We often advise clients on requests to share information with others – including with government and law enforcement agencies. There can often be pressure to share information quickly, without the chance to scrutinise the implications properly and where the requesting authority is confident that it is entitled to ask for the information. A recent widely reported case illustrates the pitfalls that can arise.
Information to investigate an employee
It was reported yesterday that the Metropolitan Police and Greater Manchester Police admitted breaching the Data Protection Act 1998 and Article 8 of the European Convention on Human Rights by obtaining and misusing personal data relating to Ms Brown, an ex-Detective Constable who had gone on holiday while on sick leave. A senior police officer approved an application to an airline seeking details of Ms Brown’s air travel for the last 5 years. The application referred to a non-existent Act of Parliament (the “Police Act 2007”) as the basis for the request. A request was also made for information from the National Border Targeting Centre, a division within the UK Border Force which collects information on people leaving and entering the country. In both cases personal information was shared with the police.
Points to bear in mind
The requests for information came from the police, which, like other public bodies, might be assumed to have considered carefully the legal basis on which they sought to obtain the personal information.
Our advice to clients dealing with requests to share information is to consider the request very carefully – and to ask questions when in doubt about the legality or scope of a request. In particular, you should ask yourself:
- What powers are being relied on? Do they include a power to compel you to provide the information requested? In the absence of such a power you are not compelled to disclose the information just because you have been asked to provide it.
- Do you have the power to share the information? Public bodies should look at the legislation that sets out their powers and duties.
- Are there any other special rights of access to information that might apply? The common law and other statutory provisions may give specific rights to a certain class or organisation requesting the information. An example of this would be section 6 of the Victims and Witnesses (Scotland) Act 2014 in respect of certain court documents.
- Will sharing information be compatible with other laws? Does the information sharing comply with the Human Rights Act 1998, and Article 8 ECHR in particular? Does sharing the information pursue a legitimate aim and is it necessary and proportionate to achieve that aim? Even if the body asking for the information may be pursuing a legitimate interest, you should also consider whether it is legitimate for you to disclose the data. Can the data sharing be justified with reference to the conditions in Schedule 2 and (where sensitive personal data is involved) Schedule 3 of the DPA? Are there any other statutory or common law prohibitions such as rights of confidentiality or intellectual property?
- Should the organisation enter into a data sharing agreement? Such agreements can be appropriate for both continuous and one-off data sharing exercises. They should include a requirement to comply with the DPA, duties of confidentiality and obligations to store the data securely, including appropriate warranties and rights of termination for legal breaches.