A blog from Melissa Mathieson, the ICO's Director of Regulatory Policy Projects
As statistics show that shoplifting is up by 27% across ten of the largest cities in the UK*, more retailers are turning to technology to protect their business.
Data protection law enables retailers to share criminal offence data such as images to prevent or detect crime as long as it's necessary and proportionate. We want businesses to be able to take action to prevent crime, but we want people who aren’t breaking the law to be able to go about their day without unjustified intrusion.
We’ve worked closely with retailers to show them how they can share information to prevent or detect crime in line with data protection law. Here are the key areas they need to be thinking about:
What is necessary and proportionate?
Information should only be made available to a limited number of people who need it to prevent and detect crimes such as shoplifting. Wider public disclosures of information, such as posting it on an online retail-related social media platform, are less likely to be justifiable.
Where retailers deem that sharing is necessary and proportionate, they must be aware that this will bring with it responsibilities around the key data protection principles such as accuracy and retention.
Below are some examples of situations when sharing suspect or criminal details may and may not be appropriate:
Likely to be appropriate
Sharing suspect details with police - You can share criminal offence data with the police or other relevant law authorities to prevent, detect or investigate crime. The information you give them could bring a criminal to justice and is likely to be necessary and proportionate. Our website has more details on what is classed as criminal offence data.
Sharing information with a manager of another store in your shopping centre - This is likely to be appropriate as they are in the local area and may have experienced similar instances. They may be able to share further information or help you prevent reoccurrences.
Sharing information with the security guards of your shopping centre - This is likely to be appropriate as they may come across the individual as part of their professional role. Forewarning will be useful to achieve your purpose of preventing and detecting crime.
May not be appropriate
Putting images in a staff room – Showing images of suspected shoplifters should be limited to what is needed and only to necessary individuals such as retail and security staff via secure channels. This limits the audience to what is necessary and proportionate. Putting them up in a staff room for all to see is less likely to be appropriate.
Local businesses sharing images between one another via a messaging platform - If neighbouring retailers want to share images between one another, they should consider putting an agreement in place where they all agree to use only secure work devices and activate auto delete settings. Without this, images could end up in personal phones and uploaded to personal cloud backups.
Publishing the information on a social media group open to any members of the public from the local area - You must only share personal information in a way that’s proportionate and necessary to achieve your purpose. Sharing personal information so widely is likely to be excessive.
Putting images in the local area, such as shop windows and lampposts - You must only share personal information in a way that’s proportionate and necessary to achieve your purpose. Sharing images in this way gives access to those who don’t have the appropriate authority to see them or take any action.
The ICO is here to help
We do a lot of work in this space - from engaging with retailers and their trade associations, engaging law enforcement authorities, to researching new technologies – and will continue to ensure we help retailers in their fight against crime while still respecting privacy rights.
Retailers must adopt a data protection by design approach, considering data protection and privacy issues upfront at the design stage and throughout the lifecycle of your system. There’s more detail in our draft biometric guidance, which we are currently consulting on.
We also have other resources to help retailers such as our data sharing code, CCTV guidance, Advice for small organisations hub, Opinion on live facial recognition in public places and general UK GDPR guidance.
Any retailer that needs help to use or share information to prevent or detect crime can find our guidance on our website or contact us for advice.