The Information Commissioner has published updated and extended guidance on the use of the Data Protection Act’s “section 29” exemption, based on cases and wider experience. This exemption is often used to release personal information (such as computer or network logs) to the police or other authorities investigating crimes, so sections 33-52 in particular are worth reading as a refresher.
The points I’m most often asked about are:
- The exemption only applies to crimes, not to civil legal proceedings (para 9);
- It creates a permission to disclose personal data, not a requirement to do so (para 36);
- It only applies if applying the normal DPA rules (e.g. not disclosing) would be likely to prejudice the prevention, detection or investigation of crime (para 37); “prejudice” must be “real, actual and of substance” (para 11) and there must be a “significant and weighty chance” of it occurring (para 13);
- The exemption only applies to the extent necessary to avoid such prejudice (i.e. you can only disclose as much information as is necessary) (para 37);
- This needs to be assessed on a case-by-case basis, not as a blanket policy (para 10);
- Disclosure doesn’t need to be requested by the authorities – a data controller can initiate the process if they consider the requirements are met (para 40);
- Keeping records of disclosure and reasoning is a good idea (para 38).
[UPDATE] The ICO’s blog post has a nice series of worked examples.