CL, R (on the application of) v The Secretary of State for the Home Department, Court of Appeal - Administrative Court, December 06, 2018, [2018] EWHC 3333 (Admin)

Resolution Date:December 06, 2018
Issuing Organization:Administrative Court
Actores:CL, R (on the application of) v The Secretary of State for the Home Department

Case Nos: CO/3515/2016 & CO/1076/2018

Neutral Citation Number: [2018] EWHC 3333 (Admin)





Manchester Civil Justice Centre

1 Bridge Street,

Manchester M60 9DJ

Date: 06/12/18

Before :




- - - - - - - - - - - - - - - - - - - - -

Between :

- - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - -

Amanda Weston QC and Jennifer Twite (instructed by Hodge Jones and Allen)

for the Claimant

Charlotte Ventham (instructed by Weightmans LLP) for the Defendant

The Interested Party neither appearing nor being represented

Hearing dates: 13 July and 12 October 2018

- - - - - - - - - - - - - - - - - - - - -

JudgmentLord Justice Hickinbottom :


  1. ``Sexting'' is the creating, sharing, sending or posting of sexually explicit messages or images via mobile phones or other electronic devices. It covers a wide variety of circumstances. This case concerns peer-to-peer sexting by young people of photographs, initially self-generated and deliberately sent to another young person, although sometimes transmitted as a result of a request by and/or pressure from the recipient and sometimes sent on by the recipient to third parties.

  2. Sexting potentially involves a number of criminal offences, e.g. distributing or showing an indecent photograph of a child contrary to section 1(b) of the Protection of Children Act 1978, or causing or inciting a child to engage in sexual activity contrary to section 1 (read with section 13) of the Sexual Offences Act 2003. These claims particularly concern the treatment by the police of reports of such behaviour.

  3. The Claimant is the subject of two crime reports as a result of his alleged involvement in sexting incidents. At the time of the incidents, he was 14 or 15 years old. He is now over 18; but it has been agreed that he should be treated as a minor for the purposes of the determination of these claims. In these judicial reviews, he seeks deletion of the crime reports (or, at least, the details in those reports which identify him), on the primary basis that the recording and retention of his details is an unjustified interference with his rights under article 8 of the European Convention on Human Rights (``article 8'': we will refer to the Convention as ``the ECHR''). In practice, he is not so much concerned about retention of the data by the police in itself: he is anxious that, if the police retain information identifying him with these incidents, that may be disclosed if (e.g.) a potential employer seeks an enhanced criminal record check before offering him a job.

  4. Before us, Ms Amanda Weston QC leading Ms Jennifer Twite of Counsel appeared for the Claimant, and Ms Charlotte Ventham of Counsel for the Defendant Chief Constable. At the outset, we would like to express our gratitude for their written and oral submissions.

  5. This is the judgment of the court to which we have each contributed.

    Police Powers of Obtaining and Storing Information

  6. Reported crimes are recorded by police forces on their own local crime recording systems. Information recorded locally can be shared with other police forces on request. We will refer to the local databases maintained by police forces collectively as ``the Police Database''. These claims are concerned with the Police Database - which is distinct from the Police National Computer (``the PNC'') which records inter alia convictions and cautions.

  7. The police have a common law power to obtain and retain information for policing purposes, notably the prevention of crime and disorder. This power is now the subject of a substantial regulatory scheme which is focused on the Data Protection Act 2018 (``the DPA 2018'') which, effective from 23 May 2018, transposes into domestic law European Parliament and Council Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (``the General Data Protection Regulation'', or ``the GDPR''). The GDPR and the DPA 2018 repealed earlier measures, namely European Parliament and Council Directive 95/46/EC on the same subject matter (``the Data Protection Directive'', or ``the DPD''), and the Data Protection Act 1998 (``the DPA 1998'') which gave effect to the DPD.

  8. At the time of each of the specific challenged decisions, the earlier regime was operative; but, as the claims challenge continued retention of the data, the GDPR/DPA 2018 regime is also in play. However, for the purposes of these claims, the regimes have essentially the same foundations. Like the DPD, the GDPR is a harmonisation measure designed to produce a common European framework of regulation ensuring ``a high level of protection'' satisfying, amongst others, the standards in article 8 (see recital (10) of the GDPR, and recitals (10) and (11) of the DPD).

  9. They have each regulated the ``processing'' of data, which includes the obtaining, recording or holding of information or data or carrying out any operation upon it including retrieval, use or disclosure (see article 4(2) of the GDPR, and article 2(b) of the DPD).

  10. In respect of the ``processing'' of data, section 22 of the DPA 2018 requires a ``controller'' to comply with various obligations set out in article 5 of the GDPR, in particular (so far as relevant to these claims) that:

    ``Personal data shall be:

    (a) processed lawfully, fairly and in a transparent manner in relation to the data subject...

    (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes...

    (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed...

    (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay...

    (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed...

    (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing...''.

    These obligations were, in substance, required of a controller under the previous regime (see especially section 4 of, and Parts I and II of Schedule 1 and Schedule 2 to, the DPA 1998).

  11. They focus on the ``processing'' (including the collecting and retaining) of personal data being strictly restricted to particular ``purposes''. By article 6(1) of the GDPR, processing shall be lawful only if and to the extent that at least one of several criteria applies, notably for the purposes of these claims:

    ``(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;...''.

    These again effectively replicate the provisions of the earlier scheme, the substance of article 6(1)(e) being formerly found in paragraph 5(d) of Schedule 2 to the DPA 1998. It chimes with the important purposes potentially permitted as an interference by a public authority with an individual's right to respect for his private and family life under article 8(2) of the ECHR, notably ``for the prevention of disorder and crime'' but also ``for the protection of the rights and freedoms of others'' (see R (Catt) v Association of Chief Police Officers; R (T) v Metropolitan Police Commissioner [2015] UKSC 9; [2015] AC 1065 (``Catt'') at [48] per Baroness Hale of Richmond DP).

  12. By article 6(2) of the GDPR:

    ``Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing...'';

    and the general provisions of the GDPR, which apply to all data processing by whomever performed, are indeed supplemented in the case of the police by extensive published codes and guidance.

  13. Under section 39A of the Police Act 1996, until 2014, the Secretary of State was empowered to issue codes of practice to promote the efficiency and effectiveness of police forces. In July 2005, under that power and closely following the provisions of the DPA 1998, the Secretary of State issued a ``Code of Practice on the Management of Police Information'' (``the Code of Practice''), prepared by the National Centre of Policing Excellence. The Code of Practice restricts the processing of data to that required for police purposes, defined in paragraph 2.2.2 as follows:

    ``(a) protecting life and property,

    (b) preserving order,

    (c) preventing the commission of offences,

    (d) bringing offenders to justice, and

    (e) any duty or responsibility of the police arising from common or statute law''.

    Under paragraphs 4.5 and 4.6, at intervals, retained information must be reviewed, the likelihood of it being used for police purposes reassessed, and consideration given to its deletion.

  14. Paragraph 3.1.1 of the Code of Practice provides for more detailed guidance to be given to ensure consistent police procedures with regard to data processing and to identify minimum standards of information management. In 2006 (updated in 2010), the Secretary of State issued such further guidance under the Code, namely ``Guidance on the Management of Police Information'' (or ``MOPI''). As a result of section 124(2) of the Anti-Social Behaviour, Crime and Policing Act 2014, section 39A of the Police Act 1996 was amended so that the power to give guidance was transferred from the Secretary of State to the College of Policing (albeit with the approval of the Secretary of...

To continue reading