At a glance
Most data sharing, and the bulk of this code, is covered by the general processing provisions under the UK GDPR and Part 2 of the DPA 2018. However, data sharing by a “competent authority” for specific law enforcement purposes is subject to a different regime under Part 3 of the DPA 2018 for law enforcement processing.
If you are a competent authority, it is very likely that you will also be processing personal data for general purposes under the UK GDPR/Part 2 of the DPA 2018, eg for Human Resources matters or other non-law enforcement purposes. In that instance, you should follow the general sections of the code on UK GDPR/Part 2 data sharing.
In more detail
- Introduction
- What is a competent authority?
- What are the law enforcement purposes?
- We are a competent authority: how do we share data under Part 3 of the DPA 2018?
- We are a competent authority: how do we share data with a controller that is not a competent authority?
- We are not a competent authority: how do we share data with a competent authority?
- How do we allow individuals to exercise their information rights under Part 3?
- How do we comply with the accountability requirement under Part 3?
Introduction
There are compelling reasons why data sharing is needed for law enforcement purposes. We are aware that sometimes organisations are hesitant about data sharing in this context. However, we emphasise that data protection law does not prevent appropriate data sharing when it is necessary to protect the public, to support ongoing policing activities, or in an emergency for example. Adhering to the provisions of the legislation and following the good practice set out in this code will help you to share data in a compliant and proportionate way.
Most data sharing, and hence the bulk of the code, is covered by the general processing provisions under Part 2 of the DPA 2018; in practice, this means referring to the UK GDPR. Data sharing by a competent authority for specific law enforcement purposes is subject to a different regime under Part 3 of the DPA 2018, which provides a separate but complementary framework. However, there are common elements to both regimes which means that data sharing processes under either Part 2 or Part 3 can be adapted, rather than having to start a new process.
Example
Requests for information made by competent authorities must be reasonable in the context of their law enforcement purpose, and the necessity for the request should be clearly explained to the organisation.
For example, the police might ask a social worker to pass on case files to them containing details of young teenagers who may be at risk of exploitation.
The social worker might feel reluctant to voluntarily disclose information to the police if the request appears excessive, or the necessity or urgency appears unjustified. The police should provide as much clarity as they can about their lines of enquiry, without prejudicing their investigation.
What is a competent authority?
A competent authority is:
- a person specified in Schedule 7 of the DPA 2018; or
- any other person if, and to the extent that, they have statutory functions to exercise public authority or public powers for the law enforcement purposes (section 30(1)(b) of the DPA 2018).
You need to check whether you are listed as a competent authority in Schedule 7 of the DPA 2018. The list includes most government departments, police chief constables, the Commissioners of HMRC, the Parole Boards and HM Land Registry.
If you are not listed in Schedule 7, you may still be a competent authority if you have a legal power to process personal data for law enforcement purposes. For example, local authorities who prosecute trading standards offences, or the Environment Agency when prosecuting environmental offences.
What are the law enforcement purposes?
This term is defined in section 31 of the DPA 2018 as:
“the purposes of the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”
Criminal law enforcement must be the primary purpose of the processing.
Even if you are a competent authority, it is very likely that you will also be processing personal data for general purposes under the UK GDPR/Part 2 of the DPA 2018, rather than for law enforcement purposes. An example might be for Human Resources matters. In that instance, you should follow the general data sharing guidance contained elsewhere in this code; we also refer to this below.
We are a competent authority. How do we share data under Part 3 of the DPA 2018?
If you are a competent authority, and the sharing is to another competent authority for law enforcement purposes, then Part 3 should provide a framework allowing you to share data.
This differs in some ways from the general processing provisions in the UK GDPR and Part 2 of the DPA 2018. The differences, including lawful basis, are primarily because of the purpose for which you are processing the data.
In particular, there are some differences in the principles in Part 3, and processing of data described in Part 3 as “sensitive” is subject to additional safeguards, such as conditions in Schedule 8 of the DPA 2018. You can find out more about the requirements on the ICO website.
We are a competent authority. How do we share data with a controller that is not a competent authority?
Part 3 to Part 2 DPA 2018 data sharing
A common scenario here is data sharing by a competent authority (that is processing for law enforcement purposes) to a recipient where the disclosure is not for law enforcement purposes, or the recipient is not a competent authority. In practice, Part 3 DPA 2018 information may be shared with a third party or repurposed internally, and then be used for general processing purposes under the UK GDPR and Part 2 of the DPA 2018.
- Section 36(4) of the DPA 2018 allows you to do this, provided that “the processing is authorised by law”.
- As a competent authority, you must determine whether any processing of such data for non-law enforcement purposes is “authorised by law”. This might be, for example, statute, common law, royal prerogative or statutory code.
- The question of “authorised by law” will, in part, depend on the specific laws to which the relevant competent authority is subject. For some authorities (such as the police), you may be able to rely more heavily on common law than other organisations that are more constrained by the nature of their constitution and legal framework. These would include local authorities, which may only do those things that they are empowered to do by statute, or those that are reasonably ancillary or incidental to those powers.
- You should start by identifying the reason and the lawful basis for the sharing.
- If you are the police you should also take into account the relevant policing purposes. In the absence of a clear policing purpose, it may be that the Part 3 DPA 2018 personal data/police information should not be disclosed. See more on this below. You should then identify a relevant processing condition under the UK GDPR/Part 2 of the DPA 2018.
For the police, in the absence of an obvious statute or code of practice to provide authorisation, common law may be the natural basis to rely upon. However, as recognised by the College of Policing, common law does not provide the police with an unconditional power to engage in any activity that is not otherwise provided for by statute. It cannot be used in a way that contravenes or conflicts with any legislation, and actions based on common law must be still be compliant with the Human Rights Act 1998 and the DPA 2018.
Example
The police may provide information to the civil courts about child protection proceedings. Both the police and the court are competent authorities, but since the court proceedings are civil rather than criminal, the disclosure by the police is not in the context of law enforcement purposes. This is the case even though the reason for the police disclosing the information is to protect life, which is a policing purpose.
We are not a competent authority. How do we share data with a competent authority?
Part 2 to Part 3 DPA 2018 data sharing
If you are an organisation that does not fall within the DPA 2018 definition of a competent authority, then you can share data for law enforcement purposes with a competent authority, such as the police, in compliance with the UK GDPR and Part 2 of the DPA 2018. However, you must still have a lawful basis under Article 6 for the sharing; for example, legitimate interests. Where a request has come from a law enforcement agency under the Investigatory Powers Act 2016, the lawful basis might be legal obligation. You are also likely to need a condition for disclosing the data under Schedule 1 of the DPA 2018.
Requests for information made to you by competent authorities must be reasonable in the context of their law enforcement purpose, and they should clearly explain the necessity for the request to you.
Where necessary in the circumstances, you can also rely on the “crime and taxation” exemption from some UK GDPR provisions that is set out in DPA 2018 schedule 2, paragraph 2(1). This includes exemption from transparency obligations and most individual rights, to the extent that the application of those provisions is likely to prejudice the prevention or detection of crime.
If you are not a competent authority and are disclosing data about an individual’s criminal offences and convictions (including allegations that an individual has committed an offence) you must comply with Article 10 of the UK GDPR.
In practice, this means you need to meet a relevant condition in Schedule 1 of the DPA 2018. In this scenario, the most likely condition is in Schedule 1 paragraph 10, as modified by paragraph 36: disclosures of “criminal offence” data which are necessary for the purposes of the prevention or detection of unlawful acts; and where asking for the individual’s consent would prejudice those purposes.
The personal data of witnesses, victims, bystanders and other persons who are not the offender or alleged offender is not “criminal offence” data and a Schedule 1 DPA condition is not required to allow the processing and sharing of their data.
However, if the data you are sharing includes special category data, a condition under Article 9 of the UK GDPR needs to apply, together with a linked condition in Schedule 1 of the DPA 2018 in most cases (most likely Article 9.2(g) together with Schedule 1 paragraph 10 of the DPA 2018). You must be able to demonstrate that sharing the special category data is necessary for reasons of substantial public interest.
The DPA 2018 usually requires organisations to have an appropriate policy document to cover their general data processing under this condition. However, an organisation disclosing data to a competent authority in reliance on the condition in Schedule 1 paragraph 10 of the DPA 2018 does not need to have a policy document to cover that disclosure.
Example
A shopkeeper used CCTV, and routinely captured footage of customers in the premises. A copy of some CCTV footage was requested by a police force for an ongoing criminal investigation. The police force told the shopkeeper why they wanted it (some competent authorities may use a standard form for this).
The shopkeeper was processing data under the UK GDPR and Part 2 of the DPA 2018. Assuming the shopkeeper had a lawful basis for the processing, they could give the police a copy of the footage to help with the investigation. If the footage included images of an alleged offender they could rely on Schedule 1, paragraph 10 to process the CCTV data, and enable the sharing of the relevant footage with the police to help with the investigation.
The receiving police force (competent authority) was processing the information under Part 3 of the DPA 2018. This enabled them to fulfil their statutory functions.
How do we allow individuals to exercise their information rights under Part 3?
There are differences in the availability of individual rights for law enforcement processing. Certain individual rights under the UK GDPR, such as the right to object and the right to data portability, do not exist in Part 3 of the DPA 2018. There are exemptions and restrictions that can, in some circumstances, be legitimately applied to prevent individuals from exercising rights if there is a likely prejudice to the law enforcement purposes.
For further details on this, please refer to the section in this code on the rights of individuals, and to the ICO website guidance on law enforcement processing.
How do we comply with the accountability requirement under Part 3?
Section 34(2) in Part 3 of the DPA 2018 states that you are responsible for compliance. It requires you, as controller, to demonstrate that you comply with the principles.
You must put in place appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include policies and procedures, including data protection by design and default.
You must also maintain relevant documentation of data processing activities.
Please also see the earlier section in this code on accountability. For more specific details on Part 3 DPA 2018, please refer to the ICO guidance on law enforcement processing.