The Information Commissioner’s Office (“ICO”) has introduced a toolkit on data sharing with law enforcement (“Toolkit”) which supplements the ICO’s existing guidance on sharing personal data with law enforcement authorities. The Toolkit is intended to function as a tool for smaller organisations to make an informed decision about whether to share personal data with law enforcement. Larger organisations with expertise in data protection are encouraged to refer to the ICO’s data sharing code of practice but in any event, the Toolkit is intended to help provide clarity for all organisations in making decisions relating to this type of sharing.
The Toolkit splits the relevant data sharing assessment into two stages:
The first stage allows an organisation to assess whether the Toolkit applies by asking two questions. Firstly, has a law enforcement authority asked you to share personal data with them? Secondly, has the law enforcement authority asked you to share personal data with them for law enforcement purposes?
To answer these questions, the Toolkit first clarifies various relevant definitions, including:
- Law enforcement authorities: also known as “competent authorities” under UK data protection law. Such authorities include those which have law enforcement and investigatory functions beyond the police, such as government departments, HM Land Registry, the courts, TV Licensing and the ICO, amongst others.
- Law enforcement purposes: this is defined by UK data protection law as “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties including the safeguarding against and the prevention of threats to public security.”
- Personal data: any information that relates to an identified or identifiable individual (e.g., a name, address, CCTV images).
The Toolkit then asks “Has the law enforcement authority clearly explained what personal data they want you to share with them and why they need it?” The ICO explains that there must be clarity in the scope and type of data requested, but that law enforcement also needs to provide direct reasons why they need this data, which should be explained in the request.
The next question is “Are you satisfied that sharing the personal data with the law enforcement authority would be necessary for their law enforcement purposes?”
The ICO explains that necessity means more than merely useful or standard, but does not have to mean absolutely essential. This requirement intersects with the aim of data minimisation, i.e., could the purpose be achieved without sharing the information, or by limiting the amount of personal data shared?
The second stage assesses whether the personal data can be shared lawfully and securely.
Lawful basis for sharing personal data
The Toolkit requires organisations to identify a lawful basis for sharing under Article 6 GDPR (i.e., public task, legitimate interests, compliance with a legal obligation) and provides further background information for those who require it.
Where special category personal data are being shared, organisations are also required to confirm which Article 9 condition(s) will be relevant. Where criminal offence data are being shared, this is only permitted where the organisation is either (i) sharing the data under the control of official authority; or (ii) authorised by law.
Data Protection Principles
Organisations must then confirm they have considered that the sharing meets the other data protection principles, including that the sharing is: (i) fair and transparent; (ii) limited to a specific purpose; (iii) adequate, relevant and limited to what is necessary; (iv) accurate and up to date; and (v) secure.
Based on the above responses, the Toolkit then generates a report, which provides suggested next steps as well as allowing organisations to record and document decisions and justifications in accordance with the accountability principle.
As noted above, even for organisations not using the Toolkit functionality directly, the Toolkit provides a helpful checklist of the key data protection considerations that should be addressed before sharing personal data with law enforcement authorities. However, the ICO recognises that many of the risks in these scenarios are context-specific, and the Toolkit cannot provide an exhaustive or definitive list of issues to consider. For example, one area the Toolkit does not cover is international data transfers. Ultimately, comprehensive evaluations remain the responsibility of controller organisations before such sharing takes place.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.