The General Data Protection Regulation and Data Protection Act 2018 came into force in 2018. The new data protection regime significantly changed the law in the UK with increased obligations on data controllers and enhanced rights for data subjects. Any business which processes personal data will be a controller and subject to data protection legislation. Personal data is widely defined and includes any information which relates to an individual. Whilst it will normally constitute documents, CCTV images, telephone recordings, biometrics, etc. will also constitute personal data. As a controller, a business could find itself facing civil proceedings or a complaint to the Information Commissioner's Office (ICO) if it breaches data protection legislation.

Businesses, from time to time, receive requests for information from the police or other authorities. It could relate to the investigation of a crime or pursuing someone for fines or other outstanding monies due to the Government. One example for city centre businesses is when their CCTV footage is requested to help identify offenders, often resulting from anti-social behaviour. Another is queries made by local agencies to investigate benefit fraud or to locate parents who have failed to meet their financial obligations.

The police make most requests, but businesses are increasingly being asked to advise on requests made by other bodies such as HMRC, local authorities, and NHS trusts. Often they are investigating specific offences such as a local authority requesting information about a parent in connection with an alleged fraud. In light of the financial squeeze driven by the coronavirus (COVID-19) pandemic, it is perhaps not surprising that these requests are becoming more common. As many of us continue to work from home, the exchange of personal data online grows significantly.

Unless there is an express statutory power, there is no legal obligation to provide information without a court order. However, responsible businesses will usually want to cooperate as a civic duty.

Data protection legislation makes a provision for businesses to assist the police and regulatory bodies without breaching their data protection obligations. Before sharing information, a business should be satisfied that the body making the request has the necessary powers to do so and that those powers are relevant to the request being made. The organisation should readily know the statutory basis on which it makes the request. A business should also ask for a standard request form to be completed before the information is disclosed.

In most cases, there will be no issue for businesses in sharing information containing personal data with the police and regulatory authorities. However, caution should be exercised. In some cases, data subjects have pursued civil cases against businesses and/or complained to the ICO when it was alleged the business shared personal data without proper authority or the disclosure was excessive to the purpose of the request. Businesses should take a step back and properly consider the request and how they should reply.

This article has been produced for general information purposes and further advice should be sought from a professional advisor. Please contact Director Michael King, who specialises in intellectual property, data protection and information law, for further advice or information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.