Saturday, 10 March 2012

Data protection concerns over release of SCCRC Megrahi report "wrong-headed"

[The following are excerpts from a recent post on the 2040 Information Law Blog:]

One of the perennial Data Protection annoyances is the way that people cover ignorance, laziness or downright dishonesty by hiding behind the Data Protection Act as the excuse not to do something (it’s almost always the justification for not providing personal data to someone else in entirely justifiable circumstances). (...)

However, the Scottish Government’s current claim that the DPA prevents disclosure of information about Abdelbaset Mohmed Ali al-Megrahi’s conviction and appeal are wrong-headed, and risk damaging perceptions of the Act at a time when phone-hacking and online security have finally broken though and made more people concerned about how their data is used. The most recent stage in this farrago sees Kenny MacAskill asking Kenneth Clarke to allow Scotland an exception from the DPA so that they can finally put Megrahi’s records out there. They claim that the DPA hurdle is the only thing stopping them from giving the information out. (...)

Firstly, Clarke – or any other member of the coalition – cannot give the Scottish Government an exception from the DPA, because no such power exists. They would have to amend the whole Act. A cynic might suggest that they know this, and hope to implicate the UK government in whatever problem that Megrahi’s non-death and the alleged miscarriage of justice presents. There are those who accuse the Scottish Government of using the release as a bargaining chip to get Megrahi’s appeal dropped. The Scottish Government and Kenny MacAskilll refute this entirely. But asking for an exception is hogwash – either the DPA offers a solution on its own terms or it doesn’t. If MacAskill wanted a pragmatic solution, he could ask the Information Commissioner Chris Graham if he would be willing to exercise his discretion and not take any action should there be some complaint about the release. Admittedly, the ICO is not the most bold or imaginative regulator, but while Clarke cannot wish the DPA away, Graham can choose not to take forceful and painful action when a breach takes place, if he has a justification for doing so. As FOI regulator, he would hardly struggle to identify a public interest in transparency that justifies stepping back.

If the Scottish Government publishes, Megrahi could of course sue under Section 13 of the Act for the damage caused to him by the disclosure. A gentleman in the South West did just that recently, but it’s odd for Salmond and his colleagues to back away from a fight, especially as they would surely consider any damages to be a small price to pay for transparency. There is, in any case, a precedent for a politician ignoring the normal rules of privacy and confidentiality in favour of expediency, when the Coalition published the Baby P Serious Case Review despite the fact – for good public interest reasons – they are normally kept secret. And besides, the man is dying. He has other things on his mind.

But the Scottish Government is still in luck. There is a routine way of disclosing information about Megrahi’s appeal without breaching the Data Protection Act. The issue breaks down like this: to process the records (in this case, to publish them), the Scottish Government needs to ensure that the processing of his records is fair, lawful and meets two conditions, one for Schedule 2 and one from Schedule 3. And all they need is Megrahi’s consent. This would make the disclosure fair, lawful and would meet the two conditions. Megrahi has already said that as long as all the documents relevant to the case are disclosed, he will consent. There’s a lot more about that here:

Rather than a time-wasting trip to Ken Clarke that everyone in Holyrood must know is a dead end, why not just put everything in front of the court of public opinion?  So I see two possibilities: either the Scottish Government doesn’t employ people who understand the Data Protection Act (I’ve met some of them, and they absolutely do), or there are things that Megrahi wants in the public domain that the Scottish Government doesn’t. I don’t know if Megrahi is guilty or innocent, and I don’t care. The families of the 270 people who died in the Lockerbie outrage are absolutely blameless, and they deserve total transparency regardless, so what possible objection could there be?
The author John Ashton has already suggested that the Scottish Government might be looking for reasons to delay publication ( and waving the DP card is not a sign of good faith in my experience. Given that I subscribe to the Bill Hicks Theory of Government, I’m not the best person to judge a politician’s motives. But motives are irrelevant to the main point here: Data Protection does not prevent the disclosure of the records, and the Scottish Government should not say that it does. Such statements are a red rag to every idiot who wants to ignore DP because they don’t have the patience to follow its sensible principles. All the Scottish Government needs is Megrahi’s consent, and he has explained what they need to do to get it. All he asks for is further transparency, which is surely what we should all want. Too many people died to mess this one around any longer.

And one final thought: if MacAskill really does want transparency, all he has to do is wait. The biggest exception to Data Protection is mortality – when Megrahi dies, the DP objections go with him.


  1. [What follows is the text of an e-mail message received today from's Peter Biddulph.]

    Seeing the latest piece on your blog, I find this kind of thing sad and disconcerting. Just where is our society going when failures of public duty can be concealed behind the specious claim of "protect my personal data and human rights"?

    The SCCRC report reveals the context within which certain parties view the SCCRC’s report. The reasons for its attempted concealment are clear.

    In a briefing note written 15th May 2007 DI Dalgleish advises his colleagues of “expectation that the SCCRC’s statement of reasons ... is likely to question the integrity of Anthony Gauci’s evidence and also reveal that he and his brother have received substantial payments from the American authorities... While Mr Scicluna recognises that the issue of payments by the American Rewards for Justice programme was engineered only after the trial and subsequent appeal process had concluded, he agrees there is scope for distorted or malicious reporting of the facts and a real danger that if SCCRC’s statement of reasons is leaked to the media, Anthony Gauci could be portrayed as having given flawed evidence for financial reward…”

    We must recall that flawed evidence for financial reward is exactly what Gauci did give.

    Dalgliesh omits the fact that an offer of “unlimited money with $10,000 available immediately” was made available to Gauci in September 1989, just two weeks after his first of many interviews by Scottish police.

    My understanding of Data Protection legislation is that it protects an individual from unjustified exposure of his or her personal identifiers, or exposure outside the terms and conditions under which that data has been provided. In the case of the SCCRC’s findings, I consider that publication would be entirely justified on the grounds of public interest and natural justice.

    I hope you would agree that the purpose of Data Protection legislation has never been, nor should it ever be, to protect an individual from exposure of failure of public duty under the law.

  2. That last sentence of the article is pretty strange. It's not Megrahi who might want to prevent stuff being released under the DPA.