29 September 2023 - We have updated the section ‘How do we decide on our lawful basis for sharing?’ where it discusses if you did not originally intend to share personal information with a law enforcement authority. We have clarified that when deciding your lawful basis for the sharing, your original lawful basis might not be appropriate, especially if you originally relied on consent. You should consider whether the original lawful basis is still appropriate. This might mean you need to identify a new lawful basis.
At a glance
- The UK GDPR does not prevent you sharing personal data with law enforcement authorities (known under data protection law as “competent authorities”) who are discharging their statutory law enforcement functions. The UK GDPR and the DPA 2018 allow for this type of data sharing where it is necessary and proportionate.
- If you want to share personal data with a law enforcement authority you need a lawful basis under Article 6.
- If you want to share special category data you need both a lawful basis and a condition for processing under Article 9. Some of these conditions require you to meet an additional condition from the DPA 2018.
- If you want to share criminal offence data you need both a lawful basis, and either ‘official authority’ or a separate condition for processing under Article 10. The DPA 2018 sets out specific conditions for this.
- Paragraph 10 of Schedule 1 of the DPA 2018 provides a condition for sharing special category data or criminal offence data where it is necessary for the prevention or detection of unlawful acts, and where asking for consent would prejudice that purpose.
- Paragraph 2 of Schedule 2 of the DPA 2018 provides an exemption (the “crime and taxation” exemption) from the UK GDPR’s transparency obligations and most individual rights, but only if complying with them would prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders. This is not a blanket exemption and you must consider it on a case-by-case basis.
☐ We consider what the purpose is for sharing personal data with law enforcement authorities, and whether it is necessary and proportionate to do so.
☐ We identify a lawful basis under Article 6 of the UK GDPR before sharing the personal data. If the sharing of personal data was not the original intention of the processing, we consider whether this new purpose is compatible with that original purpose.
☐ We also identify a condition for processing under Article 9 of the UK GDPR and any relevant condition in Schedule 1 of the DPA 2018 before sharing special category data.
☐ We identify a condition for processing under Article 10 of the UK GDPR and a relevant condition in Schedule 1 of the DPA 2018 before sharing criminal offence data.
☐ We record our lawful basis and, if relevant, our conditions for processing special category or criminal offence data.
☐ We only share the minimum necessary amount of relevant and adequate personal data.
☐ We ensure that the personal data is shared in compliance with our other data protection duties and obligations, including fairness, accuracy and security.
What do you mean by a law enforcement authority?
A law enforcement authority is known under data protection law as a “competent authority”. This means any of the authorities listed in Schedule 7 of the DPA 2018 including the police, courts and prisons. Competent authorities can also be any other organisation or person with statutory law enforcement functions, such as local authorities detecting trading standards offences or the Environment Agency when investigating environmental offences. For ease of reference, we use the term “law enforcement authority” throughout this piece of guidance.
Part 3 of the DPA 2018 sets out separate data protection rules for authorities with law enforcement functions when they are processing for “law enforcement purposes”.
The law enforcement purposes are defined in section 31 of the DPA 2018 as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and prevention of threats to public security.
Can we share personal data with law enforcement authorities?
You can share personal data where it is necessary and proportionate to do so. The UK GDPR, together with the DPA 2018, provides a framework to allow you to share personal data with law enforcement authorities that need to process personal data for the law enforcement purposes, such as the prevention, investigation and detection of crime.
These provisions do not force you to disclose personal data, but they do allow you to disclose personal data on a voluntary basis, provided that it is necessary and proportionate to do so. In some cases it will be clear why you need to share personal data, whereas in others you may need to carefully consider your reasons for sharing.
The DPA 2018 also allows you to share personal data with law enforcement authorities in order to comply with court orders, or other legislation and legal requirements.
When might we need to share personal data with law enforcement authorities?
There are likely to be three circumstances when you may need to share personal data with a law enforcement authority to enable it to carry out its law enforcement functions:
- where you want to proactively share personal data; for example, you want to report a crime to the police and provide relevant personal data you hold;
- where you receive a request from a law enforcement authority for personal data you hold; for example, the police may request personal data from you to help them investigate a crime; or
- where a court order or another legal obligation compels you to share personal data with a law enforcement authority.
How do we decide on our lawful basis for sharing?
You must be satisfied that sharing personal data with a law enforcement authority is lawful. This means you must have a lawful basis under Article 6 of the UK GDPR before you share the personal data. There are six lawful bases and the most appropriate depends on the particular circumstances of each case.
For example, in some circumstances it may be appropriate to use the legitimate interests lawful basis in Article 6(1)(f). This is when the processing is necessary for your legitimate interests or those of a third party and they don’t outweigh the interests, rights or freedoms, which require the protection of personal data, of the individual whose personal data you are processing.
There might be a legitimate interest to share personal data of an individual suspected of an offence with a law enforcement authority to ensure they have all the necessary information for a proper and fair investigation.
A building firm identifies an employee committing fraud after investigating irregularities in its procurement processes.
The firm considers that it is in its legitimate business interests to report those who commit fraud and it is necessary to provide a copy of records which shows the employee defrauding the firm. It cannot report the fraud without sharing personal data of the employee. It is likely to be in the individual’s reasonable expectations that such a disclosure would be made in the event of a suspected crime. The firm determines that, on balance, its interests in preventing fraud outweigh the interests of the employee who committed the act.
If you are required by a court order or you have a statutory duty to report potential criminal acts to a law enforcement authority, then your lawful basis is likely to be legal obligation in Article 6(1)(c). This provides a lawful basis to share personal data where it is necessary for you to comply with a legal obligation.
You may be able to rely on vital interests in Article 6(1)(d) as your lawful basis, if you need to share the personal data to protect someone’s life. However, this is only likely to be applicable in a very limited range of circumstances where an individual’s life is at risk.
Consent under Article 6(1)(a) may provide a lawful basis for sharing, but this is unlikely to be practical. It is only appropriate if the individual has a real choice in freely agreeing to you sharing their personal data and being able to easily withdraw consent. For example, a victim of crime may be willing for you to share their personal data; however, the alleged perpetrator is unlikely to be. This means that in practical terms consent is unlikely to be appropriate in the context of law enforcement and you should consider another lawful basis.
You may be able to rely on public task in Article 6(1)(e) as your lawful basis if you exercise official authority (for example, a public body’s tasks, functions, duties or powers) or carry out a specific task in the public interest. You need to demonstrate that sharing personal data is necessary and the relevant task or function must have a clear basis in law.
If your original intention for processing the personal data included sharing it with a law enforcement authority, then the lawful basis you choose should reflect this purpose. For example, if you have installed a CCTV system for the purpose of the prevention and detection of crime, then you may intend to share any evidence of criminal activity with the police. You may have decided to rely on the legitimate interests lawful basis to process and further share any relevant footage with the authorities.
However, if you didn’t envisage sharing the personal data with a law enforcement authority, then using the data in this way is a new purpose. An example might be where you are processing employee data for HR purposes and then receive a request to share some of your records with a law enforcement authority as part of its investigation into suspected criminal activity.
The “purpose limitation” principle in Article 5 of the UK GDPR states that “personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. This means you need to consider whether this new purpose is compatible with your original purpose.
You can normally only process personal data for a new purpose which you did not originally anticipate if:
- the new purpose is compatible with the original purpose;
- you get the individual’s specific consent for the new purpose; or
- you can point to a clear legal provision requiring or allowing the new processing in the public interest.
If the new purpose is compatible, then you may not need a new lawful basis to further process the personal data. This situation is different if you originally relied on consent, as you will need to get fresh consent which specifically covers the new purpose.
Please see our guidance on purpose limitation for more information on this principle and details on compatible processing.
If you are processing personal data without envisaging the need to share it with a law enforcement authority, then doing so might not be compatible with your original purpose. This depends on the circumstances of each case.
However, the “crime and taxation: general exemption” (see the section How does the crime and taxation exemption work?) may be available if you are sharing personal data with a law enforcement authority. This can exempt you from the purpose limitation requirement, meaning that you do not need to consider whether sharing personal data with a law enforcement authority is compatible with your original purpose for processing the personal data. However, you still have to comply with the requirement for the processing to be lawful, which means you still need a lawful basis. In practice, this is likely to be your original lawful basis for processing the personal data, unless you originally relied on consent. However, depending on the circumstances, a new lawful basis might be needed, such as legitimate interests.
For further information on the lawful bases read our guidance on lawful basis for processing.
You need to carefully consider what your lawful basis is in each case. You should document your lawful basis for processing so that you can demonstrate compliance and accountability.
There are further requirements if the personal data you want to share consists of special category data, or criminal offence data or both (see below).
In addition to this, you need to comply with other requirements of data protection law (see the section Is there anything else we need to consider?).
Further reading – ICO guidance
We have produced a tool for smaller organisations and businesses that need to consider requests to share personal data with a law enforcement authority.
See also our Data sharing information page
Can we share special category data with law enforcement authorities?
Special category data consists of personal data revealing or concerning an individual’s racial or ethnic origin, political opinions, health, religious or philosophical beliefs, trade union membership, sexual orientation, sex life, genetic data and biometric data where used for identification purposes.
It doesn’t include personal data about criminal offences, allegations or convictions. For more on this see the section Can we share criminal offence data with law enforcement authorities? below.
To share special category data with a law enforcement authority you need to identify a specific condition for processing special category data under Article 9(2) of the UK GDPR, as well as having a lawful basis under Article 6. There are 10 conditions for processing special category data.
If you wish to share data for the prevention or detection of unlawful acts, the most likely condition to apply is contained in Article 9(2)(g) of the UK GDPR (substantial public interest), with the linked condition in paragraph 10 of Schedule 1 of the DPA 2018 (preventing or detecting unlawful acts).
You can rely on this condition if:
- the disclosure (sharing) is necessary for the purposes of preventing or detecting an unlawful act;
- asking for the individual’s consent would prejudice those purposes; and
- the disclosure is necessary for reasons of substantial public interest.
The term “substantial public interest” is not defined in the DPA 2018 or the UK GDPR. However, the public interest can be taken to cover a wide range of values and principles relating to the public good, or what is in the best interests of society. Substantial public interest means the public interest needs to be real and of substance. You should be able to make specific arguments about the practical wider benefits of your sharing. For more information, please see our guidance on What are ‘reasons of substantial public interest’?
Many of the conditions in Part 2 of Schedule 1 require you to have an “appropriate policy document” in place. However, this is not the case when relying on the condition in paragraph 10 to share special category data with a competent authority. See our guidance on What is an appropriate policy document? if you want to know more.
You should document your special category condition so that you can demonstrate compliance and accountability.
Can we share criminal offence data with law enforcement authorities?
Criminal offence data might be one of the most common types of personal data you may need to share with law enforcement authorities.
Criminal offence data includes personal data about criminal convictions and offences, or related security measures. This also includes information about allegations of an offence.
For more information read our guidance on criminal offence data.
You can only share criminal offence data with law enforcement authorities if you have a lawful basis under Article 6 and either:
- the processing is carried out under the control of official authority (for example, public authorities, such as the Driver and Vehicle Licensing Authority; the Disclosure and Barring Service; and the courts, have specific roles which may give them the official authority to process criminal offence data); or
- you have lawful authority under Article 10. The DPA 2018 sets out specific conditions providing lawful authority in Schedule 1.
As with special category data, paragraph 10 of Schedule 1 is also likely to provide a condition for sharing criminal offence data for preventing or detecting unlawful acts. You can rely on this condition if:
- the disclosure (sharing) is necessary for the purposes of preventing or detecting an unlawful act;
- asking for the individual’s consent would prejudice those purposes; and
- the disclosure is necessary for reasons of substantial public interest.
Unlike special category data, when processing criminal offence data for preventing or detecting unlawful acts (for example, disclosing or preparing to disclose personal data to a law enforcement authority to assist its investigation), there is no requirement to explicitly demonstrate that the processing is necessary for reasons of substantial public interest. This is because paragraph 36 of Schedule 1 of the DPA 2018 removes this requirement for criminal offence data. So if you are processing criminal offence data only, and not special category data, you can rely on the condition in paragraph 10 without needing to demonstrate that the processing is necessary for reasons of substantial public interest.
A shopkeeper is using CCTV, and routinely captures footage of customers in the premises. A police force requests a copy of some CCTV footage of an incident involving an assault on a customer for an ongoing criminal investigation. The police force tells the shopkeeper why the footage is wanted (some law enforcement authorities may use a standard form for requesting personal data).
The shopkeeper is processing criminal offence data under Article 10 of the UK GDPR and Part 2 of the DPA 2018. This means the shopkeeper needs both a lawful basis for processing under Article 6 (such as legitimate interests) and a condition for processing under Schedule 1 of the DPA 2018. In this case, the shopkeeper is likely to rely on paragraph 10 of Schedule 1 to process the CCTV data, and to give the police a copy of the footage to help with the investigation.
The receiving police force (law enforcement authority) is processing the information under Part 3 of the DPA 2018 in carrying out its functions for law enforcement purposes.
An employer receives details of an allegation made by one of its employees about theft of property from the organisation by another employee. The employer reports the incident to the police, who request details to investigate the matter.
The employer is processing personal data in the form of criminal offence data under Article 10 of the UK GDPR and Part 2 of the DPA 2018. This means the employer (who does not hold any official authority for the processing) needs both a lawful basis for processing under Article 6 and a condition for processing under Schedule 1 of the DPA 2018. In this case the employer is likely to rely on legitimate interests as its lawful basis and paragraph 10 of Schedule 1 to process the details of the allegation against its employee and to share this with the police.
The receiving police force (the law enforcement authority) is processing the information under Part 3 of the DPA 2018 in carrying out its functions for law enforcement purposes.
When relying on the condition in paragraph 10 to disclose (or to prepare to disclose) criminal offence data to a law enforcement authority, it is not necessary to have an “appropriate policy document” in place, as is usually required for reliance on a condition in Part 2 of Schedule 1. See our guidance on What is an appropriate policy document? for more information.
You should document your condition for processing criminal offence data so that you can demonstrate compliance and accountability.
How much personal data should we share?
To comply with the data minimisation principle, you should only provide as much personal data as is adequate, relevant and limited to the purpose of sharing with a law enforcement authority. How much personal data is necessary depends on the circumstances in each case.
You need to be satisfied that the personal data is necessary for the law enforcement authority to fulfil its law enforcement purposes. For example, a police force should tell you why it needs the personal data you hold. You must only share personal data that is limited to what is requested and what is reasonable. If you receive a court order to disclose personal data, this will set out what is deemed necessary for the investigation and what you must disclose.
A police force requests personal data from an employer about an employee’s attendance at work in order to verify an alibi whilst investigating suspected criminal behaviour during a specified period of time. The force uses a form to explain the reason for its request for the personal data.
The employer only provides copies of the employee’s swipe card entry records for the period specified by the police force and does not provide records outside this period.
The employer provides copies of all of the employee’s swipe card entry time records from the past three years and full personnel file, including disciplinary information. This additional information is unnecessary.
An organisation reports an alleged offence under section 170 of the DPA 2018 to the ICO regarding unlawful obtaining of personal data by an employee. The ICO requests details relating to the allegation about the individual.
The organisation provides personal data about the employee’s actions during the alleged offence.
The organisation provides a full personnel file about the employee as part of the evidence it supplies to the ICO. This extra personal data is not relevant to the allegation.
If you are proactively sharing personal data (eg if you are reporting a crime) you should not provide more than is reasonably needed for you to do this.
Do we need to tell individuals that we are sharing their personal data?
Data protection law generally requires you to be transparent with individuals. They also have a right to be informed about what you intend to do with their personal data, including whom you may share it with. However, there are some exemptions, particularly if you are sharing personal data with competent authorities. See the section How does the crime and taxation exemption work?
Is there anything else we need to consider?
Yes. You need to comply with your other obligations under data protection law. These should be familiar to you from your general processing activities. In particular, when sharing personal data, you should:
- process personal data fairly;
- ensure your purposes are specified, explicit and legitimate;
- ensure the accuracy of personal data you share;
- ensure appropriate security measures are in place when sharing – more sensitive personal data generally requires more protection;
- carry out a DPIA beforehand if the sharing is likely to result in high risk;
- retain personal data only for as long as necessary;
- keep records of your sharing, purposes and lawful basis for doing so, and any exemptions you may rely on; and
- respect the rights of individuals under the UK GDPR.
There is an exemption from some of these obligations if you need to share personal data with competent authorities. See the section How does the crime and taxation exemption work?
How does the crime and taxation exemption work?
If you are sharing personal data with a competent authority, you may be able to rely on the “crime and taxation: general exemption” when complying with some of your obligations under data protection legislation. This exemption is set out in paragraph 2 of Schedule 2 of the DPA 2018.
This exemption can apply if you share personal data for any one of the following purposes:
- to prevent or detect crime;
- to apprehend or prosecute offenders; or
- to assess or collect a tax, duty or similar imposition.
It exempts you from the UK GDPR’s provisions on individuals’ data protection rights, such as:
- the right to be informed;
- all the other individual rights, except rights related to automated individual decision-making including profiling;
- notifying individuals of personal data breaches;
- the lawfulness, fairness and transparency principle, except the requirement for processing to be lawful;
- the purpose limitation principle; and
- all the other principles, but only so far as they relate to the right to be informed and the other individual rights.
It is not a blanket exemption. It applies only to the extent that complying with these provisions would be likely to prejudice the purposes listed above. If you can comply with the obligations under the UK GDPR without causing prejudice, you must do so.
To comply with your accountability obligations, you must be able to:
- explain the nature of the prejudice to the purpose or purposes listed above; and
- show a direct causal link between compliance and the prejudice to the purpose or purposes.
The potential prejudice has to be real and substantial rather than just a remote possibility. A common example might be where complying with an individual’s rights could prejudice the purposes of preventing or detecting crime by alerting them to the fact that you have shared their personal data with the police as part of an investigation.
A shopkeeper receives a subject access request from an individual suspected of theft. They have requested a copy of the shop’s CCTV footage, and confirmation of what processing is taking place, including any disclosures made by the shopkeeper. The shopkeeper has shared the CCTV footage of the theft with the police.
The shopkeeper does not have to comply with any element of the individual’s request that would be likely to prejudice the police investigation, for example by alerting the individual to the fact that the matter has been reported to the police. The shopkeeper does not need to provide any privacy information to the individual (under their right to be informed) if to do so would prejudice the police investigation.
An employee of an organisation makes an allegation of theft by another employee. The organisation shares details of the allegation with the police. The police investigation is ongoing.
The employee suspected of theft makes a SAR to the organisation for details about the allegation and whether any information has been passed to the police. The organisation does not need to comply with the SAR if, having consulted first with the police, it considers doing so would prejudice the police investigation. Similarly, the organisation does not need to provide any privacy information under the right to be informed because to do so would alert the individual to the police investigation.
Once the investigation has been completed and the individual has been charged, they make a further SAR to their employer who now complies with it as the police investigation will no longer be prejudiced.
A police force is investigating suspected criminal activity involving the use of a haulage firm’s commercial vehicles to move around illicit goods. The force asks the haulage firm to provide details of the movements of its vehicles and drivers to establish which employee is involved. The manager provides a copy of the shift rota and vehicle log for the time period in question. The company does not provide any privacy information under the right to be informed to the employees concerned because to do so would alert the individual to the police investigation.
We’re a law enforcement authority. Can we share or reuse personal data originally processed under the UK GDPR / Part 2 of the DPA 2018 for law enforcement purposes?
Yes. The same rules apply to you as to non-law enforcement authorities sharing personal data with law enforcement authorities for processing under Part 3 of the DPA.
Provided that the sharing is proportionate and appropriate, the UK GDPR does not prevent you sharing personal data with another law enforcement authority for further processing under the law enforcement purposes. In addition, if you are processing personal data under the UK GDPR / Part 2 of the DPA 2018, you may reuse that data for further processing under Part 3 if you are also a competent authority for those purposes.
You need to make sure you have a lawful basis for the sharing and, if relevant, a condition for processing if this includes special category or criminal offence data or both, and comply with your other data protection obligations.