Skip to main content
Home

Crime condition

Contents

At a glance

  • This condition may be appropriate if you need to handle personal information to detect, investigate or prevent crime (including capturing or prosecuting offenders).
  • If you’re handling criminal offence data, you must meet the additional requirements of article 10 of the UK GDPR.

In detail

What is the crime condition?

Handling personal information for detecting, investigating and preventing crime helps protect people from harm and serves the interest of society at large. Data protection law enables you to use people’s information where it is necessary to prevent and report crimes, as well as to prosecute offenders (including suspected offenders). 

Annex 1 of the UK GDPR says:

“5. This condition is met where the processing is necessary for the purpose of–

a) detecting, investigating or preventing crime, or

b) apprehending or prosecuting offenders.

We call this the ‘crime condition’. The UK GDPR doesn’t give definitions for the different purposes listed in the crime condition. But you don’t need to look beyond the ordinary meaning of the words when deciding if you can meet the condition. 

A variety of economic crimes are included in the scope of this condition, for example: 

  • money laundering;
  • financing terrorists; and 
  • scams and fraud aimed at people or organisations. 

How do we apply the crime condition?

If you want to apply the crime condition, you must:

  • intend to handle personal information to help: 
    • detect, investigate or prevent a crime; or 
    • catch and prosecute an offender or suspect; and
  • ensure that using personal information is necessary for this purpose. 

Once you’ve confirmed your purpose is one of those set out in the crime condition, you must decide if it is necessary to use people’s personal information to pursue that aim.

This doesn’t mean it has to be absolutely essential for you to handle personal information, but you must ensure it is more than just useful. You should use it as a targeted and proportionate way of achieving the purpose of preventing criminal activity or helping to resolve crimes that have already been committed.

Example

An insurance company wants to use personal information to spot fraudulent claims and recover money it has paid out on dishonest claims. As fraud is covered by the recognised legitimate interest condition for detecting, investigating or prosecuting a crime, it decides this lawful basis may be appropriate. 

To ensure its use of personal information is targeted and proportionate, the insurer follows industry best practice when deciding what fraud indicators to look for in new claims so that these can be reviewed further by its fraud investigation team. The insurer relies on recognised legitimate interest and the crime condition to handle personal information in this way.

If you’re handling criminal offence data, you must also meet the requirements of article 10 of the UK GDPR. But if your purpose for using people’s personal information satisfies the crime condition, it’s likely this will also satisfy an appropriate condition from the DPA for processing criminal offence data. (For more information, see Can we use recognised legitimate interest for criminal offence data?.)   

Example

A shop owner uses CCTV to capture images of customers in the store to both deter and record incidents of shoplifting. The footage clearly shows a customer putting high-value items inside their coat before paying for items in their basket and then leaving the store. 

The shop owner decides this footage is necessary for detecting a crime and catching an offender. After taking care to obscure images of any other people captured by the footage, they rely on recognised legitimate interest and the crime condition to share this footage with the local police. 

In some circumstances, personal information about people other than offenders might be covered by this condition (eg victims or witnesses of crime). Their personal information isn’t criminal offence data and you don’t need to identify a condition from the DPA. But victims and witnesses may have experienced trauma and can be at risk of further crime or intimidation. Due to the significant risks to the privacy and well-being of these people in the event of a personal data breach, you should take extra care when handling their information. 

Remember, not all organisations that handle personal information relating to crime can use recognised legitimate interest. (For more information, see ‘Can we use recognised legitimate interest for criminal offence data?’.)  

Some organisations have statutory reporting obligations, such as banks and other regulated institutions that have to report financial crimes to the authorities. If you have an obligation like this, the legal obligation lawful basis is likely to apply. 

In some circumstances, using personal information in the context of the crime condition may involve special category data. If so, you must meet one of the special category data conditions in article 9 of the UK GDPR. (For more information, see Can we use recognised legitimate interest for special category data?.)

Depending on the situation, you may find that more than one of the recognised legitimate interest conditions is relevant. For example, if you are handling personal information for reasons of public safety, you may have a choice about whether the crime condition or the separate national security, public security and defence condition is appropriate. (For more information, see Can more than one recognised legitimate interest condition apply at the same time?.) 

Whichever condition you use, you must still meet all your other obligations under data protection law. (For more information, see What else do we need to consider?.)

Further reading – ICO guidance