Jim Meyer :: ranked as a leading criminal and regulatory enforcement solicitor
Data protection and the General Data Protection Regulation
Experienced regulatory enforcement and compliance lawyer who provides advice and assistance to clients in relation to data protection law and the General Data Protection Regulation
If you are facing enforcement action by the Information Commissioner’s Office (“ICO”) you are best advised to instruct an experienced solicitor, like Jim Meyer, to defend you. The Data Protection Act 2018 has greatly extended the UK’s data protection laws, and, whilst the fines that can be imposed are massive, the ICO has an array of options available, including warnings and reprimands; instructing a solicitor early greatly increases your prospects of achieving a favourable outcome.
If you are accused of obstructing the ICO, knowingly or recklessly retaining personal data without consent, re-identifying personal data that had been “de-identified” (i.e. redacted), altering data to prevent disclosure, or unlawfully requiring another person to provide or give access to a relevant record, then you should seek legal advice from an experienced practitioner.
With over 27 years‘ years experience as a regulatory enforcement lawyer, Jim’s clients include companies and unincorporated organisations, as well as company officers (directors and company secretaries), managers and employees who are often referred by their company’s own lawyers for specialist advice and assistance.
Jim advises individuals on the potential liability that is secondary to their company’s, for example when there is an allegation that a company’s offending was caused by a director’s or manager’s consent, connivance, and/or neglect, as well as advising more genuinely in relation to a request for assistance, or a request made compelling the provision of information.
Seek the advice of an experienced lawyer who can help you comply with data protection law
The enhanced rights and obligations enshrined in the General Data Protection Regulation (GDPR) mean that now, more than ever, businesses cannot afford to ignore data protection law. Jim can advise on what is a broad range of complex data protection issues, helping you to:
Ensure that personal data is protected, including:
Assisting you to conduct a data processing audit;
Advising you in relation to the lawful bases of processing;
Drafting privacy notices to meet the new standards of transparency;
Advising you in relation to website policies and cookies notices;
Advising you in relation to electronic marketing and how to comply with the Privacy and Electronic Communication Regulations;
Advising you on the appointment, role and responsibilities of a data protection officer;
Assisting you to maintain records to demonstrate your data protection compliance.
Manage the consequences when it is not, including:
You first response following a data breach, including the obligation to notify the ICO and other regulatory bodies;
Focussed legal advice and practical support if you are subject to an ICO investigation
Mitigating the damage to potential claimants and ensuring you are prepared for any civil litigation which may follow.
Relevant case law in relation to data protection offences
The High Court refused permission for a claimant to seek judicial review of the Secretary of State for the Home Department's decision to provide mutual legal assistance to the US government to assist a criminal investigation which could lead to the prosecution of a suspected British terrorist. On a proper reading of Directive 2016/680 and the Data Protection Act 2018, there was no scope for arguing that the processing of personal data was not necessary or was disproportionate because the relevant objective was prosecution and the suspect might be prosecuted in the UK.
The independent adjudicator, to whom disciplinary charges against prisoners were referred, did not have an express or implied power to refer charges to the police. The regime for discipline in prisons was intended to operate separately from the criminal justice system, except where the governor referred charges to the police or where the charges related to very serious offences.
The current legal regime in the UK was adequate to ensure the appropriate and non-arbitrary use of automated facial recognition technology. A police force's use of such technology in a pilot scheme was consistent with the requirements of human rights and data protection legislation and the public-sector equality duty.
CA (Civ Div) (Sir Geoffrey Vos C, Sales LJ, Baker LJ)
22 January 2019
The National Crime Agency had complied with its obligations under the Data Protection Act 1998 when using information obtained from a police force as part of an information-sharing practice between law enforcement agencies in disciplinary proceedings which resulted in an employee's dismissal for gross misconduct.
The claimant, who had been the subject of research by the Extremism Analysis Unit, had not made out his challenge to the lawfulness of the Prevent Duty Guidance for England and Wales and the Higher Education Prevent Duty Guidance, which were aimed at preventing people from being drawn into terrorism. Further, the collection, storage and dissemination by the Extremism Analysis Unit of his data had not breached his privacy rights under ECHR art.8.
A prisoner had not suffered procedural unfairness where the prison governor upgraded his security category and status based on information that the prisoner was potentially involved in trafficking illegal substances and products into the prison. Although the governor had not fully disclosed the reasons for his decision, such non-disclosure could be justified on the basis of protecting sources of information, intelligence methods and the integrity of an ongoing investigation, and was statutorily recognised by the Data Protection Act 1998 s.29.
EAT (Judge Eady QC)
16 June 2017
Although a tribunal had been entitled to conclude that an employer had acted fairly in its conduct of an investigation into information-sharing practices with the police, it was unclear whether it had had proper regard to the employee's particular concerns as to how those practices might prejudice his participation in an internal disciplinary procedure while facing ongoing criminal proceedings. The tribunal's failure to engage with that point rendered its conclusion unsafe.
CA (Crim Div) (Davis LJ, Gilbart J, Judge Zeidman QC)
23 September 2016
When refusing an application for permission to appeal against the registration of an overseas freezing order, the Court of Appeal commented that when dealing with such challenges, Crown Court judges in England and Wales should refuse to entertain evidence or arguments directed at the substantive basis for the making of the initial freezing order. Only the courts of the issuing state had the jurisdiction to consider such arguments.
A declaration was granted that a defendant had failed to comply with a subject access request under the Data Protection Act 1998 s.7 and an order made that the defendant comply with that request. The defendant failed to establish that either a crime or a privilege exemption applied, and there was no good reason not to exercise the court's discretion in favour of the claimants who had made a valid request.
In discharging their core functions of investigating crime and obtaining evidence, the police did not owe a duty of care to potential witnesses in general. Further, the Merseyside police had not assumed responsibility for the safety of witnesses to a shooting incident. A negligence claim brought by the witnesses, relating to the disclosure of their address to the defendants by the CPS, could therefore not be sustained.
The disclosure by police to the Local Authority Designated Officer of information about a teacher's past sexual misconduct with students was unlawful and in breach of the teacher's ECHR art.8 rights where the information turned out to be false and the relevant officers had failed to verify it against the police database records. The criteria in the Police Act 1997 relating to enhanced criminal record certificates also applied to other forms of disclosure.
SC (Lord Neuberger PSC, Lady Hale DPSC, Lord Mance JSC, Lord Sumption JSC, Lord Toulson JSC)
4 March 2015
The retention by the police of records of an elderly and non-violent man's participation in demonstrations organised by an extremist protest group was proportionate for the purposes of ECHR art.8. The police's policy on the retention of data in relation to harassment cases was not unlawful.
The Child Sex Offender Disclosure scheme, the Management of Police Information Guidance and the Multi-Agency Public Protection Arrangements Guidance were schemes for the collection, ordering and possible disclosure of data by the police which were not arbitrary and provided adequate guarantees against arbitrariness. The schemes all represented public standards which could be applied to the management of personal data held by the police and were "in accordance with the law" for the purposes of the ECHR art.8. Moreover, they pursued legitimate aims and therefore represented a proportionate and justifiable interference with rights in accordance with art.8(2).
The Police Force did not have a duty to inform a former police constable's new employer that, whilst in the force, the constable had taken long periods of sick-leave and had an unresolved gross misconduct charge against him. To provide that information would breach data protection principles and his legitimate expectations.
QBD (Admin) (Andrews J)
12 February 2014
It had been unreasonable for a Chief Constable to have included information about a failed prosecution for sexual offences against a child on an enhanced criminal record certificate where the prosecution had failed due to the unreliability of the evidence. As the claimant, who had applied to volunteer as a church worker, obtained just satisfaction by the quashing of the decision to include the information, it was not appropriate to award damages and the fair thing to do was to reflect compensation in terms of costs.
Although it was common knowledge that the coming into force of the Protection of Freedoms Act 2012 s.25 would prevent the retention by police of fingerprint information and DNA profiles, it would be wrong for the police to start deleting material in anticipation, or for courts to make destruction orders in the interim on a case-by-case basis. A consistent approach nationally was important, and the detail of the s.25 regime should be known before steps were taken to implement it.
The regime contained in the Data Protection Act 1998, the Human Rights Act 1998 and the Statistics and Registration Service Act 2007 constituted a sufficiently accessible and predictable body of law and satisfied the requirement that any disclosure of personal census data under s.39(4)(f) of the 2007 Act "for the purposes of a criminal investigation or criminal proceedings (whether or not in the United Kingdom)" was in accordance with the law for the purposes of the European Convention on Human Rights art.8(2).
The notification requirements imposed on offenders convicted of certain terrorist offences, pursuant to the Counter-Terrorism Act 2008 Pt 4, were not incompatible with their rights under the European Convention on Human Rights 1950 art.8, and it was not necessary for there to be a mechanism in place to review those notification requirements.
CA (Civ Div) (Sir Anthony May (President QB), Leveson LJ, Toulson LJ)
12 January 2011
A chief constable responding to a request for information to be included in an enhanced criminal record certificate under the Police Act 1997 s.115(7) did not owe a duty of care to the person applying for the certificate.
A police officer's inadvertent disclosure of a prison assessment report, which attracted public interest immunity by virtue of being part of the multi-agency public protection arrangements scheme, was not capable of interfering with the report's public interest immunity status.
The words "in the open air" in the Criminal Justice and Public Order Act 1994 s.68 and s.69 had been removed by virtue of the Anti-social Behaviour Act 2003 s.59 but it was clear that the definition of "land" under s.68 and s.69 specifically included "buildings".
CA (Crim Div) (Lord Phillips LCJ, Hedley J, Pitchers J)
7 March 2007
A suspended sentence had been wrong in principle in circumstances where a serving police officer had disclosed information protected by the Data Protection Act 1998 to a known criminal who had intended to seek retribution against others outside the law.
Although sentences imposed for conspiracy to supply a Class A drug were not manifestly excessive, the disparity in the sentences passed was such as to cause a substantial sense of grievance.
Information Tr (David Marks, John Black, Jean Nelson)
12 October 2005
The criminal conviction data relating to three individuals and held on the police national computer should be retained for inspection only by the data controller or a data controller representing a chief officer of police, subject to the retention rules of the Association of Chief Police Officers' Code of Practice for Data Protection; the data should not be disclosed to other parties. The Information Tribunal set out the criteria to be considered when formulating future guidance or codes concerning the deletion of conviction data held on police computer systems.
The National Probation Service had erred in failing to consider the rights of the applicant when considering him for early release on licence by deciding that a third party should be informed of the applicant's conviction.
Where a corporate body such as a local authority failed to renew its registration under the Data Protection Act 1984 notwithstanding reminders to do so, it could reasonably be inferred that the body was aware of its omission so that its continued holding and use of personal data "knowingly" or "recklessly" contravened s.5 of the Act.
Crown Ct (Chichester) (HH Judge A Thorpe)
18 December 2001
Directors of a company whose employees had used dishonest means to obtain personal data without the directors' knowledge were each sentenced to a two-year conditional discharge.
A claim for damages for alarm and "distress", brought against a police force for failure to maintain an up-to-date PNC record, would be an abuse of process because there was no real prospect of success and the appellant could neither claim for "distress" nor claim under a discrete head of damage.
Although it could be possible that, according to the nature of a disability, a prisoner's case preparation could be seriously and substantially disadvantaged by restricted computer facilities, that was not the case for the present claimant.
CA (Crim Div) (Roch LJ, Rougier J, Gray J)
20 October 2000
Information relating to a living individual who could be identified from it was "personal data" within the meaning of the Data Protection Act 1984 and was held subject to a restriction against disclosure.
QBD (Admin) (Sullivan J)
25 May 2000
An application for judicial review of police retention of records, in respect of an alleged paedophile whose conviction was dismissed on appeal, was itself dismissed because the police were entitled to retain his records where the acquittal was secured through lack of corroboration.