The Queen (on the application of M) v The Chief Constable of Sussex Police
| Jurisdiction | England & Wales |
| Judge | Lady Justice Andrews,Lady Justice Asplin,Lord Justice Bean |
| Judgment Date | 19 January 2021 |
| Neutral Citation | [2021] EWCA Civ 42 |
| Court | Court of Appeal (Civil Division) |
| Docket Number | Case No: C1/2019/2622 & C1/2019/2623 |
| Date | 19 January 2021 |
[2021] EWCA Civ 42
IN THE COURT OF APPEAL (CIVIL DIVISION)
ON APPEAL FROM THE HIGH COURT OF JUSTICE
QUEEN'S BENCH DIVISION
ADMINISTRATIVE COURT
The Honourable Mrs Justice Lieven DBE
Royal Courts of Justice
Strand, London, WC2A 2LL
Lord Justice Bean
Lady Justice Asplin DBE
and
Lady Justice Andrews DBE
Case No: C1/2019/2622 & C1/2019/2623
and
Eric Metcalfe (instructed by Matthew Gold & Co Ltd) for the Appellant
Elliot Gold and Aaron Rathmell (instructed by Weightmans LLP) for the Respondent
Hearing date: 17 December 2020
Approved Judgment
Introduction
The Appellant was the claimant in these proceedings. At the time of Lieven J's judgment she was 16 years old and brought the claim by a litigation friend. She is an extremely vulnerable young person, who had gone missing from home on numerous occasions and was excluded from school. She has convictions for shoplifting and assault, and since 31 October 2017 she had been reported to the police for over 50 incidents of violence, theft, or anti-social behaviour, mostly if not all in the Respondent's area. Before this appeal could be heard, she turned 18; the first issue that we had to consider was whether, in those circumstances, the anonymity order made under CPR 39.2 and renewed by Nicola Davies LJ when she granted permission to appeal on 9 March 2020, should continue.
It became clear that, but for the Covid-19 pandemic, this appeal would have been heard some months before the Appellant's 18 th birthday. Irrespective of other justifications which might exist for maintaining the order, the Court felt that she should not be disadvantaged by the impact of such unprecedented events on the timing of the hearing. Accordingly, as previously ordered, she shall continue to be known as “M” and no person shall identify her or any member of her family in any report of these proceedings.
However, we refused an application made at the hearing by Mr Metcalfe, on behalf of M, to extend the existing prohibition by precluding any identification of the town in which the relevant events took place or of the Interested Party, on the basis that this would “almost inevitably” lead to M's identification. We were not satisfied that it would, and in any event, we considered such additional interference with the principle of open justice to be unwarranted; the order that has been made is proportionate and suffices to protect M's legitimate countervailing interests.
The claim for judicial review fell into two parts. The first was a challenge to the lawfulness of the Respondent's safeguards for disclosing sensitive personal data to the Brighton & Hove Business Crime Reduction Partnership (“the BCRP”) under an Information Sharing Agreement made in December 2018 (“ISA 2018”). The BCRP was joined as an Interested Party. It has taken no part in the proceedings, but the Respondent has relied upon evidence provided by its Business Crime Reduction Manager, Ms Lisa Perretta.
The Respondent is the public authority responsible for crime and disorder strategies in Sussex pursuant to section 5(1)(b) of the Crime and Disorder Act 1998. By section 6(1)(a) of that Act, she must “formulate and implement a strategy for the reduction of crime and disorder in the area (including anti-social and other behaviour adversely affecting the local environment)”. To that end, it is important for the police to be able to engage in meaningful dialogue and share information with local businesses with a view to safeguarding against the risks of criminal and anti-social behaviour.
The BCRP is an organisation with more than 500 members, including local businesses, national and independent retailers, private security firms, public houses, bars and nightclubs. The structure and operation of the BCRP, and the provisions of documents produced by the BCRP which are relevant to the issue of data sharing, are described in detail at paragraphs 13 – 18 of Li even J's judgment. Its principal function is the management of an exclusion notice scheme, prohibiting persons from entering its members' commercial premises. The decision whether to exclude an individual is made by the BCRP Management Committee (also referred to as the Executive Committee). M was made subject to such an exclusion order on 7 November 2017 for a period of 12 months.
The Respondent may decide to share data relating to an individual with the BCRP for law enforcement purposes. As explained by Superintendent De La Rue in his witness statement, the purpose of the police sharing information with the BCRP is to inform the BCRP Management Committee of issues concerning particular individuals, in order for it to take a decision on whether they should be excluded. The Respondent does not share data directly with any BCRP member. If it decides to share data with the BCRP, that data can only be accessed by certain BCRP employees, all of whom have achieved level 2 non-police personnel vetting (“NPV”). This is addressed in section 4 of the ISA 2018, to which I shall refer later in this judgment.
Paragraph 4.10 of the BCRP Code of Practice provides that:
“police will only disclose information to the local Partnership where there is a clear legal basis to do so and under the terms of the agreed Information Sharing Agreement. Information provided under partnership arrangements by police is for the prevention and detection of crime and prosecution of offenders and must not be used for any other purpose.”
The police are not the only source of data that the BCRP may receive about an individual. Any member of the BCRP may provide information to the Management Committee, which may include, for example, CCTV footage; that information is not shared with other members. All requests for information, sharing of information and denied requests will be recorded. The information is required to be kept on a secure server within a secure location with a control access system, to which the general public has no access.
It is the BCRP Management Committee which usually decides what information to share with its members according to its own Data Sharing Policy. Once the information it has received about an individual reaches a certain threshold set for exclusion, the BCRP may decide to disclose specific data to its members to make them aware of any threat to their premises, and to ensure that the exclusion is effective. Any such onward disclosure is made via a secure intranet site and a secure mobile application. However, a decision to share with members the personal data of a person aged 14–17 must be taken by the Board of Management, consisting of a minimum of three persons, of whom at least one must be the BCRP chair or crime manager.
Not all BCRP members require access to the intranet. At the time of the hearing below, the number of members who were granted such access was 239 — under half the membership. Access to the shared data will be restricted to those members whose premises are likely to be affected by the exclusion order. Prior to consent to access being given, the member requesting it must sign a data integrity agreement (described in paragraph 18 of Lieven J's judgment) which forbids the sharing of information with any third party. Anyone who has not logged on to the intranet for more than six weeks is removed, and every six months all members are “locked out” of the intranet and required to re-certify their adherence to the data integrity agreement to regain access to it.
The ISA 2018 was the latest in a series of information sharing agreements made between the Respondent and the BCRP from 2013 onwards, with a view to ensuring compliance with the relevant data protection regimes. Indeed, the claim for judicial review started life as a challenge to the lawfulness of its immediate predecessor, which was entered into in 2017. That challenge became academic when that agreement was superseded, and permission was granted to amend the claim. The challenge to the earlier version of the ISA was maintained, but (understandably) the arguments are dealt with briefly in the judgment below, and played very little part in this appeal.
Lieven J's decision is one of the first concerning the requirements of Part 3 of the Data Protection Act 2018 (“ DPA 2018”). Among other matters, it involved consideration of (1) the scope and nature of the obligations under two of the six data protection principles set out in sections 34–40 of the DPA 2018, which give effect to Article 4(1) of the Law Enforcement Directive, Directive 2016/680 (“LED”), and (2) the additional safeguards required for the processing of “sensitive data” for law enforcement purposes under section 42 of the DPA 2018.
The main question for the High Court was whether the ISA 2018 met the requirements of Part 3 of the DPA 2018. In a well-structured, careful and clearly expressed judgment, Lieven J held that although there was room for improvement, on a holistic assessment, the ISA 2018 read together with its appendices (particularly Appendix 4) and a Legitimate Interest Assessment (“LIA”) which was an appendix to that appendix, did provide sufficient safeguards and effective measures, including technological measures, to meet those requirements.
Mr Metcalfe submitted that the Judge was wrong to reach that conclusion. His chief complaint was that the ISA 2018 is not an appropriate policy document for the purposes of processing sensitive personal data relating to children and young persons under the age of 18. Mr Metcalfe was at great pains to stress that no objection was taken to the sharing of such data with the BCRP or the purposes for which it was shared, but rather that the...
To continue reading
Request your trial