The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

Data protection as a shield for data controllers

12 October 2021

In FF v Secretary of State for the Home Department [2021] EWHC 2566 (Admin), Dove J considered the impact of the Data Protection Act 2018 on the disclosure of information about an individual’s immigration affairs to a third party, the claimant, who had asked the Home Secretary to exclude that individual from the UK, on the grounds that he was involved in torture in Bahrain.

Dove J held that the (non-)existence of a decision about exclusion, and the reasons for any such decision, were personal data about the individual concerned. He does not appear to have considered the requirement for that data to be being processed by automatic means or in a structured filing system, which raises an interesting issue if no decision had in fact been taken: how can the absence of a decision be ‘processed’ in such a way as to make it personal data? He held that, on the Home Secretary’s own policy, there was no public law requirement or duty for any decision to be communicated to the third party.

However, if there had been, that would arguably have provided a basis for the processing of the personal data being necessary to comply with a public law obligation, applying Cooper v NCA [2019] EWCA Civ 16. That case is a useful reminder of the breadth of obligations that can justify processing personal data where it is necessary to do so.

The judge also noted that the Home Secretary was entitled to ‘approach her dealings in relation to the immigration affairs of individuals as being sensitive and confidential to them, and not to make them available to third parties.’ That accords with the Home Secretary’s general practice, but it is perhaps surprising that the claimant did not rely on SSHD v G & H [2020] EWCA Civ 1001, in which the Court of Appeal was not persuaded that ‘the confidentiality of information relied on by an asylum applicant should be treated any differently from other categories of confidential information’. That said, in this case, where there was no public law obligation to disclose, no doubt the result would have been the same: immigration information is still confidential, and in G & H the issue was whether that confidentiality should be overridden by a court order for disclosure, which avoids data protection issues (by Art 6(1)(c) UK GDPR for ‘ordinary’ personal data, Art 9(1)(f) UK GDPR for special category data, and para 34 of Sch 1 DPA for criminal offence data, for those taking notes).

FF does not break substantial new ground in the information law field, but it’s a useful example of how data protection can arise in a wide variety of contexts – and how, for any data controller, it can be a shield against claims, as well as a potential risk.

Further reading

FF v SSHD [2021] EWHC 2566 (Admin) (in which Saara was junior counsel for the SSHD; she did not contribute to this piece)

SSHD v G & H [2020] EWCA Civ 1001 (in which John was junior counsel for the SSHD, led by Alan Payne QC

The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.

Visit the Information Law, Data Protection and AI area

Search The Data Brief

Portfolio Builder

Select the practice areas that you would like to download or add to the portfolio

Download    Add to portfolio   
Title Type CV Email

Remove All


Click here to share this shortlist.
(It will expire after 30 days.)