Disclosing personal data for criminal investigations

The Information Commissioner has published updated and extended guidance on the use of the Data Protection Act’s “section 29” exemption, based on cases and wider experience. This exemption is often used to release personal information (such as computer or network logs) to the police or other authorities investigating crimes, so sections 33-52 in particular are worth reading as a refresher.

The points I’m most often asked about are:

  • The exemption only applies to crimes, not to civil legal proceedings (para 9);
  • It creates a permission to disclose personal data, not a requirement to do so (para 36);
  • It only applies if applying the normal DPA rules (e.g. not disclosing) would be likely to prejudice the prevention, detection or investigation of crime (para 37); “prejudice” must be “real, actual and of substance” (para 11) and there must be a “significant and weighty chance” of it occurring (para 13);
  • The exemption only applies to the extent necessary to avoid such prejudice (i.e. you can only disclose as much information as is necessary) (para 37);
  • This needs to be assessed on a case-by-case basis, not as a blanket policy (para 10);
  • Disclosure doesn’t need to be requested by the authorities – a data controller can initiate the process if they consider the requirements are met (para 40);
  • Keeping records of disclosure and reasoning is a good idea (para 38).

[UPDATE] The ICO’s blogpost has a nice series of worked examples

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
