YZ, R (on the application of) v Chief Constable of South Wales Police (Rev 1)

The claimant, acquitted after trial on three counts of rape, sought deletion of personal data and an acquittal entry from the Police National Computer (PNC). The defendant refused, relying on national guidance and retention policy. The court held that the Data Protection Act 2018 (in particular the law enforcement processing regime in Part 3, Chapter 2 including sections 34 and 35 and Schedule 8) governed the lawfulness of retention and that the national guidance must be read subject to the Act.

The judge found that the controller (the Chief Constable) had properly considered the material, applied professional judgment and demonstrated that processing of the claimant’s PNC data was lawful and fair and strictly necessary for law enforcement and safeguarding purposes. The guidance’s requirement for positive evidence did not improperly place the burden on the applicant. Retention under the 100-year rule was held to be justified on the facts. The claim under Article 8 ECHR likewise failed as retention was in accordance with the law and necessary for the prevention of crime and protection of the rights of others.

Background and relief sought. The claimant was tried and acquitted of three counts of rape. He applied to ACRO/Records Deletion Unit for deletion of PNC entries relating to the acquittal and other personal data. The defendant refused the application and, on internal review, upheld that refusal. The claimant sought judicial review of the decision, arguing (i) that the decision was unlawful under the Data Protection Act 2018, (ii) that the national PNC record deletion guidance was incompatible with the DPA 2018, (iii) that sensitive processing rules applied and the processing was not strictly necessary, and (iv) that retention was incompatible with Article 8 ECHR.

Procedural posture. Permission for judicial review had been granted on the papers. Additional grounds were later added concerning event history and sensitive personal data; the defendant was allowed further time to respond but ultimately no further evidence was served.

Issues framed by the court.

• Whether the guidance displaced or conflicted with the Data Protection Act 2018 and whether the defendant had satisfied the statutory requirements for law enforcement processing (sections 34 and 35 and Schedule 8).
• Whether the processing of the claimant’s PNC data, including sensitive material (racial/ethnic origin, political/religious views, mental health), was strictly necessary and met a Schedule 8 condition.
• Whether retention until the claimant reached 100 years of age was disproportionate and incompatible with Article 8 ECHR.

Court’s reasoning and conclusion. The judge held that the guidance must be read in light of and subject to the DPA 2018 and has no statutory force for PNC deletions. The controller remains responsible for demonstrating compliance with the DPA 2018. The guidance’s encouragement that applicants provide supporting evidence did not shift the legal burden onto applicants; it simply recognised that elimination as a suspect or an acquittal may not by itself justify deletion. The decision-maker (Mr Russell) had considered trial material, contemporaneous intelligence and safeguarding concerns and reasonably concluded there was no firm evidence that the allegations were malicious or false. The processing was found to be strictly necessary for law enforcement and for safeguarding the claimant’s former wife and child and to meet the conditions in Schedule 8. The 100-year retention rule was found justified on the facts. Article 8 interference was in accordance with the law and necessary for the prevention of crime and the protection of the rights of others. The claim therefore failed.

The claim is dismissed. The court held that (i) the national PNC deletion guidance must be read subject to the Data Protection Act 2018, (ii) the controller had properly applied the statutory law‑enforcement processing regime (notably sections 34 and 35 and Schedule 8) and demonstrated that retention of the claimant’s PNC data was lawful, fair and strictly necessary for law enforcement and safeguarding, and (iii) retention was proportionate for the purposes of Article 8 ECHR.