When the police need your organisation’s confidential data, does the UK GDPR allow you to hand it over? Here we consider the issues.
Most individuals will do everything they can to cooperate with the police when they request information for an investigation. When that information concerns someone else’s confidential data, however, the right response is not always straightforward.
Would you know what to do if the police asked for staff records, or issued a warrant requesting all laptops and computers, for example? What about requests to assist investigations into a serious crime that your CCTV may have captured? How can companies comply with these requests, while continuing to meet their obligations under GDPR?
What is the UK GDPR?
The UK General Data Protection Regulation (UK GDPR) is the EU GDPR, which applied in the UK from 25 May 2018, as retained and amended in domestic law when the Brexit transition period ended on 1 January 2021. It sits alongside the Data Protection Act 2018 (DPA 2018) and treats the protection of “natural persons” in relation to the processing of their personal data as a “fundamental right”.
Although the UK GDPR makes it clear that this is “not an absolute right; it must be considered in relation to its function in society and balanced against other fundamental rights”, there are still legal requirements under both the UK GDPR and the DPA 2018 for data to be shared responsibly and proportionately, even when sharing such data with the police.
Companies that fail to do so could, for the most serious infringements of the UK GDPR and the DPA 2018, face fines of up to £17.5 million or 4% of total annual worldwide turnover, whichever is higher. The Information Commissioner’s Office (ICO) can also take regulatory action short of a fine, including enforcement notices that require processing to stop or data transfers to be suspended. As such, non-compliant data sharing can cost a company significantly in both financial and reputational terms, regardless of the intention behind it.
What are data controllers?
Most businesses are data controllers under the UK GDPR: they decide why and how personal data are processed (the “purposes and means”), rather than merely processing data on another organisation’s instructions. Data that concern “natural persons” often relate to employees and customers, such as names, addresses and contact details, as well as emails, pay slips, appointments, and even CCTV footage.
As data controllers, businesses are expected to manage these data responsibly, and take all necessary measures to keep data secure.
“Controllers shoulder the highest level of compliance responsibility,” the ICO says. “You must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements. You are also responsible for the compliance of your processor(s).”
The best way of demonstrating compliance with UK GDPR and its seven principles is to have in place a Data Protection Policy that explains which data are controlled, how they are controlled and processed, and how the business carries out its activities in accordance with both UK GDPR and DPA 2018 requirements. It is also important that a Data Protection Policy is in place before any data are requested by the police or another law enforcement authority.
What are the seven principles of UK GDPR?
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
What is a lawful basis for data sharing?
The UK GDPR and DPA 2018 do not prohibit sharing personal data with the police. Under UK GDPR, businesses can share data for such purposes as “the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties including the safeguarding against and the prevention of threats to public security.”
The DPA 2018 permits processing personal data for the “performance of a task carried out in the public interest, such as the administration of justice.”
Furthermore, in addition to the data sharing provisions under the GDPR and DPA 2018, the new Economic Crime and Corporate Transparency Act 2023 has made amendments to the Proceeds of Crime Act 2002 to enable sharing of information between certain businesses for the purposes of preventing, detecting, and investigating economic crime.
Both businesses and the police will, however, need to provide a lawful basis for sharing and processing personal data.
The six lawful bases listed under Article 6 of the UK GDPR are:
- Consent from the data subject
- Performance of a contract with the data subject (or steps taken at their request before entering one)
- Compliance with a legal obligation to which the controller is subject
- Protecting the vital interests of the data subject or another person
- Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (the “public task” basis)
- Legitimate interests of the controller or a third party, except where these are overridden by the interests or fundamental rights and freedoms of the data subject.
For more sensitive data, known as special category data, businesses and the police must also identify a lawful condition, as well as a lawful basis. These conditions are listed under Article 9 of the UK GDPR and cover matters in which the public interest may override individual rights and freedoms. Several of them can only be relied on “on the basis of domestic law”, which in the UK means meeting one of the additional conditions in Schedule 1 to the DPA 2018.
It is important to remember that, without a lawful basis (and, for special category data, a lawful condition), sharing any data – even data that could aid a police investigation – could be in breach of the UK GDPR. An individual or organisation is also under no obligation to share data straightaway unless the police have a warrant or a court order, although it is still advisable to work with legal teams to check that the scope and breadth of that warrant or order are proportionate to the needs of the investigation.
What are special category data?
According to Article 9(1) of the UK GDPR, special category data are any data that reveal “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership”, together with genetic data, “biometric data for the purpose of uniquely identifying a natural person” and any data that detail a person’s health, sex life, or sexual orientation.
Processing these data is prohibited unless it can be justified by one of the ten lawful conditions under Article 9 of the UK GDPR.
What does it mean to process data proportionately?
Defining a lawful basis and a lawful condition does not open the floodgates to indiscriminate data sharing and processing. Both the UK GDPR and the DPA 2018 stipulate that only those data required for the purposes of the activity defined under the lawful basis and the lawful condition must be processed.
If, for example, the police require CCTV footage to confirm an alibi given by a suspect in an investigation, they may only process footage taken from the specific place and time detailed in the alibi. As such, providing a week’s worth of footage from all CCTV cameras on the premises would not be proportionate to the purposes of the investigation, and would therefore breach both the UK GDPR and the DPA 2018.
Consent is only one of the lawful bases, and it is rarely the right one for a police request; a business will usually rely instead on a legal obligation, the public task basis or legitimate interests. Whatever the basis, the individual would normally be told that their data have been shared. The DPA 2018 allows that transparency to be withheld where it would prejudice the prevention or detection of crime or risk harm to the individual or others, but the decision to withhold it must itself be justified and recorded, and only the data relevant to that justification may be shared.
Top tips for sharing confidential data with the police
- Stay calm. Being approached by the police can be a stressful and intimidating experience, which may cause an individual to act hastily. Businesses should ensure that all employees know what to do when faced with a police request.
- Do not share all the information straightaway. The police cannot compel an individual to share confidential data unless they have a warrant or a court order. Businesses should only share relevant data once satisfied that they have a lawful basis (and, for special category data, a lawful condition) for doing so.
- Nominate a competent person to handle such requests. A competent person should be someone in a senior position, with knowledge of both the UK GDPR and the DPA 2018. For larger organisations, this may be the Data Protection Officer or a member of the compliance team. Make sure all employees, particularly public-facing individuals such as receptionists, know who to contact.
- Record everything. When the police or another law enforcement authority make a request for data, this should also be submitted in writing. After ensuring that the request provides all necessary detail, a business should file it with all other relevant correspondence, as well as details of any decisions made, by whom, and when.
- Do not provide original copies. Hard copies containing special category data, such as medical records, should not be removed from the premises. Before making a copy, a business should ensure any information not relevant to the investigation is redacted. Record how many copies are made, and to whom they are given.
- Share data securely. Before sharing any data electronically, businesses should verify the identity of the recipient, for example by calling back on a number obtained from the force’s published contact details rather than one supplied in the request, and should confirm that the recipient has a secure means of receiving the data. All data shared electronically must be encrypted and must never be transferred via personal accounts or devices. As data controllers, businesses will also be liable for the security of any data processed on their behalf by third parties.
- Seek legal advice. The UK GDPR is complex. It is therefore important to work with legal professionals at the earliest opportunity to ensure any data shared with the police are done so in compliance with data protection law.
Why is a Data Protection Policy important?
In addition to detailing how businesses comply with the UK GDPR’s seven principles, Data Protection Policies can also define a process for handling data sharing requests from police and other law enforcement authorities. This can include:
- the nominated person to whom such requests must be forwarded;
- the format in which any requests must be made, along with the information required;
- where and how records and documents relevant to such requests must be stored.
Once developed, this process must be communicated across the whole business to ensure everyone is aware of their obligations under the UK GDPR.
Working with legal professionals at any stage of this process is key. As well as offering advice during an investigation, legal teams can also help businesses to develop a procedure for data sharing in line with UK GDPR requirements and can even conduct ‘role plays’ with individuals to help them prepare for, and manage, situations in which data are requested by the police.
Assisting the police in an investigation is a crucial part of the UK’s legal and judicial system, but this cannot be done at the cost of an individual’s fundamental rights and freedoms. Through adequate preparation, however, it is possible to ensure a business can act in the wider public interest, while meeting its obligations as a controller and/or processor of personal data.
Gateley Plc is authorised and regulated by the SRA (Solicitors' Regulation Authority). Please visit the SRA website for details of the professional conduct rules which Gateley Legal must comply with.