Law Enforcement Data Retention under the Data Protection Act 2018: Insights from Robert Bartosik v Police Scotland [2022] CSOH 55

Introduction

The case of Robert Bartosik v Police Scotland [2022] CSOH 55, adjudicated by the Outer House of the Court of Session on August 16, 2022, presents a significant examination of data protection principles within the realm of law enforcement. The petitioner, Robert Bartosik, sought the erasure of personal data retained by Police Scotland under Sections 167 and 169 of the Data Protection Act 2018 ("the 2018 Act"), alleging distress caused by inaccurate information retained by the police. The respondent, Police Scotland, contested the erasure request, asserting that the data should be preserved for law enforcement purposes and that the petitioner was not entitled to compensation.

This commentary delves into the background of the case, summarizes the court's judgment, analyzes the legal reasoning and precedents cited, and explores the broader impact of this decision on data protection law within law enforcement contexts.

Summary of the Judgment

Robert Bartosik, a taxi driver, reported instances of alleged taxi fraud to Police Scotland, which he claimed were not properly investigated. Following his complaint, an investigation ensued, involving a statement from a Public Enquiry Support Assistant (PESA). This statement contained information about Bartosik that was unrelated to his complaint and was later determined to be inaccurate.

Bartosik requested the erasure of this inaccurate information under the 2018 Act. Police Scotland refused, citing the need to retain the data for law enforcement purposes and referencing retention policies that require such data to be maintained until January 2026. Bartosik further claimed he did not receive prior notification of the refusal and sought both data erasure and compensation for distress.

The court ultimately dismissed Bartosik's petition, ruling that Police Scotland acted within its rights under the 2018 Act. The court found that the data in question was part of the official record for law enforcement purposes and thus did not warrant erasure despite being inaccurate. Additionally, the claimant did not establish a right to compensation, as the court deemed the distress claimed by Bartosik to be insufficiently substantiated.

Analysis

Precedents Cited

The judgment referenced R (on the application of O (a minor, by her litigation friend AO)) v SSHD [2022] UKSC 3 as a key precedent. In this case, the Supreme Court emphasized the importance of adhering to the plain meaning of statutory language, asserting that external aids like explanatory notes should not override the clear terms of the law. This precedent reinforced the court's approach to interpreting the 2018 Act within its explicit provisions, particularly regarding data accuracy and retention in law enforcement contexts.

Additionally, the court considered the Guide to Law Enforcement Processing issued by the Information Commissioner (January 2021). This guide clarifies the application of data protection principles in law enforcement, particularly the distinction between personal data based on facts and personal assessments, such as witness statements. The guide underscored that while factual data must be accurate and up-to-date, subjective statements by witnesses do not require the same level of precision, provided they are part of the official record.

Legal Reasoning

The court's legal reasoning centered on the interpretation and application of Sections 37 and 38 of the Data Protection Act 2018, which pertain to data adequacy, accuracy, and relevance within law enforcement purposes. The court determined that Police Scotland was justified in retaining the challenged information as it was integral to the official record of the complaint investigation. The data was processed for law enforcement purposes, thereby meeting the adequacy and relevance criteria outlined in the Act.

Crucially, the court addressed the distinction between factual personal data and personal assessments. It affirmed that statements made by individuals in their capacity as witnesses are subject to interpretation and are permissible within law enforcement records, even if found to be inaccurate post hoc. The explanatory notes and the professional guidelines supported this stance by clarifying that the inherent subjectivity of witness statements exempts them from stringent accuracy requirements.

Furthermore, the court examined the procedural aspects of the petition, including the timeliness and method of communication. It concluded that Police Scotland had fulfilled its obligations under Sections 48(1)(b) and 54(2) by sending the refusal letter to the petitioner’s declared email address, despite the petitioner’s subsequent claim of not receiving it. The court found no breach in the statutory duties related to informing the petitioner of the refusal.

Impact

This judgment has significant implications for the application of data protection laws within law enforcement agencies. It underscores the precedence of maintaining official records over individual requests for data erasure when such data is pertinent to law enforcement functions. The decision clarifies that even inaccurate personal data, if part of a law enforcement investigation, may be retained and does not automatically warrant erasure or compensation.

Future cases involving data erasure requests from individuals interacting with law enforcement will likely reference this judgment. It establishes that data controllers in law enforcement have substantial discretion to retain data necessary for official purposes, thereby setting a high threshold for individuals seeking erasure or compensation based on distress claims.

Additionally, the court's interpretation reaffirms the necessity for law enforcement agencies to implement robust data retention and processing protocols that align with the 2018 Act. Agencies must ensure that personal data is handled appropriately, distinguishing between factual information and personal assessments to comply with legal standards.

Complex Concepts Simplified

Law Enforcement Purposes under the Data Protection Act 2018

The Data Protection Act 2018 categorizes data processing activities under different purposes. When personal data is processed for "law enforcement purposes," it pertains to activities such as the prevention, investigation, detection, or prosecution of criminal offenses, or the execution of criminal penalties. This classification grants law enforcement agencies certain privileges regarding data retention and processing, provided they adhere to specific principles of adequacy, relevance, and accuracy.

Sections 37 and 38 Explained

Section 37: Stipulates that personal data processed for law enforcement must be adequate, relevant, and not excessive relative to its intended purpose.
Section 38:
- (1)(a) Requires that such data must be accurate and, where necessary, kept up to date.
- (1)(b) Mandates that any inaccurate personal data must be erased or rectified without delay, taking reasonable steps to ensure this.
- (2) Emphasizes the distinction between personal data based on facts and personal assessments, applying accuracy requirements accordingly.
- (4) Obliges data controllers to prevent inaccurate, incomplete, or outdated data from being transmitted or made available for law enforcement purposes.

Data Controllers and Personal Data

In the context of the 2018 Act, a "data controller" is an entity that determines the purposes and means of processing personal data. Law enforcement agencies like Police Scotland act as data controllers when handling personal data related to investigations and complaints. They are responsible for ensuring compliance with the Act's provisions, including data retention policies and responding to data subject requests.

Conclusion

The judgment in Robert Bartosik v Police Scotland reaffirms the authority of law enforcement agencies to retain personal data necessary for official purposes, even when such data is later identified as inaccurate. By upholding the retention and processing practices under Sections 37 and 38 of the Data Protection Act 2018, the court delineates clear boundaries between individual data erasure rights and the operational needs of law enforcement.

This decision emphasizes the importance of accurate data processing within legal frameworks and the challenges individuals may face when seeking data erasure in contexts involving law enforcement. It underscores the necessity for data controllers to balance individual rights with public safety and procedural integrity, ensuring that data retention practices are both legally compliant and justifiably necessary.

For legal practitioners and data protection officers, this case serves as a crucial reference point for navigating the complexities of data retention within law enforcement, highlighting the need for meticulous adherence to statutory requirements and the safeguarding of both individual rights and public interests.