A recent blog post generated some comments on Twitter about the privacy rights of criminals vs. the desire of victims’ families to know more and the public’s right or need to evaluate the performance of governmental agencies. While transparency and freedom of information are often clarion calls in the U.S., it appears that criminals in other countries have more privacy rights or human rights than over here. I invited Jon Baines to write up his perspective on the UK case that started the conversation. Jon is a UK citizen with a special interest in data protection and privacy matters. The following is his guest commentary:
The Kilmarnock Advertiser, a Scottish newspaper, recently reported on the efforts by parents of a murdered woman to find out more from a local council about the reasons for her killing.
The paper reported:
THE parents of murdered Kilmarnock woman Vikki McGrand have been left in the dark about her death – because releasing details would breach the rights of their daughter’s killer.
South Ayrshire Council says it cannot give specific information about monster Gavin Boyd as it would be illegal under data protection laws.
Although the story goes on to suggest that the Council will make public an “executive summary” of a report into its supervision of the killer, under Data Protection legislation it is probably correct to take a cautious approach to disclosure.
The United Kingdom Data Protection Act 1998 (the “DPA”) requires that any organisation holding data on an individual must abide by the Act. “Personal data” is, broadly, any information identifying an individual. “Sensitive personal data” is a sub-category of the former, and is, again broadly, data about the individual’s racial origin, political opinions, religious belief, sexual life, physical and mental health and the commission or alleged commission by the individual of any offence. The conditions which permit disclosure of sensitive personal data are very restricted. There is no general “public interest” condition which permits disclosure of sensitive personal data.
In this case, it appears that the Council has undertaken a review into its handling of its supervision of the killer. If, as seems likely, this review was an ad-hoc one, not governed by any statutory obligations, the Council has to consider carefully whether it has legal powers either to disclose to individuals, or make public, information in the subsequent report. The report presumably contains information relating to the killer’s mental health and certainly relating to his commission of an offence, and so would certainly contain, in large part, his sensitive personal data. Unless the Council can show that publication or disclosure to the parents is legally necessary, it would probably be in breach of the DPA if it did either (the “executive summary” will probably be carefully worded in order to avoid such a breach, and will stick to generalities or information already in the public domain).
This is not to say that sensitive personal data of a murderer could never be disclosed or made public. For instance, if the disclosure was necessary to protect “vital” interests (i.e. there was a risk to someone’s life), or if it was made as part of a statutory inquiry, then suitable conditions for the “processing” would exist.
It’s instinctive to feel, on a balance of interests, that parents of a murdered woman have a right to know details of the health and social supervision of the person who killed their daughter. However, a murderer does not surrender all his rights upon conviction, and, it is probably the case that, under the DPA at least, no mechanism exists to permit disclosure of such information.