Although most organisations are aware of the Data Protection Act 1998 (DPA), many are confused about when they can legitimately disclose personal data in response to a request from a third party, such as the police or the Inland Revenue.
The DPA applies when personal data are processed by data controllers. Personal data must be identifiable and relate to a living individual. The definition of processing includes "disclosure of the information or data by transmission, dissemination or otherwise making available". Releasing information to a third party would, therefore, amount to processing.
Data controllers must comply with the eight data protection principles. Of these, it is usually the first and second principles that restrict the disclosure of personal data. The first principle provides that personal data must be processed fairly and lawfully; personal data will not be treated as processed fairly unless specific information is provided to the individual as to how data are processed. The second principle provides that personal data should be obtained only for one or more specified and lawful purposes.
Organisations sometimes draw up policies on how they might process personal data. For example, data protection notices given to employees typically state that the employer may release information to the police, Inland Revenue and other government agencies. But even if an organisation has notified individuals that it may disclose their data in this type of situation, the first principle may still restrict disclosure. This is because, in addition to the obligation to provide information to individuals, the first principle imposes a general obligation of fairness.
The first principle also provides that personal data may not be processed at all unless at least one of certain conditions is met, such as that the individual has given consent, or that the processing is necessary for legitimate interests pursued by the data controller.
The DPA contains a long list of exemptions that could, potentially, be relevant to requests to disclose information. However, in practice, the exemptions for crime prevention and legal proceedings are most useful. Most requests from police forces and other law enforcement agencies specifically cite the crime prevention exemption. Before an organisation releases personal data in response to such a request, it should check that the request is genuine.
Organisations can also expect to receive a request to disclose personal data if the information is relevant to legal proceedings: for example, if the third party wishes to pursue an individual who it considers has illegally downloaded material from the internet, or whom it suspects of publishing defamatory material.
The article also considers a recent EU working party consultation on this area, how to deal with overseas requests, and relevant sanctions under the DPA.
First published on the Practical Law Company's website on 14 March 2005.