Supplementary guidance: public sector data sharing for prevention and detection of crime
Published 28 March 2018
© Crown copyright 2018
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/identity-document-validation-technology/supplementary-guidance-public-sector-data-sharing-for-prevention-and-detection-of-crime
1. Introduction
Identity document validation technologies (IDVT) are powerful tools for identifying fraudulent identity documents and keeping an audit trail of the checks made for both parties involved, especially where the systems are able to share data on them and to make checks against other data-bases on the data contained within the document. By sharing data on these documents you can help to reduce the risk of those documents being used elsewhere. Making checks against other data sources can also help you to verify the identity of the identity document holder.
2. Power to share data
A public body may only share data if it has power to do so. The power may be set out expressly in statute, or it may be implied from the body’s other statutory powers and functions. Government departments headed by a Minister of the Crown may also have common law powers to share data. Before considering a proposal to share data it is necessary to consider whether the parties to a proposed arrangement have the necessary legal powers.
2.1 Sharing of personal data for statistical purposes
Where the data to be shared is anonymised it is less likely that problems should arise, although consideration still has to be given to the principles in the Data Protection Act 1998 (DPA). If the data required for statistical purposes contains information which may identify individuals (personal data), then the sharing should be approached in the same way as for any other circumstances.
2.2 Express statutory powers
Some legislation includes explicit gateways by which information can be disclosed or received for particular purposes. Such gateways may be permissive (creating a discretionary power to disclose or receive data) or mandatory (requiring data to be transferred in certain circumstances).
Examples of permissive statutory gateways include (not exhaustive):
- section 115 of the Crime and Disorder Act 1998, allowing anyone to pass information to certain authorities if it is necessary or expedient for the purposes of any provision of the Act;
- section 17 of the Anti-Terrorism, Crime and Security Act 2001, allowing disclosures under the statutory provisions specified in Schedule 4 for purposes connected with criminal investigation and prosecution, where such disclosures are proportionate; and
- section 20 of the Immigration and Asylum Act 1999, as amended by section 55 of the Immigration Act 2016 allows all public authorities to supply information to the Secretary of State for immigration purposes.
2.3 Common law powers
Where there are no relevant express or implied statutory powers to share data, government departments that are headed by a Minister of the Crown may be able to rely on common law powers to share data. This is known as the Ram Doctrine but the power to share data under common law may be replaced by statute and limited by the requirements of public law, the law of confidence or by agreement.
The Courts have rarely considered the use of common law powers by public bodies to share data, so there is a risk on depending on these powers. The degree of risk depends on:
- the nature of the information proposed to be collected and disclosed;
- the purposes for which it was to be collected and disclosed; and
- the identity of the bodies acting as recipients.
It is worth noting that even where common law data sharing powers are compatible with Article 8 of the ECHR, they may still not provide a suitable basis for public sector data sharing for other reasons. Sometimes a statutory framework is necessary, for example, where criminal sanctions need to be imposed on officials who fail to comply with procedures on managing data.
Public bodies which are neither central government departments nor organisations which derive their powers from statute will need to assess what powers (if any) they have to process data and whether there are any explicit or implicit restrictions, or any other limitations.
2.4 Implied powers to share data
Where the legislation regulating a public body’s activities is silent on the issue of data sharing, it may be possible to rely on an implied power to share information derived from the express provisions of the legislation. This is because express statutory powers may be taken to authorise the organisation to do other things that are reasonably incidental to those which are expressly permitted. To rely on an implied power, the public body needs to identify the activity to which the proposed data sharing would be reasonably incidental, and then check whether it has the power to engage in that activity.
3. The Data Protection Act 1998
The current principal legislative provision relating to data protection is the Data Protection Act 1998 (DPA). The DPA gives individuals a number of important rights to ensure that personal information covered by the Act is processed lawfully. It regulates the manner in which such information can be collected, used and stored. If the parties have the necessary power to share data, the next step is to consider whether the proposal is compatible with other data sharing legal provisions.
3.1 Application of the Data Protection Act
Data includes all automatically processed information as well as some manual records.
Personal data means data relating to an identified or identifiable living individual. Anonymised data may still be personal data if the data controller can identify who the information relates to.
Sensitive personal data are personal information consisting of information as to racial or ethnic origin, political opinions, religious and similar beliefs, trade union membership, physical or mental health, sexual life, and the commission or alleged commission of any offence or criminal proceeding. The DPA imposes additional requirements (found in Schedule 3 of the DPA) in relation to the processing (including the sharing) of such data.
The processing of personal information includes anything which may be done to personal data, such as obtaining, holding, using, disclosing or destroying it. Many types of public sector data sharing will involve information held on computer, so if the information relates to identified or identifiable individuals, it will be clear that the DPA applies.
Data controllers are persons who determine the purposes for which, and the manner in which, the personal information is processed.
Data processors are persons who process personal information on behalf of a data controller, rather than on their own behalf.
Data subjects are the individuals to whom the personal information relates.
3.2 The data protection principles
The eight data protection principles set out in Schedule 1 Part I of the DPA form the core of data protection regulation.
The first principle: fairness and lawfulness
This requires that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless— (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
The second principle: purposes
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
The third principle: adequate, relevant and not excessive
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
The fourth principle: accurate and up to date
Personal data shall be accurate and, where necessary, kept up to date.
The fifth principle: information not to be kept longer than necessary
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
The sixth principle: rights of data subjects
Personal data shall be processed in accordance with the rights of data subjects under this Act.
The seventh principle: keeping personal data secure
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
The eighth principle: transfer outside the EEA
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
4. General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED)
The Data Protection Act 1998 will be replaced in May 2018 with legislation based on the General Data Protection Regulations (GDPR) and, for law enforcement, and for crime detection purposes, the Law Enforcement Directive. This guidance will be updated to reflect any changes required by the regulation and directive.
5. The Human Rights Act 1998 and the European Convention on Human Rights
Data sharing by public authorities must comply with the European Convention of Human Rights (now part of the UK domestic law as a result of the Human Rights Act 1998), and in particular Article 8, which provides:
- Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
This means that public bodies are not prevented from sharing data with other organisations; however, it must be lawful and proportionate so it meets the purpose for which the data needs to be shared.
6. Memoranda of Understanding for sharing data
It is strongly advisable for public authorities to have in place a Data Sharing Agreement or Memorandum of Understanding to formally define the project, ensure that relevant considerations have been considered, and record the respective obligations of the parties.
Clauses that it may be appropriate to include in such an agreement are:
- Details of the participants involved in the exchange;
- Scope and purpose for the exchange and why it is necessary and proportionate;
- (Where necessary) confirmation of the identity, role and responsibility of the Data Controller in respect of any data processed as a result of the data sharing (separate guidance exists);
- The legal basis on which data is being shared;
- Freedom of Information Act 2000 (FOIA) and Data Protection Act 1989 (DPA) obligations: including detailed process for handling Subject Access and FOIA requests or equivalent (for international exchanges);
- What information, or types/ categories of information, will be exchanged;
- Method of exchange, including information handling requirements/ obligations;
- Retention and disposal instructions;
- Permitted use including onward disclosure;
- Monitoring, reporting, review and dispute resolution procedures;
- Costs (if applicable);
- Modification and termination procedures;
- Signatories; and
- Named points of contact for all aspects of the agreement.
We have published a model of a memorandum of understanding. Many organisations, such as the police, have their own models and template for data sharing agreements.