R v Brown
[1996] AC 543(Judgment by: Lord Griffiths)
R
v.Brown
Judges:
Lord Goff of Chieveley
Lord GriffithsLord Jauncey of Tullichettle
Lord Browne-Wilkinson
Lord Hoffmann
Legislative References:
Data Protection Act 1984 - s 5
Judgment date: 8 February 1996
Judgment by:
Lord Griffiths
My Lords, the defendant, a police officer in the Kent Constabulary, was found guilty on two counts in an indictment charging him with improper use of personal data in the police national computer contrary to s 5 of the Data Protection Act 1984.
The police national computer holds within its memory particulars by which the ownership of motor vehicles can be identified from their index numbers. This is obviously valuable information for police purposes such as the tracing of stolen vehicles and the identification of traffic offenders. The defendant as a police officer had access to this information for proper police purposes by virtue of s 4 of the Act under which the Chief Constable of Kent was registered as a data user and the police officers in the Kent Constabulary as those entitled to use the data for police purposes.
The prosecution case was that the defendant, in addition to his duties as a police constable, was also working for a debt-collecting business called Capital Investigations Ltd, and on two occasions asked the operator of the police computer to give him the name of the owner of a particular vehicle of which he supplied the index number, in the hope that he might thereby identify an asset in the hands of a debtor which would assist the collection of a debt.
The defendant's defence was that the two inquiries were for proper police purposes and had nothing to do with debt collection. The jury by their verdicts of guilty rejected the defendant's explanation and accepted that he was seeking the information for the purpose of debt collection.
The operator of the computer, innocently in the belief that the defendant was making an inquiry for police purposes, displayed the requested information on the computer screen and the defendant read it.
Both counts charged the defendant with improper use of 'personal data'.
In answer to the first request which was the subject of count 1 the information showed that the vehicle was owned by a company. In answer to the second request, which was the subject of count 2, the information showed the name of the person who owned the car, who was a debtor being pursued by Capital Investigations.
The relevant parts of s 5 of the Act under which the defendant was charged provide:
'(1) A person shall not hold personal data unless an entry in respect of that person as a data user, or as a data user who also carries on a computer bureau, is for the time being contained in the register.
(2) A person in respect of whom such an entry is contained in the register shall not--(a) hold personal data of any description other than that specified in the entry; (b) hold any such data, or use any such data held by him, for any purpose other than the purpose or purposes described in the entry; (c) obtain such data, or information to be contained in such data, to be held by him from any source which is not described in the entry; (d) disclose such data held by him to any person who is not described in the entry; or (e) directly or indirectly transfer such data held by him to any country or territory outside the United Kingdom other than one named or described in the entry.
(3) A servant or agent of a person to whom subsection (2) above applies shall, as respects personal data held by that person, be subject to the same restrictions on the use, disclosure or transfer of the data as those to which that person is subject under paragraphs (b), (d) and (e) of that subsection and, as respects personal data to be held by that person, to the same restrictions as those to which he is subject under paragraph (c) of that subsection.
(4) A person shall not, in carrying on a computer bureau, provide services in respect of personal data unless an entry in respect of that person as a person carrying on such a bureau, or as a data user who also carries on such a bureau, is for the time being contained in the register.
(5) Any person who contravenes subsection (1) above or knowingly or recklessly contravenes any of the other provisions of this section shall be guilty of an offence.'
On count 1 the judge directed the jury that they could not convict the defendant of using 'personal data' because the information that the vehicle was owned by a company was not 'personal data' within the meaning of the definition of personal data in s 1(3) of the Act, which provides that 'Personal data means data consisting of information which relates to a living individual who can be identified from that information', but that they could convict of an attempt to use 'personal data'.
On count 2 no such difficulty arose because the information showing the car was owned by an individual was 'personal data'.
The judge gave the jury the following direction on the meaning of the word 'use' in s 5(2)(b):
'Members of the jury, what is said there is that the defendant, as it were, holding himself out as a policeman in the course of his duty, in fact, obtained material to be used in relation to the business of the debt collection agency. In other words, for a purpose other than one described in the register of users etc. If, members of the jury, you are a police officer--I am not suggesting you should find any of these matters proved, that is a matter for you--but supposing for the purposes of understanding it you are a police officer and you are also a part-time debt collector. The fact that you, as a police officer, acquire information which you obtain and which is there, available to assist you under your other hat as a debt collector, is, as a matter of law, sufficient to establish you as a person who is an agent using personal data for a purpose other than one of those described. It does not follow that you have to be, as it were, pursued by the Crown to the extent of being seen to take advantage of your knowledge of the address, status, whatever it is you may have acquired, in order to get a hand on somebody's collar and say: "Come on, pay up." The fact that you, as a party to the debt collector's business, aside from being a chief constable, hold that information for such benefit as it may bring to the debt collecting business, having acquired it for that purpose, would be, as I would direct you, sufficient to be described as "using" personal data.'
On this direction the jury found the defendant guilty of an attempt on count 1 and guilty of the full offence on count 2.
The Court of Appeal ([1994] QB 547) allowed the defendant's appeal on both counts because they held that there was no evidence that the defendant had used the information within the meaning of s 5(2)(b).
The Court of Appeal put the matter thus (at 551):
'The argument for the appellant [the defendant] has been a short and simple one: since the term "used" is not defined in the Data Protection Act--a statute which is at pains to set out many definitions of other terms--the ordinary meaning of the word "use" is the one to be taken in construing the Act. As a proposition that is not disputed by Mr. Kark. What is the ordinary sense of the word "use" as we see it in section 5(2)(b)? In our judgment, it is one thing to access the computer and view what is contained in it and it is another thing then to use the information itself. Section 5 speaks of the use of data, and this enables Mr. Johnson to submit that it is necessary to do something to the data, not merely to access it, before it is "used" within the statute. That would have arisen if the appellant, having accessed the information, then proceeded, in the ordinary sense of the term, to make some use of it, so as for example in his own business affairs to deploy the information obtained against the interests of somebody else. Since, on the facts here, it is in effect accepted that Mr. Brown did no such thing, it seems that the appeal must succeed on that short point alone. The conviction will be quashed.'
The Court of Appeal certified the following question:
'Whether the word "use" in section 5 of the Data Protection Act 1984 should be construed so as to include processing the data so as to gain access to information stored within a computer without doing any further act with the information.'
The prosecution in presenting the appeal invited your Lordships to apply a very restricted construction of the word 'use' based upon the definition of 'data' in s 1(2) which I cannot accept. The definition of 'data' in s 1(2) provides:
'"Data" means information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose.'
The prosecution submitted that data is to be contrasted with the information recorded in the data, and that once the data has been translated from computer-readable form into a form that is intelligible to the human mind either by display on a screen or a print-out, it ceases to be data and becomes information. If this construction is correct it has some remarkable results. In the first place data can only be used in that fraction of time between the operation of the computer and the display of the information, and secondly that a policeman who reads information properly displayed for police purposes but then applies it for some wholly improper purpose, is not using personal data for that improper purpose.
The prosecution sought to support this construction by reference to s 5(2)(c): 'obtain such data, or information to be contained in such data', and s 1(9): '"Disclosing" in relation to data, includes disclosing information extracted from the data', and submitted that when the draftsman intended that the information should be included in the definition of 'data', he said so.
But contrast these expressions with the definition of 'personal data' in s 1(3): '"Personal data" means data consisting of information which relates to a living individual ...' And s 21(1):
'Subject to the provisions of this section, an individual shall be entitled--(a) to be informed by any data user whether the data held by him include data of which that individual is the data subject; and (b) to be supplied by any data user with a copy of the information constituting any such personal data held by him; and where any of the information referred to in paragraph (b) above is expressed in terms which are not intelligible without explanation the information shall be accompanied by an explanation of those terms.'
The purpose of the references to information in the subsections to which the prosecution referred, namely s 5(2)(c) and s 1(9), is not to differentiate between information and data but to make it clear that the prohibition against obtaining data in s 5(2)(c) applies to obtaining data both in computer-readable form and in written form, and that 'disclosing' in s 1(9) applies to both disclosing data in computer-readable form, for example by handing over a tape, and disclosing it in written form, for example as a print-out made from the tape.
But whilst I reject the construction relied upon by the prosecution, and of which I can find no trace in the summing up of the trial judge, the question remains: have you 'used' the information if, for an improper purpose, you have informed yourself of the information by reading it on a screen or in a print-out, which was the view of the trial judge, or do you have to go further and apply the information for an improper purpose, which was the view of the Court of Appeal.
Whilst I have found this to be a difficult question I have come to the conclusion that 'use' should be given a broad construction as otherwise the purpose of the Act will not be achieved, there will be a serious lacuna in the protection it provides, and there will be difficulties in its enforcement.
The 1984 Act was enacted to implement the obligations that this country accepted as a signatory to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (set out in Annex A to Cmnd 8539). The Act should therefore be construed so far as permissible to accord with the convention.
Article 1 of the convention sets out the object and purpose of the convention in the following language:
'The purpose of this Convention is to secure in the territory of each party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy , with regard to automatic processing of personal data relating to him ("data protection").'
To read the personal data about an individual displayed on a computer screen or in a print-out is an invasion of that person's privacy, if there is no legitimate purpose for doing so. I therefore prefer the construction that forbids the illegitimate display of personal data and this is achieved by giving a wide construction to use in s 5(2)(b) so that it covers not only applying the information in the data for an illegitimate purpose but also the invasion of privacy involved in the illegitimate display of the information.
It is not straining the meaning of language to say that a person is using the information stored in a computer if he informs himself of its contents. Whether or not he then goes on to apply the information for a particular purpose, and to use it in that sense, will depend on the value of the information to him: but whether or not he applies the information does not alter the fact that he has wrongly invaded the privacy of the individual, and now has the information available to apply at any time in the future.
Once information has entered the public domain it is impractical to attempt to place any restraints on its use or further dissemination. The Act therefore concentrates its protective provisions in s 5 upon the conduct of those who hold or have access to personal data, in an attempt to ensure that they do not abuse the data, and confine it to the proper purpose for which it is required.
The purpose of the offences created by s 5 of the Act is clearly to protect the integrity and security of the data. A servant or agent of the holder of data is guilty of an offence if he uses data for any purpose not described in the register, if he discloses it to any person not described in the register, if he obtains it from a source not described in the register, and if he transfers it to a territory outside the United Kingdom not described in the register. So what would be the position of a police officer who deliberately falsified personal data held in the computer? He undoubtedly processed the data within the meaning of s 1(7); but if he was not 'using' the data by processing it he committed no offence. I cannot believe that in the Data Protection Act it was intended that wrongful interference with the data by those with access to it should not be an offence. But such is the result if 'use' is given the limited meaning adopted by the Court of Appeal.
This police officer had no business to be reading the personal data on the police computer for debt-collecting purposes, and I see no hardship in adopting a construction of the section that creates an offence if he does so. If on the other hand an obligation is laid on the prosecution to prove not only that illegitimate access to the information in the computer was obtained, but also how that information was subsequently applied I can see great practical difficulties in the enforcement of the Act and the protection of personal data that the convention and the Act intended to achieve.
I would therefore answer the certified question in the affirmative and allow this appeal, and refer the case to the Court of Appeal to consider the other grounds of appeal which have not yet been argued.