There are many ways organisations might share information. The most common are:
- Data Protection Requests (SARs)
- Freedom of Information Requests
- Environmental Information Regulations Requests
- Sharing for crime/fraud prevention or identification (Data Protection Act 2018 Schedule 2, Part 1, section 2 (S212))
- Regular bulk data sharing supported by a Data Sharing Agreement or contract
This article focuses on sharing information for crime/fraud prevention or detection (Data Protection Act 2018 Schedule 2, Part 1, section 2 (S212)).
There are occasions when an organisation may be asked to share some information to assist the requester in identifying or preventing crime or fraud.
For example, one employer may ask another to confirm if an individual undertakes paid work for them, and the periods any payments cover. They want to know this as they believe that the individual is working for both them and the other organisation but has not declared this and is therefore defrauding the tax office and potentially both employers.
Another example might be a police officer requesting you to share personal data you hold as they believe it is relevant to their investigation.
In both cases it is for the data controller holding the requested personal data to establish the purpose for sharing the data and whether they believe, based on the information provided, that sharing the requested data is necessary, justifiable, and proportionate.
Data controllers should ensure that they have an appropriate mechanism in place to collect all the information they need in order to make an informed decision about whether or not to share the requested personal data.
Typically this would be a form which covers the following:
- The purpose for which the requester wishes to access the information, e.g.:
  - For the prevention or detection of crime or fraud
  - For the apprehension or prosecution of offenders
  - For the assessment or collection of any tax or duty or of any imposition of a similar nature
  - For any legal proceeding, including prospective legal proceedings
  - For information required for the purpose of obtaining legal advice
- A list of the information the requester wishes to have access to, e.g. name, address, etc.
- An explanation of why they require access to this information
- Any relevant dates or periods they wish the information to cover
- An explanation of how their activity will be prejudiced if the requested information is not disclosed
- Any relevant dates by which they would need access to the information
- The name and contact details of the requester, including their organisation and position within that organisation
- A declaration for the requester to sign, stating that they will only use any information provided for the stated purpose and in compliance with data protection law, with their signature and date of signature
- A counter-signatory, e.g. a senior officer (CIO/SIRO/DPO) name, position, signature, and date of signature
You may also want to include a consent form for the requester to use, as in some cases data subjects may have consented to their personal data being provided to the requester.
The law does not require you to provide the information. It is for the receiving data controller to consider the request and make a judgement as to whether they believe it is necessary, proportionate, and justifiable in the circumstances to make the requested disclosure. If an organisation refuses to provide the information, the requesting organisation can still apply to the Courts for access if they wish. If a Court directs disclosure, it is no longer the data controller’s responsibility to consider the risks of disclosure, as it has become a legal requirement.
You should seek advice from your Data Protection Officer before disclosing data, as the disclosure must be approved and logged to ensure that the organisation can evidence that due diligence was done in the event of a complaint.
For further advice and support on how to comply with information law please go to https://igs.essex.gov.uk/