We are finding that clients are increasingly being asked by law enforcement authorities to provide them with personal data about their customers and employees. This request will often be made to further an investigation into an individual suspected of criminal activity, e.g. an employee who is believed to have been committing benefit fraud, has been accused of being engaged in a criminal incident, or is suspected of trying to hoodwink AC-12.
The question for data controllers is, can we share the personal data with these authorities or not? Understandably, when police are involved and there is a sense of urgency with a request, it can be common to feel pressured into providing the authorities with everything they have asked for. However, data subjects have data privacy rights and data controllers should be considerate when determining whether to hand over the data.
The UK GDPR states that data controllers may share personal data with a law enforcement authority provided it is necessary and proportionate to do so. It is important to consider if the data requested is necessary for the outlined law enforcement purposes. Although enforcement authorities will hopefully be following the letter of the law, occasionally requests can stray beyond the remit of the purported investigation. Be sure to consider: is the data that is being requested going to be useful to the investigation? Could the investigation be carried out without the information being shared?
As an example, the fraud office of HMRC could request an employee’s payslips, personnel file, and employment contract in order to investigate allegations that an employee is fraudulently claiming a benefit from HMRC. Providing the entire record would be unnecessary, disproportionate, and a breach of the UK GDPR. Instead, you would need to consider the information that would be required as evidence. It is likely that the duration of employment and the salary that has been paid during that time are all that is required. This should be provided in the first instance, and more data should only be provided if the authority can demonstrate that this is necessary.
In some instances, the law enforcement authority will request data without giving any background information at all. In these cases, rather than risk a UK GDPR breach by handing over data without reason, first ask the law enforcement authority for the reason, explaining that the ICO requires you to have a lawful basis to hand over the data. If this is not forthcoming or cannot be disclosed, best practice would be to wait for an order requiring certain information to be provided.
The ICO have recognised that no two cases will be the same, and that it may be difficult for a data controller to determine which personal data they should provide to law enforcement authorities. The ICO have therefore developed a useful toolkit to assist in determining which data should be provided upon request. Alongside the use of the tool, data controllers should assess any requests critically, considering the implications of data protection law when a request is received. In providing necessary information, data controllers can do their bit to help nick bent coppers, as well as assist in more run-of-the-mill investigations!