On 15 July 2015 at 10:34AM the National Police Air Support Unit released an aerial photo of, what looks to be, Michael McIntyre on Twitter with the caption ‘whilst on tasking in central London this morning we spotted a certain energetic funny man…can you guess who?’. Shortly after the picture was posted online, Twitter exploded with outrage and complaints of breaches of data protection.
Despite removing the tweet, a Metropolitan Police spokesperson said in a statement that "this tweet does not, as far as we know, constitute a breach of data protection legislation".
So how does the Data Protection Act 1998 apply?
The Data Protection Act 1998 imposes broad obligations on those who collect personal data, as well as conferring broad rights on individuals about whom data is collected. Therefore, the Act can be used by both private individuals and celebrities to prevent publication of photographs or film of them, where such photographs or film constitute personal data.
The first element to consider is whether the data has been ‘processed’. ‘Processing’ has been given a wide definition and includes, among other things, obtaining, recording, holding or disclosing personal data. Therefore, the definition encompasses a wide range of activities which involve personal data.
The second element which needs to be satisfied is that the data which has been processed by an individual or business (data controllers) amounts to ‘personal data’. Again ‘personal data’ has been given a relatively wide definition and includes data which relates to living individuals (data subjects) who can be identified from the data, or from the data and other personal information.
In August 2007, the Information Commissioner (who is responsible for enforcing and overseeing the Data Protection Act 1998) issued a technical guidance note on what constitutes personal data for the purposes of the Data Protection Act 1998. The guidance clearly sets out that information relating to individuals, including photographs and film, is only likely to constitute personal data under the Act if two criteria are satisfied:
- A living individual can be identified either from the photograph or film alone, or with other information which is in the possession of the data controller. In practice, photographs or film are only likely to be caught if they are held along with other personal data about the individual, or if the photograph or film is of a person so well-known that the photograph or film would identify him/her anyway; and
- The photograph or film relates to the person in their personal or family life, business or profession. This is the case when it is either "obviously about" that person or if it is "linked to" that person so that it provides particular information about him or her.
Simon McKay, a criminal and human right’s lawyer, and author of a leading textbook on covert policing law has stated that the Metropolitan Police are a data controller and the photograph is personal data, within the definitions explained above, and therefore there are compliance issues with the Data Protection Act 1998 through publishing the photograph on Twitter.
Schedule 1 to the Data Protection Act 1998 then sets out a number of key data protection principles. The most relevant in this situation would be principle one and two which require that:
- Data must be processed fairly and lawfully. This is regarded as the most important principle as it requires that data must not be obtained through unlawful means or unfairly. The fairness requirement can only be established if at least one of the following conditions are satisfied:
- The individual has consented to the processing;
- The processing is necessary to perform a contract with the individual, or for taking steps to comply with a request made by the individual with a view to entering into a contract;
- The processing is necessary to comply with a legal obligation of the data controller;
- The processing is necessary to protect the vital interests of the individual;
- The processing is necessary for the administration of justice, or for the exercise of any function conferred by statute; or
- The processing is necessary for the legitimate interests of the data controller or a third party to whom the data is disclosed, except where it is unwarranted because it is prejudicial to the individual.
- Data must be obtained only for specified lawful purposes and not further processed in a manner which is incompatible with those purposes. According to Article 6(1)(b) of the Data Protection Directive (1995/46/EC), personal data must be collected for specified, explicit and legitimate purposes, and not be further processed in a way incompatible with those purposes.
From the information provided above, there are clearly compliance issues with the two principles above. Firstly, even though the photograph was obtained through lawful means, CCTV air surveillance, how the photograph was then disclosed does not appear to meet any of the conditions of ‘fairness’ mentioned in principle one. Secondly, it is evident that even though the photograph was obtained through specified lawful purposes, it was then processed further in a manner which appears inconsistent with those lawful purposes. Therefore, this seems to support Simon McKay’s statement regarding the compliance issues with the Data Protection Act 1998.
Simon McKay has further commented that there is legal precedent that related to the McIntyre case. "The courts have held the arbitrary publication of photographs by the police without a pressing need to do so is unlawful." Taking the picture was not an issue, but the decision to post it online could therefore cause problems regarding compliance with the Data Protection Act 1998.
For these reasons, it is understandable why the Information Commission Officer is now investigating this incident and has explained that ‘processing personal data and disclosing images of this nature without a justifiable policing purpose’ could amount to a breach of the Data Protection Act 1998.
Other areas of potential breach
Through considering well-established case law, there is also a potential conflict with Article 8 of the European Convention on Human Rights, the right to privacy. In Andre Wood v Commissioner of Police of the Metropolis  the High Court emphasised that the mere taking of photographs was not adequate to amount to an interference of an individual’s right to privacy and that more would be required. Therefore, highlighting that the taking of the photograph of Michael McIntyre would not constitute a breach of his right to privacy. However, the interference with Article 8 may arise through the publication of this photograph on Twitter. In Von Hannover v Germany  the European Court of Human Rights held that the taking and publishing of photographs of Princess Caroline of Monaco in a public place did violate her right to privacy under the Convention. The key issue here would be; in what capacity was Michael McIntyre in when the photograph was taken, public or private?
A final consideration would be whether there has been breaches of the CCTV Code of Practice which provides that images should only be used for their stated purpose, which, in most circumstances, is to combat crime and anti-social behaviour. In response to the picture being posted on twitter the Surveillance Camera Commissioner Tony Porter has stated that ‘public disclosure of anyone’s image for the purposes of fun is a clear breach’ of the Code of Practice. Therefore, this may cause further problems for the National Police Air Support Unit staff, especially for the individual(s) who posted the tweet.
If any further legal guidance is required on a data protection or privacy issues, feel free to contact our Corporate Commercial team through Christopher Buck on 01908 660966 or by email at Christopher.Buck@franklins-sols.co.uk