Judgment Approved by the court for handing down
R (Bridges) v CCSWP and SSHD
lawfulness and fairness. On the assumption that the biometric facial data is
personal data, the parties are agreed that it does not comprise sensitive
personal data (as defined at section 2 DPA 1998). Thus, the remaining
requirement under the first data protection principle is that the processing
meets a Schedule 2 condition. SWP points to any of the following: (i)
paragraph 3 of Schedule 2 (processing necessary for compliance with a legal
obligation other than one arising from contract), (ii) paragraph 5(d) of
Schedule 2 (processing necessary for the exercise of a function of a public
nature, exercised in the public interest) and (iii) paragraph 6 of Schedule 2
(processing necessary for legitimate interests of the data controller, and not
unwarranted by reason of interference with the data subject’s rights, freedoms
or legitimate interests). We consider the paragraph 6 condition to be most
clearly suited to the processing in issue in this case. However, we do not rule
out the application of either paragraph 3 or paragraph 5 (d).
127.
Thus, and for the reasons we have set out above in the context of the Article 8
claim, the use of AFR Locate meets the requirements of the first data
protection principle. The processing is necessary for SWP’s legitimate
interests taking account of the common law obligation to prevent and detect
crime. The processing is not unwarranted for the purposes of paragraph 6, for
the same reasons as it is justified for the purposes of the Article 8 claim.
(2)
Claim under section 34 of the DPA 2018
128.
SWP is subject to the provisions of Part 3 of the DPA 2018 on “law
enforcement processing”. SWP is a “competent authority” as defined in
schedule 7 to the DPA 2018. Section 34 of the DPA 2018 is in Chapter 2 of
Part 3 of the Act. By section 34(3), competent authorities “… must be able to
demonstrate compliance with this Chapter”. The remaining provisions in
Chapter 2 set out the data protection principles. Section 35, which is in issue in
this case, provides as follows:
“35 The first data protection principle
(1)
The first data protection principle is that the
processing of personal data for any of the law
enforcement purposes must be lawful and fair.
(2)
The processing of personal data for any of the law
enforcement purposes is lawful only if and to the
extent that it is based on law and either —
(a) the data subject has given consent to the
processing for that purpose, or
(b) the processing is necessary for the performance
of a task carried out for that purpose by a competent
authority.