Sharing Personal Data With the Police

Martin Brazier | Senior Consultant at URM | Published on 20 March 2025

Part 3 of the Data Protection Act 2018 (DPA 2018) covers personal data processing for law enforcement purposes by what are known as ‘competent authorities’.  These authorities are listed in Schedule 7 of the DPA 2018, and include all chief constables of UK police forces and any UK ministerial government department.  The DPA 2018 also defines law enforcement purposes as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.  

There may be circumstances where your organisation needs to proactively share personal data to report a crime to the police and to provide relevant information.  You may also receive a request from the police for personal data you hold to help them investigate a crime. These requests often come on a standard form, which normally provides you with sufficient information to consider whether you should share the data.  You may also receive a court order or other legal obligation that compels you to share data with the police.

Does data protection legislation compel your organisation to share personal data with the police?

In short, no.  However, it does provide a framework that permits you to share information with the police for law enforcement purposes where it is necessary and proportionate to do so.  This framework also permits you to share data in response to a court order or other legal requirement.  Often it will be obvious that you need to share personal data, such as when you receive a court order or need to report a crime; however, in some scenarios, you will need to think carefully before you commit to sharing.

If your organisation receives a court order for information, you must provide it, as not complying with a court order may represent a contempt of court.

What do you need to consider?

The first consideration will be your organisation’s lawful basis for sharing the information in accordance with the lawfulness, fairness and transparency principle from Article 5 of the UK General Data Protection Regulation (UK GDPR).  You will need to consider which, if any, of the six lawful bases in Article 6 of the UK GDPR will apply.  

One lawful basis that may apply is that of ‘legitimate interests’ under Article 6(1)(f), where processing is necessary for your organisation’s legitimate interest or that of a third party, such as the police, provided those interests are not outweighed by the interests, rights and freedoms of the individual whose data you are sharing. For example, your organisation’s legitimate interest may be to report a crime or share with the police the personal data of an individual suspected of a crime to ensure a fair and proper investigation.

If your organisation receives a court order or has a statutory duty to report potential crimes to the police, your lawful basis is likely to be legal obligation in Article 6(1)(c), which provides a lawful basis to share personal data where it is necessary for your organisation to comply with a legal obligation.

It is rare that the lawful basis of consent presents a practical approach in these cases.  Consent can be withdrawn, and must be able to be withdrawn easily, so it is only appropriate if the individual has a real choice in agreeing to you sharing their personal data.  Whilst a victim of crime may be willing for you to share their personal data, an alleged perpetrator is unlikely to be.  As such, consent is unlikely to be your first choice for consideration.

If your organisation exercises official authority, it is possible to rely on public task in Article 6(1)(e) as your lawful basis.  However, you need to be able to demonstrate that sharing personal data is necessary to exercise your specific official authority and identify a clear basis in law.

There may be instances where your organisation is processing personal data for the purposes of crime prevention and detection, such as in a CCTV system.  In this case, your organisation’s privacy policy will need to clearly state this purpose and indicate that CCTV images may be shared with the authorities.

How about the purpose limitation principle?

You should also consider whether the sharing represents further processing in a manner that is not compatible with your organisation’s original purpose for holding the data.  This is covered by the purpose limitation principle, which states that personal data shall be collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.

You can normally only process personal data for a new, previously unanticipated purpose if the new purpose is compatible with the original purpose, if you get the individual’s specific consent for the new purpose, or if you can identify a clear legal provision that requires or allows the new processing in the public interest.

If the new purpose is compatible (for example, if you were processing information from CCTV installed to prevent and detect crime), you may not need a new lawful basis to further process the personal data.  The situation is different if you originally relied on consent, as you will need to obtain fresh consent that specifically covers the new purpose, and we have already covered the difficulties in relying on consent as the lawful basis.

However, in this context your organisation should also consider the crime and taxation exemption in Schedule 2 of DPA 2018.  This exemption applies if you process personal data for the purposes of the prevention and detection of crime, or the apprehension or prosecution of offenders.  It exempts you from some of the UK GDPR’s provisions, including the purpose limitation principle, meaning that you do not need to consider whether sharing personal data with a law enforcement authority is compatible with your original purpose for processing the personal data.  However, you still must comply with the requirement for the processing to be lawful, and will therefore still need a lawful basis.  In practice, this is likely to be your original lawful basis for processing the personal data, unless you originally relied on consent.  However, depending on the circumstances, you may require a new lawful basis, such as legitimate interests.

You also need to consider the data minimisation principle, so that you only provide as much personal data as is adequate, relevant and necessary for the purpose of sharing with the police.  The legislation does not define how much personal data is necessary and you will need to determine this depending on the circumstances. Ultimately, your organisation must only share the personal data that is necessary for the police to fulfil their law enforcement purposes, but no more.  In their request for information, the police will usually explain what data they need from your organisation and why they need the personal data it holds.  If the police do not provide this information then your organisation should ask for it, to help you assess whether disclosure to the police is justified and lawful.  To summarise, just because your organisation receives a request from the police for personal data (unsupported by a court order) to assist in their investigations, it is not automatically lawful for you to let the police have all the personal information requested.  If, on the other hand, you receive a court order to disclose personal data, this will explain what your organisation must provide and why and, to repeat, you must comply with such an order.

What if the personal data includes special category data?

Special category data is personal data concerning an individual’s racial or ethnic origin, political opinions, health, religious or philosophical beliefs, trade union membership, sexual orientation, sex life, genetic data and biometric data (when this is used to identify a particular individual).  It does not include personal data about criminal offences, allegations or convictions, but we will cover that in the next section.

As well as having a lawful basis under Article 6, to share special category data with the police, your organisation would need to identify a specific condition for processing special category data under Article 9(2) of the UK GDPR.  Of the ten conditions for processing special category data, sharing data for the prevention or detection of crime is covered in Article 9(2)(g).  You would also need to rely on the linked condition from paragraph 10 of Schedule 1 of the DPA 2018, for preventing or detecting unlawful acts.

This condition is met if the sharing is necessary for the purposes of preventing or detecting crime, where obtaining the individual’s consent would prejudice those purposes and where the disclosure is necessary for reasons of substantial public interest.  In practical terms, substantial public interest is taken to mean that which is in the best interests of society, and you must be able to determine that the sharing is required to prevent or investigate a crime and that it is in the public interest to do so.

When processing special category data, some of the conditions in Schedule 1 require you to have an appropriate policy document in place.  However, this is not the case when relying on the condition in paragraph 10 to share special category data with the police or other competent authority.  

To learn more about GDPR requirements around special category data, read our blog Are you Processing Special Category Personal Data Without Knowing it?

What about criminal offence data?

Criminal offence data includes personal data about criminal convictions and offences, or related security measures, which would include allegations of an offence.  

Criminal offence data can only be shared if you have a lawful basis under Article 6 and either the processing is carried out under the control of official authority, or you have lawful authority under Article 10.  Again, Schedule 1 can provide you with lawful authority that you can rely on if the sharing is necessary for the purposes of preventing or detecting a crime, where asking for the individual’s consent would prejudice those purposes and where the disclosure is necessary for reasons of substantial public interest.

Paragraph 36 of Schedule 1 of the DPA 2018 removes the requirement to explicitly demonstrate that the processing is necessary for reasons of substantial public interest for criminal offence data.  However, if the sharing also includes special category data, you will still have to demonstrate this in respect of that data.

Must you tell individuals that you're sharing their information with the police?

Data protection law generally provides individuals with a right to be informed about the processing of their personal data, and the first data protection principle provides for transparency.  Individuals’ right to be informed about what your organisation does with their personal data includes any data sharing you perform; however, in some cases, informing individuals that they are suspected of a crime can prejudice an investigation or allow them to evade detection.  The crime and taxation exemption will exempt you from the provisions on the right to be informed and the transparency principle, as the exemption applies if complying with these provisions would be likely to prejudice the purposes (prevention or detection of an unlawful act) for which you are processing the data, i.e., making the disclosure to the police.

Anything else to bear in mind?

When sharing data with the police, your organisation must comply with all its usual other obligations under data protection legislation, such as processing personal data fairly, ensuring accuracy of the personal data you share, and providing appropriate security measures, with an awareness that more sensitive personal data requires greater protection.

As part of your organisation’s obligations under the accountability principle, you should document your decision making and maintain a good record of the data sharing so that you can demonstrate data protection compliance.

When considering sharing personal data with police, you may be mandated to perform a data protection impact assessment (DPIA) if the sharing is likely to result in a high risk.  However, using the framework of a DPIA to shape your decision making and to record the process is good practice, even if you decide it does not represent high risk.

How can URM help?

With a 20-year track record of assisting organisations to comply with data protection legislation, including the DPA and, more latterly, the GDPR, URM is ideally positioned to help your organisation achieve and maintain GDPR compliance.  Our large team of data protection experts can offer a range of GDPR support services to enhance your compliance position and ensure you meet regulatory requirements in full.  For example, we can conduct a GDPR gap analysis of your current processing practices to establish your current level of compliance and provide remediation support, as well as offering more specific services such as assistance with records of processing activities (RoPA), DPIAs, and data transfer impact assessments (DTIAs).  If your organisation receives data subject access requests (DSARs), we can also provide DSAR support through our redaction service, whereby our experts apply the required exemptions and redactions to the data you provide.  If your organisation would benefit from ongoing support, URM can offer a virtual data protection officer (vDPO) service, which enables you to access an entire team of data protection experts, each with their own specialised area of GDPR consultancy.

To enhance your own knowledge of the GDPR and UK data protection regime in general, URM runs a number of data protection-related training courses, each of which is led by an experienced data protection practitioner. Our courses on conducting DTIAs, DPIAs, and on responding to a DSAR, will teach you how to perform these key activities, enabling you to make significant contributions to your organisation’s data protection compliance efforts.  To gain an industry-recognised qualification in data protection, we also regularly deliver the BCS Foundation Certificate in Data Protection (CDP) course, which will fully prepare you to take the BCS invigilated exam.

Martin Brazier
Senior Consultant at URM
Martin is a highly experienced and knowledgeable GRC consultant at URM specialising in data protection. He holds BCS Certificates in Data Protection and Freedom of Information and achieved Certified Information Privacy Professional (Europe) (CIPP/E). He also holds BCS Certificates in Information Security Management Principles, Business Continuity Management and Information Risk Management.