R v Brown AC 543
(Judgment by: Lord Goff of Chieveley)
Data Protection Act 1984 - s 5
Judgment date: 8 February 1996
Lord Goff of Chieveley
My Lords, the defendant, Gregory Michael Brown, was charged with offences under the Data Protection Act 1984, viz that on two occasions he used personal data held within the memory of the police national computer for a purpose other than the purpose described in the relevant entry in the register, contrary to s 5(2)(b), (3) and (5) of the Act. In the case of the first offence (count 1) he was convicted of an attempt. In the case of the second (count 2) he was convicted of the full offence. His convictions were quashed on appeal, and the prosecution now appeal to your Lordships' House. The appeal raises the question of the meaning of the word 'use' in s 5(2)(b). To explain how the question has arisen, it is necessary first to set out briefly the simple facts of the case, and the outcome of the trial; and then to examine the relevant provisions of the Act in order to ascertain the meaning of the word 'use' in its statutory context.
The facts of the case
The defendant was formerly a police constable in the Kent Constabulary. The Chief Constable of Kent is a registered data user for the purposes of the Act. His agents, of which the defendant was one, were entitled to make use of the data stored in the database of the police national computer for the registered purpose of policing.
The defendant was friendly with a Mr English, who set up a debt collection business under the name of Capital Investigations Ltd. On two occasions the defendant made use of the police national computer to check the registration numbers of vehicles owned by debtors of clients of Capital Investigations. These checks were effected by him through other officers who operated the computer on his behalf.
In the case of the first vehicle (the subject of count 1) the search did not reveal any personal data as defined by the Act, because the vehicle was owned by a company. In the case of the second vehicle (the subject of count 2) the search did reveal personal data; but there was no evidence that the defendant, or indeed any person, subsequently made any use of the information so obtained. The judge directed the jury that, in the case of count 1, the defendant could only be guilty of an attempt. The essence of the defendant's defence was that he made his inquiries legitimately for the purposes of policing, and that it was a coincidence that the vehicles were also of interest to Capital Investigations. The jury convicted the defendant of an attempt under count 1, and of the full offence under count 2. It is therefore plain that they rejected his defence. The defendant was fined £500 on each count, and ordered to pay £1,750 towards the prosecution costs.
The 1984 Act
The Act is a substantial and elaborate statute, but for present purposes the essential provisions are the following. At the centre of the Act is Pt II, which provides for the registration and supervision of data users. A data user is a person who holds data (s 1(5)). 'Data' is defined in s 1(2) as--
'information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose.'
In other words, data may be broadly described as information recorded in computer-readable form. 'Personal data' is 'data consisting of information which relates to a living individual who can be identified from that information' (s 1(3)). A data user must not hold personal data unless there is an entry in respect of him in the register (s 5(1)). Certain restrictions are placed upon such a person; these are set out in s 5(2). By s 5(3), a servant or agent of a person so registered is subject to the same restrictions as that person. By s 5(5) any person who knowingly or recklessly contravenes any of the provisions of s 5(2) shall be guilty of an offence.
The restrictions under s 5(2) are:
'A person in respect of whom such an entry is contained in the register shall not--(a) hold personal data of any description other than that specified in the entry; (b) hold any such data, or use any such data held by him, for any purpose other than the purpose or purposes described in the entry; (c) obtain such data, or information to be contained in such data, to be held by him from any source which is not described in the entry; (d) disclose such data held by him to any person who is not described in the entry; or (e) directly or indirectly transfer such data held by him to any country or territory outside the United Kingdom other than one named or described in the entry.'
The defendant, as the servant or agent of the Chief Constable of Kent (who was a data user so registered), was charged with two offences of using personal data for an improper purpose contrary to s 5(2)(b).
The question in the case
Now the only action taken by the defendant in relation to the relevant data was that he caused another police officer to operate the computer and so caused the information which constituted the data to be displayed on a screen. The defendant then read the information so displayed, and observed what it consisted of, but took no other action in relation to it. The question is whether by so acting he used the data, contrary to s 5(2)(b).
Counsel for the prosecution has submitted throughout the present case that the defendant did thereby use the data, and indeed that this was the only way in which the data could be used for the purposes of the Act. This was because data is defined in the Act as being information recorded in what may broadly be called computer-readable form. It followed, the submission ran, that it was only while the information was in that form that it constituted data. Once the computer had been operated to retrieve the information from the database, either by displaying it on a screen or by causing the computer to print it out, the information so revealed was not in computer-readable form. It was not therefore data and its use did not constitute use of data for the purposes of the Act. This submission was accepted by the judge at the trial. It was on this basis that the jury were directed, and that the defendant was convicted of using or attempting to use data contrary to s 5(2)(b).
This construction was rejected by the Court of Appeal ( QB 547) who considered that the word 'use', which is not defined in the Act, must be given its ordinary meaning, and this required that it was necessary to do something to the data, and not merely to access it, before the data could be said to be 'used' within the statute, as for example by the defendant deploying the information so obtained in his own business affairs against the interests of somebody else. It was for this reason that the Court of Appeal quashed the conviction of the defendant on both counts. The court certified the following question as raising a point of law of general public importance:
'Whether the word "use" in section 5 of the Data Protection Act 1984 should be construed so as to include processing the data so as to gain access to information stored within a computer without doing any further act with the information.'
The true construction of the Act
I approach the matter as follows. I accept that, since the word 'use' is not defined in the Act, it must be given its natural and ordinary meaning. Synonyms of the verb 'use' are to 'make use of' or to 'employ for a purpose'. Here the word is used in relation to 'data', and data means information recorded in a computer-readable form. I must confess that at first sight I would not have thought that simply retrieving such information from the database in which it is stored, so that it appeared on a screen or a print-out and could therefore be read by a human being, could properly be described as 'using' the information so recorded. Of course, the computer would be used to retrieve it; but the retrieval of the information would not of itself be 'using' the information so retrieved. It would simply be transferring the information into a different form. This to my mind underlines the fact that the definition of data as information in a computer-readable form does not mean that such information is only data while it is so recorded. It means rather that, if information is so recorded, it becomes data for the purposes of the Act; and if such information from that source is thereafter made use of it is used within the meaning of the Act. So if for example a police constable with the Kent Constabulary operates the police computer to retrieve personal data from the database so that he becomes aware of its contents, and then proceeds to make use of that information, he uses the personal data within the meaning of the statute. In such a case, the retrieval is not the use; it is simply a prerequisite of the use. Moreover, if the police officer, who is the servant or agent of the data user (the chief constable) knowingly or recklessly puts the information to an improper use, he will be guilty of an offence under the Act. This may occur not only where the police officer retrieves the personal data from the database and then puts the information to an improper use, but also where, for example, he improperly makes use of personal data which has come to his knowledge when he operated the police computer innocently on a previous occasion, or where the data has been communicated to him by a colleague who had innocently operated the computer.
The same principles apply to disclosure as they do to use. Although there is a particular reference to the meaning of 'disclosing' in s 1(9) of the Act, to which I shall shortly refer, disclosure as such is not defined in the Act, and the word 'disclose', like the word 'use', should where it appears in the Act be given its natural and ordinary meaning. Subject to exceptional circumstances, information which is recorded in computer-readable form cannot be disclosed unless it has first been retrieved from the database and changed into a form in which it can be communicated to that person. I do not consider that s 1(9) places any obstacle in the way of that simple proposition. It provides:
'"Disclosing", in relation to data, includes disclosing information extracted from the data; and where the identification of the individual who is the subject of personal data depends partly on the information constituting the data and partly on other information in the possession of the data user, the data shall not be regarded as disclosed or transferred unless the other information is also disclosed or transferred.'
It is apparent from reading the whole of this provision that it is concerned with the particular case of disclosing information extracted from data, ie information extracted from the information recorded in computer-readable form, and with the particular situation which arises where such an extract does not of itself reveal the identity of the person who is the subject of the data (as the whole of the data would if it fell within the definition of personal data in s 1(3)). I cannot see how this special provision can have any impact on the conclusion that the word 'disclose', being undefined in the Act, should be given its natural and ordinary meaning. Indeed, if the purpose of this provision had been to provide that, exceptionally, disclosure may occur after the information has been retrieved from the database, it would surely have been drafted in a different form; and a similar provision would have been made in respect of use.
I add in parenthesis that a question may arise whether the unauthorised transfer of data from the database of one computer to the database of another within the United Kingdom (cf s 5(2)(e)) could of itself amount to disclosure of data contrary to s 5(2)(d) of the Act. No such question arises for decision in the present case. I however incline to the view that such a transfer would not of itself amount to disclosure of data 'to any person who is not described in the entry' contrary to s 5(2)(d), although it may readily be inferred that the person effecting the transfer was inevitably thereby disclosing the data to another person or persons who, as he well knew, would retrieve the information from the second database and so have the information disclosed to him. On this basis, I cannot see that this exceptional case detracts from the approach to the construction of the Act which I favour.
Confirmation of the approach which I favour can be found elsewhere in the Act. Useful example s can be seen in Sch 1 to the Act, which is concerned with the data protection principles. The third principle (set out in Pt I of the Schedule) is that 'Personal data held for any purpose or purposes shall not be used or disclosed in any manner incompatible with that purpose or those purposes'. Such a principle cannot, as I read it, be concerned only with information while it is in computer-readable form. It is concerned with use or disclosure by a person of the relevant information as such. Further confirmation of the correctness of this approach is to be found in para 7 of Pt II of Sch 1, which refers to personal data 'held for historical, statistical or research purposes and not used in such a way that damage or distress is, or is likely to be, caused to any data subject ...' Such a use would be inconceivable if data could only be used by its being retrieved from the database.
It seems to me that the above reading of the statute accords not only with the natural and ordinary meaning of the word 'use' in its statutory context, but also with the statutory purpose of protecting personal data from improper use (or disclosure). It is a startling fact that, if the construction urged upon your Lordships by the prosecution were correct, a police officer who idly operated the police computer, retrieving personal data onto the screen without putting it to any use, would not merely be subject to disciplinary action (where appropriate) but would be guilty of a criminal offence; whereas another police officer who learned from a colleague of certain information constituting personal data stored in the database of the police computer and then, knowing of its source, used the information for business purposes, would not. This surely cannot be the statutory intention; indeed if it were so, it could give rise to justifiable concern on the part of individuals who are the subject of personal data. Strange results such as these would, in my opinion, be avoided if the relevant words in the statute were given their natural and ordinary meaning. If that had been done in the present case, the defendant would have been charged not with the full offence of using personal data, but with an attempt to do so. If the defendant had been so charged, the jury would have had to consider whether, on the evidence before them, the defendant's actions coupled with his state of mind showed that he was committing no more than acts preparatory for the commission of an offence, for example if he was just finding out whether there was information available which might be of use to him in assisting Capital Investigations in their debt-collecting business; or whether he had embarked on the commission of the offence of using personal data for an improper purpose because, when he caused his colleague to operate the computer to reveal the information about the owners of the two vehicles in question, he had a firm intention to put that information to an improper use if it proved to be useful for that purpose. In the latter circumstances the case would, as I see it, have been little different from that of a man who puts his hand in another man's pocket with an intention to steal anything he finds inside; even if he finds nothing, he will nevertheless be guilty of an attempt to steal.
For these reasons, which I understand to be the same as those expressed by my noble and learned friend Lord Hoffmann (whose speech I have had the opportunity of reading in draft), I agree with the interpretation which found favour with the Court of Appeal. I would therefore dismiss the appeal, and order that the defendant's costs should be paid out of public funds. I only add that, in my opinion, there is no question in the present case of upholding the conviction of an attempt under count 1, or of substituting a conviction of an attempt under count 2. No suggestion was made that this should be done if the prosecution's interpretation was rejected. In my opinion, this was right. Such a conviction was only possible in the present case if the jury, properly directed on the law, had concluded on the evidence before them that the accused had gone beyond mere acts of preparation and embarked upon the commission of the offence so as to render him guilty of an attempt.