The police will, on occasion, request that a school release information about current or former pupils, parents, staff and volunteers for the purposes of an investigation. Often, this is perfectly acceptable but if the information being requested is personal data, then the GDPR/Data Protection Act 2018 is engaged and you need to ensure that the disclosure is lawful and you have documented why you consider this to be the case.
What you need to do when you get a request from the police:
1. Are you satisfied that the request is genuine?
In most cases, this will be obvious because of the context, but do be aware that you may get a request from an individual posing as a police officer.
Like with scams, it is important that you don’t take what you are told at face value. If you get an out-of-the-blue phone call, don’t be afraid to challenge the individual to give you more information.
Note your reasons why you believe this to be a genuine request.
2. Is it clear what is being requested?
How specific is the request? Do you hold the information? Can you identify what is being asked for?
Again, don’t be afraid to go back and ask the police to be more specific, and consider explaining why you need this additional information.
3. Does the information requested contain special-category personal data or information concerning criminal convictions/offences?
This will not necessarily affect whether or not you can disclose, but will affect your justification for the disclosure, so it is important to identify any special category, or criminal conviction/offence data that is being requested.
4. Do you know why the information is being requested?
In order for you to proceed, you do need to understand why the information is being requested. You will not need to know all the details of the police’s investigation/case, and there may be aspects that you cannot know, but you need, in a nutshell, to understand whether the reason for the request is:
a. Necessary for the prevention and detection of crime
b. Necessary for the apprehension or prosecution of offenders.
5. Record what, when and why
When you have the information above, you can determine the appropriate legal basis for the decision. You should then keep a record of what you have disclosed, when and the legal basis.
Whenever you make any disclosure of personal data, it must be fair, transparent and lawful. When the disclosure is made for the purposes of the prevention and detection of crime or the apprehension or prosecution of offenders, there is an exemption to the requirement that the disclosure be fair and transparent, if doing so would, in itself, prejudice the prevention and detection of crime. However, it still needs to be lawful, and so you still require a lawful basis for this disclosure.
In most cases, the lawful basis that will apply here will either be that the disclosure is necessary for the performance of a public task, or necessary for a legitimate interest, where that legitimate interest overrides the interests, rights and freedoms of the individual about whom the disclosure is being made.
If special category data, or criminal conviction/offence data, is involved you need a condition for processing. The relevant condition will be one of the conditions under the ‘substantial public interest’ umbrella. For example, the substantial public interest in the prevention or detection of an unlawful act.
A school should also give some thought to its transparency obligations under the GDPR. In some cases, it may be appropriate to seek the views of individuals before sharing their personal data with the police. However, in many cases this will be inappropriate, both for practical and legal reasons. For example, a school should not do anything which would ‘tip-off’ possible suspects in a police investigation. In any event, the school should not contact individuals unless the police have confirmed they have no objection to this.
Mentioning this use (or type of use) of personal data in your privacy notices will also assist with the transparency obligations. Transparency does not mean that you have to seek the consent of the individual.
The police will often provide a form setting out why they need the information. The form should also cover the above points (for example, the legal basis relied on).
A school should ask for a copy of this form if it has not been provided. This was previously known as a ‘Section 29 Form’ under the pre-GDPR data protection legislation.
Occasionally, the police may request information because there is a genuine emergency, such as likely risk of serious harm to a pupil. Assuming the school is satisfied as to the identity of the police officer making the request, the priority should be to assist the police without delay rather than be overly concerned with which legal basis is being relied on.
A note on policies
Privacy notices are referenced above. These are also known as privacy policies and fair processing notices, and means the document that you use to meet your obligation to tell people what information you have about them, and what you are doing with it. As mentioned above, it is worth checking this use is included.
When relying on the substantial public interest condition for disclosure of special category personal data as set out above, you would usually have to have in place a specific policy which sets out the procedures you have in place to secure compliance with the general data protection principles, and your policies on retention and erasure of the information. This is known as an ‘Appropriate Policy Document’ and applies when you are using a number of the substantial public interest conditions to justify a particular use. You do not need one of these when you are disclosing to the police in reliance on the ‘prevention or detection of an unlawful act’ condition but may need one in other circumstances.
If you are satisfied that you have a reasonable request for information from the police for the disclosure of personal data, you will likely be able to release this information. Schools should also give some thought to the context of the police’s request, for example, if a request concerned an allegation of historic abuse at the school then there would likely be significant legal and reputational issues beyond data protection considerations.
VWVʼs online compliance management solution My OnStream provides GDPR data protection and information security e-learning for all your staff so they are aware of what is expected of them. It also tracks and manages staff progress for you and provides real-time reporting. Please consider subscribing to
My OnStream; find out more at mos.vwv.co.uk and book a free demo.