It is not uncommon for organisations to receive requests from the Police to share personal data held about employees, clients or visitors that may be the subject of an investigation. However, given the potential risks associated with non-compliance with the General Data Protection Regulation (GDPR) or Data Protection Act 2018 (DPA), it is natural to be wary of sharing personal data with third parties, even if the requestor is the Police. Here we discuss whether organisations can assist the Police without exposing themselves to undue risk and what you should do if approached by the Police for information.
Is the request a mandatory or voluntary request?
If the Police request is in the form of a warrant, an organisation will have little choice but to respond accordingly. More often than not, however, the Police request is not a mandatory demand for information and therefore it should not be assumed that the organisation must automatically disclose the personal data requested. It is for the organisation to determine whether it wishes to be helpful and assist the Police by providing this personal data. This could be a request for information about employees or customers, a copy of a CCTV recording, etc.
Any request must be considered on the merits of its own facts and circumstances. While it may wish to be helpful to the Police, the organisation ought also to consider the impact this could have on the individual concerned and how it would affect its relationship with the individual and the wider public from a trust perspective. Would disclosure be in the reasonable expectation of the individual concerned? Any disclosure must also be permitted under GDPR or DPA.
Does the GDPR/DPA permit sharing with Police?
While each case will turn on its own facts, the GDPR/DPA generally allows organisations to disclose personal data to the Police where this is deemed necessary (a) for the prevention or detection of crime; or (b) the apprehension or prosecution of offenders. These provisions could permit disclosure even if there is no legal obligation to disclose (e.g. under a warrant) and/or such disclosure is not covered in any applicable privacy notice.
If permitted, are other parts of GDPR/DPA still applicable?
Even where an organisation is of the view it can disclose the personal data to the Police, remaining parts of the GDPR and DPA are still relevant and must be considered. Indeed, the organisation would need to establish and document internally a legal basis for this sharing under Art 6 of GDPR (e.g. legitimate interest of the Police or public interest). To the extent that the requested information consisted of special category data (e.g. health data), it would also need to establish a legal basis under Art 9 (e.g. Substantial Public Interest).
Should all personal data requested be disclosed to the Police?
The recipient organisation should only hand over personal data/documents that are actually necessary, relevant and proportionate for the requirements of the Police investigation, as opposed to automatically giving the Police access to everything they request. Should this situation arise, it is important that the organisation asks the Police to document what they need and why this information is relevant, as this will enable the request to be restricted where appropriate. It will also create a paper trail which could be helpful if the disclosure is ever challenged. It will be important for the organisation to be able to establish the legal basis it relied on and that it only shared information that was actually necessary for a clear purpose as outlined by the Police. Lastly, the organisation should also be mindful of how it shares the personal data with the Police in a practical sense and ensure it does so in a secure manner, particularly given the information may be sensitive.
What should employees/staff do if they receive a request for information from the Police?
The Police could ask any staff member to disclose information to them. To ensure that your organisation can give the request proper consideration, it is important to advise staff what they should do or who they should contact internally to deal with this. Normally any such request may be handled by a senior member of staff with support from the Data Protection Officer or such other colleague with data protection experience.
If you would like to discuss any of the issues raised in this article, please contact Loretta Maxfield by emailing lmaxfield@thorntons-law.co.uk or by calling our Intellectual Property team on 03330 430350.