What do you do when a government agency comes asking for access to personal data? EU GDPR / UK Data Protection Act 2018
A UK-based company contacted us for guidance because the police had asked it for access to the personal data of a customer. The company believes it is compliant with data protection law and has plenty of procedures, save for one: how to respond to a request for disclosure of personal data from a government agency. What is more, it seems the agency (in this case the police) expected to be able to simply turn up and collect the information.
Whilst such requests will more commonly come from the police, other government agencies may also request data for law enforcement purposes, including, but not limited to, the Department for Work and Pensions, Local Authorities, HM Revenue and Customs (HMRC) and UK Visas and Immigration (UKVI).
This UK company is required to comply with both Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR) and the UK's national law, the Data Protection Act 2018 (c.12) (the DPA 2018). Together these legally require the company to protect the personal data of data subjects that it processes (stores, transmits, uses, etc.). This includes all personal data provided by and/or collected from data subjects, whether they are members of staff, customers or any other individuals. Under data protection law an organisation may not disclose personal data to persons other than the data subject unless it has a lawful basis for doing so and, save where an exemption applies, the data subject has been informed. The data subject also has explicit rights, which principally concern transparency, e.g. the right to know why the company needs their personal data, what it will lawfully do with it, how it will process and protect it, and who else might have access to it and why. This includes the right to know when their personal data is accessed by others not previously notified to them, and the reason (lawful purpose) for that access.
The first advice we gave the company was to contact the officer making the request and inform them that the company required a formal, documented (usually letterheaded) submission. For this police request, the submission must clearly state, among other things, that 1) 'failure to provide the data would prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders'. The company should tell the officer that it will respond to the disclosure request in due course once that submission has been received.
If the disclosure request is complied with, this is a change of purpose for the processing of the personal data, and under data protection law the data subject is entitled to be informed of that change: in this case, that the police are requesting the disclosure and why (for the investigation of criminal offences, etc.). The police would clearly not want the data subject under investigation to be told of the request, so the police also need to confirm explicitly in their disclosure request that 2) 'the individual(s) whose personal data is sought should not be informed of this disclosure request, as to do so would be likely to prejudice the investigation/enquiry'. Confirmation of both 1) and 2) above allows the company to rely on the exemption and disclose the personal data and information to the government agency without informing the data subject of the disclosure request.
Any disclosure request submitted by a UK government agency should indicate the legal basis it is relying on, for example whether the request is made under a) the Data Protection Act 2018, Schedule 2, Part 1, Paragraph 2, or under b) the Data Protection Act 2018, Schedule 2, Part 1, Paragraph 5.
If the disclosure request is under a) above, it must indicate the matter for which the request is made, i.e. (a) the prevention or detection of crime; or (b) the apprehension or prosecution of offenders; or (c) the assessment or collection of a tax or duty or an imposition of a similar nature; AND explicitly confirm that i) the personal data and information requested is needed for the purpose indicated and that a failure to provide it would be likely to prejudice that matter; AND that ii) the individual(s) whose personal data is sought should not be informed of the disclosure request, as to do so would be likely to prejudice that matter.
If the disclosure request is under b) above, it must indicate the matter for which the request is made, i.e. that disclosure (a) is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings); or (b) is necessary for the purpose of obtaining legal advice; or (c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights; AND explicitly confirm that i) the personal data and information requested is needed for the purpose indicated and that a failure to provide it would be likely to prejudice that matter; AND that ii) the individual(s) whose personal data is sought should not be informed of the disclosure request, as to do so would be likely to prejudice that matter.
Under both a) and b), the disclosure request should tell the company what information the agency wants access to, with any relevant dates, and why releasing the personal data and information requested is necessary. For a) it should also explain how non-disclosure of the personal data and information would prejudice the purpose, and for b) it should explain which law or enactment, and which section of it, applies.
It is important that DPOs and staff responding to disclosure requests require a government agency submitting a request to make the statements shown above. They should not simply submit to the will of the agency: doing so would put the company in breach of data protection law, and for the government agency it might also endanger any case it may bring against the data subject.
Many DPOs who are new to the world of data protection since May 2018 and the arrival of the EU GDPR / DPA 2018 are not aware that the company can simply refuse a government agency disclosure request made under a) or b) above. It does not have to comply with a 'request', nor give reasons for its refusal. If the agency seeks and obtains a court order following a refusal, the company would have to comply with the court order, which gives the company an explicit exemption so that it would not be in breach of data protection law.
If the company chooses to comply with the disclosure request it should handle it in much the same way as a SAR (Subject Access Request): confirm through the agency's published contact details, not those printed on the request, that the request is genuine; make sure that the personal data of other individuals who are not covered by the disclosure request is redacted from the material; and transfer the collated personal data in the most appropriate and secure format. Any compliance with a disclosure request should be authorised at the highest level in the company, and the request, the decision and what was disclosed should be documented.
If the disclosure request relates to an emergency, such as a need to disclose a staff member's medical details in order to provide assistance to them, the request will often be verbal, and it is acceptable for the company to provide the necessary information without delay and without a formal documented request. The DPO should document all actions taken in such circumstances.
If you do not have a policy and procedure for dealing with government agency requests, you ought to have one, and do not assume that you are too small to need it. We can help you out.
If you have a question regarding an issue relating to the above within your organisation, then contact us.