Institutions may be asked by the police for information about students or staff in order to help them with their investigations. Unless presented with a court order, you may choose whether or not to supply such information. If you choose to supply the information, you must do so with due regard to data protection law.
The police should understand that you have a legal duty to comply with the Data Protection Act 1998. Refusing to simply hand over the information without due care isn't about making the police’s job harder or unnecessary bureaucracy – it’s about complying with the law. Unfortunately, there are instances of police officers trying to get information informally, without proper respect for the institution’s data protection duties and the individual’s right to control their information.
When the police request information, they should do so using a form similar to that on page 158 of the ACPO (2010) Guidance on the Management of Police Information or Appendix F (pages 126-132) of the ACPO (2010) Data Protection Manual of Guidance V.3. The information contained on this form will allow you to decide whether s.29 of Data Protection Act 1998 allows you to give out the information or not. The ICO gives practical, usable guidance.
The ICO suggests asking the following questions:
“• Am I sure the person is who they say they are? (For this reason particular care should be taken if the request is made over the telephone.)
• Is the person asking for this information doing so to prevent or detect a crime or catch or prosecute an offender?
• If I do not release the personal information, will this significantly harm any attempt by the police to prevent crime or catch a suspect? (The risk must be that the investigation may very well be impeded.)
• If I do decide to release personal information to the police, what is the minimum I should release for them to be able to do their job?”
A ‘yes’ answer to the first three questions, and ensuring the supply of the minimum required information is likely to satisfy the exception for release of information under s.29.
The ICO also suggests the following as good practice:
“• Select a person or group of people within your organisation to make the decision whether or not to release personal information under the exemption.
• Ask for the request to be made in writing and signed by someone of sufficient authority.
• Make a record of each decision you make and the reasons why you came to that particular decision.”
Related FAQ: Does an institution need to disclose personal information about a student given to the police to that student upon a subject access request?