A Cautionary Tale for Contractual Data Protection Policies
The High Court's decision in Bangura v Loughborough University is a useful reminder for employers to ensure that data protection policies are non-contractual.
Mr Bangura was a student at Loughborough University (the University). The University assisted the police with their investigations into complaints of sexual assault on campus.
Prior to a written request for information from the police, the University provided them with Mr Bangura's registration form containing his name, address and date of birth.
Mr Bangura was arrested, but never charged.
He brought claims against the University for breach of contract and breach of the Data Protection Act 1998 (DPA). He specifically claimed that the University's disclosure of his personal information was a breach of the University's data protection policy, which formed part his contract with the University. The policy stipulated that requests for disclosure must be made in writing.
Mr Bangura's claims were unsuccessful and his application for permission to appeal was refused. Mr Bangura applied to the High Court for permission to reopen his appeal application.
The High Court
The High Court also refused Mr Bangura's permission to reopen his appeal application as his claims had no real prospect of success.
The registration document did not incorporate the University's data protection policy as part of the contract between Mr Bangura and the University, nor did the policy itself. A failure to adhere to the policy did not therefore result in a breach of contract.
Furthermore, the High Court considered that the policy could not be invariable. Although the policy stated that requests for disclosure had to be made in writing, the drafter could not have intended the University to be prohibited from providing information to the police if the situation was urgent and/or circumstances prevented a written request being made in advance.
The High Court also considered the disclosure to be lawful under the DPA in this particular case.
Best Practice
This case highlights the importance of ensuring that data protection policies are non-contractual. This reduces the risk of claims for breach of contract when the policy is not followed to the letter.
Although section 29 of the DPA allows an organisation to disclose personal data without the individual's consent (where failing to disclose would prejudice the prevention or detection of a crime, the apprehension or prosecution of offenders), the case is an important reminder that section 29 is only a partial exemption and organisations must still satisfy other relevant conditions set out in the DPA. This will often involve a balancing exercise and in this particular case the Court found that the disclosure was lawful, having balanced the legitimate interest pursued by the University in making the disclosure against any prejudice suffered by Mr Bangura.
Employers should therefore ensure their data protection policies and privacy notices stipulate that disclosures of personal data may have to be made for legal purposes and/or to prevent crime and fraud. The case also highlights that employers will have to carefully balance the interests in favour of making disclosures to the Police against any prejudice to the individual when deciding what information to disclose.