Giving confidential data to the police

When the police need your organisation’s confidential data, does GDPR allow you to provide them? Here we consider the issues. 

Most individuals will do everything they can to cooperate with the police when they request information for an investigation. When that information concerns someone else’s confidential data, however, the right response is not always straightforward.

Would you know what to do if the police asked for staff records, or issued a warrant requesting all laptops and computers, for example? What about requests to assist investigations into a serious crime that your CCTV may have captured? How can companies comply with these requests, while continuing to meet their obligations under GDPR?

What is the UK GDPR?

The UK’s General Data Protection Regulation (UK GDPR) was retained in domestic law on 25 May 2018. It sits alongside the Data Protection Act 2018 (DPA 2018), protecting “natural persons” when processing their personal data as a “fundamental right”.

Although the UK GDPR makes it clear that this is “not an absolute right; it must be considered in relation to its function in society and balanced against other fundamental rights”, there are still legal requirements under both the UK GDPR and the DPA 2018 for data to be shared responsibly and proportionately, even when sharing such data with the police.

Companies that fail to do so could, in the most serious cases, face fines of up to 4% of annual global turnover if found guilty of infringing the UK GDPR and the DPA 2018. The Information Commissioner’s Office (ICO) can also take regulatory action, including bans on data processing, or suspending data transfers. As such, non-compliant data sharing can cost a company significantly in both financial and reputational terms, regardless of the intention behind it.

What are data controllers?

Most businesses are considered data controllers under GDPR. This means that they collect relevant personal data and process those data for a specific purpose. Data that concern “natural persons” often relate to employees and customers, such as names, addresses and contact details, as well as emails, pay slips, appointments, and even CCTV footage.

As data controllers, businesses are expected to manage these data responsibly, and take all necessary measures to keep data secure.

“Controllers shoulder the highest level of compliance responsibility,” the ICO says. “You must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements. You are also responsible for the compliance of your processor(s).”

The best way of demonstrating compliance with UK GDPR and its seven principles is to have in place a Data Protection Policy that explains which data are controlled, how they are controlled and processed, and how the business carries out its activities in accordance with both UK GDPR and DPA 2018 requirements. It is also important that a Data Protection Policy is in place before any data are requested by the police or another law enforcement authority.

What is a lawful basis for data sharing?

The UK GDPR and DPA 2018 do not prohibit sharing personal data with the police. Under UK GDPR, businesses can share data for such purposes as “the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties including the safeguarding against and the prevention of threats to public security.”

The DPA 2018 permits processing personal data for the “performance of a task carried out in the public interest, such as the administration of justice.”

Furthermore, in addition to the data sharing provisions under the GDPR and DPA 2018, the new Economic Crime and Corporate Transparency Act 2023 has made amendments to the Proceeds of Crime Act 2002 to enable sharing of information between certain businesses for the purposes of preventing, detecting, and investigating economic crime.

Both businesses and the police will, however, need to provide a lawful basis for sharing and processing personal data.

Listed under Article 6 of the UK GDPR, these include:

• Consent from the data subject
• Performance of a contract with the data subject
• Compliance with a controller’s legal obligation
• Protecting the interests of the data subject or someone else
• The public interest
• Performing a task under a controller’s official authority
• Legitimate interests of the controller (providing these do not interfere with someone else’s freedoms or rights).

For more sensitive data, known as special category data, businesses and the police must also identify a lawful condition, as well as a lawful basis. Listed under Article 9, these cover matters in which public interest may override individual rights and freedoms, including those “on the basis of domestic law”.

It is important to remember that, without a lawful basis and a lawful condition, sharing any data – even those that could aid a police investigation – could be in breach of the UK GDPR. An individual or organisation is also under no obligation to share data straightaway unless the police have a warrant, although it is still advisable to work with legal teams to check that the scope and breadth of that warrant are proportionate to the needs of the investigation.

What does it mean to process data proportionately?

Defining a lawful basis and a lawful condition does not open the floodgates to indiscriminate data sharing and processing. Both the UK GDPR and the DPA 2018 stipulate that only those data required for the purposes of the activity defined under the lawful basis and the lawful condition must be processed.

If, for example, the police require CCTV footage to confirm an alibi given by a suspect in an investigation, they may only process footage taken from the specific place and time detailed in the alibi. As such, providing a week’s worth of footage from all CCTV cameras on the premises would not be proportionate to the purposes of the investigation, and would therefore breach both the UK GDPR and the DPA 2018.

Sharing and processing an individual’s data must be done with their consent, unless doing so would risk harm to themselves or others or prejudice an investigation. Where consent is not sought, this too must be justified, and only data relevant to this justification may be shared and processed without requiring consent.

Why is a Data Protection Policy important?

In addition to detailing how businesses comply with the UK GDPR’s seven principles, Data Protection Policies can also define a process for handling data sharing requests from police and other law enforcement authorities. This can include:

• the nominated person to whom such requests must be forwarded;
• the format in which any requests must be made, along with the information required;
• where and how records and documents relevant to such requests must be stored.

Once developed, this process must be communicated across the whole business to ensure everyone if aware of their obligations under GDPR.

Working with legal professionals at any stage of this process is key. As well as offering advice during an investigation, legal teams can also help businesses to develop a procedure for data sharing in line with UK GDPR requirements and can even conduct ‘role plays’ with individuals to help them prepare for, and manage, situations in which data are requested by the police.

Assisting the police in an investigation is a crucial part of the UK’s legal and judiciary system, but this cannot be done at the cost of an individual’s fundamental rights and freedoms. Through adequate preparation, however, it is possible to ensure a business can act in the wider public interest, while meeting its obligations as a controller and/ or processor of personal data.