A teenager has failed in a judicial review of how information on her was shared between Sussex Police and the Brighton & Hove Business Crime Reduction Partnership.
M, who was aged under 18 when the case began and so was allowed to remain anonymous, argued that the police’s safeguards for disclosing personal information to that partnership were unlawful.
She also challenged as insufficient the award of £500 damages by the High Court, which had found that the police breached M's rights under the Data Protection Act 1998 by giving the partnership information about risks of sexual exploitation.
The police cross-appealed that Lieven J in the High Court had been wrong to find this had breached the DPA by being the disclosure of sensitive personal information about M's sexual life, and that telling the partnership M fell within a specific police operation was wrong.
In M, R (On the Application Of) v The Chief Constable of Sussex Police  EWCA Civ 42 the Court of Appeal dismissed M’s challenge but allowed the police cross-appeal.
M challenged the lawfulness of safeguards in the Information Sharing Agreement made between the partnership and the police.
There are some 500 partnership members and its main function is the management of an exclusion notice scheme, prohibiting persons from entering members' premises.
The partnership passed on information about individuals to its members via a secure intranet site and a secure mobile application. M was subject to such to a year-long exclusion order in November 2017.
Lady Justice Andrews, with whom Lady Justice Asplin and Lord Justice Bean agreed, said the main question for the High Court had been whether the information sharing agreement met the requirements of Part 3 of the DPA 2018.
She said: “In a well-structured, careful and clearly expressed judgment, Lieven J held that although there was room for improvement, on a holistic assessment, the ISA 2018 read together with its appendices (particularly Appendix 4) and a legitimate interest assessment…did provide sufficient safeguards and effective measures, including technological measures, to meet those requirements.”
M argued that the agreement was not appropriate for processing sensitive personal data relating to those aged under 18 as the safeguards were inadequate to prevent wider dissemination.
Andrews LJ concluded: “The judge was entitled, standing back, to take the view she did that so long as the nature of the data shared remains as in the legitimate interest assessment, and the safeguards she had identified exist as to onwards transmission, the sharing is proportionate, and the respondent had demonstrated compliance with the requirements of the DPA 2018.”
She dismissed arguments on whether the agreement was compatible with the requirements of the DPA 1998 and the DPA 2018 as “of historic interest only”.
M also argued that sharing of her bail conditions with partnership members amounted to making them public.
Lieven J had held that sharing was limited to partnership members and that any employees or third party contractors who received information did so in their employment capacity and subject to safeguards.
Rejecting this part of M’s challenge too, Lady Justice Andrews said: “In my judgment, Lieven J's analysis was patently correct…the correct dividing line is not between internal communications within public authorities, and all other communications; or between police officers or others carrying out a public function, and civilians; but between private communications and publications to the general public.”
But she said Lieven J had been wrong to find that informing the partnership of intelligence that M was at risk of child sexual exploitation was disclosure of her sexual life and thus an unlawful as sensitive personal data.
Allowing the police cross-appeal Andrews LJ said: “She was therefore wrong to find that there had been a breach of M's data protection rights under the DPA 1998 and of her rights under Article 8 ECHR and to grant declaratory relief.” This meant there was no basis for the award of damages.