Contemplating Criminal Liability for the Consequences of Unlawful Data Disclosure

Volume 3, Issue 2 • 2011 • Article 2

Contemplating Criminal Liability for the Consequences ofUnlawful Data Disclosure

Emily Finch, University of Surrey

Finch, Emily (2011) "Contemplating Criminal Liability for the Consequences of Unlawful DataDisclosure," Policy & Internet: Vol. 3: Iss. 2, Article 2.http://www.psocommons.org/policyandinternet/vol3/iss2/art2

DOI: 10.2202/1944-2866.1119

©2011 Policy Studies Organization

http://www.psocommons.org/policyandinternet

http://www.psocommons.org/policyandinternet

http://www.psocommons.org

Contemplating Criminal Liability for theConsequences of Unlawful Data Disclosure

Emily Finch, University of Surrey

Abstract

This article considers whether the current approach of the criminal law to the unauthoriseddisclosure of personal data is adequate to deal with situations in which this disclosure hasfacilitated the commission of some other criminal offence. It argues that the focus of the criminallaw should be on the consequences of disclosure and that there are strong policy arguments infavour of imposing liability on the person making disclosure for the offence that has beencommitted as a consequence of this conduct. In doing so, the article considers whether this couldand should lead to the imposition of liability for constructive manslaughter if the disclosure ofpersonal data leads to the death of the person to whom the data relates. The article concludes bysuggesting that the most appropriate response is to strengthen the existing law with creation of anew offence that would focus on the consequences of disclosure.

KEYWORDS: unauthorised disclosure of person data, data protection, computer misuse, legalcausation, constructive manslaughter

Author Notes: The author would like to thank the anonymous referees for their careful andconstructive comments.

Introduction

The price of participation in ordinary activities within today’s society for the average person is an acceptance that personal data will be disclosed to and stored by a wide range of public and private organizations. Although much is said about the security of data stored on computer networks, there is less discussion of the potential vulnerability of such data to deliberate disclosure by those responsible for entering and accessing data on the system. It is true that legislation in England and Wales such as the Computer Misuse Act 1990 and the Data Protection Act 1998 was introduced to protect computer systems from unauthorized access and to guard against the escape of information contained on them. However, while these laws have served a useful purpose in establishing and enforcing a regulatory regime within which access to systems and the flow of information is limited to authorized personnel and purposes, it remains to be questioned whether they are adequate to deal with the consequences of willful disclosure of data.

This article will consider whether it is (a) possible and (b) desirable to impose criminal liability for the consequences of unlawful disclosure of data. The current legislative framework based upon the Computer Misuse Act 1990 and the Data Protection Act 1998 creates conduct offences in which the simple act of unauthorized access or unauthorized disclosure engender criminal liability, irrespective of the consequences of this access or disclosure. This article will argue that there are compelling public policy reasons that support the criminalization of the consequences of disclosure, and that mirror developments elsewhere in the criminal law. This position is also supported by the principle of fair labeling, which requires that criminal charges should match the nature and severity of the offender’s wrongdoing.

The Death of Bernard Gilbert

Bernard Gilbert was waiting to maneuver into a parking space at a supermarket in Spondon in Derbyshire, England, when another driver, Zoe Forbes, drove into it (Malvern 2008; Dolan 2008). An argument ensued after which Mrs. Forbes telephoned her husband, Mark, who told her to take a note of the other vehicle’s registration number. Mark Forbes gave the vehicle registration to PC Stephen Smith who used the Police National Computer (PNC) to obtain the driver’s address. Mark Forbes sent a text to his wife that said: “I’ve got someone on to it. Fingers crossed, I’ll get an address.” PC Smith did provide this information and Mark Forbes and his brother, Stephen, visited Mr. Gilbert’s home in order to slash the tyres of his vehicle. However, when they arrived at the address, Stephen Forbes threw a brick through the window of Mr. Gilbert’s home where he was

1

Finch: Contemplating Criminal Liability for the Consequences of Unlawful Data Disclosure

sitting watching television with his wife. Mrs. Gilbert described the noise as “like a bomb going off” and described her husband as being “ashen and shaken” by the attack. He collapsed and died 20 minutes later. Mark and Stephen Forbes were convicted of constructive manslaughter and were sentenced to three years and two-and-a-half years imprisonment, respectively (Parker 2008).

The conviction of the two men for constructive manslaughter is relatively uncontroversial, although neither man ever came into contact with or saw the victim. It is well established in criminal law that a person will be guilty of constructive manslaughter if he intentionally does an act that is unlawful and dangerous and which causes death. There is no need for the defendant to be aware that his act was either unlawful or dangerous, and he does not have to be aware that death is a possible consequence of his actions (DPP v. Newbury, 1977). Liability under the Data Protection Act 1998 For his role in these events, PC Smith was charged with disclosing personal data contrary to section 55 of the Data Protection Act 1998, which makes it an offence for a person knowingly or recklessly to disclose personal data without authority or justification. The section that follows will explain the requirements of the offence in a little more detail, both to demonstrate how they were satisfied in this case and also to highlight how this offence requires only disclosure of data and does not concern itself with any adverse consequences following on from the disclosure.

The actus reus (or conduct element) of the section 55 offence is the disclosure of personal data, which is defined by section 1(3) as “data consisting of information which relates to a living individual who can be identified from that information.” Further elaboration on the meaning of “personal data” can be found in the detailed consideration of the scope of the phrase found in the Court of Appeal judgment in R v. Durant (2003): in particular, what it means for data to “relate to” an individual. The Court of Appeal adopted a narrow approach to the meaning of “personal data” by requiring that it should be “biographical in a significant sense” and/or should have as its focus the individual concerned, rather than merely mentioning the individual (per Auld LJ, para. 28). The Information Commissioner of the United Kingdom has issued guidelines on the meaning of personal data following Durant that acknowledge that the mere mention of an individual’s name will not necessarily amount to personal data, but that suggest that a name in conjunction with some further identifying information such as an address, telephone number, or place of work would suffice (Information Commissioner’s Office 2007). Furthermore, in Attorney-General’s Reference (No. 140 of 2004), it was held that the names and addresses of vehicle owners traced through their registration numbers using the Driver and Vehicle Licensing

2

Policy & Internet, Vol. 3 [2011], Iss. 2, Art. 2

http://www.psocommons.org/policyandinternet/vol3/iss2/art2DOI: 10.2202/1944-2866.1119

Agency (DVLA) computer amounted to personal data, and its disclosure to an animal rights group constituted a breach of section 55. Accordingly, it is not difficult to see that PC Smith’s actions in identifying the address of the owner of a car from its registration on the PNC and disclosing this to Mark Forbes satisfies the conduct element of this offence.

The mens rea (or mental element) of section 55 is that the defendant must knowingly disclose personal data or be reckless as to its disclosure. This does not seem troublesome in the context of these facts. PC Smith gave a vehicle registration to someone who he knew was not a police officer, and who was not otherwise authorized to receive that information, and he deliberately accessed the PNC with the aim of obtaining and passing on this information to an unauthorized recipient. It is uncontroversial to state that this gives rise to a knowing disclosure of personal data and completes PC Smith’s liability for this offence.

Although section 55 of the Data Protection Act 1998 certainly covers the conduct in question, it is important to note its limitations. Firstly, its focus is exclusively on the conduct and takes no account of the consequences of disclosure. As such, PC Smith’s liability would have been unaltered irrespective of what happened after he passed on Mr. Gilbert’s address. For the purposes of liability under section 55, it makes no difference whether Mark Forbes used the information to bring about Mr. Gilbert’s death, or to write him an unpleasant letter, or if he had done absolutely nothing with the data at all. Secondly, the available penalties reflect the focus of the offence on disclosure itself, as the offence is only punishable by the imposition of a financial penalty in accordance with the statutory framework for standard fines (a maximum of £5,000 in magistrates’ courts or an unlimited fine at Crown Court: Criminal Justice Act 1991, section 17). In practice, it would be most unusual for the maximum fine to be imposed, taking into account the reduction that would be made if the defendant entered a guilty plea and any adjustments to reflect the relative seriousness of the offence and the defendant’s ability to pay.

In fact, it is as a result of concerns that the penalties available under the Data Protection Act 1998 are insufficient to penalize those who willfully pass on protected data, often in return for payment, to unauthorized recipients that the largely dormant common law offence of misconduct in public office has been revived in recent years, in order to prosecute police officers and other trusted public servants who have disclosed personal data as this offence (Wasik 2008). As a common law offence, there are no restrictions on the penalty that can be imposed upon conviction for this offence, so it could result in anything up to a sentence of life imprisonment.

3


Misconduct in Public Office The common law offence of misconduct in public office covers situations in which a public officer acting in his public capacity “wilfully neglects to perform his duty and/or wilfully misconducts himself, to such a degree as to amount to an abuse of the public’s trust in the office holder” (Halsbury’s Laws of England 2006). A police officer is a public officer and the use of the Police National Computer (PNC) to access personal data about individuals would fall within the scope of his public duty. In Graham v. Teeside 1981, it was held that “wilful misconduct” involved the public officer “deliberately doing something which is wrong knowing it to be wrong or with reckless indifference as to whether it is wrong or not” (per Webster J at 123). This was quoted with approval by the Court of Appeal in A-G’s Reference (No 3 of 2003), with the qualification that this must incorporate a meaning of recklessness in line with that given by the House of Lords in R v. G 2003. The disclosure of information held on the PNC to an unauthorized recipient is likely to fall within the meaning of “wilful misconduct.”

Following the recommendations of the Bichard Inquiry Report (2004), a Code of Practice relating to the use of the PNC was issued by the National Centre for Policing Excellence (section 2 of the Police Reform Act 2002 inserts a new section 39A into the Police Act 1996 that permits the Secretary of State to introduce Codes of Practice for chief officers). This Code of Practice (National Centre for Policing Excellence 2005: para. 40) stipulates that all staff undertaking PNC functions must be trained to an appropriate level of competence. Training in the use of the PNC is offered by the National Policing Improvement Agency and each of the courses offered includes data security as a component. Accordingly, a police officer who is able to access the PNC will have been trained in its use, and this training will have included coverage of the policies and practices surrounding its use, including issues of data security. It is inconceivable that a police officer who has been trained to use the PNC could be unaware that it is wrong to disclose information other than to legitimate recipients; thus the requirement that there is knowing wrongdoing seems to be satisfied. This view is encapsulated by the words of Lord Phillips CJ in R v. Hardy (2007) where he stated “accessing police computer information for an improper purpose is an offence that involves deliberation” (para. 26).

The final requirement of the offence is that the misconduct should be such that it amounts to an abuse of the public’s trust in the office holder. In R v. Dytham (1979), it was held that the misconduct involved should be sufficiently injurious to the public interest as to call for condemnation and punishment. Sir Anthony Masson, giving judgment in the Court of Final Appeal in Hong Kong in Shum Kwok Sher v. HKSAR (2002), stated that the seriousness of the misconduct would depend upon the responsibilities of the office, the importance of the public

4



objects which they serve, and the nature and extent of the departure from those responsibilities. The relevance of these factors in establishing a sufficiently serious level of misconduct was affirmed by the Court of Appeal in A-G’s Reference (No 3 of 2003), although Pill LJ added a further consideration to be taken into account: the seriousness of the consequences of the misconduct (para. 46).

The application of this offence to police officers was considered in R v. Keyte (1998) where the disclosure of information from the PNC to former colleagues who were operating as private detectives was described as “improper and impermissible.” Swinton Thomas LJ commented on the injury to the public interest caused by such disclosures, noting that the integrity of the PNC is of:

“[A]bsolutely vital importance and it goes without saying that the public must have faith and confidence in it and a belief that private information relating to them will not be released by police officers for ulterior motives.” (at 166)

Considering the requirements of the offence, it seems that there was potential to charge PC Smith with misconduct in public offence. He was a public servant whose duties included the use of the PNC, and he abused his ability to access this computerized database in order to pass on the address of the driver of a vehicle. It seems reasonable to assert that such behavior would breach public confidence in the police and in the integrity of the PNC. An ordinary person would surely be horrified to think that a parking altercation could culminate in a revenge attack because the perpetrator was able to locate the driver of a vehicle simply by asking a police officer for the address of the owner of the car. Even if PC Smith did not know that revenge was planned, he would surely have known that there was no legitimate reason for a person to seek such information from him.

Of course, it could be argued that the trial judge would not have imposed a greater sentence on PC Smith even if he had been charged with a more serious offence, given that the fine imposed was towards the lower end of the statutory range (£1,200, when it was possible to impose a fine of £5,000). However, it is important to remember that the magistrates were imposing a penalty for an offence where they are only permitted to look at the conduct and not its consequences. The common law offence of misconduct in public office is also a conduct offence, but case law has specified that the seriousness of the consequences of the misconduct should be a consideration (Attorney-General’s Reference No 3 of 2003). With the added ability to consider the consequences of the disclosure of the driver’s address, it may be that a more significant penalty

5


that acknowledged the contribution that PC Smith made to Mr. Gilbert’s death would have been imposed. Accessory to Manslaughter It is well established in criminal law that the provision of information that facilitates the commission of an offence will satisfy the actus reus of secondary liability, rendering the provider liable as an accessory to the offence committed by the recipient, contrary to section 8 of the Accessory and Abettors Act 1861. For example, in R v. Whitefield (1983) it was held that the defendant could be an accessory to a burglary at which he was not physically present on the basis of having provided information to those who committed the offence that the owner of the burgled house was away, and suggesting a means of entry. In line with this, it seems reasonable to suggest that the police officer’s actions in providing Mark Forbes with the address of the driver of the vehicle would be sufficient to satisfy the actus reus of the offence, as it was an action which aided, abetted, counseled, or procured the principal offence, contrary to section 8 of the Accessory and Abettors Act 1861.

The mens rea of secondary liability is somewhat more complicated. It requires that the defendant intends to assist the principal offender and that he has knowledge of the facts forming the essential elements of the principal’s offence. The requirement that the defendant intends to assist the principal offender can be broken down into two requirements: firstly, an intention to perform the act and secondly, an intention that the act will render assistance to the principal offender (Ormerod 2008). Although it is beyond question that the police officer intentionally disclosed confidential data to an unauthorized person, it is less clear that he did this intending to provide assistance to an offender. PC Smith would doubtless argue that he had no such intention and that he merely provided the information requested without any notion that its provision would facilitate the attack that led to the death of Mr. Gilbert. However, it is a long-standing principle of secondary liability that an accessory need not know the precise details of the offences to be committed by the principal, provided he knows “the essential matters which constitute the offence” (Johnson v. Youden 1950). It has been accepted by the House of Lords that an accessory should “not be convicted of aiding and abetting any offence his principal may commit but only one which is within his contemplation” (Director of Public Prosecutions for Northern Ireland v. Maxwell 1978).

Following this, it is clear that PC Smith could only be liable as an accessory to offences that he contemplated could be committed as a result of his disclosure of Mr. Gilbert’s address. This is likely to be contingent on what he was

6



told when the request for the address was made or, in the absence of any explanation, how he thought that information would be used. It is well established that secondary liability can be imposed even when the accessory has only a vague idea of the principal’s intended offence. This was stated by the House of Lords in Maxwell:

“[The accessory] may have in his contemplation only one offence or several; and the several which he contemplates he may see as alternatives. An accessory who leaves it to the principal to choose is liable, provided always that the choice is made from the range of offences from which the accessory contemplates the choice will be made.” (per Lord Scarman at 1363)

This makes it clear that even an accessory with imperfect knowledge of the principal’s exact plan will incur secondary liability if it so happens that the offence committed by the principal was one of those possible offences that the accessory had in mind. This creates a somewhat uncertain basis for the imposition of liability as a consequence of the unlawful disclosure of personal data, as it depends entirely on what the police officer was thinking at the point in time that he passed on the information. In this instance, it may be that PC Smith was thinking that Mark Forbes wanted the address in order to impersonate the car driver with a view to committing some kind of fraud. If so, then, however deplorable this would be, it would not suffice to render PC Smith an accessory to constructive manslaughter following Mr. Gilbert’s death. However, if PC Smith was thinking “I bet he is going to smash up someone’s car” or “I wonder if the driver is going to get a beating” or “I hope this doesn’t get out of hand or somebody might die” then he would be liable as an accessory to criminal damage, a non-fatal offence or a homicide offence, depending upon the actions of the principal to whom the assistance has been provided.

Therefore, it is perfectly possible, in theory at least, to make a police officer (or other person with access to personal data) an accessory to an offence committed as a consequence of the receipt of data. The imposition of liability will depend upon what the person who discloses the data thinks will be done with it. If the person making the disclosure thinks that the data will be used to commit an offence, and intends to assist the commission of that offence by providing the information requested, then liability as an accessory to the offence committed can follow.

It does not seem unreasonable to impose secondary liability in these circumstances. There seems to be no logical reason why the supply of confidential data should be treated differently to the supply of any other item that facilitates

7


the commission of an offence. It was said by the Court of Appeal in R v. Bryce (2004) that:

“Where a person supplies equipment to be used in the course of committing an offence of a particular type, he is guilty of aiding and abetting the commission of any such offence committed by the person to whom he supplies the equipment, providing that he knows the purpose to which the equipment is to be put or realises that there is a real possibility that it will be used for that purpose and the equipment is actually used for that purpose.” (per Potter LJ at para. 49)

A parallel can be drawn between the supply of a weapon or equipment, as

discussed in Bryce, and the provision of information that enables the principal to commit an offence. In both cases, the principal is put in a position where his desire to commit a particular offence is furthered by the volitional assistance of the person who supplies the weapon, equipment, or information that is needed.

It could be argued that the link between the provision of an address and a revenge attack culminating in the death of the victim is too tenuous to give rise to liability as an accessory to manslaughter, and that there is a more direct link between, say, the provision of a gun and a fatal shooting. However, the situations are analogous in that the principal’s desired offence could not be committed without the accessory’s contribution, whether that takes the form of the provision of a weapon with which to harm the victim or the provision of information that enables the principal to locate the victim in order to cause him harm.

It is undeniable that personal information held on secure databases has the potential to cause harm to the subject of that information if it falls into the wrong hands. This might be pecuniary or physical harm to the victim or their property. It is immaterial. What is important is that the harm can only occur if the data is disclosed beyond its intended audience, so that serious liability should follow from a breach of confidentiality that leads to the imposition of such harm. As the person making the disclosure plays a significant, albeit indirect, role in the harm that occurs, i.e., it could not have happened without this contribution, it does not seem unreasonable to move beyond the imposition of liability for the disclosure itself to look at the nature of the harm itself and to share liability between the person who caused the harm, as principal offender, and the person who facilitated the offence by the provision of information, as accessory to that offence.

8



Liability for Manslaughter

A final consideration in this particular case is whether PC Smith and others whose disclosure of confidential data leads to death can be liable for manslaughter as a principal offender. Manslaughter is a result crime; thus the actus reus will be satisfied if the prohibited result (causing death) is attributable to the defendant’s actions, irrespective of the means by which the death was bought about. Liability for constructive manslaughter will be established if the defendant has committed an unlawful act that is dangerous, provided that this dangerous unlawful act has caused the victim’s death (DPP v. Newbury 1977).

Unlawfulness

The first requirement of constructive manslaughter is that the defendant has committed a criminal offence that has a mens rea requirement (as opposed to a civil wrong or strict liability criminal offence: R v. Lamb 1967). Section 55 of the Data Protection Act 1998 would suffice, as it is a criminal offence that has the mens rea requirement that the disclosure of data must be knowing or reckless. Similarly, the offence of causing a computer to perform a function under section 1 of the Computer Misuse Act 1990 could be the basis for a constructive manslaughter conviction—as this offence requires that the defendant intentionallycauses a computer to perform a function knowing that his access is unauthorized—as could the common law offence of misconduct in public office due to its willfulness requirement. Accordingly, there are at least three offences that could form the basis of a constructive manslaughter conviction if there has been disclosure of personal data from a computer system by a public servant.

Dangerousness

The second requirement of constructive manslaughter is that the defendant’s act is dangerous. The test to be applied to the determination of the dangerousness of the unlawful act is an objective one that asks whether a sober and reasonable bystander would realize that there was a risk of some harm resulting to the victim (R v. Watson 1989). In Dawson (1985), it was held that the knowledge that is imputed to the hypothetical bystander is the knowledge that he would have if he were present at the scene and watched the unlawful act being performed. Lawson LJ went on to state that the hypothetical sober and reasonable bystander has the same knowledge as the person committing the offence.

In this instance, then, it has to be asked whether a hypothetical sober and reasonable bystander who was present when PC Smith disclosed the victim’s address and who knew what PC Smith knew would consider that the disclosure of

9


this information carried a risk of some harm resulting to Mr. Gilbert. This would be contingent on what PC Smith, or any other person in his position, knew about the planned offence and the potential victim. Allen and Cooper (2010, 179) suggest that any knowledge that the offender had during the planning and preparation stages prior to the offence should be imputed to the hypothetical bystander, as this “sets the act in context for the purpose of determining its objective dangerousness” (2010, 179). Accordingly, if a person with access to personal data was told that its disclosure would facilitate a revenge attack then it is likely that the sober and reasonable bystander would conclude that disclosure of the data carries a risk of some harm to the victim. It is important to note that the requirement is that the bystander would foresee some harm, not the risk of serious harm and certainly not the risk of death.

If the person accessing the data was aware of the victim’s age and state of health, this conclusion is all the more likely, as it was held in Watson (1989) that if the offender was aware that the victim was elderly and frail then this was knowledge that would be imputed to the sober and reasonable bystander. In this case, there is no basis to conclude one way or another that PC Smith knew that a revenge attack was planned and that the victim was elderly and not in the best of health, as he was not present at the scene, and it was accepted by the court that he had not been told what was planned. However, considering the broader possibilities, it is clear that a person with access to controlled data who was privy to such information when a request for disclosure was made could be said to have committed an unlawful act which carried an objective risk of causing some harm to the victim. Causation The final requirement for liability is that the unlawful and dangerous act has caused death according to the principles of factual and legal causation. Factual causation is established by applying the “but for” test which provides a preliminary link between the defendant’s conduct and the death that occurred by asking “but for the defendant’s action, would the victim have died?” (R v. White 1910). Here, factual causation is established as “but for” the disclosure of Mr. Gilbert’s address by PC Smith, he would not have been killed in the revenge attack. The next step is to establish legal causation.

Legal causation isolates the most culpable cause or causes of the victim’s death as appropriate for the imposition of criminal liability. It is not required that the defendant’s act is the most immediate or compelling cause of death, provided that his actions are “an operating and substantial” cause of death (R v. Malcherek and Steel 1981). It is here that any attempt to impose liability for constructive manslaughter on a person whose disclosure of personal data leads to the death of

10



another person may appear to fall into difficulty. How can it be said that breach of data protection regulations is an “operating and substantial” cause of death when the action itself is not capable of causing death?

This question could be resolved by consideration of R v. Pagett (1983). In this case, the defendant held his pregnant girlfriend hostage and used her as a shield in an attempt to escape from armed police. A police marksman fired at the defendant but shot the hostage who died from her injuries. In dealing with the question of causation, the Court of Appeal ruled that “the accused’s act need not be the sole cause, or even the main cause, of the victim’s death, it being enough that his act contributed significantly to that result” (per Robert Goff LJ at 288). Applying this principle, the Court of Appeal ruled that either of the defendant’s acts—firing at a police marksman or using force on the victim by holding her against him—would have satisfied the requirements of legal causation and rendered the appellant liable for manslaughter. Neither the act of firing a shot at a police marksman nor holding the victim against her will was the physical or medical cause of the victim’s death; indeed, the second act could not in any way be said to be something which, in isolation, was capable of ending a person’s life. Following this reasoning, it seems that it is possible that an act that cannot cause death in its own right could be the legal cause of a person’s death if it sets in motion a chain of events that ultimately leads to a fatal outcome.

It is fair to say that some doubt has been thrown upon this argument by the decision of the House of Lords in R v. Kennedy (2007). The case centered upon the question of whether a drug-dealer should be liable for causing the death of a person to whom he had supplied heroin. It was held that the voluntary actions of an informed adult of sane mind would operate as a novus actus interveniens—an intervening act—that broke the chain of causation. In essence, the victim was an autonomous actor who decided what to do with the heroin after it had been supplied and it was his decision to take the drug that caused his death. In the same way, then, it could be argued that Mark Forbes was faced with a similar choice—to use the information to attack Mr. Gilbert or not—and that his decision and the actions that followed it broke the chain of causation and relieved PC Smith of any legal responsibility for causing Mr. Gilbert’s death.

However, as the House of Lords acknowledged in Kennedy, “causation is not a single, unvarying concept to be mechanically applied without regard to the context in which the question arises.” In other words, the approach taken to legal causation is flexible, and can be adapted to suit the offence with which the defendant is charged and the circumstances of the case. This is because legal causation is heavily shaped by policy considerations so as to ensure that criminal liability vests with those who are to blame for events which occurred, irrespective of whether they are the first, last, or most compelling cause of death. As Lord

11


Hoffmann stated in Environment Agency v. Empress Car Co (Abertillery) Ltd (1999):

“Common sense answers to question of causation will differ according to the purpose for which the question is asked. Questions of causation often arise for the purpose of attributing responsibility to someone, for example, so as to blame him for something which has happened.”

As legal causation is concerned with blameworthiness, it is not outside of

the realms of possibility that a court would hold that PC Smith’s actions in disclosing the address was a legal cause of Mr. Gilbert’s death, particularly given that a unified approach to legal causation is not expected. In other words, if faced with a cause involving the harmful consequences of data disclosure, it is open to the courts to modify the approach taken to legal causation to take account of the context of the case. In particular, account could be had of the lapse in time between disclosure and consequences, as well as the indirect way in which harm is caused.

The courts have not been unwilling to find that legal causation exists in other situations where there has been a lack of temporal proximity and where the original act did not cause direct harm to the victim. For example, in R v. Mitchell (1983), the Court of Appeal upheld a conviction for constructive manslaughter after the appellant’s act of pushing into a Post Office queue led to the death of an elderly lady one week later from a pulmonary embolism. A man in the queue remonstrated with the appellant for pushing in. The appellant punched the man, knocking him into the elderly lady who fell and broke her femur. She appeared to be recovering from this injury but developed thrombosis which led to the pulmonary embolism from which she died. Despite the significant degrees of separation from the altercation in the queue to the death of the lady, the Court of Appeal held that the appellant was the legal cause of death as he set in motion a chain of events that culminated in the victim’s death. In doing so, the Court of Appeal expressly stated that there is no requirement that the act should be aimed at the victim nor that it should cause direct harm to the victim (per Staughton J at 749).

In conclusion, a detailed consideration of the authorities that deal with legal causation in relation to the offence of constructive manslaughter does not rule out the possibility that the disclosure of personal data could be the legal cause of death. It should be remembered that the entire rationale of the existence of the offence of constructive manslaughter is that it builds (constructs) liability for a fatal offence (manslaughter) on the foundation of a non-fatal offence. Therefore, to argue that the disclosure of data cannot cause death in itself cannot stand as a logical objection to the imposition of liability for constructive manslaughter in

12



events such as those that led to the death of Mr. Gilbert. The only question that remains for consideration is whether liability for manslaughter should be imposed.

Policy Arguments in Favor of the Imposition of Liability

The starting point for this article was that an ordinary person cannot participate in modern life without having their personal details stored on any number of computer systems. It is no longer, if it ever was, a matter of choice but of necessity or compulsion; without the provision of an increasing amount of personal data access to ordinary services would be denied. Moreover, in many instances, it is not even within the individual’s control, as the State gathers and controls personal data that is stored on vast databases. That this data should not be in general circulation is acknowledged by the laws that exist to control its disclosure. Not only is this a matter of privacy, it is also a matter of protecting the individual concerned from the consequences of universal visibility. Taking the Bernard Gilbert case as an example, it seems uncontroversial to state that all drivers should be able to take to the roads, and the car parks, without fear that they will be tracked down by other road-users who they may have upset during the course of their travels. If the people who control access to this information cannot be relied upon to maintain its confidentiality then it is only right that they should be penalized for their actions.

This article has argued that the locus of culpability should not rest solely on the conduct (the disclosure of the data) but also on the consequences of that disclosure (whatever they may be). It is acceptable to penalize the disclosure itself if no adverse consequences flow from this; in such a case, the wrong that has been done is the circulation of that which should be confidential. However, it seems wrong if the law fails to differentiate between the disclosure of data that causes no other ill-effects and the disclosure of data that facilitates the commission of some other criminal offence. In this case, the wrong goes beyond the breach of confidentiality to the infliction of some other form of harm on an individual. A parallel could be drawn with knife crime. A person who is in possession of a knife in a public place in England and Wales is guilty of the offence of possession of an offensive weapon contrary to section 1 of the Prevention of Crime Act 1953. He does not need to use it or intend to use it; criminality attaches to the possession of the weapon because it is regarded as wrong in itself, as possession of such a weapon is so often a precursor to its use. However, if the knife is used to inflict an injury then offences that carry more serious penalties exist to deal with the use of the knife. Surely, in a society where so much harm can be caused simply by misuse of another’s personal data, a distinction in terms of seriousness should be

13


made between unauthorized disclosure or possession of data per se and unauthorized disclosure or possession that has harmful consequences?

A situation in which unauthorized disclosure of personal data results in death is, thankfully, rare but it is important to remember that there are many other ways in which an individual can be caused harm if their personal data falls into the wrong hands: fraud offences are ever-increasing and the ability to identify a person’s place of residence renders them vulnerable to the commission of offences against their property, such as criminal damage and burglary, as well as to the risk of personal harm. This concern was acknowledged in Attorney-General’s Reference (No 140 of 2004) where Judge LJ stated:

“The unauthorised disclosure of information held in any records kept and maintained only for public purposes should always be regarded as a serious offence. The amount of private information about each and every single citizen in this country, available to public servants, has increased, and with modern technology continuing increase is virtually inevitable. Citizens are entitled to assume that the information so kept will only be made available to those who are entitled to see it, and only for the express purpose permitted by law […] Sometimes wrongful disclosure causes damage. Even if an offender has not fully anticipated the consequences of disclosure, it will be very unusual for him to be entirely ignorant of the possible consequences, and, even if those consequences are unforeseen, the impact of disclosure on any individual whose privacy has been betrayed is a critical ingredient of the sentencing decision.”

This acknowledges the potential for harm created by the disclosure of

personal data. It also highlights the powerlessness of ordinary individuals once their information is in the hands of others. As society is so dependent upon those who control access to personal data, it is important that those who misuse their powers should be heavily penalized. This not only reflects the significance of the wrongdoing and the potential for harm but it also sends a clear message to those in control of data that abuse of their position of trust is a serious matter. This was recognized by the Court of Appeal in R v. Hardy (2007) where it was held that the disclosure of personal data was “one of those offences where it is realistic to include a deterrent element in a sentence” so that the penalty imposed was increased from a 300-hour community sentence to nine months’ imprisonment. This sentence was possible as the defendant was charged with misconduct in public office to avoid the restrictive sentencing structure of the Data Protection Act 1998. This recent resurrection of the hitherto little-used offence of misconduct in public office demonstrates the dissatisfaction of the prosecutors with the adequacy of offences under the Data Protection Act and Computer

14



Misuse Act to impose an appropriate penalty on those who abuse their access to data by disclosing it to unauthorized recipients (Wasik 2008).

However, it is not only an issue of sentencing that is relevant. It is also important that the defendant is charged with an offence that reflects the full nature of the wrong involved in his conduct. What offence best encapsulates the wrong done in the case of Mr. Gilbert? Was it the misuse of a computer system or the unauthorized disclosure of personal data? Was it the abuse of PC Smith’s position of a police officer? The central premise of this article is that the conduct concerned is insignificant compared to the consequences of the conduct and, as such, that these offences that focus on the actions of the police officer are not sufficient to reflect the heinousness of the situation. Mr. Gilbert berated a young woman who stole his parking space. Without the discovery of his address, the matter would have ended there. As a consequence of the unauthorized disclosure of personal data stored on the PNC by a police officer, Mr. Gilbert’s home was attacked and he died as a result. It does not seem unreasonable that liability for manslaughter, whether as a principal offender or as a secondary party, should follow.

A Tailored Legislative Approach?

It has to be acknowledged that it is not a straightforward matter to impose such liability for the consequences of disclosure. There are particular difficulties with regard to the mens rea of secondary liability and the issue of legal causation in relation to constructive manslaughter that could pose impediments to achieving a conviction. For the Crown Prosecution Service, it may be that the guarantee of a conviction for a data protection offence is preferable to a speculative prosecution for manslaughter. However, there have been situations in the past where the Crown Prosecution Service has pursued a prosecution in the knowledge that a conviction will only be forthcoming if the courts can be prevailed upon to adapt the law. For example, after several false starts, the House of Lords in R v. Burstow (1997) was persuaded to reinterpret the Offences against the Person Act 1861 so that it included psychological, as well as physical, injury and again to accommodate the deliberate transmission of HIV in R v. Dica (2004). It may be that the publicity generated by cases such as the death of Mr. Gilbert will prompt a similar episode of prosecutorial activism in relation to the consequences of the disclosure of data.

Of course, it could be argued that it would be preferable for Parliament to tackle the issue of the harm caused by the disclosure of data in a more direct way, rather than leaving it for the courts to force the square pegs of technology-related misconduct into the round holes of the existing criminal law. Attempts to do this

15


in the past by using offences such as criminal damage to deal with unauthorized access to computer systems prior to the enactment of the Computer Misuse Act 1990 have led to the distortion of legal principles and to inconsistent verdicts (Fafinski 2009; Walden 2007).

The unauthorized disclosure of data has the potential to facilitate wide-ranging harm. It may be a rare occasion in which it results in death, but revenge attacks involving non-fatal injury or damage to property can also be facilitated by the release of the victim’s personal information. Moreover, many financial crimes such as fraud and money laundering, as well as the associated problems of identity theft, are facilitated by the availability of personal data.

In light of the potential for harm to result from the unauthorized disclosure of data, and the difficulties of adapting the current law to shift liability from the conduct involved to the consequences of disclosure, it seems reasonable to suggest that there is a need for reform. This could be developed to create a two-tier system of liability similar to that which exists under the Computer Misuse Act 1990 in which the basic offence of causing a system to perform a function (section 1) is accompanied by the more serious offence of doing so with intent to commit or facilitate some other offence (section 2). The existing offence contained in section 55 of the Data Protection Act 1998 is adequate to address situations in which there is an unauthorized disclosure of data that has no adverse consequences. What is needed is an additional basis of liability to deal with situations in which the disclosure has facilitated some other criminal offence. The creation of such an offence would fill the gap that exists in the current law in England and Wales and would focus attention on the essential nature of the wrongdoing involved, as well as providing a more significant penalty that reflects the severity of the harm that ensues from disclosure.

As it is so often the case that people are the weak link in the security of computer systems, it makes sense to develop legislation that will target this weakness, and strengthen the safety of personal data stored on computer databases.

References Allen, M., and S. Cooper. 2010. Elliot & Wood’s Cases and Materials on

Criminal Law, 10th Edition. London: Sweet & Maxwell. Bichard, M. 2004. Bichard Inquiry Report. London: The Stationery Office. Dolan, A. 2008. “Pensioner in Parking Row Died After Attackers Used Police

Computer to Track Him Down.” Daily Mail, February 5. Fafinski, S. 2009. Computer Misuse: Response, Regulation and the Law.

Cullompton: Willan Publishing.

16



Halsbury’s Laws of England. 2006. Criminal Law, Evidence and Procedure, vol. 11 (1), para. 536 (Misconduct in Public Office).

Information Commissioner’s Office. 2007. Data Protection Technical Guidance: Determining What is Personal Data, p. 6.

Malvern, J. 2008. “Pensioner Dies in Attack on this Home After Parking Space Row.” The Times, February 5.

National Centre for Policing Excellence. 2005. Code of Practice: The Police National Computer. London: Home Office, para. 40.

Ormerod, D. 2008. Smith & Hogan Criminal Law, 12th Edition. Oxford: Oxford University Press.

Parker, A. 2008. “Park Row Killer Pair Locked Up.” The Sun, April 5. Walden, I. 2007. Computer Crimes and Digital Investigations. Oxford: Oxford

University Press. Wasik, M. 2008. “Computer Misuse and Misconduct in Public Office.”

International Review of Law, Computers and Technology 22 (1–2): 135-143.

Case List

Attorney-General’s Reference (No 3 of 2003) [2004] EWCA Crim 868

Attorney-General’s Reference (No 140 of 2004) [2004] EWCA Crim 3525

DPP v. Newbury [1977] AC 500

Director of Public Prosecutions for Northern Ireland v. Maxwell [1978] 1 WLR

1350

Durant v. Financial Services Authority [2003] EWCA Civ 1746

Environment Agency v. Empress Car Co (Abertillery) Ltd [1999] 2 AC 22

Graham v. Teeside and another [1981] 81 LGR 117

Johnson v. Youden [1950] 1 KB 544

R v. Bryce [2004] EWCA Crim 1231

R v. Burstow [1998] AC 147

R v. Dawson (1985) 81 Cr App R 150

R v. Dica [2004] EWCA Crim 1103

R v. Dytham [1979] QB 722

17


R v. G [2003] UKHL 50

R v. Hardy [2007] EWCA Crim 760

R v. Keyte [1998] 2 Cr App R (S) 165

R v. Lamb [1967] 2 QB 981

R v. Malcherek and Steel [1981] 1 WLR 690

R v. Mitchell [1983] QB 741

R v. Pagett (1983) 76 Cr App R 279

R v. Watson [1989] 1 WLR 684

R v. White [1910] 2 KB 124

R v. Whitefield (1983) 79 Cr App R 36

Shum Kwok Sher v. HKSAR [2002] 5 HKCSAR 381

Legislation

Accessory and Abettors Act 1861, section 8

Computer Misuse Act 1990, sections 1 and 2

Criminal Justice Act 1991, section 17

Data Protection Act 1998, sections 1(3) and 55

Police Reform Act 2002, section 2

Police Act 1996, section 39A

18



Contemplating Criminal Liability for the Consequences of Unlawful Data Disclosure

Documents

Transcript of Contemplating Criminal Liability for the Consequences of Unlawful Data Disclosure