Unfair Cop: Data Protection Breach by Metropolitan Police Against Police Officer

The Metropolitan police force will have to pay a potential six figure sum in damages after being sued for breaching data protection law through its conduct of a disciplinary procedure. That’s a risk that many organisations face today given the modern pervasiveness of data collection.

Senior officers employed powers for investigating crime to obtain information about a colleague on sick leave. The officers retrieved five years’ worth of information about her travel movements, as well as her daughter’s.

The court has not yet ruled on damages and the Met Police are expected to have to pay at least £80,000 in legal costs alone, with potential further damages of up to six figures.

This case could have been avoided if the officers concerned had even a basic understanding of the DPA. The judge called their lack of knowledge of the law as ‘astonishing’. This highlights the importance of knowing the limits of one’s power under the Data Protection Act 1998 (DPA). Even though the police had these powers of investigation, they were not entitled to use them the way they did.

The DP Principles

The DPA sets out eight principles, one of which dictates that any data that is processed must be relevant to the purpose for which it is processed. Furthermore, the data must not be excessive in relation to accomplishing that purpose. In the present case, obtaining five years’ worth of travel data in order to achieve their purpose of investigating the subject’s current location was deemed excessive, and the majority of that processed data ruled irrelevant. Additionally, seeking and processing information regarding the victim’s daughter was held to be both excessive and irrelevant. To make it worse, the police officers cited an act of Parliament which did not exist in order to obtain the personal information.

The impact of the DPA should be at the forefront of most organisations’ concerns if they are classified by the DPA as data controllers (any organisation or individual that collects, uses and keeps personal information outside very limited exemptions).

Moreover, in addition to the risk of civil action, organisations that breach data protection law run the risk of sanction by the Information Commissioner’s Office (ICO). Such sanctions include monetary penalties, criminal prosecution, or enforcement notices, such as the one issued to Southampton City Council after its demand to collect video and audio recording of the city’s taxi passengers 24 hours a day was found to be excessive.

Forbes Solicitors regularly provide advice to public authorities, providers of social housing, charities and business regarding the Data Protection Act 1998. If you have any questions, please contact Daniel Milnes.

Daniel Milnes

About Daniel Milnes

Dan is a Partner and Head of Contracts & Projects. Dan’s blogs cover the areas in which his specialities lie in commercial, regulatory and governance law which cover a broad range of matters dealing with contracts, projects, corporate and group structures, funding and compliance with a range of legal regimes including data protection. This also involves writing and advising on various forms of commercial contracts including joint ventures, development and construction agreements and intellectual property contracts including IT agreements, sponsorships and other rights licensing arrangements.
This entry was posted in Employment Law, Housing Litigation, Sports Law and tagged , , , .