Disclosing information to prevent or detect crime may seem a fairly straightforward exemption on the surface, but once organisations have to consider real-world examples, it can appear more complex.
The updated guidance we’ve published today should help to remove some of that uncertainty.
Some of the guidance is aimed at organisations that often process data for crime and taxation purposes, like the police and HMRC. It looks at how they can withhold information from individuals when the DPA usually requires it to be provided.
Other parts are aimed at organisations that have been asked to provide data to the police, and should help them make informed decisions about disclosure. The effect of the exemption is to remove some of the usual requirements of the data protection principles. This means that it should only be used when necessary. If the exemption doesn’t apply, the DPA won’t necessarily prevent disclosure but you need to ensure that the principles are complied with in full.
At 16 pages, it’s one of our shorter pieces of guidance, and well worth a read. But to give you a taster, here are a few of the examples that we explain in the guidance about disclosures. Take a look to see if you’d have reached the same conclusions, and then have a look through the guidance for a few more details.
Should my company disclose personal data?
1. A victim of a mugging tells the police that their attacker ran off through your business’s car park. You have CCTV footage that will help to identify the attacker and show their movements.
The first step in deciding whether the exemption applies is to identify the prejudice that might occur if the DPA was followed in the usual way.
The CCTV is clearly of importance to the apprehension and prosecution of the offender. Withholding the footage from the police would have a significant impact on the investigation. You can disclose the CCTV footage.
2. A police force is concerned about a rise in burglaries targeting older people. They ask your local elderly support charity to share the names and addresses of their clients, so that the police can contact them to offer crime prevention advice.
The next step in assessing whether the exemption applies is to establish a causal link between the use of the data and the prejudicial effect.
There is not a clear causal link between disclosing the client names / addresses and preventing crime. The exemption is unlikely to apply to the disclosure. However, the police force and charity might be able to find a way to share the information which doesn’t rely on the exemption.
3. Your insurance company is concerned about the validity of a claim and conducts a standard investigation into whether it is an attempted fraud. While the claim is still being assessed, the customer makes a subject access request for the information held about them.
A data controller needs to demonstrate that failing to apply the exemption would be “likely” to cause the prejudice identified.
Your company cannot simply claim that releasing the information might prejudice an ongoing attempt to detect a criminal act. You would need to demonstrate more precisely how providing the information in this case would adversely affect your ability to investigate and prevent criminally fraudulent claims.
4. A detective constable contacts you to ask for the contact details for one of your employees. They say that the disclosure is necessary for the crime and taxation purposes but are unwilling to provide further details in case it compromises the investigation.
Application of the exemption is discretionary – it allows disclosure in specific circumstances but does not require it.
You need to be satisfied that the exemption applies. You could ask that a more senior police officer signs off a request for disclosure and provides a statement that is as clear as possible about why the information is needed. If you are still concerned that disclosing the information would breach the DPA, you can ask the police to obtain a court order.
Thomas Oppé is a Senior Policy Officer at the ICO. He has contributed to guidance on many different aspects of data protection compliance, including the ICO code of practice on anonymisation. Thomas also has a lead role in the promotion of Privacy Impact Assessments and has worked with several organisations in their implementation of PIAs.