In the course of police investigations, requests are often made for access to (and, later, disclosure of) information about victim-survivors from third parties. This includes things such as medical and therapy records, school and social services records, and records held by charitable organisations such as homelessness charities. Requests are also often made for access to (and, later, disclosure of) data held on victim-survivors’ digital devices, including phone and social media data.
Victim-survivors have a legal right to the protection of their privacy.
This is enshrined in Article 8 of the Human Rights Act.
The Data Protection Act 2018 provides that ‘data subjects’ (such as victims of crime) can expect their private data to be processed according to 6 key principles, including that that it must be ‘lawful and fair’, the purpose must be ‘specific, explicit and legitimate’, and the personal data being processed must be ‘fair and not excessive’.
The legal basis for processing a victim-survivor’s data is usually consent, which must be freely given with a finite remit, for example to view text messages sent to a particular person and between specified dates. However, victim-survivors often do not fully understand the reasons for their data being accessed or what the consequences of that access may be, and in these cases their consent cannot be considered informed (see our final report for more information on this).
The Information Commissioner’s Office criticised national police and CPS practices around complainants’ personal data. It identified a number of barriers to meaningful consent, for example mobile phones are likely to hold information about many individuals and it is not feasible to obtain consent from each of them, but the owner of the phone cannot provide consent on their behalf. This means that as well as attempts to gain consent from the complainant, the requested data must be justifiable on the legal basis of being a “strict necessity for the law enforcement purpose”, which means that police “must fully consider the challenge of the high threshold, i.e. ‘strictly necessary’ is more than ‘necessary’”.
Case law sets out that digital devices are not automatically relevant to sexual offences: see R v E  EWCA Crim 2426 and R v McPartland and another  EWCA Crim 1782. The ruling in Bater-James & Mohammed v R  EWCA Crim 790 stated that: “It is not a ‘reasonable’ line of inquiry if the investigator pursues fanciful or inherently speculative researches…There is no presumption that a complainant’s mobile telephone or other devices should be inspected, retained or downloaded.” (para.70, 78).
As a result of Bater-James and the ICO report, a national consent form has been withdrawn and CPS procedures have been revised. Whilst these are positive steps forward, it cannot be assumed that this will automatically or quickly result in widespread change in practice or that changes are enduring.
A system of ongoing accountability is therefore crucial in ensuring that victim-survivors’ data is accessed and processed according to their legal rights. Victim-survivors cannot be expected to have the knowledge, skill, or experience required to advocate for these rights by themselves. It requires an independent legally qualified professional.