Human rights and data protection
Should data be deleted after a case is closed?
R (II) (by his mother and litigation friend, NK) v Commissioner of Police of the Metropolis  QBD
A continued retention of data that was disproportionate so as to infringe the data subject’s Article 8 rights was necessarily also in breach of data protection principles.
The claimant’s mother challenged the Commissioner’s decision to retain the data of a 16-year old boy who, at the age of 11 (in 2015), had been the subject of a “radicalisation risk” referral by the Department of Education after concerns raised by an online tutor. The DoE referred the matter to the Metropolitan Police in accordance with the Government’s “Prevent Strategy”. Following investigation, the case was closed in 2016 with no further action as there were no identified concerns. In April 2019, the police refused the mother’s request for the data to be deleted. The effect of that decision was that the claimant’s data would continue to be held on 10 databases until 2022 (six years from when the documents in question were made). The claimant challenged this decision by way of judicial review.
Whilst the data retention was an interference with the claimant’s Article 8 right to private life, it was accepted that it was both in pursuit of a legitimate aim (the prevention of radicalisation) and in accordance with the law. The key question was whether the continuing retention was a proportionate interference, i.e. was it proportionate to the legitimate aim pursued? The judge held that it was not for the following reasons:
- The case was closed because the officers concluded that there was no cause for concern.
- Numerous aspects of the source’s disclosure were misinformed and some were proved to be untrue, they were not merely “unsubstantiated”.
- The source had no contact with the claimant after November 2015 (when he was aged 11). The claimant was now 16 and nearly five years had passed without any further radicalisation concerns being raised.
- Whilst the ordinary period of retention was six years, the relevant policy framework did not mandate a minimum period for children and there was a right of review. If retention was no longer required for policing purposes, then the information fell to be deleted.
- There was no policing purpose for continuing to hold the claimant’s data.
- Whilst there was “little prospect” of the data being disclosed to third parties, there was equally no guarantee of this. The claimant was particularly concerned about the prospect of disclosure to universities that he may apply to. As a result, the ongoing retention “engendered fear in a 16-year-old boy that he may be tagged (wrongly) as a supporter of terrorism”.
Since the retention was disproportionate for the purposes of Article 8, it followed that it was not “necessary” within the meaning of s.35(2)(b) Data Protection Act 2018 (DPA) and nor was the data being kept “for no longer than necessary” (s.39(1) DPA). The retention therefore breached the first and fifth data protection principles of law enforcement processing.
This is a classically fact-specific decision. There was no underlying flaw or irregularity in the police’s general approach or the governing policy. Rather, in the specific circumstances of the case, and with regard to the impact on the claimant, the ongoing retention was not justified. However, it does emphasise both the relevance of Article 8 in data protection matters involving public bodies and the critical importance of the concept of “proportionality”, a word that interestingly does not actually feature in the wording of the Article.