Cooper v National Crime Agency

Reference: [2019] EWCA Civ 16

Court: Court of Appeal (Civil Division)

Judge: Sir Geoffrey Vos C, Sales LJ and Baker LJ

Date of judgment: 22 Jan 2019

Summary: Data protection – sensitive personal data – data sharing in the context of criminal and disciplinary proceedings – police forces – unfair dismissal.


Appearances: Jonathan Scherbel-Ball (Defendant) 

Instructing Solicitors: Government Legal Department


Mr Cooper (“C”) was an intelligence officer employed by the Serious Organised Crime Agency (“SOCA”) between January 2004 and October 2012, when he was dismissed following disciplinary proceedings.

C’s disciplinary proceedings arose following an incident outside a public house in Hove, in April 2012. C was arrested and charged with being drunk and disorderly in a public place and with assault on a police officer. SOCA conducted disciplinary proceedings and concluded that this behaviour was a serious breach of the SOCA Code and as a consequence, C was dismissed.

C brought claims in both the Employment Tribunal (“ET”) and in the County Court:

  • In the ET, C issued a claim for unfair dismissal. One of C’s complaints in support of that claim was that SOCA had improperly received sensitive personal data (being custody material drawn up by Sussex Police following C’s arrest in Hove) and had improperly used this data in the context of his disciplinary proceedings. C submitted that this constituted a breach of the Data Protection Act 1998 (“the DPA”). The ET found that the sharing of this information had been standard practice and not in breach of the DPA. On appeal to the Employment Appeal Tribunal (“EAT”), one of C’s two grounds of appeal was that the ET had not properly considered his submissions on the DPA. The EAT dismissed that ground of appeal.
  • In the County Court, C issued a claim for £800,000 in damages for unlawful processing of sensitive personal data contrary to his rights under the DPA. The County Court dismissed this claim.

Accordingly, the Court of Appeal had before it two joined appeals from the EAT and the County Court. Both appeals raised, among other things, issues on similar subject matter relating to data protection principles and whether SOCA had acted in breach of the DPA in receiving and using the police custody information in the course of disciplinary proceedings.


Whether the judge in the County Court had:

a.  Misapplied the first data protection principle.

b.  Misapplied the second data protection principle.

c.  Failed to deal with the aspect of C’s case regarding the provision of information by SOCA to Sussex Police.

d.  Erred in his findings on causation.

Whether the ET and the EAT had failed to grapple with C’s case that SOCA had been in breach of the DPA.


Dismissing the appeal:

  1. There was no merit in the appeal: it was “entirely unsurprising” that SOCA should have wished to use the information provided by Sussex Police in the disciplinary proceedings [83]. SOCA had complied with the first and second data protection principles.
  2. The term “necessity” used in various DPA conditions means “reasonable necessity”, endorsing the summary of legal principles set out by the Upper Tribunal in Goldsmith International Business School v Information Commissioner [2014] UKUT 563 (AAC) and also noting the judgment of Lady Hale in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 [89]-[93].
  3. Following the incident in April 2012, SOCA had an “urgent need” to fully investigate what had happened; this included the need to find out the extent of any reputational damage to SOCA as a major law enforcement agency. SOCA needed to act promptly, and its objectives could not have been addressed if it had had to wait to find out what information might be forthcoming in a prosecution [96].
  4. Although protection of Article 8 rights is one of the “general inspirations” for the Directive, it does not follow that Article 8 rights are automatically engaged in every case covered by the Directive. If Article 8 rights are to be relied upon, it is for the claimant to plead and make out the case to that effect [94].
  5. C had explicitly consented to SOCA processing his sensitive personal data by way of the signed employment contract [102].
  6. SOCA’s use and processing of the police custody material was fair and lawful: SOCA was carrying out functions of a public nature and acting in the public interest [104], [108], [113]-[115].


This case was heard under the old data protection regime, prior to the introduction of the GDPR. However, much of the reasoning is pertinent to the present regime and the case is particularly instructive in the context of public sector data controllers. It is also of importance that the Court confirmed as a statement of law that “necessity” in the context of the data protection conditions means “reasonable necessity”, as opposed to ‘strict’ or ‘absolute’ necessity.

From the perspective of data protection practice, the Court’s observations on pleading are also instructive. It was submitted before the Court of Appeal that the County Court ought to have proceeded on the footing that C had invoked his rights under Article 8 even though not pleaded in his particulars of claim. The Court did not agree and noted that if Article 8 rights are to be relied upon, it is necessary for a claimant to plead and make out a case to that effect. The Court took a similar approach to the pleading of the fairness obligation in the first data protection principle, which had not been pleaded as a properly particularised discrete argument. The judge in the County Court had dismissed this part of C’s case on the grounds that it was not properly pleaded, and the Court of Appeal agreed with that approach. Both of those observations are important guidance on the Court’s expectations of how data protection claims should be pleaded.

One finding and area of the Court’s discussion that would likely have been considered differently under the present data protection regime is that of consent. In Cooper, the signing of the SOCA employment contract was held to satisfy the condition of consent to processing. Under the GDPR, consent must be freely given, specific, informed, and unambiguous (Recital 32 of the GDPR). If consent is to be given in the context of a written declaration also concerning other matters (such as in an employment contract), the request for consent to processing must be clearly distinguishable from the other matters (Article 7 of the GDPR). In those circumstances, it is unlikely that a processing clause in an employment contract will be deemed ‘explicit consent’ under the current data protection regime.