M, R (On the Application Of) v The Chief Constable of Sussex Police

The Court of Appeal dismissed the claimant’s challenge to the lawfulness of Sussex Police’s Information Sharing Agreement of December 2018 ("ISA 2018"). The court held that, read holistically with its appendices (notably Appendix 4) and the Legitimate Interest Assessment, the ISA 2018 provided an "appropriate policy document" for the purposes of Part 3 of the Data Protection Act 2018 and implemented appropriate technical and organisational safeguards under the sixth data protection principle (sections 34–40 and section 42 DPA 2018 were central).

The court also rejected the claimant’s challenge to the earlier ISA 2017 for historical disclosures. It held that disclosure of bail conditions to the Brighton & Hove Business Crime Reduction Partnership (BCRP) and its vetted members did not amount to publication to members of the public under section 49 of the Children and Young Persons Act 1933 or section 45 of the Youth Justice and Criminal Evidence Act 1999.

By contrast, on cross-appeal the court allowed the police’s appeal in respect of the High Court’s finding that police disclosures that M was at risk of child sexual exploitation amounted to disclosure of her "sexual life" (sensitive data) under the Data Protection Act 1998. The Court of Appeal concluded that being at risk of sexual exploitation is not the type of information naturally understood as the data subject’s own "sexual life" and that the evidence did not support the inference relied on by the High Court. Consequently the declaration and damages awarded at first instance were reversed in that respect. The anonymity order for the claimant was continued, but additional restrictions (town or Interested Party anonymity) were refused.

Background and parties. The appellant ("M") was a vulnerable young person who had been the subject of multiple police reports and an exclusion notice by the Brighton & Hove Business Crime Reduction Partnership (BCRP). She brought judicial review proceedings by a litigation friend challenging (1) the lawfulness of Sussex Police’s arrangements for sharing personal data (including potentially sensitive personal data) with the BCRP under the ISA 2018 (Part 3 DPA 2018 / Law Enforcement Directive issues), and (2) specific historic disclosures made prior to 25 May 2018 under the Data Protection Act 1998, including an allegation that police told the BCRP she was vulnerable to child sexual exploitation (CSE). The BCRP was joined as an Interested Party. The case came on appeal from Lieven J ([2019] EWHC 975 (Admin)).

Procedural posture. Lieven J at first instance held that the ISA 2018, read with its appendices and the Legitimate Interest Assessment, provided sufficient safeguards under Part 3 DPA 2018 but found that particular emails showed unlawful disclosure under the DPA 1998 that M was vulnerable to CSE and awarded nominal damages of £500. M appealed those aspects of the judgment; the Chief Constable cross-appealed against the CSE-related finding and related findings about Operation C.

Issues framed by the court. The court focussed on: (i) whether the ISA 2018 complied with Part 3 DPA 2018, including the requirement for an "appropriate policy document" under section 42 and the obligations under the data protection principles (sections 34–40) and technical/organisational security (sections 55–66); (ii) whether the ISA 2017 and historical disclosures complied with the DPA 1998/DPA 2018; (iii) whether disclosure of bail conditions to BCRP members amounted to publication to the public for the purposes of the 1933 and 1999 Acts; and (iv) whether disclosure that M was at risk of CSE was disclosure of "sexual life" (sensitive personal data) under the DPA 1998.

Reasoning and outcome on the ISA issues. The court conducted a purposive and contextual analysis of the LED, GDPR and Part 3 DPA 2018. It concluded that Recitals may assist interpretation but do not create substantive obligations beyond the statute. The court accepted the High Court’s holistic method: the proper approach is to assess whether the totality of safeguards (the ISA, appendices, LIA, technical controls, vetting, data integrity agreements, two-stage sharing process and limited onward disclosure to vetted members on a need-to-know basis) was "appropriate" in the statutory sense. The Court of Appeal agreed that Appendix 4 and the LIA could form part of an "appropriate policy document" and that the safeguards in the ISA 2018 (and, historically, ISA 2017) were sufficient to satisfy Part 3 and the relevant principles. The court therefore dismissed the challenge to the ISA 2018 and related historic-agreement complaints.

Reasoning and outcome on past disclosures and sensitive data. The court held that information that someone is at risk of CSE is not naturally categorised as information about the person’s "sexual life" (a category of sensitive personal data in the DPA 1998). The Court found no adequate evidential basis for the High Court’s inference that police had told the BCRP that M was sexually vulnerable and that references to "Operation C" did not, per se, communicate a CSE risk. Accordingly the cross-appeal succeeded and the High Court’s finding, declaration and award in respect of that particular breach were reversed (the nominal award would not stand in light of this).

Other findings of note. The Court continued M’s anonymity order, declined further restrictions that would identify the town or Interested Party, and rejected the argument that sharing bail conditions with vetted BCRP members amounted to publication to members of the public.

Appeal dismissed in respect of challenges to the lawfulness of ISA 2018/ISA 2017 and to the characterisation of sharing bail conditions as publication to the public; cross-appeal allowed in respect of the High Court’s finding that disclosure that M was at risk of child sexual exploitation amounted to disclosure of her "sexual life" (sensitive personal data) under the DPA 1998. Rationale: the ISA 2018, read with its appendices and the LIA, met Part 3 DPA 2018 requirements (section 42 appropriate policy document and appropriate technical and organisational safeguards); disclosure of vulnerability to CSE is not naturally within "sexual life" and the evidence did not support the inference relied on by the High Court; sharing with vetted BCRP members was not publication to the public for statutory reporting restriction purposes.

On appeal from the High Court of Justice, Queen's Bench Division, Administrative Court (Lieven J) [2019] EWHC 975 (Admin). Permission to appeal previously renewed by Nicola Davies LJ on 9 March 2020. This Court delivered judgment 19 January 2021 (EWCA Civ).