The High Court in Bangura v Loughborough University [2016] EWHC 1503 (QB) ruled 19 May that Loughborough University acted lawfully under the Data Protection Act 1998 (“DPA”) in supplying Leicestershire Police with the registration form of a student suspected of sexual assault and rape. In contravention of the university’s data protection policy, the registration form was supplied to Leicestershire Police before a written request for the form was received.

The claimant, Mr Bangura (who had been a student at the university), appealed an earlier summary judgment against him, arguing that the university’s disclosure of his personal data to the police – prior to receiving a written request – was an action which contravened its data protection policy. The claimant asserted that the policy formed part of his contract with the university, and sought permission to re-open his application for permission to appeal against an earlier order, and various other relief.

The court refused the application on the basis that it had no realistic prospect of success. Specifically:

  1. The claim under the DPA was rejected on the basis that Section 29 does not state that a request for information must be made in writing, and that the test for legitimate interests had been met.
  2. Section 29(3) permits a data controller to disclose personal data without an individual’s knowledge or consent (an exemption from Principle 1 of the DPA), where the disclosure is for the prevention or detection of crime, or the apprehension or prosecution of offenders.
  3. The disclosure of the claimant’s registration form was not a breach of contract, as the policy was not incorporated into the contract between the claimant and the university by either the policy itself, or the registration document.

The Information Commissioner’s Office provides guidance in both its data sharing code of practice and its checklist for data sharing, for organisations that disclose personal data. Organisations are advised to: (i) consider whether the sharing would be justified; (ii) consider whether it has the power to share; and (ii) record the decision to share. Organisations could avoid the administrative burden of court proceedings by including express wording in their data protection policies specifying the extent to which the policy has contractual force, and the potential of disclosure for criminal, fraudulent or legal purposes.