R v Brown

[1996] AC 543

(Judgment by: Lord Hoffmann)

R
v.Brown

Court:
House of Lords

Judges: Lord Goff of Chieveley
Lord Griffiths
Lord Jauncey of Tullichettle
Lord Browne-Wilkinson

Lord Hoffmann

Legislative References:
Data Protection Act 1984 - s 5

Hearing date: 8 November 1995
Judgment date: 8 February 1996


Judgment by:
Lord Hoffmann

My Lords, one of the less welcome consequences of the information technology revolution has been the ease with which it has become possible to invade the privacy of the individual. No longer is it necessary to peep through keyholes or listen under the eaves. Instead, more reliable information can be obtained in greater comfort and safety by using the concealed surveillance camera, the telephoto lens, the hidden microphone and the telephone bug. No longer is it necessary to open letters, pry into files or conduct elaborate inquiries to discover the intimate details of a person's business or financial affairs, his health, family, leisure interests or dealings with central or local government. Vast amounts of information about everyone are stored on computers, capable of instant transmission anywhere in the world and accessible at the touch of a keyboard. The right to keep oneself to oneself, to tell other people that certain things are none of their business, is under technological threat.

English common law does not know a general right of privacy and Parliament has been reluctant to enact one. But there has been some legislation to deal with particular aspects of the problem. The Data Protection Act 1984, with which this appeal is concerned, is one such statute. Although the antecedents of the principles embodied in the Act can be traced back at least as far as the Younger Committee on Privacy, which reported in 1972 (Cmnd 5012), the immediate purpose of the Act was to enable the United Kingdom to ratify the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (set out in Annex A to Cmnd 8539) which had been signed by the member states of the Council of Europe. The object of the convention was, as the preamble stated, to 'reconcile the fundamental values of the respect for privacy and the free flow of information between peoples'. The latter was a matter of considerable commercial importance to certain United Kingdom companies which carried on a substantial business in importing, processing and exporting information. The Act was therefore intended not only to protect the privacy of our own citizens but to provide sufficient safeguards for the protection of computerised personal information to satisfy other member states that such information could safely be exported to the United Kingdom.

The machinery employed by the Act to control the use of computerised personal information is a register of data users maintained by the Data Protection Registrar. 'Data' is defined in s 1(2) as--

'information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose.'

By s 5(1), a person may not hold 'personal data' unless he is registered as a data user. 'Personal data' means, putting the matter shortly, data concerning a living individual from which he can be identified.

The Act uses the register as an instrument of control in two ways. The first is by the registrar's power to refuse an application for registration or to remove a data user's entry from the register. In Sch 1 (Pt I) the Act sets out eight 'data protection principles' applicable to users of personal data. I shall mention two by way of example. Principle 1 says: 'The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully.' Principle 3 says: 'Personal data held for any purpose or purposes shall not be used or disclosed in any manner incompatible with that purpose or those purposes.' The registrar may refuse an application for registration if he is satisfied that the applicant is likely to contravene a data protection principle (s 7(2)(b)) and in certain cases may de-register an existing user as the ultimate sanction for failure to comply with the principles (s 11(1), (2)). Subject to a right of appeal to the Data Protection Tribunal, these powers enable the registrar to enforce compliance with the principles.

The second method of control is the direct application of the criminal law to certain acts of the registered data user and his servants or agents. Section 5(2) contains a list of prohibitions, in more specific terms than the principles, applicable to registered data users. So, for example, s 5(2)(b) says that a holder of personal data shall not 'hold any such data, or use any such data held by him, for any purpose other than the purpose or purposes described in the entry'. (Section 4(3)(b) requires the entry to state, among other things, 'the purpose or purposes for which the data are to be held or used'.) Section 5(2)(d) says that the data user shall not 'disclose such data held by him to any person who is not described in the entry' and s 5(2)(e) says that he shall not--

'directly or indirectly transfer such data held by him to any country or territory outside the United Kingdom other than one named or described in the entry.'

By s 5(3) the prohibitions in s 5(2)(b), (d) and (e) are applied to any servant or agent of the registered data user. Section 5(5) provides that any person who 'knowingly or recklessly' contravenes one of the prohibitions shall be guilty of an offence.

The facts of the present case, as they may be inferred from the verdict of the jury, are that the defendant twice used the police national computer to find out the names of the registered keepers of motor vehicles which he thought might belong to persons who owed money to clients of a debt collection agency run by his friend Mr English. This was not a purpose specified in the chief constable's entry in the register. There was no evidence that the defendant had made any positive use of the information and no one explored the question whether he put it to negative use in the sense of refraining from pursuing inquiries about the ownership of the vehicles which might otherwise have been made. This was because the Crown's position was, and remains, that such matters are irrelevant. The Crown contended that the offence was committed as soon as personal data were retrieved from the computer with the intention of using the information for an unregistered purpose, whether it was put to any use or not. The judge directed the jury in accordance with this view. He said that 'use' of personal data included 'having it available for, and holding it for' an improper purpose. On one count, it turned out that the registered keeper of the vehicle was a company, or at any rate was thought to be a company. It was therefore not 'personal data' as defined in the Act. It did not relate to and identify a living individual. But the judge directed the jury that they could nevertheless convict the defendant of attempting to commit the offence and the jury duly did so.

The Court of Appeal ([1994] QB 547) set aside both convictions on the ground that retrieving the information was not enough to constitute 'use' of personal data. Laws J said (at 551):

'In our judgment, it is one thing to access the computer and view what is contained in it and it is another thing then to use the information itself ... [The latter] would have arisen if the [defendant], having accessed the information, then proceeded in the ordinary sense of the term, to make some use of it, so as for example in his own business affairs to deploy the information obtained against the interests of somebody else. Since, on the facts here, it is in effect accepted that Mr. Brown did no such thing, it seems that the appeal must succeed on that short point alone.'

The Court of Appeal certified the following point of law of general public importance:

'Whether the word "use" in section 5 of the Data Protection Act 1984 should be construed so as to include processing the data so as to gain access to information stored within a computer without doing any further act with the information.'

The Crown's argument in support of an affirmative answer is built upon the definition of 'data' in s 1(2). That definition is wide enough to include information capable of being processed by equipment other than the normal computer. But for practical purposes it means information recorded in computer-readable form. To be in a form capable of being processed by the police national computer, the information has to be stored electronically in binary code. Only in this form can it be processed by the syntax of a digital computer. So the Crown says that 'data' (and therefore also 'personal data') meant, in this case, information recorded in binary code.

In its binary form, however, the information is incomprehensible to the human mind. 'Data' as defined is therefore something different from what one ordinarily understands by 'information'. It is, in fact, wholly uninformative. The Act, says Mr Langdale QC for the Crown, draws a clear distinction between data and information in the ordinary sense of that word. In the present case, the defendant did not use information but he used data. Mr Langdale reinforces his argument by reference to the definition of 'disclosing' in s 1(9). This says that disclosing in relation to data 'includes disclosing information extracted from the data'. So it is argued that information is not data; it is something which you extract from data.

Pursuing this argument to its logical conclusion, Mr Langdale said that the only way in which data could be 'used' was through the instrumentality of a computer, which can convert the binary digits into conventional symbols, pictures or sound. Therefore the 'use' of data can mean only the processing of that data in a computer. It cannot mean the use of the information derived from the computer, because once it has been called to the video screen or printed out, it is no longer in computer-readable form.

There is a certain formal elegance about this argument but for a number of reasons I think it is unsound. First, the purpose of the Act, as declared in the long title, is to 'regulate the use of automatically processed information relating to individuals'. It is to restrict the use which can be made of computerised information about them. It would be strange if the Act was concerned only with what happened unseen in the computer and not with what happened when the information became accessible to the human user. This is not making the tail wag the dog; it is all tail and no dog.

Secondly, one can gain some help about what amounts to improper use of data by considering what would count as proper use of data. Section 4(3)(b) requires the entry on the register to contain particulars of 'the purposes for which the data are to be held or used'. The stated purposes constitute proper use of the data. But for what kind of purpose could the data be used? Mr Langdale would presumably say that it could be processed--rearranged, called to the screen, printed out and so forth. But it could not be used for purposes such as tracing criminals: that, on Mr Langdale's argument, would be the use of information derived from the data. I can hardly imagine, however, that the registrar would be satisfied with a statement that 'the data are to be used to print them out or call them to the screen'. Nor do I think that this would satisfy s 4(3)(b).

Thirdly, the argument leads to paradoxical consequences. One policeman operates the computer out of idle curiosity to discover the owner of a vintage car which he has seen. He brings the information to the screen but makes no use of it. According to Mr Langdale, he commits a criminal offence. Another policeman reads a routine print-out from the computer which contains confidential information about a suspect under inquiry. He uses this information for improper private purposes. Mr Langdale says that he commits no offence under the Act because the information which he used was not in computer-readable form. This cannot be right.

Fourthly, Mr Langdale's argument depends almost entirely upon the definition of data as information in computer-readable form. From this he reasons that a reference to its use must mean its use in that form. But there is no support for this argument in the long title of the Act, which uses the adjectival past participle 'automatically processed' to qualify the word 'information'. Nor is any to be found in the 1981 convention to which the Act was intended to give effect. In art 2 it defines 'personal data' as 'any information relating to an identified or identifiable individual' and 'automated data file' as 'any set of data undergoing automatic processing'. 'Automatic processing' is defined to include the storage, alteration, retrieval or automated dissemination of data. Then art 5(b) says that personal data undergoing automatic processing shall be 'stored for specified and legitimate purposes and not used in a way incompatible with those purposes'. It is clear from the definition of personal data in the convention that the restriction on improper user is to apply to the personal data, ie the information relating to an identified or identifiable individual. There is no implication that it must have been so used in its computer-readable form.

I said that the argument depended almost entirely upon the terms of the definition because I have not forgotten that Mr Langdale also relied upon the reference to 'information extracted from the data' in s 1(9). But I do not think that this really helps him either. One should compare this phrase with the definition of 'processing' in s 1(7):

'"Processing", in relation to data, means amending, augmenting, deleting or re-arranging the data or extracting the information constituting the data and, in the case of personal data, means performing any of those operations by reference to the data subject.'

There, the phrase 'extracting the information constituting the data' clearly describes the process of causing the computer to convert the binary-coded information into readable form. But what has been extracted is 'the information constituting the data'. In other words, what has been extracted is still data. It has not ceased to be data as a result of the process of extraction.

What, then, is meant by 'information extracted from the data?' One can expand this phrase by substituting for 'data' a paraphrase of its definition in s 1(2). It then reads 'information extracted from information recorded in computer-readable form'. This is something different from simply converting information from binary code to intelligible form. It contemplates information extracted from information. In my view, what it has in mind is the processing of raw data in a computer to obtain other forms of useful information. For example, a computer may contain nothing more than raw accounting data: the prices and quantities of goods purchased by a business, expenses, prices for which the finished products were sold and so forth. From this raw information, the application of a computer programme can produce information which was not previously recorded, such as the profit or loss, the gross and net margins and various ratios. This, in my view, illustrates what is meant by 'information extracted from the data'.

The fallacy in the Crown's argument is, I think, one common among lawyers, namely to treat the words of an English sentence as building blocks whose meaning cannot be affected by the rest of the sentence. Only by this process can it be claimed that because the Act defines 'data' as being information in computer-readable form, every statement about data in the Act must be a reference to the information in that form. This is not the way language works. The unit of communication by means of language is the sentence and not the parts of which it is composed. The significance of individual words is affected by other words and the syntax of the whole. An ancient historian, for example, may say that some interesting inscriptions concerning the Greek corn trade have been discovered in an archaeological excavation. In that sentence, 'inscriptions' means writings on stone. This, no doubt, is how the word would be defined in a dictionary. But the historian may then say that he has used the inscriptions as the basis of an article. This does not necessarily mean that he has examined the stones himself. He could have seen photographs or transcripts. It would still be correct for him to say that he has made use of the inscriptions. In this context, the statement is true if the information which the historian used was derived from the writings on stone. Likewise one can say that one has made use of information in computer-readable form even if one did not use the information in that form.

I therefore reject the Crown's argument. I think that the natural meaning of 'use any such data held by him' in s 5(2)(b) is to use information about an individual which has been obtained from the computer. It is necessary, however, to consider whether the Crown could have been more successful with a weaker version of its argument. Could it be said that although 'use' primarily refers to the use of the information obtained from the computer, it can include, as a subsidiary meaning, the processing of that information in the form of binary data?

Retrieving data from a computer seems to me a use of the computer rather than a use of the data. But I cannot say that the latter would never be a proper use of language. That would be to embrace the same fallacy which underlies the Crown's argument in this case. In my view, however, the scheme of the Act as a whole does not permit the phrase 'use [personal] data' to be construed as including its retrieval. This is because the Act quite carefully uses a number of different words to describe various things which can be done to personal data. These include holding, using, disclosing, transferring, obtaining and, for present purposes most significantly, 'processing'. The convention, it will be remembered, referred to 'automatic processing' which it defined to include retrieval of data. Likewise, s 1(7) of the Act defines 'processing' to include 'extracting the information constituting the data'. It is clear, therefore, that the operation performed by the defendant in this case falls within the definition of 'processing'. Can it also constitute 'using?'

I do not think that it can. The Act treats processing differently from using. Data protection principle 1 (Sch 1, Pt I) says that 'personal data shall be processed fairly and lawfully'. But a breach of principle 1 is not in itself a criminal offence. It is only a ground for the service of an enforcement notice or a deregistration notice by the registrar. There is no reference to 'processing' in any of the prohibitions in s 5(2). So it seems to me that 'using' personal data was not intended to include the various operations within the computer which fall within the definition of 'processing'. Once again this view is reinforced by art 5(b) of the convention: 'Personal data undergoing automatic processing shall be ... (b) stored for specified and legitimate purposes and not used in a way incompatible with those purposes' must mean that the using is something different from the automatic processing.

I accept that this means that unfair or unlawful forms of processing do not fall within the criminal sanctions of s 5. Instead, they are grounds for the exercise of the registrar's powers to enforce data protection principle 1. But this seems to me what is contemplated by the Act. The more extreme forms of unlawful processing, such as deliberate fabrication of data, are in any case likely to amount to fraud or forgery or false accounting.

By this reasoning I arrive at the same conclusion as Laws J reached with admirable succinctness in an ex tempore judgment. I also agree with the reasoning of my noble and learned friend Lord Goff of Chieveley, whose speech I have had the opportunity of reading in draft. I would therefore dismiss the appeal and answer the certified question in the negative.

But I add three footnotes. First, I agree with Lord Goff of Chieveley that it would have been open to the jury to find the defendant guilty of an attempt on both counts. Secondly, the appeal has been argued on the assumption that the defendant made no use of the information. There has been no consideration of what might amount to use; for example, whether not taking steps one might otherwise have taken is using the information. For my part, I think it can. A person who refrains from entering a field with a notice saying 'Beware of the Bull' is using the information obtained from the notice. My negative answer to the certified question must not be taken to mean that 'doing any further act with the information' requires positive rather than negative conduct.

Finally, I express no view about the scope of the other words which the Act uses in relation to data, such as 'disclosing' and 'transferring'. 'Transferring' clearly includes transferring the data in its binary form. Whether this can also constitute disclosing or whether disclosing requires that it should actually have come to someone else's knowledge is a question which I prefer to leave open.