The family of Belly Mujinga, a railway worker who died from Covid-19 last year, want to launch a private prosecution against a man who allegedly spat on her while she was working in Victoria station. The British Transport Police refuse to name the suspect, citing “data protection concerns“.
Whatever else one can say about this case, I believe that the BTP have a clear gateway for disclosure, and so they should be honest that they don’t want to do it, not that they can’t. As a law enforcement ‘competent authority’, BTP would normally be covered by Part 3 of the Data Protection Act 2018, but a disclosure for a private prosecution probably wouldn’t be covered by their statutory powers. GDPR would, therefore, apply instead, and it has different rules for the use of ordinary, special category (e.g. health) and criminal data.
The Information Commissioner’s Office’s interpretation of ‘criminal data’ includes information about an allegation of the commission of a criminal offence, so data relating to the suspect in the context of an alleged assault would be criminal data. On that basis, to disclose the data to the Mujinga family’s lawyers, the BTP would need a lawful basis from the GDPR, and a specific condition from Schedule 1 of the Data Protection Act 2018. I’m convinced they have both.
First, the disclosure is necessary for a legitimate interest – taking forward a private prosecution, which is not possible if the family don’t know who he is. The rights and freedoms of the suspect must be considered, but they would be protected by a fair trial, and disclosure should be made direct to the lawyers, bypassing the family. The suspect should not be named and shamed, and the data should not be passed to the media – indeed if the data was used in this way, it would be a GDPR infringement that could be enforced on by the Information Commissioner or subject to litigation from the suspect. The legitimate interest is in pursuing the prosecution, and any secondary uses of the data would completely undermine the legitimate (and I would argue) public interest in letting the family have their day in court.
Second, the BTP can justify the disclosure using Schedule 1, part 3, paragraph 33(1)(a) because the disclosure is “is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings)”. Once again, the family ‘s lawyers need to know who the suspect is in order to mount their prosecution. It’s important to note that some of the conditions for the processing of criminal data are recycled, covering more than one issue. The legal proceedings, rights and advice condition has been added specifically for the use of criminal data – I think you can argue that Parliament specifically envisaged the use of criminal data in litigation.
There are two caveats to all of the above. The first is that there could be other specific barriers to the BTP making this disclosure – for example, there may be legislation or rules specifically preventing the BTP from making the disclosure. If that was the case, the argument I’m putting forward here would be irrelevant, but BTP should say so instead of hiding behind Data Protection.
Second, and more important, is that even if I am right, none of this obliges the BTP to do anything. Being able to disclose data for a legitimate purpose isn’t the same as being obliged to. If the BTP want to tell the bereaved family of someone who put themselves at risk to help others during the pandemic, just as their own officers did, that they don’t want to assist with the prosecution, that’s up to them. I know how heavily I loaded that sentence, but frankly, organisations that use Data Protection as cover for their own decisions, policies or risk aversion are cowards at the best of times. This is not the best of times.
I make no assumption of guilt or innocence in this case, but black people in Britain face discrimination and unfairness in the criminal justice systems however they interact with it. Belly Mujinga and her family deserve to have their allegations tested in court. If the BTP have a specific reason not to disclose the data, they should say so. If they think the GDPR or Data Protection prevents the disclosure, they should explain why. Otherwise, their approach to this case is depressing and unjustified.