The Data Protection Act 2018 (‘the Act’) came into force on the 25 May 2018. It incorporates the General Data Protection Regulations (GDPR) into UK’s legislation. The Act controls how personal information is used and sets strict principles that need to be followed when handling someone else’s data.
Organisations often refer to the Act to avoid disclosing data when they are approached. However, it is forgotten that the Act must be read in conjunction with the GDPR. Both the GDPR and the Act do not prevent data sharing when it is required for law enforcement purposes. If an organisation is approached by law enforcement authorities or the police forces with a request for data, then the request must be considered carefully and not just turned down. This is crucial to protect both the public interest and the hindering of any ongoing investigations.
So, what should you do if you are approached with a request to share data?
The Deputy Commissioner for the Information Commissioner’s Office has reminded organisations of the rules for data sharing and suggests that when a request for data is received, organisations should:
– Consider the request and any explanations given for the request carefully. If the request fails to give any justification on why the information requested is needed, then you should ask that you are provided with a clear justification for the request before disclosing data otherwise you may be in breach of your obligations;
– Check whether the request made is reasonable in the context of the authorities’ law enforcement purposes;
– Check whether the information you are about to share is “necessary, proportionate and justified” for the purposes of the requested law enforcement agency. It should be noted that necessary in this context does not mean essential, but it must be more than just “useful and standard practice”;
– Article 6 of the GDPR provides six lawful basis that can be used when processing data. At least one of them must apply for you to be able to process data. You should consider whether any relevant lawful basis/bases apply that would best fit the circumstances of the request. If one or more lawful basis/bases are identified, then keep a record of the one that applies. If no lawful basis applies, then you cannot share the data;
– Respond to requests received promptly to prevent delays to ongoing investigations. To achieve this ongoing staff training within the organisation is recommended.
It is important that data is not shared unnecessarily and is only shared when legitimately required by law enforcement bodies. If data is shared unlawfully then heavy sanctions and penalties may be imposed by the Information Commissioner’s Office.
However, it is often the case that organisations refuse to share data when they should do so, improperly citing data protection. For example, we are aware that landlords and agents have incorrectly informed local authorities that they cannot tell them who their tenants are as this would “breach data protection”. Where a local government body has a legitimate legal basis for seeking information, then the GDPR provides a basis for sharing that data and it should not be refused.
If you receive a request to share data and are unsure on whether you can comply with the request, then get in touch with one of our specialist solicitors who may be able to assist you with this aspect.