M, R (on the application of) v The Chief Constable of Sussex Police & Anor

The claimant, a vulnerable 16 year old, challenged (1) the lawfulness of the Defendant police force's Information Sharing Agreements with a Business Crime Reduction Partnership (BCRP) under the Data Protection Act 2018, and (2) past disclosures of her personal and sensitive personal data to the BCRP under the Data Protection Act 1998/2018. The court analysed the statutory data protection regime in Part 3 of the 2018 Act (including the lawfulness requirement in s.35, the special conditions in Schedule 8, the requirement for an appropriate policy document in s.42 and obligations to implement "appropriate technical and organisational measures" in ss.56, 57 and 66) and the Article 8 ECHR considerations governing privacy interests, particularly of children.

The court found that the December 2018 Information Sharing Agreement (ISA 2018), together with its appendices and legitimate interest assessment, provided sufficient safeguards and measures to satisfy the statutory requirements of the Data Protection Act 2018 for the purposes and participants in the scheme, albeit that the documents could be clearer and might be improved in drafting and signposting. The earlier ISA 2017 was also found not to breach the Data Protection Act 1998 or the 2018 Act on the material before the court.

On the facts of individual disclosures complained of, the court concluded that the police had lawfully shared incident details, photographs (biometric data) and other non-sensitive personal data for legitimate public-protection purposes, but had unlawfully shared information revealing the claimant's vulnerability to child sexual exploitation. The court also held that sharing bail conditions with BCRP members and their employees in that contractual context did not amount to publication to the public under the Children and Young Persons Act 1933 or s.45 Youth Justice and Criminal Evidence Act 1999.

Background and parties:

• The claimant (M) is a vulnerable 16 year old with a history of going missing, convictions and concerns about child sexual exploitation. The defendant is the Chief Constable of Sussex Police. The interested party is a Business Crime Reduction Partnership (BCRP) operating an exclusion-notice scheme for local businesses and security staff.

Nature of the claim:

• The claimant sought judicial review challenging (Issue One) the lawfulness of the police's Information Sharing Agreements (ISA 2017 and ISA 2018) with BCRP under the Data Protection Act 2018 and (Issue Two) particular past disclosures of the claimant's data to BCRP said to be unlawful under the Data Protection Act 1998 (and, where applicable, the 2018 Act).

Procedural posture:

• Permission for judicial review was granted by Lang J; evidence disclosure issues arose (late disclosure of key documents and incomplete audit material) and the court admitted late evidence and allowed amendment to address ISA 2018.

Issues framed by the court:

1. Whether ISA 2018 contains sufficient "appropriate technical and organisational measures" and other safeguards to permit the sharing of (including sensitive) personal data under the Data Protection Act 2018.
2. Whether the individual disclosures of the claimant's data to BCRP were lawful, including whether information revealing vulnerability to child sexual exploitation or bail conditions were shared lawfully.

Court's reasoning and outcome on those issues:

• Issue One: The court analysed the 2018 Act requirements (s.35 on lawfulness, Schedule 8 conditions for sensitive processing, s.42 on policy documents, ss.56, 57, 59 and 66 on technical and organisational measures and security). The ISA 2018 identified joint controller status, contained security and vetting requirements, restricted onward distribution by contract (Data Integrity Agreement) and included an appended Legitimate Interest Assessment and a policy for processing children's data. The court found these safeguards, taken holistically, met the statutory standards, although documents could be better signposted and drafted. The ISA 2017 was also not shown to have breached the DPA 1998 or the 2018 Act on the material before the court.
• Issue Two: On the evidence the police had shared incident details and the claimant's photograph and basic personal data lawfully for public-protection purposes. However, the court found that emails and disclosed material showed the police had shared information disclosing the claimant's vulnerability to child sexual exploitation; that sharing was insufficiently justified and inadequately assessed and therefore breached the Data Protection Act 1998. The sharing of bail conditions with BCRP members and their employees was not a publication to the public for the purposes of the Children and Young Persons Act 1933 or s.45 of the 1999 Act in the court's view.

Other material findings:

• The court criticised the defendant's incomplete disclosure and lack of candour, which limited the court's ability to determine precisely what was disclosed and reduced weight to be given to some of the defendant's assurances.

The claim was allowed in part. The court dismissed the challenge to ISA 2018 (finding it provided sufficient safeguards to comply with the Data Protection Act 2018) and dismissed most of the complainant's challenges to past disclosures, but upheld the claim in respect of unlawful sharing of information revealing the claimant's vulnerability to child sexual exploitation under the Data Protection Act 1998. The court also held that sharing bail conditions with members/employees of the BCRP did not amount to publication to the public under the Children and Young Persons Act 1933 or s.45 Youth Justice and Criminal Evidence Act 1999.