30 January 2015
Earlier this week, a number of daily papers ran an Edinburgh local interest story about a stolen bicycle. Bike theft in Edinburgh is not newsworthy in itself, regrettably, as we can testify (twice..). However, the distinctive bike was later spotted by its owner, being sold on Gumtree. Upon contacting the Police, the owner was, reportedly, told not only that the Police were unable to ask Gumtree to divulge the seller’s identity “because of data protection”, but that they would need a warrant to obtain the information. It is unclear why the police have not used section 29 of the DPA in these circumstances as the seller is undoubtedly a suspect in relation to the theft or reset “(criminal resale)” of the bike and we do not think a warrant was required.
If their response was correctly reported, we think the Police are unduly concerned about the DPA. The ICO has consistently emphasised that the DPA does not exist to prevent data sharing. Here, we cannot see how Gumtree could be in breach of the DPA if it handed over the seller’s name to the Police. This would be an act permitted by Sections 29(1)(b) and (3) of the DPA as processing necessary to apprehend or prosecute an offender.
However, in three recent situations, where the Police might have obtained warrants, we have had to advise organisations who have instead been served with what they wrongly (but understandably) perceive to be “Police Data Protection Demands”. Habitually these official forms are entitled “Request for Personal Data”, are signed by a Police officer, explain the information which is sought and why, and cite the Section 29 exemptions for prevention, detection and prosecution of crime etc., presumably to reassure the data controller that the information can safely be handed over.
Again that may ultimately be so, but in our experience a Data Controller’s instinctive reaction upon receiving such a Police notice will often be to simply look out and hand over all the information they can find. This rather puts the cart before the horse. Section 29 does not confer on the Police an unfettered right to demand information. Instead, it provides the data controller with a possible basis for lawful processing. However, the onus of making that assessment as to lawfulness rests with the data controller. If the data controller’s thought process extends no further than “I received a piece of paper from the Police, ergo I choose to hand over everything I have”, this is unlikely to be sufficient for DPA purposes. Careful consideration of the data controller’s obligations, of the data and if necessary, clarification from the Police of the basis for seeking the information are legitimate and prudent responses.
Data Controllers should also be made aware – which they are not in the current wording of the form - that before handing anything over, they must have regard to the interests of other data subjects who may be identified within the data about the principal data subject/suspect. It may be that the aim of the Police is actually to recover information about third parties. The Data Controller must consider each case on its merits and cannot simply rely upon the assessment made by the Police that the production of the information is allowed under the exemptions to the Act. In particular, redaction of information about other data subjects may be necessary and should be considered.
Where processing is to be carried out pursuant to a request from the Police, the Data Controller may be obliged to withhold information about that processing from the Data Subject. In assessing this, the Data Controller needs to balance the interests of the Data Subject against the likely prejudice to the Police investigation; a balancing act that may be further complicated if a the third party data subject is a potential victim of the Data Subject under investigation. In these circumstances, obtaining consent from and balancing the interests of that individual may be problematic. It may be extremely difficult for the Data Controller to assess what is in the interests of the potential third party victim.
We fully accept that the Police will often be able to provide only limited information in a data request form. Data Controllers receiving a Police data request form will wish to co-operate and of course should do so, since it is desirable that the Police are able, effectively, to prevent and detect crime. However, the penalty for unlawful processing of data can also be severe (up to a £500k fine at present) so Data Controllers would be wise to take advice upon receipt of such a request form before handing over material.
We advise Data Controllers to document the process they follow. They should record their reasoning and their decisions, against possible later scrutiny of their processes by the ICO. It goes without saying that they should keep a copy of what they disclose. It is also prudent to ensure sufficiently senior management’s involvement in these important decisions. If in doubt, Data Controllers should seek advice before producing documents under such a request. Data Controllers should remember that the request form is a permissive route that, when applied appropriately, protects the data controller by allowing the lawful release of personal data relating to the investigation of a crime.
Paul Motion, Laura Irvine, and Lindsay Urquhart
bto Data Protection Defence Team.