A case law review of data retention in policing

Analysts have described data as the ‘lifeblood of the digital world’ and there is no doubt data is one of the most valued commodities in the modern age. It is likely data will even become a form of currency in the future. As such, the correct management and approach to its retention is crucial. Most of the public discourse on data use may appear more prevalent in the fields of marketing, healthcare and retail – but there is an ever-evolving landscape of data protection judgments in the police law sphere that should be noted and analysed with interest.

Data retention versus respect for a private family life

It is true for many individuals that there are indiscretions in the past that one would prefer to be forgotten. However, if those indiscretions constitute criminal offences, instead of being forgotten with the passage of time, they are stored on central databases accessible by police forces until one reaches the ripe old age of 100. This was the case for the claimants Q, B and A in the matter of R (QSA) v National Police Chiefs’ Council (NPCC) [2021] 1 WLR 2962 – and they sought to challenge the data being retained.

• The claimants were convicted of loitering in a street or public place for the purposes of prostitution in the 1980s-1990s. The convictions were recorded on the PNC. As is standard policy, the convictions were to remain on the PNC until Q, B and A were 100 years of age. The policy in place did allow certain chief officers to exercise their discretion, in exceptional circumstances, to delete PNC records relating to non-court disposals. Offences that resulted in court convictions were not eligible for record deletion.
• Q, B, and A claimed the 100-year policy was unlawful on the basis that it was not in accordance with the law and constituted a disproportionate interference with their right to privacy under Article 8 of the ECHR.
• The court held the 100-year policy was “in accordance with the law” and it could not be clearer or have a more foreseeable effect. The Court held that the 100-year policy was also proportionate for the following reasons: -

1. Government agencies have a genuine and pressing need to access a comprehensive record of criminal convictions. This objective is sufficiently important to the criminal justice system — and to public services requiring security, vetting, and licensing — to justify interference with the claimants’ Article 8 rights.
2. The interference occasioned by bare retention of data is modest and readily justified as the public interest in the maintenance of a comprehensive record of convictions far outweighs the personal interest of Q, B and A in deleting their past convictions.

The interaction of the claimants’ rights under the ECHR were carefully balanced in this case with the need to uphold criminal justice and ensure the validity of background vetting for the public services. The court could not be seen to displacing the 100-year policy lightly in one instance, or they may be forced to do it on numerous instances in the future. The court highlighted, in this instance, the retention of data was modest in its impact on the claimants, and it does not appear to have been alleged that the data was being used for any other purpose.

Proportionality will be at the discretion of the court in each individual case – and on that basis, it would be most interesting to see the outcome of a case on similar facts, but in a case where the data has been used for the purpose of vetting or security requirements being refused to a claimant because of the data held. It remains unclear if the court would take a different view on the proportionality of the data retention in circumstances where Q, B and A were unable to secure jobs, or complete their current job roles, because of security or vetting refusals on the basis of convictions some 30-40 years prior.

Data retention in the case of an acquittal

Another case concerning the data retention and the 100-year policy was that of R (YZ) v Chief Constable of South Wales [2022] EWCA Civ 683.

• The claimant (YZ) applied for his personal data to be deleted from the PNC. He had been acquitted of raping his former wife, but details of the acquittal had been retained on the PNC. Other matters, such as his political and religious views, were also recorded. YZ submitted retaining that information was a breach of the Data Protection Act 1998 (DPA) and incompatible with Article 8 ECHR. The case referred to policy guidance, ‘Deletion of Records From National Police Systems.’
• The court found that the police guidance was relevant but had no statutory force. Although the guidance encourages individuals to provide reasons to justify the deletion of PNC records, it is ultimately for the data controller to demonstrate compliance with the DPA. Processing for law enforcement purposes must be lawful and fair. It is not for the applicant to show his records should be deleted.
• YZ’s acquittal, however, did not necessarily mean his personal data should be deleted. The finding merely demonstrated the jury could not be sure YZ had committed rape. The presumption of innocence had no continuing relevance, except to prohibit a public authority from suggesting that the acquitted defendant should have been convicted. The police had to consider whether retention was necessary, taking into account the allegations and any other information.
• On the facts, processing the retained information was necessary for law enforcement in order to protect the former couple’s child and potentially YZ’s ex-wife as well. The decision to retain information about YZ’s religious views and mental health was fair and rational because it included concerns of extremism. It was also acceptable to retain the information for 100 years since it could not be said that the risk to the child and wife would diminish to the point of insignificance in the claimant’s lifetime. The Article 8 claim failed for similar reasons. Retention was in accordance with the law, in the interest of preventing crime and for the protection of the individuals previously referred to.

It is therefore clear, while an individual’s Article 8 rights are of the utmost importance, so is the ability to effectively police within and uphold the criminal justice system, and above all, protect the public from harm by preventing crime. Our criminal justice system requires the jury to be confident beyond reasonable doubt that the defendant is guilty of the crime that they are on trial for in order to convict. The criminal court does not deal in ‘guilty’ and a definitive finding that the defendant is ’innocent’ – but rather ‘guilty’ or ‘not guilty’ – and that is an important distinction to be made. The court set out that a presumption of innocence following an acquittal does not automatically entitle you to have your data deleted. The safety of the claimant’s wife and child also had to be considered. The court deemed the retention of the data to be proportionate in these circumstances presumably owing to the severity of the offence reported. It was not just the retention of the data regarding the acquittal that was challenged by the claimant, but also data relating to his religious views and mental health. The court found the retention of this sensitive data reasonable and rational in the context of concerns about extremism.

The court’s rationale for upholding that the data retention in both instances of the acquittal and sensitive data appears to have been motivated by a desire to ensure that police had all information required to protect members of the public from potential future offences. However minimal the risks may be, they could not be reduced to a level so insignificant that the data could be destroyed.

Data retention following third party data manipulation

A case with completely different facts, but no less interesting, was Chief Constable of Greater Manchester v Zuniga (Z) and Others [2021] EWHC 1572 (Fam).

• Z provided forensic analysis services to police forces, including GMP, for the purposes of identifying drug use. The results were used in a wide range of court cases. GMP led an investigation into alleged data manipulation by Z between 2011 and 2017. The investigation uncovered 27,000 reports which appeared to have been affected. GMP applied for permission to obtain and use a large amount of potentially affected biometric data without limitation, since otherwise the data could only be held for the purpose of criminal law enforcement pursuant to s22 PACE 1984, despite the material having potential significance to the victims of miscarriages of justice.
• The court held that GMP had permission to retain and use the material subject to two requirements: (i) that the subjects of the material’s identities would only be revealed in criminal trials with consent of the individual, and (ii) that the order would be reviewed every 12 months by the President of the Family Division.
• Retention, use and disclosure of biometric data constitutes an interference with an individual’s Article 8 ECHR rights and therefore had to be justified according to well-established principles. The interference was in accordance with the law, since the order was governed by PACE and the Family Procedure Rules. It was necessary for practical purposes, because otherwise GMP would have had to apply for permission for disclosure of data on a case-by-case basis, which would be a disproportionate burden on court resources. Finally, the interference was proportionate as the orders would be reviewed every 12 months, allowing for reasonable retention and use of the data.

There is vast debate on the fairness of the 100-year rule – and a freedom of information request submitted by a member of the public earlier this year asked the NPCC to confirm if they had plans to change it. In response, the NPCC confirmed that there was a review ongoing which was consulting the ICO, Home Office, MOJ, the Biometrics and Children’s Commissioners and other key stakeholders. They stated a report in relation to this will be published at the appropriate time. It is possible therefore, at an undetermined point in the future, the rules may change – but until then, data will be retained for a century from the individual’s birth – and exceptions will only be made in exceptional circumstances.

Concluding remarks

The majority of these claims are pursued as Human Rights Act claims under Article 8 – and it appeared, until recently, the procedure for such claims may also be changing in the near future. Plans to ‘overhaul’ the Human Rights Act, in the form of the Bill of Rights, would have required a ‘permissions’ stage to pursue claims. This would have required a potential claimant to convince a court that the alleged breach of their human rights caused a significant disadvantage to them, only then could a claim continue against the proposed defendant. This would have presented a bar which some of the cases above may not have even passed in order to bring the claim, never mind reach a hearing. However, given it has been announced that these plans are being ‘shelved’ for now, the status quo remains – and data claims will still be pursued under Article 8 in the usual way.

The above cases demonstrate that data is not just the ‘lifeblood’ of the digital world – but policing as well. Without the vast intelligence compiled on the PNC, the checks completed on it would be rendered almost useless. Without the data retention rules, there could be untold consequences for victims of crime, officer safety – and the progress of numerous vital investigations. This must ultimately be valued higher than an individual’s wish to be forgotten or removed from a digital file – without this, the ability to police our entire society effectively as we know it would collapse. However, the court will not take interference with Article 8 lightly – and as such, a case-by-case analysis will continue be seen. It appears only the correct administration and enforcement of justice will justify such an interference.

Emelia Bezant-Gahan is a solicitor with the public services law team at Plexus Law: plexuslaw.co.uk