Obtaining a court order for disclosure

I am not a lawyer, and free legal advice is generally worth exactly what you paid for it, however there is a hole in the online documentation when it comes to the procedure you must follow if you want to obtain information which is covered by the Data Protection Act 1998 (DPA) but which is not about you.

Let us say, hypothetically, that you have been harassed on the internet by someone who conceals their identity behind a pseudonym. You may wish to take legal advice about this, or perhaps apply for an injunction to require them to stop. In order to do this you will need a name and an address for service of documents. This information is held by the internet service provider they use, and possibly by other service providers such as, say, telephone companies whose service has been used to make nuisance calls. But this information is private data and protected under the DPA; this is very frustrating if the person has been using the protection afforded them under the Act to violate your privacy.

Your right to obtain data

The DPA contains a clause in section IV which is specifically designed to cover this. Section 35 reads as follows:

35 Disclosures required by law or made in connection with legal proceedings etc.

(1)Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.
(2)Personal data are exempt from the non-disclosure provisions where the disclosure is necessary—
(a)for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or
(b)for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

The police can use the Regulation of Investigatory Powers Act 2000 (RIPA) to make a request directly, and many service providers will act on this. You, as a private individual, do not have this ability. The police may be reluctant to act without a credibly identified suspect as the trail may easily go cold and leave them with no outcome after in some cases a significant amount of work. So you are in a Catch-22 situation.

This is when you have to learn how to get data from data custodians under the provisions of the DPA. There is plenty of documentation on how to get data where you are the subject - these are called Subject Access Requests - but precious little on how to obtain third party data for the purposes of securing your legal rights.

What you have to do is to apply to a court for a Norwich Pharmacal order (an order for disclosure as outlined in Section 35(1) DPA) by invoking your rights as defined in Section 35(2). In order to do this you have to demonstrate:

  1. That you have good cause to require the data
  2. That the cause is linked to the data custodian against whom you wish to make the order
  3. That the identified data custodian is likely to have the data you require

Section 35(2) allows for a fairly broad definition of the purposes for which you might need the data: "for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights" allows the court significant flexibility in determining the legitimate purpose to which the data will be put.

What you will need

Evidence of an offence or tort

There are two kinds of wrongdoing: criminal offences and civil torts. Some Acts of Parliament allow for both civil and criminal penalties. Some likely relevant legislation in a case of harassment, stalking or cyberstalking are:

Protection from Harassment Act

The Protection from Harassment Act 1997 is a powerful piece of legislation which covers sustained abusive behaviour. Right at the outset it establishes the offence of harassment thus:

1. Prohibition of harassment

(1)A person must not pursue a course of conduct—
(a)which amounts to harassment of another, and
(b)which he knows or ought to know amounts to harassment of the other.
(2)For the purposes of this section, the person whose course of conduct is in question ought to know that it amounts to harassment of another if a reasonable person in possession of the same information would think the course of conduct amounted to harassment of the other.

You can ask for disclosure if you can show that you have reasonable grounds for believing that someone has engaged in a course of conduct which is unreasonable, which amounts to harassment, and which that person would or should have known was harassment.

Factors which affect this might include:

  • The duration of the course of conduct
  • The number of different ways it has been pursued
  • The severity of the conduct

So if someone has attacked you in one place online, then followed you to another place online, then made nuisance telephone calls or visited your home, then you probably have a good case that they are harassing you.

Remember, in order to obtain an order you do not need to prove the case to either criminal or civil burdens of proof, you only have to show that you have good cause to believe that you are the victim of harassment by an individual.

Malicious Communications Act

The Malicious Communications Act 1988 is an act which covers nuisance telephone calls, poison pen letters and so on. It defines an offence thus:

1. Offence of sending letters etc. with intent to cause distress or anxiety.

(1)Any person who sends to another person—
(a)a letter, electronic communication or article of any description which conveys—
(i)a message which is indecent or grossly offensive;
(ii)a threat; or
(iii)information which is false and known or believed to be false by the sender; or
(b)any article or electronic communication which is, in whole or part, of an indecent or grossly offensive nature,
is guilty of an offence if his purpose, or one of his purposes, in sending it is that it should, so far as falling within paragraph (a) or (b) above, cause distress or anxiety to the recipient or to any other person to whom he intends that it or its contents or nature should be communicated.

It defines an electronic communication thus:

2A)In this section “electronic communication” includes—
(a)any oral or other communication by means of a telecommunication system (within the meaning of the Telecommunications Act 1984 (c. 12)); and
(b)any communication (however sent) that is in electronic form.

Phone calls, emails, faxes, even tweets, all are electronic communications.

Probably the least ambiguous of these is nuisance phone calls, and if your receive these you may find that the action you have to take in order to preserve your quality of life - call barring, changing your telephone number and so on - impedes the collection of evidence. Many recipients of nuisance calls also find that the hassle of changing phone numbers is too much, or are intimidated by the complexities of dealing with phone companies' abuse departments.

What you can do is to buy a phone that screens calls, like the Panasonic KX-TG9333T, which has a night mode (so only your close family can call at times you define), call blocking and so on. This, combined with caller ID and anonymous call barring, should allow you to keep on with your life and avoid huge upheaval - it will also allow you to establish that it is genuine nuisance and not a mistake. When you have recorded details of perhaps 20 or 30 calls perhaps at unsocial hours, all of which have been dutifully blocked and logged by the handset, then you will know that it is worth taking action.

In some cases people use reverse charge services such as 0800 Reverse or 0800 MumDad. This adds one step to the process in that the caller IDs of the inbound (A) party are also considered private under the DPA and you will need to obtain an order to get the data. Once again the police can use a RIPA request, which these companies usually promptly accept, or you can use the court order process outlined below.

Computer Misuse Act

The Computer Misuse Act 1990 is designed to cover what is colloquially termed hacking. It defines three main offences:

1. Unauthorised access to computer material.
(1)A person is guilty of an offence if—
(a)he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured ;
(b)the access he intends to secure, or to enable to be secured, is unauthorised; and
(c)he knows at the time when he causes the computer to perform the function that that is the case.
2. Unauthorised access with intent to commit or facilitate commission of further offences.
(1)A person is guilty of an offence under this section if he commits an offence under section 1 above (“the unauthorised access offence”) with intent—
(a)to commit an offence to which this section applies; or
(b)to facilitate the commission of such an offence (whether by himself or by any other person);
and the offence he intends to commit or facilitate is referred to below in this section as the further offence.
(2)This section applies to offences—
(a)for which the sentence is fixed by law; or
(b)for which a person who has attained the age of twenty-one years (eighteen in relation to England and Wales) and has no previous convictions may be sentenced to imprisonment for a term of five years (or, in England and Wales, might be so sentenced but for the restrictions imposed by section 33 of the M1Magistrates’ Courts Act 1980).
(3)It is immaterial for the purposes of this section whether the further offence is to be committed on the same occasion as the unauthorised access offence or on any future occasion.
(4)A person may be guilty of an offence under this section even though the facts are such that the commission of the further offence is impossible.
3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
(1)A person is guilty of an offence if—
(a)he does any unauthorised act in relation to a computer;
(b)at the time when he does the act he knows that it is unauthorised; and
(c)either subsection (2) or subsection (3) below applies.
(2)This subsection applies if the person intends by doing the act—
(a)to impair the operation of any computer;
(b)to prevent or hinder access to any program or data held in any computer;
(c)to impair the operation of any such program or the reliability of any such data; or
(d)to enable any of the things mentioned in paragraphs (a) to (c) above to be done.

The key text here is access to any program or data. If authorisation to use a computer is contingent on acceptance of terms of service, and a person egregiously violates those terms of service, then this may be considered unauthorised access.

Communications Act

The Communications Act 2003 is the act which established OFCOM and allowed foreign ownership of broadcast media. At first sight its relevance is not clear, but it turns out that there have been convictions (e.g. Gregory Straszkiewicz convicted for "piggybacking" under the Communications Act and Computer Misuse Act. Straszkiewicz' actions were not malicious, he just wanted to get WiFi access form his car; the going rate seems to be a police caution in such cases. If, however, it is done with malicious intent, then the penalties may well be more severe.

"Libel Act"

The Libel Act is not a single Act of Parliament but is a portmanteau term for a branch of legislation aimed at the protection of reputation, including malicious falsehood, criminal libel and defamation.

The English law on libel and defamation is famously broken but it is also very strong; the considerations here might be:

  • Is the statement true
  • Is it an opinion that a reasonable person might hold
  • Is it uttered with malicious intent
  • Is it intended to damage the reputation of the target.

It is a complex (read: incredibly expensive) area of law. You will lose even if you win, as Simon Singh says, so this is a nuclear option.


A nuisance is a common law tort, one of the oldest pieces of legislation we have. A nuisance is committed where someone interferes materially with your "right of quiet enjoyment" of your real property.

Evidence of cause

The most important thing you must do is meticulously gather evidence. While not responding to the individual you will need to get full details of every part of a "course of conduct" for the protection from harassment act, and incident s under the other acts.

For email messages, posts to Usenet and the like, you need full headers. SpamCop have a handy guide to doing this for many common mail clients. For social networking sites you need to keep copies of any messages you send to administrators and their replies, especially any case reference numbers and dates.

The offences above are not designed to cover the nasty man being horrible to you. If you arrive at a website, post something lame and get flamed, then that's all part of the rough and tumble of the internet (though there may be exceptions if the victim is obviously vulnerable or if the abuse is especially vicious).

The sorts of thing that are likely to be considered offences under the legislation above are:

  • Causing you to go in fear of harm, for example if you believe the person has poorly controlled impulses and a violent temper.
  • Privacy violations, including obsessive interest in your family or personal life, teazing out elements of information and posting them combined in a way that might invite identity theft and so on.
  • Egregious violations of terms of service. Report abuses to service providers as they happen and keep the responses. If the individual has their service disconnected this is evidence that you have good cause to believe the conduct was unacceptable.
  • Repeated terminations of service. If a person is known to have received several warnings or had their service disconnected more than once then you have a strong case for believing that the conduct is both unlawful and known to the individual to be so. Note the term in the Protection from Harassment Act: which he knows or ought to know amounts to harassment of the other - warnings and service disconnections are a heavy clue that you are doing something wrong!
  • Continuation over multiple venues. If the person follows you to social networking sites or other websites unconnected with the original venue then this is stepping over the line of normal interpersonal dispute.
  • Libel or defamation. Even if you do not intend to pursue damages for defamation you are legitimately entitled to apply for an injunction preventing the person from repeating it (and if they violate this injunction then they are guilty of contempt of court and can be fined and / or imprisoned.
  • Malicious remarks that can have no purpose other than to cause hurt.
  • Visiting your house or otherwise interfering with your "right of quiet enjoyment".

If you can show evidence that these kinds of things have happened, and can honestly state that they have had a negative impact on your life then a court may consider that you have reasonable grounds for requiring data.

Evidence of link

You will need to establish a link between the conduct and the provider from whom you seek data. If the individual is deceitful or has become wary of service disconnection this may prove difficult. However, once again, you are not in court fighting the actual case, you are merely establishing that there is a case to answer; good circumstantial evidence (for example linking style, the software used, such as an unusual email client, and themes) should be sufficient.

Remember, the Information Commissioner's Office have god-like powers. Service providers will not risk falling foul of the DPA. If you get someone's data form the provider and they have not fought their corner, they may be subject to stinging sanctions.

The degree of resistance will depend on the case and the information. If the only information is telephone numbers (for example if they have used a reverse charge calling service) then the mere existence of the calls is evidence of an issue, especially if they are at unsocial hours, and an order is unlikely to be defended. ISPs on the other hand will defend an order because it may not be their subscriber who is committing the abuse. The important thing to remember here is that while they might defend it, this is not a trial of the individual, nor of the case for abuse, it is a question of whether you have reasonable established that the provider has data which is necessary to you in order to exert the rights afforded you under Section 35(2) of the DPA.

It's a lot like an indictment. It is not itself a hearing f the case, but an initial establishment that there is a case to answer.

Make it easy for the data custodian. Present your documentation in a clear timeline, show evidence of any characteristic behaviour such as repeated phrases or themes, and show evidence that this behaviour is linked to their service.

Example: A person has falsely accused you of murder using a certain online identity. Over time they become wary of explicitly stating this, perhaps because they have had their service disconnected or have been warned by their provider. A different identity pops up making the same claim, which has not been made by anyone else. This cannot be explicitly linked to the service provider, but the course of conduct can be so linked. To demonstrate this to the court's satisfaction, then, you need to show that there is a strong circumstantial link between the recent offence, the user of the service, and perhaps the user's history with other providers.

Apply for an order

Amazingly, this is actually the easy bit! Once you know how.

  • Find the address of your local county court.
  • Download form N244 from the Courts Service website; it includes notes for guidance.
  • Fill in the form. Remember that:
    • What you are requesting is an order against the service provider (who must be listed as defendant). This can be stated in plain English, and is best put in simple terms, such as "To provide such information as they hold on the subscriber using their service with IP address <x> on date <d>" or "To provide such information as they hold on the subscriber involved in <provider>'s abuse ticket reference <y>". You can list numerous tickets, numerous IPs and dates, but space is limited; if you run out then there is an option to enclose a draft order. You do not need to do this unless there is insufficient space.
    • You want it dealt with at a hearing. It is not such a common occurrence that they are likely to deal with it any other way.
    • The level of judge required is a District Judge.
    • The application should be served on the service provider at their registered address (it will normally be heard at your local court but might be listed closer to them).
    • Under what evidence, you check "the evidence set out in the box below" - you can continue on as many additional pages as necessary. This is called a "statement of truth" and has similar legal status to a police statement. You must sign it (and it;s a good idea to sign every page) but it does not need to be sworn and witnessed as an affidavit would.
    • The statement does not need to contain the evidence; you should include that as well and in the statement say "according to the evidence supplied" or some other terms referencing it.
    • Avoid cod-legalese. Write in plain English.
    • State at the beginning what offences or torts you believe have been committed, that you are making a request for an order for disclosure of data under Section 35(2) of the Data Protection Act 1998 and why require this data, for example in order to pursue an injunction or civil remedy or to take legal advice. Remember, Section 35(20 explicitly includes prospective legal proceedings and is designed for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
    • Outline the injurious acts you believe have been committed, again avoiding cod-legal. "A person unknown to me whose online identity is X has pursued a campaign of harassment and vilification against me for three years. This has caused me significant alarm and distress. The incidents have included X, Y, X. I have enclosed evidence of these acts" - tell the story as you would to a sympathetic friend, in just enough detail to establish why you feel aggrieved and why you feel there is a pressing need to establish the identity of the individual involved.
    • State why you need the information. "I cannot take action to protect my reputation without an identity and an address for service of documents", for example.
    • Anticipate objections. "I understand that the defendant will be under a duty to protect their subscriber's identity as the course of conduct may be the action of another person, perhaps a family member or tenant; however, the subscriber is responsible for the use to which the service is put and it will not be possible to identify the person responsible, even if it is not the subscriber themselves, without the subscriber's details.
    • Under likely duration, put 15 minutes.
    • Finally, be sure to note any dates you would be unavailable for a hearing (planned holidays, periods travelling on business etc)..
  • Take the form, any additional pages, and any supporting evidence to the court. The application fee is currently £80 er order (they should take credit cards). You need three copies of everything, do this beforehand, even if your court has a copier they will charge the earth!
  • You can file multiple applications with multiple defendants. You will be charged a fee per defendant. If you hand them all in together, there should be a single case number and hopefully a single hearing.

The hearing

This is an adversarial hearing. If the matter is contended you will be seated opposite a representative of the company. You are asking for an order against them, they are defending it. Be prepared. Know your evidence and material, have your copy to hand. Have a note pad and pen. Be respectful to the judge and courteous to all concerned. If there are misunderstandings then apologise and ask for a moment to clarify them with the defendant. You can meet beforehand or afterwards if you wish.

Remember, the judge needs to know that there is reasonable grounds to suppose an injury has been done to you. Speak clearly and do not rush.

At the end of the hearing the judge will either make the order, defer to a later hearing, or decline the application. I do not know what the route for appeal is at this stage as it has not been necessary thus far.

What to do when you get the information

If you believe that offences have been committed then you must report this to the police. They will be much more willing to act if you have concrete evidence in the form of responses to court orders which identify the person you suspect is responsible.

You should ask the police about civil proceedings, and whether initiating civil proceedings would compromise or hinder their investigation.

Do not make the information public. You may have shared suspicions and perhaps the reasons for those suspicions, but once you have data which was protected under the Data Protection Act I think it would be wrong to use it for any purposes other than that for which it was provided, plus potentially preventing further abuse. It may be tempting to shout from the rooftops that you have proved it to be So-and-so of Such-and-such Street, Boring-on-Thames, but that would be wrong.

Any information presented in open court will become a matter of record; at that point you may be able to make a moderate statement. I would recommend you take advice before doing so.

OK, I hope that helps you ins some small way.