LEGAL, REGULATORY & COMPLIANCE CONSULTANTS

Handley Gill Limited

Our expert consultants at Handley Gill share their knowledge and advice on emerging data protection, privacy, content regulation, reputation management, cyber security, and information access issues in our blog.

Non-sequitur

The finding that the actions of Lancashire Constabulary in releasing confidential medical information was lawful should not provide succour to police and law enforcement organisations concerned as to their own practices for disclosing personal data in the context of investigations. In light of the College of Policing’s review, organisations need to review the adequacy of their staff training, disclosure processes and authorisations, records of decisions and the resilience of their data protection function.
— Handley Gill Limited

The College of Policing has today published its review of Lancashire Police’s handling of the investigation into the disappearance of Nicola Bulley and has concluded that, while “lawful”, the "release of personal details regarding Nicola was avoidable and unnecessary".

The processing of personal data by competent authorities such as the police for law enforcement purposes, i.e. “the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”, is governed by Part 3 of the Data Protection Act 2018.

The disclosure of health data by the police for law enforcement purposes is “sensitive processing” under Part 3 DPA 2018 and therefore in the absence of the consent of the relevant individual, s35(5) DPA 2018 requires that it be strictly necessary, meet a Schedule 8 condition, and that the relevant controller (in this case the Chief Constable) has an “appropriate policy document” in place. Schedule 8 conditions include that disclosure is necessary: for reasons of substantial public interest; or, to the protect vital interests (life or death) of the individual concerned or another; or, to protect a child or vulnerable person from harm; or, where the information is already in public domain.

Consequently, the assertion that the release of personal information relating to Ms Bulley was not necessary but was nevertheless lawful may appear to be a non-sequitur, but the lawfulness of the release of the information was dictated by the tragic circumstances of the case, in particular due to the fact that Ms Bulley had in all likelihood already died at the point of disclosure – albeit this was not known at the time – and the Data Protection Act 2018 therefore did not apply since it only relates to the processing of personal data of living individuals.

Police forces and other competent authorities should therefore not draw any comfort from the College’s findings – or the earlier conclusions of the Information Commissioner’s office – as in other circumstances they would have been subject to potential regulatory enforcement and/or legal action.

This particular controversy in the context of the investigation arose when Lancashire Constabulary initially issued a statement in relation to Ms Bulley that “As soon as she was reported missing, following the information that was provided to the police by her partner Paul, and based on a number of specific vulnerabilities that we were made aware of, Nicola was graded as high-risk”, and later that day followed this up with the further statement “Sadly, it is clear from speaking to Paul and the family that Nicola had in the past suffered with some significant issues with alcohol which were brought on by her ongoing struggles with the menopause, and that these struggles had resurfaced over recent months. This caused some real challenges for Paul and the family… It is an unusual step for us to take to go into this level of detail about someone’s private life, but we felt it was important to clarify what we meant when we talked about ‘vulnerabilities’ to avoid any further speculation or misinterpretation.”

Regrettably, the College of Policing’s report reveals that the reference in the initial statement to Ms Bulley having “specific vulnerabilities” was not agreed with her family, and it would have been preferable to use the agreed wording in relation to specific factors in her “medical history”.

The report further reveals that the subsequent statement that was ultimately released was agreed by the family “under extreme time pressure” and faced with the assertion by police that “there was an imminent threat of publication by national newspapers of stories that would damage the family” and that “a further police media release was required, that evening, to explain the word ‘vulnerabilities’”.

The statement was the subject of immediate and widespread opprobrium, including from MPs, charities and civil society organisations, as well as individuals who had held senior roles in law enforcement and the criminal justice system.  

On 17 February, the Information Commissioner published a statement that, while acknowledging the difficulties of an ongoing investigation, “Data protection law exists to ensure people’s personal information is used properly and fairly. This includes ensuring personal details are not disclosed inappropriately… given the high profile nature of this case, we will be asking Lancashire Police to set out how they reached the decision to disclose this information in due course”.

The College of Policing’s report reveals the internal process that led to the disclosure of Ms Bulley’s personal information. The report states at page 90 that legal advice was sought in relation to the release of personal information relating to Ms Bulley:

“The head of legal services was contacted to provide legal advice on Lancashire Constabulary’s next steps and on the plan to release personal information about Nicola proactively. Lancashire Constabulary determined that personal information about Nicola’s struggles would be referenced to explain why the term ‘vulnerabilities’ had been used. The head of legal services agreed with a senior member of the M&E team that the risks of not releasing the personal information outweighed the risks of doing so. Any press release would need to balance Nicola’s privacy rights with Mr Ansell’s safeguarding needs. The decision to make a further press statement was also to ensure that any reporting regarding the attendance of a multi-agency response car on 10 January was factually correct and within context, avoiding any further misinformation and speculation about Nicola and Mr Ansell.”

However, the report also found that specialist data protection advice was not obtained, stating at page 94-:

“Although Lancashire Constabulary contacted the head of legal services, the force DPO and the information management department were not contacted before the release of the personal information. It was indicated to the review that the DPO was unavailable at that time. Due consideration was given to the potential impact around the General Data Protection Regulation (UK GDPR) and the right to a private life, noting that there were potentially significant risks to Mr Ansell if there was increased speculation around ‘vulnerability’ and what that meant. It was considered that there was a policing purpose for the release of information that Nicola had struggled with alcohol issues, and that Lancashire Constabulary had responded to a concern for welfare at her home address.

The head of the M&E team, the SIO and the head of legal services all assessed the decision to release personal information in relation to fairness, necessity and proportionality. They considered the facts and potential risks in relation to the public interest and the protection of the life of the subject or other person. In collapsing timeframes, Lancashire Constabulary followed the guidance provided. This was to justify the policing purpose that they were seeking to achieve and to demonstrate the proportionality and necessity of this, comparative to the breach of privacy. The rationale was recorded and documented for potential later review and scrutiny. The head of legal services agreed that the risk of not releasing the personal information outweighed the risks of doing so. The DPO was contacted the following day, post-release, and concurred with the legal advice that had been given.”

The reference to the UK GDPR having been considered suggests that either the force or the College of Policing, or both, may have been operating under a misapprehension as to the applicable legal regime in these circumstances. As we have stated above, we anticipate that since any processing of personal data would have been for the law enforcement purposes, Part 3 of the Data Protection Act 2018 and not the UK GDPR would apply.

Following the conclusion of the police investigation, and the tragic revelation that Ms Bulley was deceased, the Information Commissioner’s Office published a blog post which emphasised that it “wanted to be clear that while police can disclose information to protect the public and investigate crime, they would need to be able to demonstrate such disclosure was necessary and proportionate” and “We have now spoken with Lancashire Police to better understand the steps they took before releasing information. We heard in those conversations the challenging nature of considering whether and how to share personal information during fast paced, important cases. Based on our conversations with Lancashire Police, we don’t consider this case requires enforcement action. We’ll be able to provide further details around this decision following the inquest into Nicola Bulley’s death”.

The College of Policing report contains the detail of the reasoning for the ICO’s conclusion: “The ICO recognised that the ‘case was conducted in exceptional circumstances’ but did state that ‘the public disclosure of such sensitive personal information seemed extraordinary’. Ultimately, the ICO concluded that, having reviewed the circumstances and rationale that led to the disclosure, and recognising the likelihood that Nicola was probably deceased at the time of the disclosure, the public interest did not favour the ICO taking further regulatory action.”

The College’s conclusions and recommendations in this regard include:

  • “The decision to release personal information of a sensitive nature should only be made at the most senior level and following consultation with a force’s DPO. Sufficient chief officer team engagement did not take place.”

  • While the decision to release the most personal information was lawful, in our view it was avoidable and unnecessary. Personal medical information can be released if it is important to assist in resolving a situation – for example, if it is known that a person might react in a particular way because of certain medication. However, unless this type of information has a direct bearing on the case and its resolution, it would be highly unusual for it to be appropriate to disclose.”

  • Any media statement requested or constructed by the police, wholly or in part, remains the ultimate responsibility of the force. There is a wider responsibility from policing to ensure that there are appropriate ethical considerations about the content within those statements, particularly when it includes the most personal information.”

  • “Forces should, by default, not release personal information of such a sensitive nature, excepting only the most extreme of circumstances where all ethical perspectives and alternative mitigation have been considered. The decision to release personal information of such a sensitive nature should only be made at the most senior level (chief officer team), following consultation with the DPO, SIRO and/or the ICO.”

  • “The gold group records for the investigation suggest that the first request for gold sign-off on media releases only took place in the gold group meeting of 16 February. Earlier approval of critical media releases by the gold commander would have provided stronger oversight and direction, and may have prevented the unnecessary release of highly personal information.”

  • Data protection is a highly specialised area of law that requires specific support and guidance. Early consultation with a force DPO is strongly advised. Where unavailable, the DPO deputy or senior member of the force information management department should be contacted. Additional support can be secured from the force data and information board, alongside the DPO. Seeking DPO engagement at an early stage, prior to critical decision making, will ensure that data protection is actively considered throughout the whole process. It is suggested by the Lancashire Constabulary DPO that forces, nationally, would benefit from more informed learning around the role of the DPO and the specialist guidance that can be provided.”

  • The ICO advised the College that, during a time-critical incident (where it may not be known if it is a criminal matter), forces should consider the threat and risk factors, and use that to assess the necessity and proportionality of any use or disclosure of personal information. Early inclusion of a data protection professional will be key to ensuring that the right people are part of that urgent decision-making process. The decision should be documented with a clear rationale and retained for later scrutiny. These elements were considered by Lancashire Constabulary and their legal team.”

Finally, it is of note that the review made specific reference to the relationship between the police and the media, which it described as “fractured”. Disputes such as that between the BBC and South Yorkshire Police in the context of the investigation into the false allegations against Sir Cliff Richard, and the subsequent guidance from the College of Policing on the naming of suspects prior to charge, which went further than court decisions on the right to privacy, will inevitably have contributed to this. The review called for action to be taken “on all sides to help build trust”, as well as for national policing to consider the impact of social media on investigations and public confidence.

What additional measures can police forces, wider law enforcement bodies and, indeed, any data controller take having regard to the learning from this matter?

  • Too often data protection training for staff focuses on information security, and not the lawful processing of personal data. Organisations should consider offering bespoke modular data protection training for relevant staff to support them in applying data protection principles to their practical role.

  • Establish guidelines and approval processes in advance for the disclosure of personal data.

  • Organisations should consider whether they have sufficient resilience within in-house data protection teams, and consider utilising locums or implementing retainers to provide out of hours or additional expertise.

  • The preparation of template records of advice, which can be used to record outline decision making, separate to any privileged legal advice, can be useful. In practice, it can be difficult to maintain contemporaneous records, but given the delays of months of even years that can transpire between an event and its consideration by regulators or the courts, a near contemporaneous note (for example at the conclusion of an incident) will still be of relevance.

At Handley Gill we have significant experience of advising police forces and wider law enforcement on their data protection obligations and their implementation at the highest levels on strategic and operational issues. Should your organisation require support in designing and delivering bespoke data protection for police and law enforcement officers and staff, establishing and implementing disclosure and recording processes, locum services, out of hours advice or additional resilience for your data protection team, or post-data incident review and remediation services, please don’t hesitate to contact us.

Find out more about our data protection and data privacy services.