Nov 22023

UK Information Commissioner’s Office Publishes Toolkit for Data Sharing with Law Enforcement

William RM Long, Eleanor Dodding and Mhairi Cameron
, , , , , , ,

The Information Commissioner’s Office (“ICO”) has introduced a toolkit on data sharing with law enforcement (“Toolkit”) which supplements the ICO’s existing guidance on sharing personal data with law enforcement authorities. The Toolkit is intended to function as a tool for smaller organisations to make an informed decision about whether to share personal data with law enforcement. Larger organisations with expertise in data protection are encouraged to refer to the ICO’s data sharing code of practice but in any event, the Toolkit is intended to help provide clarity for all organisations in making decisions relating to this type of sharing.

Assessment

The Toolkit splits the relevant data sharing assessment into two stages:

Stage One

This stage allows an organisation to assess whether the Toolkit applies in asking two questions.  Firstly, has a law enforcement authority asked you to share personal data with them?  Secondly, has the law enforcement authority asked you to share personal data with them for law enforcement purposes?

Definitions

To answer that question, the Toolkit firstly clarifies various relevant definitions, including:

  • Law enforcement authorities: also known as “competent authorities” under UK data protection law. Such authorities include those which have law enforcement and investigatory functions, beyond the police such as government departments, HM Land Registry, the courts, TV Licensing and the ICO, amongst others.
  • Law enforcement purposes: this is defined by UK data protection law as “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties including the safeguarding against and the prevention of threats to public security.”
  • Personal data: any information that relates to an identified or identifiable individual (e.g., a name, address, CCTV images).

Clear Explanation

The Toolkit then asks “Has the law enforcement authority clearly explained what personal data they want you to share with them and why they need it?” The ICO explains that there must be clarity in the scope and type of data requested, but that law enforcement also needs to provide direct reasons why they need this data, which should be explained in the request.

Necessity

The next question is “Are you satisfied that sharing the personal data with the law enforcement authority would be necessary for their law enforcement purposes?”

The ICO explains that necessity is more than merely useful or standard, but does not have to be absolutely essential. This requirement intersects with the aim of data minimisation i.e., could the purpose be achieved without sharing the information or limiting the amount of personal data shared.

Stage Two

This stage assesses whether the personal data can be shared lawfully and securely.

Lawful basis for sharing personal data

The Toolkit requires organisations to identify a lawful basis for sharing under Article 6 GDPR (i.e., public task, legitimate interests, compliance with a legal obligation) and provides further background information for those who require it.

Where special category personal data are being shared, organisations are also required to confirm which Article 9 condition(s) will be relevant. Where criminal offence data are being shared, this is only permitted where the organisation is either (i) sharing the data under control of official authority; or (ii) authorised by law.

Data Protection Principles

Organisations must then confirm they have considered that the sharing meets the other data protection principles, including that the sharing is: (i) fair and transparent; (ii) limited to a specific purpose; (iii) adequate, relevant and limited to what is necessary; (iv)  accurate and up to date; and (v) secure.

Report

Based on the above responses, the Toolkit then generates a report, which provides suggested next steps as well as allowing organisations to record and document decisions and justifications in accordance with the accountability principle.

Conclusion

As noted above, even for organisations not using the Toolkit functionality directly, the Toolkit provides a helpful checklist of the key data protection considerations that should be addressed before sharing personal data with law enforcement authorities. However, the ICO recognizes that many of the risks in these scenarios are context specific, and the Toolkit cannot provide an exhaustive or definitive list of issues to consider in this context. For example, one area the Toolkit does not cover is international data transfers. Ultimately, comprehensive evaluations remain the responsibility of controller organisations before such sharing takes place.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

William RM Long

London

wlong@sidley.com

Eleanor Dodding

London

edodding@sidley.com

Mhairi Cameron

Trainee Solicitor

mcameron@sidley.com

You might also like
Top 10 Questions on the EU AI Act

The EU AI Act will be the first standalone piece of legislation worldwide regulating the use and provision of AI in the EU, and will form a key consideration in AI governance programs. The AI Act will have a significant impact on many organizations inside and outside the EU, with failure to comply potentially leading to fines of up to 7% of annual worldwide turnover.

EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.