Data Protection Act: Section 35

Part 35 Disclosures required by law or made in connection with legal proceedings 

(1) Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.

(2) Personal data are exempt from the non-disclosure provisions where the disclosure is necessary—

(a) for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or

(b) for the purpose of obtaining legal advice,

or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.


Data Protection Act: Section 27

Section 27 Data Protection Act

(1) References in any of the data protection principles or any provision of Parts II and III to personal data or to the processing of personal data do not include references to data or processing which by virtue of this Part are exempt from that principle or other provision.

(2) In this Part “the subject information provisions” means—

(a) the first data protection principle to the extent to which it requires compliance with paragraph 2 of Part II of Schedule 1, and

(b) section 7.

(3) In this Part “the non-disclosure provisions” means the provisions specified in subsection (4) to the extent to which they are inconsistent with the disclosure in question.

(4) The provisions referred to in subsection (3) are—

(a) the first data protection principle, except to the extent to which it requires compliance with the conditions in Schedules 2 and 3,

(b) the second, third, fourth and fifth data protection principles, and

(c) sections 10 and 14(1) to (3).

(5) Except as provided by this Part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.

Data Misuse: Examples of Police Data Misuse

Below are examples of the police misusing data. While the list is, thankfully, small, two things must be remembered:

Firstly the list only contains examples of police misusing data AND getting caught AND being arrested/convicted AND it being reported AND it being based in the UK AND being listed on this site  – this is a is a very limiting Boolean statement.

Secondly, the intent is not to show that the police are 100% corrupt, or imply that they are all taking backhanders, the list merely shows that these incidents occur and that data is not 100% safe with any organization. People are faliable and make errors, both in data handling and in judgment.

Examples of Police Data Misuse in the UK

Data Theft: Parliment

With the recent expose of politicians expenses, which came from a person taking data from Parliment, MPs want this leak stopped, and have apparently approached the police to investigate.

But, according to the Times, the in house legal team for parliament have told MPs that there is not a criminal offense, but rather a breach of contract.

This is wise advice, following the debacle of Damien Green.

The reason is that Section 55 of the data protection act, which effectively criminalizes data “theft” [strictly speaking its not theft, as no property has been stolen], has a provision that allows for data to be leak for public benifit. Section 55(2) (a) of the DPA  states that it is not an offence to if to take the data if in “the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.” In addition to this the Data Protection Act was amended by Criminal Justice and Immigration Act, allowing leaking of information for journalistic purposes

Leaking of information can often have a benefit to a community, and thankfully UK law recognizes this, and the MPs are now realizing this.

As data about MPs is leaked, this once again reminds us why too much data about you, stored about the government, even if its technically legal (most expenses are “within the rules”) is not a good idea.
the person who duplicated the vast volume of MPs’ invoices and other material had committed a breach of contract but not a criminal offence.

UK Law: Madoff Data

In an unusual, but not unsurprising move, the UK courts have allowed Madoff data to be sent to the US for further investigation.

Bernie Madoff, who was recently sent to prison for the $65 billion fraud, had companies in the UK as well as the US. The  liquidator in thies case Irving Pickard has requested specific data to be sent to the US, which the judge has allowed, but has not allowed all of the data to go, in a blanket ruling.

In the UK the data protection act prevents data from being sent out of the EU (under the 8th principle), unless there are adequate safe guards. There are exceptions, as there are with all laws, one of these is that if it is in the public interest the data should be allowed to move.

Electronic Discovery: Reviewing UK data from outside the EU

If data is processed and hosted in the UK, can it be reviewed from outside of the UK? How does the ICO view this? Does the Data Protection Act allow for review of data from outside of the EU?

Review platforms, such as Attenex, Relativity, RingTail, or IConect, allow for reviewers to plough through very large amounts of documents usually via a web browser. The reviewers can be anywhere in the world, as long as they have access to the internet.  E.g. a Manchester case, with the data hosted in London, can be reviewed by a law firm in Bristol. This example, of 3 UK cities, does not pose any legal problems. However what if the review is to be conducted outside of the UK? E.g if the data to be reviewed is from the UK, is processed and hosted in the UK, but reviewed by a  New York law firm, what does the law state about this?

The UK legislation says both a lot and very little about the subject.

The Data Protection Act has 8 core principles, it is the eighth principle which is most relevant in this case.   This principle states that ““Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

This means that data cannot be transferred out of the EEA, without permission of the custodian/person whose data it is, a safe harbor agreement, consent of the EU, or other acceptable EU security measure.

What does this mean for a reviewers? Is the data “transferred” out of the EEA durign a review? The term transfer is not described in legislation. Tools like Relativity, can prevent the physical of native documents, and only allow a “review” of the text or image (TIFF/PDF), this would imply that data was not transferred from the UK to the reviewers country (in this example the US), as it has not left anywhere. Also the act does not count transit as transfer.

However the ICO takes a different view. The ICO’s opinon on 2nd March 2008, and previously implied by the ICO, is that reviewing data from the the US (or any third party country) would effectively come under the eighth principle, as it is a transfer of data under the meaning of the act.

This taken alone would imply that reviewing data from a third party country, outside of the EEA would be an offence, which the ICO could prosecute for. With the ICO gradually gaining  more powers to protect data and privacy  in the UK, and pushing for more powers, the threat of a fine to law firms and data processesors has to be taken seriously.

However the ICO has stated that this problem can be resolved by a contract with the third party reviewing the data. For example if Company A was hosting data from Company B and Law Firm C, based in the US, wanted to review the data a contract between Company B and Law Firm C, guaranteeing the protection of the data, and suitable IT security by Company B and Law Firm C, should resolve the problem, and prevent any breach of the eighth principle.

Legal advice from an independent law firm and the ICO should be obtained in relation to transferring data outside of the UK. This article is provided for information purposes only and should not be construed as legal advice.

Law: Data Protection Act – 8th Principle

The Data Protection Act, whose enforcement comes under the ICO, has 8 core principles. The 8th principle, the one which most effects those in the electronic discovery industry, relates to the “transfer of data”.

The eighth principle states that:

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

The ICO has produced a paper in relation to the difficult subject of international data transfers.

The legislation in the UK and EU states that

The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if …the third country in question ensures an adequate level of protection.”

Somewhat inconveniently, the DPA does not define “transfer”, but it is excepted that “transfer” does not include transit. for example if a hard drive containing personal data has to go from the UK to Italy, but the courier, has to go via Russia (e.g for logistical reasons), then the data would not be, for the purposes of the act, considered to have been “transfered” to Russia, and therefore there would not be a breach.


Several third party countries have already shown that they have “adequate” data protection measures in place, these are:

  • Argentina
  • Canada
  • Guernsey
  • Isle of Man
  • Switzerland
  • Jersey

The US has an arrangment with the government to export specific data in relation to airline passengers. An upto date list of countires which are accepted as “adequate” is available from the EU.

However if data is to be transfered to third part countries if the data controller puts in place the correct procedures during the transfer to ensure there is adequate data security.

Where the data protection regime in the third country has not been subject to a Commission finding of adequacy, it is for exporting controllers to assess adequacy in a way which is consistent with the Directive and the Act. In carrying out this assessment of adequacy, the Commissioner would expect exporting controllers to be able to demonstrate how they have addressed the various criteria set out in this guidance.”

Like the term “transfer” the term  “adequate” security is not defined within the act, but there are criteria in relation to assesing the security needed.

  • the nature of the personal data
  • the purpose(s) of the proposed transfer
  • the period during which the data are intended to be processed
  • any security measures taken in respect of the data in the third country
  • the country of origin of the personal data; and
  • the country of final destination of the personal data.