Last updated: 
1 month 3 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Disclosing personal data for criminal investigations

Thursday, August 27, 2015 - 16:36

The Information Commissioner has published updated and extended guidance on the use of the Data Protection Act's "section 29" exemption, based on cases and wider experience. This exemption is often used to release personal information (such as computer or network logs) to the police or other authorities investigating crimes, so sections 33-52 in particular are worth reading as a refresher.

The points I'm most often asked about are:

  • The exemption only applies to crimes, not to civil legal proceedings (para 9);
  • It creates a permission to disclose personal data, not a requirement to do so (para 36);
  • It only applies if applying the normal DPA rules (e.g. not disclosing) would be likely to prejudice the prevention, detection or investigation of crime (para 37); "prejudice" must be "real, actual and of substance" (para 11) and there must be a "significant and weighty chance" of it occurring (para 13);
  • The exemption only applies to the extent necessary to avoid such prejudice (i.e. you can only disclose as much information is necessary) (para 37);
  • This needs to be assessed on a case-by-case basis, not as a blanket policy (para 10);
  • Disclosure doesn't need to be requested by the authorities – a data controller can initiate the process if they consider the requirements are met (para 40);
  • Keeping records of disclosure and reasoning is a good idea (para 38).

[UPDATE] The ICO's blogpost has a nice series of worked examples


Am I correct in thinking that releasing data through this exemption doesn't provide you as much protection from a potential challenge by the subject in comparison to if you had provided the data in response to a RIPA s.22 notice or similar?

Correct. Under RIPA s22 you are *required* to release the data so long as you believe the notice is authoritative. So the only grounds for challenege is that your belief was unreasonable (or that you disclosed more than the notice required, I suppose). Under DPA s29 the data controller has responsibility for deciding whether the exemption applies, so any aspect of that could be challenged. BTW, the Home Office guidance (s1.3) is clear that DPA s29 should *not* be used if a RIPA notice covers the data required.