One of the main things to remember when disclosing to the police under s28(3)
[1984 Act] or s29(3) [1998 Act] is that it is the Data User / Controller (not
the police) who must be reasonably convinced that failure to disclose would
prejudice the enquiry.
If you are not individually authorised by the Data User / Controller (usually
your employer) to make the decision to disclose (or not) then you should
always pass the request to someone who is so authorised.
There have been occasions (rare, but significant) where s28(3) disclosures
have been made about individuals who could not have been involved in the
alleged crime and the employer KNEW this to be the case (because the
individual was in one instance in a management meeting, in another he was
working in a different part of the country).
I would imagine this type of disclosure is outside the scope of s29(3) and
unless the organisation is registered to disclose employee data to the police
could well be illegal. But then of course Principle One would require that
the individual is informed of likely recipients.
Another thing to remember is in respect of s115 of the Crime and Disorder
Act. Data sharing under this Act is only allowed (it is not compulsory)
where compliance with the Data Protection Act 1998 has been met. In other
words, complying with the Principles, including: informing the individual
(seeking consent in most cases), ensuring the purpose is registered and
compatible with the reason for obtaining the data, ensuring data quality and
integrity, not releasing more than is strictly necessary, not keeping it for
too long (ref: Rehabilitation of Offenders, etc), processing with the rights
of the individual in mind and having appropriate security (including staff
vetting).
Ian Buckland
Keep IT Legal Ltd