Legal Updates

Data Protection – Unlawful Access and Disclosure – Personal Information

In the case of R v Rooney (CA) [2006], an employee was convicted of unlawfully obtaining and disclosing personal data.

The defendant worked in the human resources department of a police constabulary, where she had access to the personal data of other employees. The defendant’s sister had a relationship with a police officer, A. This relationship ended in 2003. A then began a relationship with T, who was another employee of the police force. Eventually A and T moved into an address in Tunstall together. The details of this new address were updated on the employee database.

The defendant accessed the information held about A and T a number of times, and proceeded to tell her sister that the pair had moved to Tunstall, however, she did not specify the exact address.

The prosecution argued that the defendant had abused her position and breached the Data Protection Act 1998 (“DPA”) by accessing personal information that was unrelated to work and then passing that information along without consent. The particulars of the indictment stated that she had knowingly or recklessly and without consent of the data controller, disclosed personal data in contravention of s.55 (1) DPA.

The defendant submitted that she could rely on the defence within s.55 (2) DPA because she was acting in pursuance of her duty to check that the information was up-to-date.

She was convicted on two counts of unlawfully obtaining of personal data and one count of unlawfully disclosing personal data. With regards to the latter conviction, she appealed on the ground that by merely mentioning to her sister that the pair now lived in Tunstall, she had not disclosed the full address and subsequently the charge of unlawfully disclosing personal data was not be made out.

The court rejected the appeal and held that:

â–ª     the charge was for the disclosure of ‘personal data’ or the disclosure of ‘information found in personal data’; and

â–ª     the reference to Tunstall amounted to ‘information found in personal data’, meaning it did not matter that the specific address had not been disclosed.

The defendant’s convictions were upheld.

Comment: Please contact us for more information on data protection at  [email protected]. Visit http://www.rtcoopers.com/practice_dataprotection.php

© RT COOPERS, 2006. This Briefing Note does not provide a comprehensive or complete statement of the law relating to the issues discussed nor does it constitute legal advice. It is intended only to highlight general issues. Specialist legal advice should always be sought in relation to particular circumstances.