Regulation (EU) 2016/679 General Data Protection Regulation (GDPR) came into force across all member states within the European Union on 18 May 2018. It establishes a framework of legal principles, backed by appropriate enforcement mechanisms and sanctions, governing the use of information relating to identifiable private individuals (data subjects) by those who have sole or shared control (data controllers) over the information in question. The GDPR permits member states to adjust some of its rules to suit the domestic context. In the UK, this was achieved through the enactment of the Data Protection Act 2018 (DPA). According to section 2 of the DPA, the overall objectives of the GDPR will be attained by:
(a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis, (b) conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and (c) conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions
The Inquiry into Undercover Policing now controls (and has been engaged in the processing of) extensive data on private individuals contained in intelligence reports which were collated by police officers during the course of various covert operations. There are two features of these reports which will pose particular challenges to the inquiry which (irrespective of any finding that it is able to rely upon any exemption from particular provisions of the GDPR) will be expected to pay due regard to data privacy principles, because the principles seek to recognise and secure fundamental human rights. The first of these features is that covert intelligence reports are often comprised of mixed personal data. This means, for example, that information relating to one non-state core participant will, in most cases, be mixed in with information relating to other inquiry participants, or, indeed, with individuals not currently known to the inquiry - this includes individuals who may not be aware that they have ever been the subject of covert surveillance. Second, the reports include ‘special category’ information, relating to health, sex life, criminal convictions and other especially sensitive matters which few individuals would readily consent to share with strangers.
After numerous requests by non-state core participants for the release of the intelligence reports in which they have been named or otherwise identified, the inquiry has finally made known its intentions. In both public hearings devoted to data privacy matters (31.1.2019 and 25.3.2019), the chair of the inquiry indicated that, subject to any insurmountable legal impediment, he intends to disclose to individuals named/identified in intelligence reports unredacted versions of those reports (e.g. Inquiry Transcript, 25.3.2019: p. 69-71), after the officers who collated the reports have had the opportunity to review them and comment on the circumstances in which they were produced (Inquiry Transcript, 25.3.2019: p. 44-49), and subject to the individual to whom disclosure is made being placed under a legal duty of confidentiality in respect to what she/he has gleaned from the reports, (Inquiry Transcript, 25.3.2019, p. 65).
Whether or not it is consistent with data protection laws to satisfy the understandable desire of non-state core participants to know what information undercover police recorded about them by “...showing them a raft of data about lots of other people” (Inquiry Transcript, 25.3.2019, p. 69) was chief among the questions considered during the public hearing held last week. The answer will almost certainly depend upon an assessment of how the inquiry chair has exercised his judgement when balancing data privacy rights against the proper and efficient functioning of the inquiry. On the face of it, a simple process of redaction of documents would insulate the inquiry from criticism, complaint, and, ultimately, challenge by way of judicial review proceedings. However, this strategy was rejected by the chair on the basis that it would impose an “astonishing burden” (Inquiry Transcript, 2019: p. 79), leading to approximately “ a year or two” (Inquiry Transcript, 2019, P. 40) devoted entirely to the task of responding to subject access requests. If the inquiry chair remains of the view that any alternative to the approach he proposes for the processing of the personal data of those spied upon would “...impose a burden on those doing the work of the inquiry which is not capable of being discharged... (Inquiry Transcript, 2019: p. 71), his judgement will be difficult to dislodge. Even if it can be shown that faced with similar financial and other constraints other inquiry chair’s have reached opposite conclusions - as was suggested from the example of the inquiry into child sexual abuse (e.g. Inquiry Transcript, 2019: p. 24-5) - such evidence, in and of itself, would not indicate a failure of this inquiry chair to appropriately balance data privacy rights against other public interest considerations.
The GDPR and DPA create a robust data protection regime, but in neither is there any guarantee that in all circumstances individuals will be able to access and control their personal data in the way they would wish. The idea that a public inquiry would intentionally expose sensitive private information relating to person A to person B without person A’s knowledge and/or consent is an uncomfortable one, but it must be remembered that even in the case of mixed personal data intelligence reports the rights of person A will receive some measure of legal protection by way of the restriction order which will be imposed on person B (Inquiry Transcript, 2019: p. 65).