12 April 2019
Steve Wood reminds public and private organisations that new data protection legislation does not stop them from disclosing personal data to assist police forces or other law enforcement authorities.
It’s nearly eleven months since the UK’s new data protection legislation came into effect, giving organisations more responsibilities and giving citizens strengthened rights. In terms of data sharing the message is also one of continuity as the core considerations that existed under the previous legislation remain the same.
We are aware that sometimes, organisations are hesitant to share people’s personal data with the police and in some cases are refusing to share with anyone, citing data protection as the problem. In cases of serious or violent crime, this can mean that essential information needed to safeguard individuals is not being passed to the relevant law enforcement authorities.
The ICO’s aim is to ensure there is trust and confidence in how organisations use personal data – we want to help organisations do this securely and fairly.
Alongside the vitally important task of keeping people’s data secure, it seems a crucial message may have been misunderstood by many in the public and private sectors – data protection law should not be a barrier to sharing when it is necessary to protect the public.
My latest blog in our myth busting series sets out to challenge the misconceptions surrounding sharing personal data with the police.
My organisation can’t voluntarily disclose personal data to police forces or other law enforcement authorities under new data protection legislation.
The GDPR and the Data Protection Act 2018 (DPA2018) do not prevent data sharing for law enforcement purposes and provides mechanisms to achieve this, but it does require organisations to use those mechanisms appropriately.
Organisations should remain confident that when asked for personal data to assist the police whether in an emergency, or in their ongoing community policing activities, necessary, relevant and proportionate data can be disclosed in compliance with the law.
This can include broader safeguarding schemes to stop vulnerable people falling into crime, for example via economic deprivation or gang culture.
In the ICO’s recent action against the Metropolitan Police Service’s gangs matrix database, we were clear that the aim of the data sharing between police, local authorities and education authorities to counter gang culture was a valid public interest to pursue.
But we also made it clear that key issues of data retention, security, excessive collection and sharing had to be addressed to enable the gangs programme to be lawful.
A fair approach to data sharing, which is transparent in its purpose and accountable to obligations under data protection law, will gain the trust of our communities that are most directly affected and so enhance the ability of community policing to engage with them.
Pathways to sharing under the current law
The GDPR has not changed the legal channels that can be used to share personal data. Some of the channels that allow such sharing are not in the GDPR at all; instead they are found in the schedules of the DPA2018.
Organisations should therefore familiarise themselves with both the GDPR and the DPA2018, and ensure that they are read side by side to appreciate the full picture.
In particular it is in the DPA2018 where organisations will find the rules surrounding the processing of data for law enforcement purposes. In addition, Part 3 of the Act specifically applies to organisations defined as ‘competent authorities’ – such as police forces, criminal courts and prisons.
Requests for information made by competent authorities must be reasonable in the context of their law enforcement purpose, and the necessity for the request should be clearly explained to the organisation.
Take for example a shop owner, who is asked to pass on vital CCTV footage to the police. The police require this footage because a violent crime has taken place on the shop owner’s property. Or take the example of a social worker, who is asked to pass on case files to police containing details of young teenagers.
In these examples we understand that the shop owner and the social worker might feel reluctant to voluntarily disclose information to the police if the request appears excessive, or the necessity or urgency appears unjustified. So the onus is on the police to provide as much clarity as they can without prejudicing their investigation.
Timing is critical for effective policing
Much policing activity relies on a rapid response to issues. This rapid response includes the police gathering the information they need from other parties, such as shop owners or social workers. The investigative capability of the police can be hampered if organisations are not forthcoming when information is legitimately needed for an active investigation.
Delays to investigative enquiries do not need to be as a result of reticence to provide information to the police. The key to ensuring that the public interest in the data sharing and protection of data can be met is a proper assessment of the circumstances, and the likelihood of any prejudice to an investigation.
This includes an organisation that holds data considering the implications of not sharing with the police, and the important ‘why’ questions that underpin the context of the urgency of the police’s need.
Practical steps for organisations
There are a number of steps that organisations can take to ensure they are satisfying themselves that their responses to police requests for information are fair, lawful and timely. It is worth remembering that if you are sharing information for law enforcement purposes because it is necessary, proportionate and justified then it is unlikely to raise data protection concerns.
- Lawful basis - If you are having difficulty justifying the disclosure then look again at the lawful basis you are using under the DPA 2018. Identifying an appropriate lawful basis will provide a foundation, and you should always consider which lawful basis (or bases) best fits the circumstances. A practical step to take is to go back to the start and map your data flows.
- Staff training - Staff are more confident in processing personal data appropriately when they have clear guidance and training around their roles and responsibilities. This includes specific advice for staff on how to handle urgent information requests from the police and what records should be kept at the time of such disclosures.
- Ask the right questions - Don’t be afraid to ask the police why the information is required. You should ensure that personal data is not disclosed unless there is a clear and appropriate justification that takes account of the context for the information request from the police.
The ICO is currently working on updating its Data Sharing Code of Practice which is expected to go out for consultation in the next few weeks. This will provide further practical advice and guidance on how to share data, safely and fairly, in compliance with the law.
The Government has also launched a consultation on a new legal duty to support a multi-agency approach to preventing and tackling serious violence.
For more advice on data sharing in general, there is a full range of resources on the ICO website, including interactive toolkits, checklists and sector-specific FAQs to help organisations comply with the new laws.
|Steve Wood is Deputy Commissioner for Policy and responsible for the ICO’s policy position on the proper application of information rights law and good practice, through lines to take, guidance, internal training, advice and specific projects.|