Data Protection Act 1998: Procuring Disclosure of Personal Data

In the light of concerns about the extent to which private enquiry agents, the media and others have been able to obtain and use personal data in apparent disregard of the rights of the data subject, barristers should be familiar with all the provisions of the DPA in particular, those which may be relevant when considering the obtaining and use of material as evidence in proceedings.

On the one hand, s. 35 permits the data controller to disclose personal data when required by law or court order, or when necessary for the purpose of actual or prospective legal proceedings, for obtaining legal advice or for establishing, exercising or defending legal rights. So, if one's client, as a data controller, is already lawfully in possession of an item of personal information, the DPA will not necessarily limit the typical uses to which counsel may wish to put it in proceedings, provided that such use is proportionate to the Art. 8 rights of the individual. Where disclosure of personal information is contemplated, it may be sensible to consider what additional protections could be put in place to limit the disclosure to the general public of personal information, particularly sensitive personal information.

In addition, s. 55 DPA renders it a criminal offence knowingly or recklessly to obtain, disclose or procure the disclosure of personal data without the consent of the data controller (subject to various exceptions, including a reasonable belief in legal entitlement, and a public interest defence). Counsel should bear this provision in mind, from the standpoint of their own potential liability as well as that of their lay and professional clients, when advising that information be obtained about personal matters concerning the opposing party, such as financial status or criminal records, which would normally be held as personal data under the DPA. In particular cases, other provisions of the DPA may also be relevant to professional practice. The use of documents obtained by such methods, may, in any event, be excluded from consideration, (see Imerman v Tchenguiz [2010] EWCA Civ 908).

Extended powers of the Information Commissioner

Since 2010 the ICO has had the power to levy monetary penalties for serious breaches of the Data protection principles (s.55A DPA). Guidance as to how this discretion will be exercised is available on the ICO website.  The monetary penalty is capped at £500,000. Such penalties are applied in cases where there have been serious breaches with the aim that they serve as a sanction and a deterrent. Recently, penalties of between £60,000 and £100,000 have been imposed.

This guidance is no substitute for obtaining advice on the substantive legal obligations of members of the Bar, including obligations under the DPA, but this reminder may be useful.

Professional Practice Committee
Bar Council
Reviewed July 2011

©2013. The Bar Council