Out-Law / Your Daily Need-To-Know

Police infringed database rights of forensics firm in misusing confidential information, High Court rules

Out-Law News | 14 Nov 2011 | 12:40 pm | 4 min. read

A UK police force breached database rights and misused confidential information stored on a company's database when it shared the data on an online law enforcement forum, the High Court has ruled.

The Court ruled that West Yorkshire police (WYP) was "vicariously liable" for a breach of confidence and the misuse of data by its chief constable, Stephen Hirst, when he posted data that enables mobile phone handsets to be individually identified onto a police forum.

Mr Justice Arnold had earlier ruled that WYP and Hirst violated the database rights of Forensic Telecommunications Services (FTS), a firm that specialises in extracting data that helps identify the handsets.

Database rights provide legal protection over the investment individuals put into the creation of databases. The rights exist independently of any copyright protection that may apply to that content. Under copyright law, however, facts cannot be copyrighted, meaning the content of databases is sometimes only protectable under the database rights legislation. Those rights are determined on the basis of the level of investment involved in the creation and arrangement of the database.

FTS licensed the use of its automatic data decoding software to the UK Security Services in order for officers to recover deleted mobile phone data. The licence agreement also included the provision of a database containing "a considerable number of Nokia mobile phones and compiled lists" relating to individual identification numbers for devices.

A Security Services officer shared some of FTS' data with Hirst when he was conducting investigations as part of a "major counter-terrorism" operation. Hirst, working in WYP's High Tech Crime Unit (HTCU) at the time, had been using less efficient 'trial and error' decoding methods in an attempt to identify devices obtained during the operation.

When Hirst shared the information with other law enforcement officers on a phone forensics website forum he had helped set up, he was in breach of confidence and misused the data for a purpose not intended when the Security Services officer had shared it with him, the judge ruled.

"Mr Hirst received at least a substantial copy of the [database] from the Security Service officer during the period of 9-11 June 2006 and that the officer gave it to Mr Hirst in order that Mr Hirst could assist him to extract and decode data from the mobile phones under examination in [the counter-terrorism operation]," Mr Justice Arnold said in his ruling.

"At that time, Mr Hirst was aware that FTS was a commercial supplier of forensic services and [FTS' data decoding software] was licensed to the Security Service, but not to WYP," the judge said. 

"I consider that a reasonable person standing in the shoes of Mr Hirst would ... have appreciated that the information was confidential and that it was being disclosed to him for a limited purpose. Accordingly, Mr Hirst came under an equitable obligation of confidence to use the information only for that limited purpose. It follows ... that Mr Hirst misused FTS's confidential information when he posted the [FTS database contents] on the [forum] on 20 June 2006 and when he made copies of it for his own and his colleagues' use within the HTCU." the judge said.

Mr Justice Arnold had earlier determined that FTS was entitled to database rights for the mobile handset identification database it had compiled. He said the company had earned the rights as a result of the "substantial investment" it had put in to "obtaining and verifying the data" on its database.

Mr Justice Arnold said Hirst was liable, and WYP vicariously liable, for infringement of FTS' database rights, but said neither was liable for a further infringement of rights that had occurred when some of FTS' data became contained on a separate database that had been developed.

"I consider that Mr Hirst did extract and re-utilise a substantial part of the contents of the database both quantitatively and qualitatively," the judge ruled.

The judge rejected further claims made by FTS relating to copyright infringement, ruling that the database contained "no structure" that was copyrightable.

Legal protection for the content of databases is provided by the database right under the EU's Database Directive, regardless of the copyright protection. Facts and other pre-existing data are not copyrightable because they are not original in the sense that they have been created by the author. The Directive was implemented into the UK's Copyright and Rights in Databases Regulations in 1997 and confers rights on the person who put in a substantial investment into the collection and arrangement of the data contained in the database.

Under the Regulations a person is generally deemed to have infringed database rights if they extract or re-utilise all or a substantial part of the contents of a protected database without the owner's consent.

Database rights are automatically bestowed on databases as soon as the database exists in a recorded form. The rights last for 15 years from the end of the year that the making of the database was completed or, if it was published during that period, 15 years from the end of the year in which the database was first made available to the public.

There are a number of "permitted acts" set out in the Regulations. A database right in a database which has been made available to the public is not infringed by those who use it for non-commercial 'fair dealing', provided the source of the material is indicated.

Under the Regulations extraction and re-utilisation is also permitted when it is not possible by reasonable inquiry to ascertain the identity of the maker and it is reasonable to assume that the database right has expired.

Iain Connor, an intellectual property laws expert at Pinsent Masons, the law firm behind Out-Law, said that although database rights are sometimes seen as a poor relation to other intellectual property rights, they should not be forgotten.  

"Companies invest vast amounts of money gathering data from a variety of sources to give that data a business purpose," Connor said. "Even though such companies did not create the data by their investment they have certainly created a protectable asset which cannot be used without permission.  It seems like the police force simply regarded FTS’ expertise in this area as public property but the judge disagreed which serves as a lesson to anyone using someone else’s database."