Information Commissioner's Office
Necessity and proportionality: questions police must ask when considering sharing personal information with the public
In February, the ICO announced it would be asking Lancashire Police to set out how they reached the decision to include personal information in media statements as they sought to find Nicola Bulley.
This was an important piece of work around a high profile case. We wanted to reassure the public that there are rules in place to protect how personal information is used and shared. And we wanted to be clear that while police can disclose information to protect the public and investigate crime, they would need to be able to demonstrate such disclosure was necessary and proportionate.
We have now spoken with Lancashire Police to better understand the steps they took before releasing information. We heard in those conversations the challenging nature of considering whether and how to share personal information during fast paced, important cases. Based on our conversations with Lancashire Police, we don’t consider this case requires enforcement action. We’ll be able to provide further details around this decision following the inquest into Nicola Bulley’s death.
While this concludes our work with Lancashire Police, it is clear that their consideration of what information to share during a fast-paced case is a challenge all police could face. We therefore wanted to share the wider lessons all police can benefit from.
Data protection law does not prevent police from doing their job. It is part of helping police do that job well. The law specifically considers the challenges law enforcement organisations may face using personal data, and asks police to consider the risks of disclosing information alongside the valuable role disclosure can play in an investigation, in particular when police are calling on the public’s help to find a missing person.
Police can better understand their legal requirements by asking themselves the following questions:
- Is sharing this information necessary? If it is important the public know something sensitive about a missing person, then the law provides ways information can be shared. But it is important to think about whether there are alternatives to disclosure that would also achieve your objectives.
- Is sharing this information proportionate? You need to consider any harm or detriment that may come from sharing information, and make sure this does not outweigh what you are trying to achieve. This is particularly important for sensitive information. The law specifically sets a higher standard for sharing information about someone’s health, for instance.
- Will there be an impact on others? It is important to consider who else might be affected by any disclosures: sharing information about one individual may also have an effect on the privacy rights of their family and friends.
- Are you recording the factors being considered in your decision making? As the Lancashire Police case has shown, there will be times when the ICO expects police to set out how they reached a decision to disclose information.
- What is the Data Protection Officer’s view? When it comes to answering all of these questions, the police’s DPO will be ideally placed to draw together their knowledge of data protection, as well as their understanding of their organisation’s operating processes, to help consider the balance between privacy, the public interest, and the interests of all those involved.
By considering the factors we are sharing today, police can make informed decisions about how to respect people’s data protection rights during fast-moving and high-profile investigations while still getting the job done. We’ll continue to offer our advice and support to police, and will be sharing these tips more widely.
Latest News from
Information Commissioner's Office
Data breaches put domestic abuse victims’ lives at risk, UK Information Commissioner warns28/09/2023 13:15:00
The UK Information Commissioner has today called on organisations to handle personal information properly to avoid putting victims of domestic abuse at the risk of further danger.
“This needs to be dealt with.” - ICO issues Enforcement Notice to City of York Council over FOI backlog21/09/2023 16:25:00
The Information Commissioner’s Office (ICO) has issued an Enforcement Notice to City of York Council to clear its backlog of 261 unanswered Freedom of Information requests
ICO issues half a million pounds in new fines as fight to tackle illegal nuisance calls continues21/09/2023 15:25:00
The Information Commissioner’s Office (ICO) has issued fines totalling £590,000 to five companies for collectively making 1.9 million unwanted marketing calls which targeted the elderly and people with vulnerabilities.
Share information to protect children and young people at risk, urges UK Information Commissioner15/09/2023 10:15:00
Organisations will not get in trouble if they share information to protect children and young people at risk of serious harm, the UK Information Commissioner’s Office (ICO) has promised.
Former social services council employee fined for unlawfully accessing sensitive personal data14/09/2023 09:15:00
A former family intervention officer at St Helens Borough Council has been sentenced for unlawfully accessing social services records.
UK Information Commissioner and NCSC CEO sign Memorandum of Understanding13/09/2023 13:10:00
The UK Information Commissioner, John Edwards, and the Chief Executive of the National Cyber Security Centre (NCSC), Lindy Cameron, yesterday signed a joint Memorandum of Understanding (MoU) that sets out how both organisations will cooperate.
ICO to review period and fertility tracking apps as poll shows more than half of women are concerned over data security07/09/2023 16:20:00
The Information Commissioner’s Office (ICO) is reviewing period and fertility apps as new figures show more than half of women have concerns over data security
ICO publishes new guidance on sending bulk communications by email31/08/2023 16:20:00
The Information Commissioner’s Office (ICO) yesterday issued a warning to organisations to use alternatives to the blind carbon copy (BCC) email function when sending emails containing sensitive personal information, following a catalogue of business blunders.
Joint statement on data scraping and data protection25/08/2023 09:10:00
The Information Commissioner’s Office and eleven other data protection and privacy authorities from around the world have today published a joint statement calling for the protection of people’s personal data from unlawful data scraping taking place on social media sites.