Introduction to the toolkit
Has a law enforcement authority asked you to share personal data with them, for law enforcement purposes, and are you unsure whether you can share it or not?
Data protection law enables you to share personal data with a law enforcement authority, as long as you can justify that it is necessary and proportionate.
This toolkit is aimed at small organisations and businesses who need to consider this kind of request and make a decision. It is designed to assist those who have a basic knowledge or awareness of data protection.
If you are a very small organisation or individual business, we recommend that you look at the data sharing pages on our SME Hub.
If you are a larger organisation with expertise in data protection, this toolkit may not be suitable for you. We recommend that you refer to the data sharing code of practice or seek advice from your data protection officer (DPO). We hope to work with some of our stakeholders to develop a set of case studies, covering more complex issues around sharing data with law enforcement authorities for law enforcement purposes.
However, no matter your organisation’s size, this toolkit should help you to clarify your decision about sharing data with a law enforcement authority.
This toolkit takes you through the relevant considerations and helps you make a decision about when and how you can share the requested data. The toolkit also generates a report at the end, which assists with documenting your decisions and justifications. The toolkit does not tell you what your decision should be, but it gives you the information and steps to take to make a decision yourself.
If you are asked to share data in an emergency situation, it’s unlikely that this toolkit would be appropriate for you to use. In an emergency, you should share as much data as is necessary and proportionate. You should plan ahead where possible, and we recommend that you read the ‘data sharing in an emergency’ section within the data sharing code of practice for further information.
What is a law enforcement authority?
In data protection law, a law enforcement authority is called a ‘competent authority’, and you may see this term used in other guidance. However, for ease of reference we refer to it as a law enforcement authority throughout this toolkit. These organisations include those which have law enforcement or investigatory functions, such as:
- the police;
- National Crime Agency;
- Government departments;
- the courts;
- the Director of Public Prosecutions;
- The Crown Office and Procurator Service;
- The Public Prosecution Service NI;
- the Lord Advocate;
- UK Border Force;
- prisons;
- the Commissioners of HM Revenue and Customs;
- Parole Boards or Parole Commissioners for Northern Ireland;
- Police Ombudsman’s office for Northern Ireland;
- Police Investigations & Review Commissioner;
- HM Land Registry;
- Driver and Vehicle Agency Northern Ireland (DVANI);
- TV Licensing; and
- the Information Commissioner’s Office.
An organisation could also be a law enforcement authority if they have a legal power to process personal data for law enforcement purposes, for example:
- local authorities in Scotland and Northern Ireland when investigating trading standards offences; and
- the Environment Agency, The Northern Ireland Environment Agency and The Scottish Environmental Protection Agency when prosecuting environmental offences.
Intelligence services such as the Security Service or the Secret Intelligence Service are not law enforcement authorities and the rules are different.
What are law enforcement purposes?
Data protection legislation defines law enforcement purposes as “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties including the safeguarding against and the prevention of threats to public security.”
How to use the toolkit?
Stage one
This assesses whether the toolkit applies to you. It checks whether you have enough information about the personal data that the law enforcement authority has asked you to share with them, and why.
Stage two
This assesses if you can share the personal data lawfully and securely. It also prompts you to consider the amount of personal data you are sharing and its accuracy.
Your report
After completing both stages, the toolkit generates a report which lists the suggested next steps for you to take and gives you a place to record your decisions and justifications. You should download, fill in and save that document as a record.
Feedback
We are committed to continuing to develop this and other toolkits in order to facilitate effective and compliant data sharing. In order to this, we are seeking your feedback on what works well with the toolkit and what could be improved. We will assess this feedback on a regular basis in order to make changes and improvements to the toolkit. After completing the toolkit, please consider completing our feedback survey.