Sharing personal data with law enforcement authorities

29 September 2023 - We have updated the section ‘How do we decide on our lawful basis for sharing?’ where it discusses if you did not originally intend to share personal information with a law enforcement authority. We have clarified that when deciding your lawful basis for the sharing, your original lawful basis might not be appropriate, especially if you originally relied on consent. You should consider whether the original lawful basis is still appropriate. This might mean you need to identify a new lawful basis.

At a glance

Checklist

☐ We consider what the purpose is for sharing personal data with law enforcement authorities, and whether it is necessary and proportionate to do so.

☐ We identify a lawful basis under Article 6 of the UK GDPR before sharing the personal data. If the sharing of personal data was not the original intention of the processing, we consider whether this new purpose is compatible with that original purpose.

☐ We also identify a condition for processing under Article 9 of the UK GDPR and any relevant condition in Schedule 1 of the DPA 2018 before sharing special category data.

☐ We identify a condition for processing under Article 10 of the UK GDPR and a relevant condition in Schedule 1 of the DPA 2018 before sharing criminal offence data.

☐ We record our lawful basis and, if relevant, our conditions for processing special category or criminal offence data.

☐ We only share the minimum necessary amount of relevant and adequate personal data.

☐ We ensure that the personal data is shared in compliance with our other data protection duties and obligations, including fairness, accuracy and security.

In brief

What do you mean by a law enforcement authority?

A law enforcement authority is known under data protection law as a “competent authority”. This means any of the authorities listed in Schedule 7 of the DPA 2018 including the police, courts and prisons. Competent authorities can also be any other organisation or person with statutory law enforcement functions, such as local authorities detecting trading standards offences or the Environment Agency when investigating environmental offences. For ease of reference, we use the term “law enforcement authority” throughout this piece of guidance.

Part 3 of the DPA 2018 sets out separate data protection rules for authorities with law enforcement functions when they are processing for “law enforcement purposes”.

The law enforcement purposes are defined in section 31 of the DPA 2018 as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and prevention of threats to public security.


Can we share personal data with law enforcement authorities?

You can share personal data where it is necessary and proportionate to do so. The UK GDPR, together with the DPA 2018, provides a framework to allow you to share personal data with law enforcement authorities that need to process personal data for the law enforcement purposes, such as the prevention, investigation and detection of crime.

These provisions do not force you to disclose personal data, but they do allow you to disclose personal data on a voluntary basis, provided that it is necessary and proportionate to do so. In some cases it will be clear why you need to share personal data, whereas in others you may need to carefully consider your reasons for sharing.

The DPA 2018 also allows you to share personal data with law enforcement authorities in order to comply with court orders, or other legislation and legal requirements.

When might we need to share personal data with law enforcement authorities?

There are likely to be three circumstances when you may need to share personal data with a law enforcement authority to enable it to carry out its law enforcement functions:

How do we decide on our lawful basis for sharing?

You must be satisfied that sharing personal data with a law enforcement authority is lawful. This means you must have a lawful basis under Article 6 of the UK GDPR before you share the personal data. There are six lawful bases and the most appropriate depends on the particular circumstances of each case.

For example, in some circumstances it may be appropriate to use the legitimate interests lawful basis in Article 6(1)(f). This is when the processing is necessary for your legitimate interests or those of a third party and they don’t outweigh the interests, rights or freedoms, which require the protection of personal data, of the individual whose personal data you are processing.

There might be a legitimate interest to share personal data of an individual suspected of an offence with a law enforcement authority to ensure they have all the necessary information for a proper and fair investigation.

Example

A building firm identifies an employee committing fraud after investigating irregularities in its procurement processes.

The firm considers that it is in its legitimate business interests to report those who commit fraud and it is necessary to provide a copy of records which shows the employee defrauding the firm. It cannot report the fraud without sharing personal data of the employee. It is likely to be in the individual’s reasonable expectations that such a disclosure would be made in the event of a suspected crime. The firm determines that, on balance, its interests in preventing fraud outweigh the interests of the employee who committed the act.

If you are required by a court order or you have a statutory duty to report potential criminal acts to a law enforcement authority, then your lawful basis is likely to be legal obligation in Article 6(1)(c). This provides a lawful basis to share personal data where it is necessary for you to comply with a legal obligation.

You may be able to rely on vital interests in Article 6(1)(d) as your lawful basis, if you need to share the personal data to protect someone’s life. However, this is only likely to be applicable in a very limited range of circumstances where an individual’s life is at risk.

Consent under Article 6(1)(a) may provide a lawful basis for sharing, but this is unlikely to be practical. It is only appropriate if the individual has a real choice in freely agreeing to you sharing their personal data and is able to easily withdraw consent. For example, a victim of crime may be willing for you to share their personal data; however, the alleged perpetrator is unlikely to be. This means that in practical terms consent is unlikely to be appropriate in the context of law enforcement and you should consider another lawful basis.

You may be able to rely on public task in Article 6(1)(e) as your lawful basis if you exercise official authority (for example, a public body’s tasks, functions, duties or powers) or carry out a specific task in the public interest. You need to demonstrate that sharing personal data is necessary and the relevant task or function must have a clear basis in law.

If your original intention for processing the personal data included sharing it with a law enforcement authority, then the lawful basis you choose should reflect this purpose. For example, if you have installed a CCTV system for the purpose of the prevention and detection of crime, then you may intend to share any evidence of criminal activity with the police. You may have decided to rely on the legitimate interests lawful basis to process and further share any relevant footage with the authorities.

However, if you didn’t envisage sharing the personal data with a law enforcement authority, then using the data in this way is a new purpose. An example might be where you are processing employee data for HR purposes and then receive a request to share some of your records with a law enforcement authority as part of its investigation into suspected criminal activity.

The “purpose limitation” principle in Article 5 of the UK GDPR states that “personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. This means you need to consider whether this new purpose is compatible with your original purpose.

You can normally only process personal data for a new purpose which you did not originally anticipate if:

If the new purpose is compatible, then you may not need a new lawful basis to further process the personal data. This situation is different if you originally relied on consent, as you will need to get fresh consent which specifically covers the new purpose.

Please see our guidance on purpose limitation for more information on this principle and details on compatible processing.

If you are processing personal data without envisaging the need to share it with a law enforcement authority, then doing so might not be compatible with your original purpose. This depends on the circumstances of each case.

However, the “crime and taxation: general exemption” (see the section ‘How does the crime and taxation exemption work?’) may be available if you are sharing personal data with a law enforcement authority. This can exempt you from the purpose limitation requirement, meaning that you do not need to consider whether sharing personal data with a law enforcement authority is compatible with your original purpose for processing the personal data. However, you still have to comply with the requirement for the processing to be lawful, which means you still need a lawful basis. In practice, this is likely to be your original lawful basis for processing the personal data, unless you originally relied on consent. However, depending on the circumstances, a new lawful basis might be needed, such as legitimate interests.

For further information on the lawful bases read our guidance on lawful basis for processing.

You need to carefully consider what your lawful basis is in each case. You should document your lawful basis for processing so that you can demonstrate compliance and accountability.

There are further requirements if the personal data you want to share consists of special category data, criminal offence data, or both (see below).

In addition to this, you need to comply with other requirements of data protection law (see the section ‘Is there anything else we need to consider?’).


Other resources

We have produced a tool for smaller organisations and businesses that need to consider requests to share personal data with a law enforcement authority.