The most important word in data protection is ‘purpose’.
Everything stems from the purpose for which you’re using the data. The data subjects, the data itself, the lawful basis, and everything else comes from this. It’s impossible to decide whether processing is lawful unless you know why it is happening.
I don’t know precisely what justification Lancashire Police thought they had to disclose special categories data about Nicola Bulley to the public on the 15th February 2023 but the aim was plainly to counteract the torrent of online speculation and conspiracy theories about Ms Bulley’s disappearance. I’m not going to talk about the role of the family; Lancashire Police is a controller for the purposes of UK data protection legislation, and the views or wishes of anyone else doesn’t provide them with cover. Anything I write here is speculation, and if you want a reason to tell me I shouldn’t be writing this, that’s a good one.
However, the genie is out of the bottle – the police have revealed an astonishing level of detail about a missing person and I think it’s valid to point out what tests they would need to meet in order to do so lawfully. Lawfulness can only be understood by a clear definition of the purpose. If Lancashire Police think that dampening down speculation is necessary to investigate Ms Bulley’s disappearance properly, Part 3 of the Data Protection Act 2018 applies.
Part 3 applies when “competent authorities” like the Police are in pursuit of their legal role to carry out so-called law enforcement purposes. One of those purposes is detecting a crime. Ms Bulley is missing and that could be because a crime has been committed; the police need to establish whether that is the case.
If the police believe that the ghoulish speculation about Ms Bulley’s fate is impairing their ability to detect whether a crime has been committed, I think they have a plausible argument that preventing that speculation is necessary for the law enforcement purposes.
But that’s not enough. The police statement included detailed information about Ms Bulley’s health. The use of health data (sensitive in DPA terms /special categories under UK GDPR) must be *strictly* necessary for the purpose (i.e., detecting a crime) and there must be an additional condition for processing: such conditions include the use of the data being necessary to carry out a statutory function, to protect a person’s vital interests, or to safeguard a vulnerable adult.
When I wrote the first draft of this, I felt that my lack of policing experience meant that I should defer to the police about whether the disclosure was strictly necessary for the purpose. But it is an exceptionally high bar – as ICO puts it “you cannot reasonably achieve it through less intrusive means”. Can anyone believe that Lancashire Police’s only option was to reveal the most private aspects of Ms Bulley’s life to the whole country? It would be as likely to fuel speculation as to decrease it. We all now know that our most private vulnerabilities might be used to (unsuccessfully) manage online commenters – will that help or hinder the law enforcement purposes. The risks of it not working would have to be considered as part of the necessity test.
Admittedly, the force are operating in a near-impossible environment of ill-informed, social media-exacerbated bullshit of a scale and volume that ought to embarrass us all. But that doesn’t absolve them of their responsibility to handle information like this with great care. The reality is that every high-profile investigation like this will take place under a distorted microscope, and the police have to get used to it.
I don’t think considering alternative purposes make it any better. Perhaps the aim of tackling the speculation isn’t to detect a crime. Two people have already been arrested for sending malicious communications to elected members at Wyre Council. Dispersal orders have been issued. I’m told by people in the area that there is an influx of visitors determined to solve the mystery.
The law enforcement purpose pursued by the Police could be the prevention of crime, both online and in Ms Bulley’s home community. I could be persuaded that the Police have crime prevention powers equal to the task of justifying the disclosure. But it’s the same point as above: disclosure of sensitive data in this context must be strictly necessary. Some will insist that second-guessing the police’s judgement on this is wrong, but think about the proposition you have to accept in order to do that. Given the sensitivity of the data and the police’s current record on dealing with women, is it plausible that they couldn’t have released less information, or just soldiered on? Revealing this information in hopes of deterring further excesses seems to be hopelessly optimistic rather than the only chance of quietening the horde. The speculation won’t end, even when they find her.
What if the purpose of the disclosure is not directly related to the conduct of the investigation itself, but is a direct public interest attempt to stop the chatter? If this was the justification, Lancashire Police’s actions would be even harder to justify. Part 3 of the DPA would not apply and instead, the processing would happen under the UK GDPR. The data is special categories and irrespective of the A6 lawful basis, they would need an A9 exemption to disclose the information.
Divorced from direct effects on the force’s ability to investigate Ms Bulley’s disappearance (where her vital interests are unquestionably engaged), or to prevent further crimes, the online speculation about her case doesn’t engage any of the A9 exemptions as far as I can see.
Purpose is everything. If the Police see dampening down the speculation as a worthwhile thing to do, I don’t believe that they have a valid reason in law to disclose special categories data to achieve it. There is no consent, no vital interests at stake, no statutory obligation or power that I can see. There is a substantial public interest in getting the crowd of armchair Columbos to put a sock in it, but that’s not enough. SPI has to be underpinned by a condition from the DPA, and I don’t see a match.
I think all the relevant criteria are tied to the efficacy of the police investigation, or to prevent further crimes; stopping the speculation in and of itself is a different purpose, and it’s not one I think the police have a power to do.
I feel nothing but sympathy for Ms Bulley and her family and loved ones. I hope she’s out there somewhere, and the story turns out to be less tragic than it might be. The police do face a significant problem – trust in them is at all time low and this case is obviously more complicated than the locked-room mystery the online commenters seem to think it is. Lancashire Police have probably never dealt with a situation like it. But even in extreme situations, the handling of personal data, especially the most sensitive data like what they released here, should still be taken very seriously.