Police guidance on data deletion is flawed, says Information Tribunal

The data protection guidance given to police forces on when to delete records of criminal convictions is inadequate, according to the body which hears appeals under the Data Protection Act

The Information Tribunal, which adjudicates on appeals against orders from the Information Commissioner's Office (ICO), said that guidance issued to forces is unsuitable. The Tribunal said that the producer of the guidance, the Association of Chief Police Officers (ACPO), ignored its previous orders on the issue.

The censure comes in a ruling by the Tribunal in which three police forces have been ordered to block access to a set of old convictions data for minor offences because their retention breaks the Data Protection Act.

ACPO has produced a number of sets of guidelines for police forces on how it should treat convictions data on the Police National Computer (PNC). Previous versions of the guidelines were produced in association with the ICO, but a 2006 version was not.

"The Tribunal would observe that the 2006 Guidelines do not appear to be a suitable approach to the retention of conviction data in order to comply with the DPA [Data Protection Act]," said the ruling. "ACPO seems to have ignored the guidance provided in [a previous Tribunal ruling]."

That previous ruling, from 2005, called the code a "blunt instrument'.

"Any code regarding weeding or deletion should be much more sophisticated in its designation of the applicable criteria and that such matters as types of offence, age of offender, modus operandi, length of retention period, nature and extent of any soft information as well as other appropriate items, some of which were canvassed in the hearing, should be specifically incorporated in any revised code," said the 2005 ruling.

In the current case, the Tribunal has backed the Information Commissioner's ruling against five forces. They had kept conviction records dating back nearly 30 years for people who had committed minor offences and not re-offended.

One of the people was refused an opportunity to pursue her chosen career as a carer because of the retention of information about a reprimand, while another involved the person attempting to cheat a slot machine at the age of 15.

The Data Protection Act governs the keeping of information about people and says that information must be relevant and the length of time for which it is kept proportionate. The Tribunal has backed the ruling from the Information Commissioner's Office (ICO) that the police's retention of conviction data was not relevant and is excessive for policing purposes.

In each of the five cases the offences were a long time ago and the people had not re-offended. Some had suffered subsequently because the offences showed up in employers' background checks and one woman who was just 13 when she committed her offence was told at the time that the record of it would be deleted when she turned 18.

The ICO said that it hoped the ruling would create a precedent.

"We believe that this a landmark ruling which will have wider implications for police forces around the country and will ensure that irrelevant details of old criminal convictions are deleted," said assistant commissioner Mick Gorrill. "Those concerned were caused harm and distress by the retention of this data."

The police forces which have been ordered to delete the information from the National Police Computer system are Humberside, Northumbria, Staffordshire, Greater Manchester and West Midlands.

Ian Readhead, ACPO's spokesman on data protection issues, said that he too believed the ruling could have an impact on all forces' future behaviour.

"[The ruling] could have far-reaching implications for the police service as a whole," he said. "The Bichard Inquiry which followed the tragedy of the Soham murders recommended that forces should reconsider the way in which records are managed. It is now important that clear national guidelines are put in place so that forces take a consistent approach to the retention of criminal records. Our aim is to ensure that the police service can be in the best possible position to protect the public."

The Tribunal's ruling came after the police forces had appealed the ICO's original decision. A further appeal can be made. "We will now take some time to discuss these implications with the service and decide on the most appropriate course of action," said Redhead.

The Tribunal made a ruling in a similar set of cases in 2005 when dealing with incidents dating back almost 40 years. In three instances combined in one ruling it said that the police should keep the records on the national computer system as long as only police staff could access them.

That meant ensuring that the records did not appear on the register that was routinely searched by potential employers. The Tribunal emphasised in that ruling, though, that it was not meant to be a precedent and that every case had to be judged on its own facts.

In the current case ACPO argued that some records should be kept, but with access given only to the police. The ICO accepted that such an arrangement was sometimes suitable but not in this case.

The Home Office submitted written evidence claiming that the keeping of material on the database but only accessible to police was wrong in law in certain circumstances because other parties should be able to access the information.

The Information Tribunal said that police arguments that they had to keep data on the Police National Computer because it was needed by other bodies for the checking of criminal records were not right. It said that they were obliged to make available any data they had, but not obliged to keep any data for those purposes.

"If the government requires a different regime to operate then it will need to legislate accordingly with all the necessary safeguards that would be considered appropriate," it said.