Can the police share my personal data?

Disclaimer: this article is for general information. It’s not intended to be used as legal advice. For information on how to get legal advice, please see our page here.

In limited circumstances, UK data protection law allows the police to share your personal data. They should be thinking very carefully about what data to share and whether it is necessary.

The Information Commissioner’s Office (ICO) is an independent public body. It is set up to protect personal information. It does this by promoting good practice, providing information to individuals and organisations and ruling on eligible complaints. You can complain if you think the police have shared your data unlawfully.

Privacy is your human right

Article 8 of the Human Rights Act protects your right to privacy. You can read more about Article 8 on our page here.

Article 8 is a qualified right. This means that the police can interfere with the right if:

• There is a legal basis: there must be a law that allows them to do so.
• They have a legitimate aim: they can only interfere your right to privacy for a good reason. Our page on Article 8 lists these legitimate aims.
• The interference is proportionate: it must only go as far as is needed to achieve that legitimate aim.

Personal data

In the UK, the main laws that give the rules on how your personal data can be used are the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

Personal data is information relating to a person who is identified or can be identified by certain factors. These factors include things like your name, your location and your physical appearance. See the ICO’s website for more information.

Which laws allow the police to process my personal data?

Processing your personal data means doing things with it, like collecting it, storing it, and sharing it.
Part 3 of the Data Protection Act 2018 covers when competent authorities process personal data for criminal law enforcement purposes.

What’s a competent authority?

A competent authority is:

• a person listed in Schedule 7 of the Data Protection Act 2018; or
• any other person that the law gives the right to exercise public authority or public powers for the law enforcement purposes.

The police are a competent authority.

However, to be covered by Part 3 of the Data Protection Act, the police – as a competent authority – must be processing your personal data for the main purpose of law enforcement.

What’s law enforcement processing?

Section 31 of the Data Protection Act says that law enforcement purposes are:

• To prevent, investigate, detect or prosecute criminal offences
• Carry out criminal penalties (like fines or prison sentences)
• Safeguard against and prevent threats to public security.

This type of processing is covered by specific rules. If your personal data is processed for law enforcement purposes, you have fewer rights as an individual.

If the police are using this section, the main reason for processing your personal data must be for law enforcement reasons. It can’t be processed in a way that’s incompatible with that law enforcement purpose. This limits how the police can further process your personal data, such as sharing your personal data for non-law enforcement reasons.

See the ICO’s Guide to Law Enforcement Processing for more information.

How could the police lawfully share my data for non-law enforcement purposes?

The police, as a competent authority, can lawfully share data they have collected for law enforcement purposes with another organisation, like the DWP. You can read the ICO’s guide on data sharing for non-law enforcement purposes here.

However, the law places limits on the police from further sharing your data. Before sharing, the police must ask themselves the following questions

1. Does sharing this data count as processing for law-enforcement purposes?

This is also known as assessing compatibility with the purpose for which the data was collected. The law enforcement purposes are explained above.

The police would need to have one of the law enforcement reasons as the main reason for sharing the data. The police should identify why they want to share your data with a third party.

If it’s not for a law enforcement purpose, then the police would have to ask the following questions in order to lawfully share your data.

2. Is there a law that allows the police to share this data for non-law enforcement purposes?

If the police decide to share your data for a non-law enforcement purpose, this must be for a reason that is “authorised by law”. This would apply to sharing your data with bodies like the UK Department for Work and Pensions (the DWP) or the Home Office.

What does “authorised by law” mean?

The Data Protection Act doesn’t give a definition of what “authorised by law” means in this context. However, it usually means that:

• The competent authority has a legal obligation to share the data. This would mean it’s not optional and the police are legally required to share your data. However, the police don’t have the right to share your data just because there is no law banning them from doing so.

OR

• The competent authority has a legal power to share the data. This would mean that the police have a choice whether to share your data. Whether or not it is appropriate to use their power to share your data will depend on the situation.

So, the police need to show which law requires them or allows them to share the data in the first place. This could be found in

• An Act of Parliament (also called a statute). For example, the Immigration and Asylum Act 1999 gives the police (and other public authorities) broad powers to give the Home Secretary information “for use for immigration purposes”.
• A statutory code of practice, which is guidance on how the statute applies
• The common law, also known as case law. This is the law we get when judges rule on cases and clarify what the law is.

However, as the College of Policing notes:

• The common law doesn’t give the police a power to do things that’s not stated in statute law
• The police can’t use the common law in a way that goes against statute law.
• Using common law powers to share information must always follow data protection law and the Human Rights Act.

For more information, please see the College of Policing’s page on information sharing.

3. Does sharing this data have a lawful basis under UK data protection law?

If the police have identified the law that lets them share your data, they then need to identify a lawful basis for processing your data under regular UK data protection law. The police need to explain what part of UK GDPR lets them process your data. This is because they are no longer processing your data for a law enforcement purpose.

What is a lawful basis?

A lawful basis is a reason under the GDPR which allows a data processor, like the police, to collect and use your personal data.

Article 6 of the UK GDPR lists the 6 lawful bases for processing. You can read more about them here. In order to lawfully share your information with third parties, the police would have to show that at least 1 of these 6 lawful bases applied.

Further rules depending on the type of data

• Rules for processing criminal offence data. This data covers a wide range of information about people who have committed a crime (offenders) and suspected offenders. If the police want to share it, they must also follow the rules in Article 10 of the UK GDPR. Check the ICO’s website for more information on criminal offence data and the rules for sharing it.
• Rules for sensitive processing. If the police were originally processing your data for a law enforcement process, this may have included sensitive processing. This type of processing has its own rules – read more about them here. These include rules on processing data that reveals things like your racial or ethnic data, amongst other things. If the police want this share data, they will need to follow the rules processing “special category data” in Article 9 of the UK GDPR. You can read more about special category data on the ICO’s website here.

4. Does sharing comply with UK data protection law?

In addition to all the above the police would have to consider their legal obligations under other parts of UK data protection law. ICO’s Guide to Data Protection goes over this. The obligations include things like

• The data protection principles under the UK GDPR. You can read an overview of all 7 data protection principles on the ICO’s website here. A key principle is the data minimisation principle. Among other things, it requires the processing to be limited to what is necessary. The police shouldn’t be sharing more than they need.
• They should inform you of your individual rights if you ask. These include your right to access your data, known as a subject access request. Our page has more information on that here.

For more information on data sharing and your rights, please see the ICO’s Code of Practice on Law Enforcement Processing and Data Sharing, which goes into more details.

What data protection rules apply to the party receiving my data?

If the police lawfully share your data with a government department or another competent authority, they must also follow Data protection law. Please see the ICO’s Guide to Data Protection for more information.

What about my other human rights?

You shouldn’t be discriminated against because you’re disabled.

The Human Rights Act 1998

Article 14 bans public authorities, like the police, from discriminating against you when you exercise certain rights under the European Convention on Human Rights (ECHR). This includes your Article 8 rights.

You can read more about Article 14 here.

The police sharing your data interferes with your rights under Article 8. Even if they If the police share your personal data, they shouldn’t do so in a way that discriminates against you for being disabled. If they do, this could be violating your Article 14 rights.

Discrimination under the ECHR means when

• a person is treated differently on the basis of certain grounds. This includes things like health and disability.
• there is no good reason for treating them differently.

If you think the police have broken Article 14, you might want to get legal advice.

What can I do if I think the police have shared my data unlawfully?

Your right to ask for your data

The Data Protection Act 2018 gives you the right to access your data held by the police, whether this is for law enforcement purposes or not. Please see our page on making a data subject access request for more information.

For law enforcement data processing sometimes the police can limit the information they give you. This can be when there is an ongoing investigation. See section 44 of the Data Protection Act 2018 for a full list. However, the police should always tell you if they’re limiting the data they give you and why.

If it’s not law enforcement data that they shared, the regular rules for responding to subject access requests would apply to the police.

Make a data protection complaint to the police

If you make a subject access request, but you’re not happy with how the police responded, you can complain. The website of the police force involved should have a privacy notice. This should explain how to make a data protection complaint.

If you want some information on how to write your complaint, the ICO’s website provides a template letter here.

Complain to the ICO

If the police force in question respond to your complaint and you are not satisfied with it, you may wish to make a formal complaint to the ICO against that police force.

The Information Commissioner’s Office (ICO) is the UK’s independent public body set up to protect personal information.

You can ask the ICO to check if the police’s decision to restrict the data it gave you or to refuse your request was lawful. The ICO website has information about making a complaint about an organisation here.

You should send your complaint to them within 3 months of your latest exchange with the police. This is because the ICO will not investigate your concerns if there has been a delay in bringing the issue to their attention.

Get legal advice

In some situations, you have the right to apply to a court if you think the police have violated your rights under the Data Protection Act. In some situations, if you have suffered damage, you might be able to get compensation.

If this is something you’re thinking of doing, you might want to get legal advice. Visit our page here on how to find legal help.

Other pages you might be interested in

• How do I make a subject access request?
• Your right to protest: disabled people’s rights
• How should the police treat us?
• Information about discrimination
• Information on your rights and the police