The Information Commissioner’s Office has closed its criminal investigation into the disclosure of CCTV footage that led to the resignation of Matt Hancock MP as Secretary of State for Health and Social Care.

In June last year, The Sun newspaper published CCTV images depicting Hancock kissing Gina Coladangelo – a friend and non-executive director at the Department of Health and Social Care – inside his ministerial office. The images were reportedly taken on 6 May 2021 – prior to the Government lifting the social distancing guidelines which prohibited intimate contact with anyone outside a person’s household. Hancock resigned the day after the images were published.

EMCOR Group plc, who operated the CCTV systems for the Department of Health and Social Care, reported a personal data breach to the Information Commissioner – who then launched a criminal investigation. In July, data protection officers searched two homes in the South of England, where they seized computer equipment and electronic devices.

The Information Commissioner’s investigation was criticised by The Sun editor Victoria Newton, who argued that the story “was clearly in the public interest” and that the investigation would “in the future, stop whistleblowers coming forward to papers”.

In its statement following the conclusion of the investigation, the Information Commissioner’s Office noted that it had a “legal duty to carry out an impartial assessment of the evidence”, given the “seriousness of the report” and “the implications it potentially had for the security of information across government”. However, it was found that there was insufficient evidence to prosecute two people suspected of unlawfully obtaining and disclosing the CCTV footage. The statement indicates that the leaked images were most likely obtained by someone recording the CCTV footage screens with a mobile phone, but that six phones retrieved during the execution of search warrants did not contain the relevant CCTV footage.

The criminal offence being investigated was the “unlawful obtaining of personal data” under section 170 of the Data Protection Act 2018, which makes it illegal to obtain, disclose or retain personal data without the consent of the controller. However, it is a defence to prove that this was “necessary for the purposes of preventing or detecting crime” or “justified as being in the public interest”. According to the Crown Prosecution Service, the precursor to this provision from the Data Protection Act 1998 was most typically or commonly used to prosecute those who access healthcare or financial records without a legitimate reason.