The long arm of the law reaches in a university

There was an interesting post on Rory Cellan-Jones’ blog today regarding the intervention of the police in a dispute between a blogger and two of the subjects of his blog. I’ve not read the material concerned from either the complainants or the blogger but the dispute raises a number of interesting points.

The blogs were posted, at least in part, from a system within the University of Leeds. It appears that the individual was essentially tracked down from the IP addresses used on these occasions. The statement from the West Yorkshire Police indicates that a report of harassment had been received by their Surrey counterparts which they were investigating. Harassment is (I think) a criminal offence – one where an individual may be arrested by the police. So it is reasonable to assume that the police were involved as they were investigating or looking to prevent a crime.

In circumstances such as this the release of personal data is permitted under the Data Protection Act. The Information Commissioner’s Office has published guidance which is particularly useful. The guidance states that the exemption “only allows you to release personal information for the stated purposes and only if not releasing it would be likely to prejudice (that is, significantly harm) any attempt by police to prevent crime or catch a suspect”. In other words only that data pertinent to the person who is the subject of the inquiry should be released.

The guidance suggests a number of questions that should be addressed to the police (or other enforcement agencies) in these circumstances. The key ones are:
• Is the person asking for this information doing so to prevent or detect a crime or catch or prosecute an offender?
• If I do not release the personal information, will this significantly harm any attempt by the police to prevent crime or catch a suspect? (The risk must be that the investigation may very well be impeded.)
• If I do decide to release personal information to the police, what is the minimum I should release for them to be able to do their job?

Even if the answer to the first two is yes, it is not obligatory for the institution to release the data. The onus is on the institution (or more likely the Data Protection Officer) to decide whether or not to release the data under exemption. The guidance points out that if there are genuine concerns about releasing personal information, the police can be asked to obtain a court order requiring the release of the personal information.

The guidance includes some recommended good practice:

• Select a person or group of people within your organisation to make the decision whether or not to release personal information under the exemption.
• Ask for the request to be made in writing and signed by someone of sufficient authority.
• Make a record of each decision you make and the reasons why you came to that particular decision.

So institutions should have clear policies and procedures around dealing with requests from law enforcement agencies. The code of conduct for use of computers at the University is also pertinent here. The blogger was advised that he “shouldn’t be using university property in such ways”. There were probably a number of areas within the code of conduct that had been breached. For example, the UCISA model regulations include statements that “You must not send or view anything likely to offend others (e.g. porn, racist or insulting material)”. Posting could be regarded as sending and clearly in this case it had caused offence. Also there could be some argument that use of the institution’s I.T. facilities may have brought the institution into disrepute.

I suspect that the dispute only made the news because of the involvement of the police. Disputes happen all the time on the web and some end up in court, but usually in civil libel cases. What perhaps this case illustrates is that universities and colleges need to have solid procedures in place to deal with issues such as this.


2 Responses to “The long arm of the law reaches in a university”

  1. Tweets that mention The long arm of the law reaches in a university « Execsec’s blog -- Says:

    […] This post was mentioned on Twitter by Aline Hayes, Peter Tinson. Peter Tinson said: Posted a blog ( on procedures on legal issues following Rory Cellan-Jones' blog on a blog closure […]

  2. Andrew Cormack Says:

    Peter. To clarify the different legal processes. You’re correct that a request under DPA s.29 would have to be used if the police wanted to get access to the contents of files (as the BBC blog suggests happened in this case). But in cases where all they want is the name of the person using a particular IP address at a particular time then they can get that using an order under s.22 of the Regulation of Investigatory Powers Act 2000. With a RIPA order the recipient doesn’t have to (or have the right to) do the assessment of necessity and proportionality. Both provisions only apply to investigations of crime, by the way, so the fact that harassment is a crime is indeed significant.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: