Information Commissioner's Office
Blog: Data Protection law does not prevent information sharing to save lives and stop crime
Steve Wood reminds public and private organisations that new data protection legislation does not stop them from disclosing personal data to assist police forces or other law enforcement authorities.
It’s nearly eleven months since the UK’s new data protection legislation came into effect, giving organisations more responsibilities and giving citizens strengthened rights. In terms of data sharing the message is also one of continuity as the core considerations that existed under the previous legislation remain the same.
We are aware that sometimes, organisations are hesitant to share people’s personal data with the police and in some cases are refusing to share with anyone, citing data protection as the problem. In cases of serious or violent crime, this can mean that essential information needed to safeguard individuals is not being passed to the relevant law enforcement authorities.
The ICO’s aim is to ensure there is trust and confidence in how organisations use personal data – we want to help organisations do this securely and fairly.
Alongside the vitally important task of keeping people’s data secure, it seems a crucial message may have been misunderstood by many in the public and private sectors – data protection law should not be a barrier to sharing when it is necessary to protect the public.
My latest blog in our myth busting series sets out to challenge the misconceptions surrounding sharing personal data with the police.
My organisation can’t voluntarily disclose personal data to police forces or other law enforcement authorities under new data protection legislation.
The GDPR and the Data Protection Act 2018 (DPA2018) do not prevent data sharing for law enforcement purposes and provides mechanisms to achieve this, but it does require organisations to use those mechanisms appropriately.
Organisations should remain confident that when asked for personal data to assist the police whether in an emergency, or in their ongoing community policing activities, necessary, relevant and proportionate data can be disclosed in compliance with the law.
This can include broader safeguarding schemes to stop vulnerable people falling into crime, for example via economic deprivation or gang culture.
In the ICO’s recent action against the Metropolitan Police Service’s gangs matrix database, we were clear that the aim of the data sharing between police, local authorities and education authorities to counter gang culture was a valid public interest to pursue.
But we also made it clear that key issues of data retention, security, excessive collection and sharing had to be addressed to enable the gangs programme to be lawful.
A fair approach to data sharing, which is transparent in its purpose and accountable to obligations under data protection law, will gain the trust of our communities that are most directly affected and so enhance the ability of community policing to engage with them.
Pathways to sharing under the current law
The GDPR has not changed the legal channels that can be used to share personal data. Some of the channels that allow such sharing are not in the GDPR at all; instead they are found in the schedules of the DPA2018.
Organisations should therefore familiarise themselves with both the GDPR and the DPA2018, and ensure that they are read side by side to appreciate the full picture.
In particular it is in the DPA2018 where organisations will find the rules surrounding the processing of data for law enforcement purposes. In addition, Part 3 of the Act specifically applies to organisations defined as ‘competent authorities’ – such as police forces, criminal courts and prisons.
Requests for information made by competent authorities must be reasonable in the context of their law enforcement purpose, and the necessity for the request should be clearly explained to the organisation.
Take for example a shop owner, who is asked to pass on vital CCTV footage to the police. The police require this footage because a violent crime has taken place on the shop owner’s property. Or take the example of a social worker, who is asked to pass on case files to police containing details of young teenagers.
In these examples we understand that the shop owner and the social worker might feel reluctant to voluntarily disclose information to the police if the request appears excessive, or the necessity or urgency appears unjustified. So the onus is on the police to provide as much clarity as they can without prejudicing their investigation.
Timing is critical for effective policing
Much policing activity relies on a rapid response to issues. This rapid response includes the police gathering the information they need from other parties, such as shop owners or social workers. The investigative capability of the police can be hampered if organisations are not forthcoming when information is legitimately needed for an active investigation.
Delays to investigative enquiries do not need to be as a result of reticence to provide information to the police. The key to ensuring that the public interest in the data sharing and protection of data can be met is a proper assessment of the circumstances, and the likelihood of any prejudice to an investigation.
This includes an organisation that holds data considering the implications of not sharing with the police, and the important ‘why’ questions that underpin the context of the urgency of the police’s need.
Practical steps for organisations
There are a number of steps that organisations can take to ensure they are satisfying themselves that their responses to police requests for information are fair, lawful and timely. It is worth remembering that if you are sharing information for law enforcement purposes because it is necessary, proportionate and justified then it is unlikely to raise data protection concerns.
- Lawful basis - If you are having difficulty justifying the disclosure then look again at the lawful basis you are using under the DPA 2018. Identifying an appropriate lawful basis will provide a foundation, and you should always consider which lawful basis (or bases) best fits the circumstances. A practical step to take is to go back to the start and map your data flows.
- Staff training - Staff are more confident in processing personal data appropriately when they have clear guidance and training around their roles and responsibilities. This includes specific advice for staff on how to handle urgent information requests from the police and what records should be kept at the time of such disclosures.
- Ask the right questions - Don’t be afraid to ask the police why the information is required. You should ensure that personal data is not disclosed unless there is a clear and appropriate justification that takes account of the context for the information request from the police.
The ICO is currently working on updating its Data Sharing Code of Practice which is expected to go out for consultation in the next few weeks. This will provide further practical advice and guidance on how to share data, safely and fairly, in compliance with the law.
The Government has also launched a consultation on a new legal duty to support a multi-agency approach to preventing and tackling serious violence.
For more advice on data sharing in general, there is a full range of resources on the ICO website, including interactive toolkits, checklists and sector-specific FAQs to help organisations comply with the new laws.
Steve Wood is Deputy Commissioner for Policy and responsible for the ICO’s policy position on the proper application of information rights law and good practice, through lines to take, guidance, internal training, advice and specific projects.
Latest News from
Information Commissioner's Office
Blog: Why special category personal data needs to be handled even more carefully15/11/2019 09:10:00
Blog posted by: Ian Hulme, Director for Regulatory Assurance, 14 November 2019.
ICO call for views on the application for powers under the Proceeds of Crime Act11/11/2019 09:10:00
The Information Commissioner invites views on her office being granted access to investigation and other associated powers under the Proceeds of Crime Act 2002 (POCA).
Information Commissioner reminds political parties they must comply with the law ahead of General Election06/11/2019 09:10:00
The Information Commissioner has sent the following letter to the political parties in relation to the use of data in political campaigning.
Blog: Live facial recognition technology – police forces need to slow down and justify its use31/10/2019 13:10:00
Blog posted by: Elizabeth Denham, Information Commissioner, 31 October 2019.
Statement on an agreement reached between Facebook and the ICO30/10/2019 15:10:00
In 2017 the Information Commissioner's Office ("ICO") commenced a formal investigation into the misuse of personal data in political campaigns.
Blog: Embedding accountability – we want to hear from you29/10/2019 13:20:00
Blog posted by: Ian Hulme, Director for Regulatory Assurance, 28 October 2019.
AI Auditing Framework Call for Input: final considerations and next steps29/10/2019 09:10:00
As the initial Call for Input into the development of the ICO AI Auditing Framework comes to an end, Simon McDougall, Executive Director for Technology and Innovation, reflects on some of the overarching themes that have emerged in the first phase of our work.
Data Protection Impact Assessments and AI24/10/2019 10:20:00
Simon Reader, Senior Policy Officer, discusses some of the key considerations for organisations undertaking data protection impact assessments for Artificial Intelligence (AI) systems.