University Data Protection Policy Deemed Not Invariable by High Court

A High Court ruling in the case of Bangura v Loughborough University [2016], has concluded that in providing a copy of a suspected student’s university registration form to Leicestershire Police to assist with their investigations of sexual assaults and rape accusations against students, Loughborough University was not in breach of contract and had acted in compliance with section 29 of the Data Protection Act 1998 (DPA) despite providing the information in advance of receiving a written request from the police, which defied the university’s own data protection policy.


The court held that the claim under the DPA was indisputable on the grounds that section 29 does not indicate that a request must be in writing. Condition 6(1) of Schedule 2 (legitimate interests) to the DPA was also accepted in consideration of the serious nature of the offences. A further point raised by the Court was that the policy was not deemed to be invariable as the information may be needed urgently. The disclosure was also not considered to be a breach of contract because the registration document and the policy did not purport to incorporate the policy as part of the contract between the student and the university. With this in mind, the claimant student was refused permission to appeal a summary judgment in favour of the university as it would not have succeeded.


Section 29(3) of the DPA provides an exemption from the first data protection principle if the disclosure is for the prevention or detection of a crime section 29 (1)(a) DPA, the apprehension or prosecution of offenders section 29 (1)(b) DPA, or for taxation purposes section 29 (1)(c) DPA. The Section 29 exemptions allow an organisation to disclose personal data without an individual’s knowledge or consent, however this must apply the requirement of fairness as informing the individual could prejudice the crime and taxation purposes.


It is important to note that although the need to disclose personal data without the data subject’s knowledge will occur in limited circumstances, the Information Commissioner’s Office still recommends that where organisations may need to disclose personal data for criminal, fraudulent or legal purposes, they state this clearly in their privacy policies so as to ensure optimal transparency. Furthermore, by documenting any data sharing that is done without the individual’s consent, the organisation will be protected in case the individual decides to ask the ICO to investigate or to seek compensation through the courts.


Forbes Solicitors regularly advise a range of clients on requests for disclosure of information whether under the DPA, FOIA or DBS. If you would like more information please contact Daniel Milnes.


This entry was posted in Corporate & Restructuring, Employment Law, Housing Litigation and tagged , , , , , , , , , .

Leave a Reply

Your email address will not be published. Required fields are marked *