Crime condition
In detail
- What is the crime condition?
- Is it appropriate to use recognised legitimate interest for crime purposes in every situation?
- How do we apply the crime condition?
What is the crime condition?
Handling personal information for detecting, investigating and preventing crime helps protect people from harm and serves the interests of society at large.
Data protection law enables you to use people’s information where it is necessary to prevent and report crimes, as well as to help prosecute offenders (including suspected offenders). This includes where you need to share personal information with other organisations for these purposes.
The UK GDPR provides a recognised legitimate interest condition for using personal information for these purposes. Annex 1 of the UK GDPR says:
5. This condition is met where the processing is necessary for the purpose of –
a) detecting, investigating or preventing crime, or
b) apprehending or prosecuting offenders.
We call this the ‘crime condition’. The UK GDPR doesn’t give definitions for the different purposes it covers but it’s likely to be obvious whether what you want to do with the personal information is for a purpose that falls within the crime condition.
A variety of economic crimes are included in the scope of this condition, for example:
- money laundering;
- financing terrorists; and
- scams and fraud aimed at people or organisations.
Is it appropriate to use recognised legitimate interest for crime purposes in every situation?
No. Some organisations that need to handle personal information for crime-related purposes don’t need to rely on recognised legitimate interest. For example:
- public authorities may have tasks and functions which include using personal information to prevent or detect crime (the public task basis is likely to apply);
- some organisations have statutory crime reporting obligations, such as banks and other regulated institutions that have to report financial crimes to the authorities (the legal obligation basis is likely to apply); and
- competent authorities, such as the police, are covered by the rules in Part 3 of the DPA when processing personal information for law enforcement purposes (they don’t need a UK GDPR lawful basis).
If these circumstances don’t apply to you, you may be able to use recognised legitimate interest as your lawful basis.
Depending on the situation, you may find that more than one of the recognised legitimate interest conditions is relevant. For example, if you’re handling personal information for reasons of public safety, you may have a choice about whether the crime condition or the separate national security, public security and defence condition is appropriate. (For more information, see Can more than one legitimate interest condition apply at the same time?.)
How do we apply the crime condition?
If you want to apply the crime condition, you must:
- intend to handle personal information to help:
- detect, investigate or prevent a crime; or
- catch and prosecute an offender or suspect; and
- ensure that using personal information is necessary for this purpose.
Once you’ve confirmed your purpose is one of those set out in the crime condition, you must decide if it is necessary to use people’s personal information for that purpose.
This doesn’t mean it has to be absolutely essential for you to handle personal information, but you must ensure it is more than just useful. You should use it as a targeted and proportionate way of achieving the purpose of preventing criminal activity or helping to resolve crimes that have already been committed. (For more information, see What does necessary mean?.)
Example
An insurance company wants to use personal information to spot fraudulent claims and recover money it has paid out on dishonest claims. As fraud is covered by the recognised legitimate interest condition for detecting, investigating or prosecuting a crime, it decides this lawful basis may be appropriate.
To ensure its use of personal information is targeted and proportionate, the insurer follows industry best practice when deciding what fraud indicators to look for in new claims so that these can be reviewed further by its fraud investigation team. The insurer relies on recognised legitimate interest and the crime condition to handle personal information in this way.
In some circumstances this condition may be appropriate to use when you want to proactively share personal information with another organisation about suspected criminal activity.
Example
A shop owner uses CCTV to capture images of customers in the store to both deter and record incidents of shoplifting. The footage clearly shows a customer putting high-value items inside their coat before paying for items in their basket and then leaving the store.
The shop owner decides this footage is necessary for detecting a crime and catching an offender. After taking care to obscure images of any other people captured by the footage, they rely on recognised legitimate interest and the crime condition to share this footage with the local police.
Sometimes, another organisation might ask you to share personal information they need in connection with actual or suspected criminal activity. For example, the police might ask you for details of your employees’ log-in times to establish the precise details of a criminal act or to help with the prosecution of a suspect (rather than you proactively giving this information to them).
The police and other investigative bodies may use a standard form to explain what information they need from you for their investigation into the criminal activity (but not always).
If you want to share personal information in response to the request, the crime condition is likely to be appropriate. But you must only share the minimum amount of information they need. For example, if you think the personal information requested on a standard police form is excessive, you could ask them to explain why they need that information.
If you’re handling criminal offence data (which includes suspicion or allegations of criminal activity), you must also meet the requirements of article 10 of the UK GDPR. But if your purpose for using people’s personal information satisfies the crime condition, it’s likely this will also satisfy a condition from the DPA for processing criminal offence data. (For more information, see Can we use recognised legitimate interest for criminal offence data?.)
In some circumstances, personal information about people other than offenders might be covered by the crime condition (eg victims or witnesses of crime). Their personal information isn’t criminal offence data and you don’t need to identify a condition from the DPA. But victims and witnesses may have experienced trauma and can be at risk of further crime or intimidation. Due to the significant risks to the privacy and well-being of these people in the event of a personal data breach, you should take extra care when handling their information.
Using personal information in the context of the crime condition may involve special category data. If so, you must meet one of the special category data conditions in article 9 of the UK GDPR. (For more information, see Can we use recognised legitimate interest for special category data?.)
You must still meet all your other obligations under data protection law unless an exemption applies to any particular provision. There is a crime and taxation exemption in the DPA, but it doesn’t remove the requirement for you to have a lawful basis to handle personal information for this purpose. (For more information on your other data protection obligations, see What else do we need to consider?.)