Lords for the Home Office when the Data Protection Bill was making its way through both Houses of Parliament in 1998. 5

prosecution under Section 55 11 : obtaining information by deception? Could this in turn strengthen the insured s argument for the evidence to be gathered under section 29 exemptions to be deemed inadmissible? How many breaches of HRA and DPA would it take before the court decides that the evidence is inadmissible? A further scenario put to Ms Dennehy was where the insurer had paid out a claim and then subsequently questioned its validity. The insurer conducts an investigation as above and subsequently uses the information gathered under Section 29 exemptions to recover the monies through the civil court. The ICO is of the view that: On strict reading of S29 this processing does not fall within the definitions of preventing or detecting crime. However, the processing that is proposed, the recovery of proceeds of crime, is sufficiently serious and associated with the prevention and detection of crime to be fair and consistent with the purposes for which it was obtained. However, if the alleged fraudster has been prosecuted and found to be not guilty, then the civil action cannot be for the recovery of the proceeds of crime as the data subject has been found not to have committed any crime. In these circumstances the Commissioner would not consider this processing to be fair. 11 Section 55 Data Protection Act 1998: 1. A person must not knowingly or recklessly, without consent of the data controller a. Obtain or disclose personal data or the information contained in personal data, or b. Procure the disclosure to another person of the information contained in personal data. 2. Subsection (1) does not apply to a person who shows a. That the obtaining, disclosing or procuring i. Was necessary for he purpose of preventing or detecting crime, or ( ) 3. A person who contravenes subsection (1) is guilty of an offence. 6

CONCLUSION It appears, therefore, that information gathered in accordance with Section 29 of the Data Protection Act 1998 can be used in a subsequent civil action subject to a number of caveats. 1. The Data Controller relying on the exemption is entitled to do so. 2. The Data Controller providing the information is aware that it may also be used to rebut any subsequent civil claim. 3. If challenged the Data Controller (in the above scenario the insurer) can clearly demonstrate that they have some sort of track record in prosecuting cases of this nature. It would seem that all three would need to be satisfied. If they were not, would that open up the possibility of a challenge to the admissibility of the evidence gathered by citing: Article 8 Respect for privacy; Article 6 - Right to a fair trial: Human Rights Act 1998, as well as breaches of the DPA 1998? The admissibility of evidence was raised in the Jones -v- University of Warwick case 12 where an investigator tricked her way into Mrs Jones s home and videoed her activities. Mrs Jones had made a claim for damage to her hand. In the first instance, the High Court Judge deemed the video evidence inadmissible. Lord Woolf, on appeal, decided that although the evidence was obtained by improper and unjustified conduct it was admissible. However, Lord Woolf demonstrated his displeasure by expressing the view that the defendant (the University) should meet the costs of the proceedings that were necessary to resolve the admissibility of that evidence. It is interesting to note that there were no Data Protection arguments raised in this case. Would that be the same today, five years later, when breaches of Data Protection are now common place in the news and ever-increasing numbers of lawyers are adding Data Protection to their list of services? 12 Jones -v- University of Warwick (2003) EWCA 7

If the Data Protection arguments had been submitted and developed, would they have added weight to support the Articles 8 & 6 HRA arguments that the video evidence should be deemed admissible? It is not too fanciful a question if we look at Lord Bonomy s comments in the later Martin case 13 : Indeed, I am not at all sure that faced with the situation presented to the Court of Appeal in Jones, I would have admitted the evidence. The members of the Court of Appeal were strongly influenced by what they saw as practical difficulties in the way of reaching a just outcome see paragraph 28. It is not clear to me that similar difficulties would arise in a Scottish case. In our jurisdiction, evidence of which both parties are aware is regularly excluded without impairing the ability of parties to present their cases on the strength of the admissible evidence. However, a decision on circumstances similar to those in Jones must await the day when they arise here. That leaves us with one final question: would you like to be the test case that could provide clarity to assist those involved in private sector investigations to help navigate their way through this fog of legal uncertainty? CHRIS BROGAN MA LLM 13 Martin -v- McGuiness 2003 Scot CS198 (11 July 2003) 8

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback