Judgment Approved by the court for handing down
R (Bridges) v CCSWP and SSHD
(d) the processing of data concerning an individual's
sex life or sexual orientation.”
129. The Claimant’s case is that the use of AFR Locate by SWP does not comply
with the first data protection principle. This submission is not directed to
section 35(2) of the DPA 2018 but instead to the requirements that stem from
section 35(3). The Claimant contends, firstly, that AFR Locate entails
“sensitive processing” as described at section 35(8) of the DPA 2018. SWP
accepts that it does so far as it concerns processing of the biometric data of
those who are on a watchlist, but disputes that the sensitive processing extends
to the biometric data of members of the public whose faces are captured by the
CCTV cameras. The Claimant contends, secondly, that AFR Locate does not
meet the requirements of section 35(5): the processing is not “strictly
necessary” for the law enforcement purpose; no Schedule 8 condition is met;
and there is no appropriate policy document that meets the requirements of
section 42(2) of the DPA 2018.
Does AFR entail processing biometric data of members of the public “for the purpose
of uniquely identifying an individual”?
130. The first matter to address is the scope of sensitive processing where AFR
Locate is used: does it entail processing biometric data of members of the
public “for the purpose of uniquely identifying an individual”? By section
205(1) of the DPA 2018 “biometric data” is defined as follows.
“"biometric data" means personal data resulting from specific
technical processing relating to the physical, physiological or
behavioural characteristics of an individual, which allows or
confirms the unique identification of that individual, such as
facial images or dactyloscopic data”
131. It is beyond argument that the facial biometric data of members of the public
gathered when AFR Locate is used is “biometric data” as so defined. SWP’s
submission is that processing this biometric data in the context of AFR Locate
is not sensitive processing because the purpose of AFR Locate is not to
identify the members of public per se, but rather to identify those on the
watchlist. SWP emphasises that the necessary purpose is formulated as “the
purpose of uniquely identifying an individual”. This in the context of AFR
Locate, says SWP, can only refer to the person on the watchlist. SWP accepts
that the outcome would be different if the purpose were expressed in terms of
“identifying the individual” or “identifying the individual to whom the
biometric data relates”, but that is not how the provision has been formulated.
132. We do not accept this submission. As a matter of straightforward language,
section 35(8)(b) of the DPA 2018 can properly be read as applying both to the
biometric data for those on the watchlist and to the biometric data of the
members of the public. This conclusion is supported by the legislative history
of the General Data Protection Regulation (Reg 2016/679/EU – “the GDPR”)
and the Law Enforcement Directive (2016/680/EU), measures which the DPA
2018 seeks to implement. Article 9 of the GDPR lists the “special categories of