The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

A blog by Deputy Commissioner James Dipple-Johnstone for police, the criminal justice system and victims’ support groups. 

There can be few more important areas of our lives where our wider rights and our information rights combine than in the criminal justice arena.

The UK Government has recently supported recommendations made by the Justice Select Committee’s inquiry, Disclosure of Evidence in Criminal Cases on the use of personal data in criminal cases.

One of these recommendations states there should be ‘clear guidelines on handling sensitive material.’

Victims of serious sexual offence crimes are particularly vulnerable, and it’s crucial that the rights they have in law are upheld in order to maintain confidence in the UK’s criminal justice system and their continued willingness to come forward and report crimes.

But we are also aware of the challenges faced by the authorities in order to balance the right to a fair trial with the privacy rights of victims.

One of the objectives from our Regulatory Action Policy is to respond swiftly and effectively where breaches of legislation affect vulnerable people. That’s why the way victims’ personal information is treated and used in cases of rape and serious sexual assault is of significant concern to the ICO.

When we recently received complaints from multiple victims’ representatives and victim support campaigns, giving details of potential excessive use of victims’ personal information in cases of rape and serious sexual assault, we launched an investigation.


The issues presented to us raise concerns around the collection, secure handling and the use of victims’ personal information.

Whilst implementing the General Data Protection Regulation (GDPR) this year, the government also brought in the Law Enforcement Directive in Part 3 of the Data Protection Act 2018 (DPA2018) which updated the rules for handling and using personal data in the law enforcement context.

One example of this arises during the early stages of an allegation of a serious sexual offence crime where the police and prosecuting authorities rely on a ‘Stafford statement’. It is a consent-style form that victims sign to give police access to their personal information.  

A Stafford statement can give wide-ranging, blanket consent for police to access detailed and sensitive information, including copies of a victim’s medical, education, psychiatric, social service and family court proceedings records. These records can date from many years prior to the incident under investigation. 

But these statements are often signed in the immediate aftermath and shock of the crime, and, we are told, victims can often be unclear as to what they are consenting to and why.


As part of our investigation we believe it’s important to track the journey victims’ information takes through the criminal justice system, from allegation, through disclosure and onto any compensation application that may be made. This is to identify areas where victims’ information is most vulnerable or where processing may be excessive and disproportionate.

This is a complex and challenging area and involves some of the most sensitive personal data gathered by the state. The principle and basis of consent in these circumstances is a key element of our investigation.

We will be working closely with police forces, prosecuting authorities, victims and their representatives and other stakeholders across the UK to ensure that we consider all the facts. Our focus is to understand whether the law is being followed, to provide clarity and offer advice on any improvements that need to be made.

Ultimately, victims need to be supported and to have confidence that they can give their evidence and information in the knowledge it will be safeguarded, used appropriately and with minimal intrusion into their privacy.

We will be reporting any findings and recommendations publicly once our investigation has concluded.

James Dipple-Johnstone is Deputy Commissioner for Operations at the ICO. He oversees the Enforcement and Assurance departments as well as those for Data Protection Complaints and Reviews and FOI Complaints and Appeals.