Data protection law doesn’t prevent disclosure of personal data where not doing would be likely to prejudice criminal justice purposes
Theft of a bicycle may not be the most serious crime ever. However, crime it is, and any omission by a person which is likely to prejudice the detection of that crime or the apprehension or prosecution of the thief is, in societal terms, to be deplored. This is why, when the omission in question would be a failure by a data controller to disclose personal data to the police which would be likely to assist in the detection of the crime or the apprehension or prosecution of the thief, the Data Protection Act 1998 (DPA) provides an exemption to the general presumption in the Act against disclosure, which authorises such disclosure.
Section 29 of the DPA is often misunderstood. It is quite common, particularly in certain sectors (social services, housing etc.) for data controllers to be contacted by the police, or other bodies with powers to investigate crime, asking for disclosure of information about people whose personal data the data controller holds. Data protection officers will often talk of a “section 29 request”, but this is really just shorthand for saying “the police etc. have requested disclosure of personal data from this data controller and the section of the DPA which is engaged and under whose provisions we would be authorised to disclose would be section 29”.
With this in mind it is surprising to read in The Daily Record that police are unable to trace a person who had the gall to post an advert on the classified ad site Gumtree purporting to offer for sale a bike stolen from outside a gym in Edinburgh. According to the article police have told the owner of the bike, who spotted the advert, that
…officers could not act because of data protection laws…Due to data protection laws, a warrant must be applied for before police can access personal information held by the site.
The reference to a warrant, however, is surely excessive. The article also refers to the police “waiting to hear back” from Gumtree. Section 29(3) of the DPA allows Gumtree to disclose the details of the person who placed the advert, by exempting them from the general obligation to comply with the first five data protection principles and sections 10 and 14(1) to (3) (collectively referred to as the non-disclosure principles). Failure to exercise this power by a data controller, or a delay in doing so, in circumstances where such a failure would be likely to prejudice the police’s duties is detrimental to the public interest. One hopes that, if the article is correct, Gumtree will now act in that public interest and disclose the details without delay.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.