Posts on this blog represent my opinion. It may be my considered opinion on the basis of my formal study of law and technology. But it is not legal advice. It must not be treated as, or acted upon as, legal advice and no liability is accepted for doing so.

Sunday, 7 September 2008

It's The Data Protection Act, not the Say Nothing To Anyone Act

If you were thinking it had become a little quiet around here then you were right - I've spent the last week in the induction phase of the Bar Vocational Course. After a year doing an LLM that was concerned with specific areas of almost entirely civil law I am having to revisit the whole wider legal spectrum, including that 'criminal' stuff I dimly remember from W201. However, this doesn't mean any less interest in lawblogging on IT and IP law; to the contrary, I am keen to keep myself abreast of my intending area of specialisation.

Something that did catch my eye last week was this story on how Marks & Spencer claimed that the Data Protection Act meant that it could not talk to the mother of a child who had received a defective Superman costume as a gift and insisted on speaking directly to the seven-year-old boy himself. As this item in The Times notes, this is just the latest in a depressingly long line of examples of how the DPA is being misinterpreted and overzealously applied whilst agencies of HM Government - who really should be applying its requirements stringently - repeatedly mislay vast swathes of sensitive personal data. For my part, I would go further; it is hard to avoid the suspicion that the DPA is being invoked to excuse laziness, conceal incompetence and in some cases to indulge in pure administrative bloody-mindedness. In one instance I'm personally aware of, a building management company refused to release financial records on income and expenditure on the grounds of 'data protection' despite the clear statutory requirements of ss.21-22 Landlord and Tenant Act 1985 to do so. In the M&S case, surely common sense should have dictated that the parent or guardian of a minor is the appropriate person to speak to? But no, the bogeyman of Data Protection is offered up instead.

In wider terms, this is symptomatic of a worrying tendency (I almost said 'trend', but I suspect it has long been thus) for people to assume that, because they are dimly aware that a certain area is regulated by law, any conduct impinging on that area is forbidden. The more that the legal regulation is publicised, the more prevalent and extensive this assumption becomes. We see this in the vexed issue of public photography, where anti-terrorism campaigns and hysterical news coverage have had the (I hope) unintended effect of convincing security guards and members of the public that anyone with a moderately decent camera is either a terrorist or a paedophile. Unfortunately, this suggests that the more we see of well-justified news stories about data protection failings, the more we might hear of shop assistants invoking the DPA.

4 comments:

Anonymous said...

The worst example of that trend, of course, was the Soham murders, where one police force invoked the DPA to justify its not having passed on relevant information to another.

Also, the example given is that particular species of idiocy which I think of as "Bollocks to three decimal places". First, what is the personal data which would require to be disclosed in the discussion? None whatsofuckingever. The parents have already shown they are in possession of all relevant facts about the defective property concerned. They are processing that data, thank you, quite properly even if you think the child is the contracting party (which it isn't and can't be) in accordance with Sch. 2 of the DPA 1998.

Anonymous said...

At a *mumblemumble-no-name* place I used to work, a colleague had his bicycle unchained and nicked in plain view of two cameras and right under the window of *mumblemumble-no-name* estate's security office.

When he requested the footage, with a crime number and a report from the Met, he was told 'no', on 'Data Protection' grounds.

The reason for the mumbling is that we think the security contractor has taken legal advice about the unlikely - and purely speculative! - possibility that it might be their own staff nicking stuff.

Simon Bradshaw said...

To Anonymous - the DPA has significant restrictions on its application where the information in question relates to the prevention or detection of crime (s.29), so this sounds like a rather weak excuse. Furthermore, if I read your description correctly, it sounds like your colleague might have had a claim against your employer for negligence! At the very least, issuing such a claim might have forced disclosure of the tape...

pangloss said...

Theoretically I suspect they are in the right you know tho for wrong reasons. As the requester isn't actually on the tape himself, it isn't a subject access request so DP law not really relevant; simply the tape is owner's property so no legal duty to share it. Correct procedure when refused should be sadly to either seek court order for disclosure in civil litigation, or report it as crime to the police who have own statutory powers to collect evidence..

But yes I have my own horror stories of DP law being used as blanket "computer says no" excuse, many involving A Certain Huge and Not Intelligent At All Building Society (not allowed to pay money IN to own account without multiple proofs of ID due to "DP law" - arg!) and A Certain Huge but Now Virginal Telco (not allowed to change name on telephone bill, again to PAY IN sums, even when resident who put name on account originally had buggered off). GRR.