In a recent post on Inforrm it was suggested that the recent notorious prank phone call from two Australian DJs to the King Edward VII Hospital where they blagged private information about the Duchess of Cambridge and which had such tragic consequences, constituted an offence under section 55 of the Data Protection Act 1998 (the “DPA”).
The answer to this question depends, however, on the precise nature of the data involved. In order for an offence to be committed under that section a person must obtain or disclose or procure the disclosure to another person of “personal data” without the consent of the data controller. The term “personal data” means “data” relating to an identifiable living individual.
Under section 1 of the DPA: “”data” means information which:
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record …
(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d)”
The post does not refer to the transcript of the conversation. However, referring to this (without linking to it), it seems that the author of the post made have made an incorrect assumption about the nature of the data. It seems that the information in question was simply given to the DJs by the nurse in attendance from her own knowledge of the patient.
This means that, in relation to (a), the information was not being processed by any equipment, save perhaps for the telephone through which she was speaking, and that is very unlikely to constitute equipment which is processing information for these purposes.
In relation to (b), the information was not recorded with the intention that it should be processed by means of such equipment – or indeed recorded at all, at least not in the United Kingdom, the jurisdictional extent of the DPA.
In relation to (c), the information in question does not appear to have formed part of any relevant filing system.
For the purposes of sub-paragraph (d), “an accessible record” includes health information but as before it has to be a “record”. Information given from a person’s own knowledge does not appear to count.
Finally, in respect of sub-paragraph (e), once again the information is not recorded and the hospital, which was private, is unlikely to constitute a public authority.
If the DJs had asked the nurse to look the information up on a computer, the offence would probably have been committed. But in the circumstances which occurred it seems that a vital element is missing.
The DPA is a highly technical and imperfect law. Its central focus has always been on the processing of personal information and its application as a more general privacy law can be somewhat arbitrary in a number of regards. But this illustrates the danger of using it as a proxy and the basis for a widespread media privacy law.
Dan Tench is a partner at Olswang LLP specialising in administrative and media law.