• 0115 9 500 500 | 0115 9 607 607
  • Open 24/7

Dealing with Data Requests under Schedule 2 Part 1 Paragraph 2 of the Data Protection Act 2018 and GDPR Article 6(1)(d)

This guideline is intended to cover situations where DG Cars receive a request from agencies connected with law enforcement for personal data about customers, drivers, employees or other individuals whose information we hold. Usually, such requests will come from the police.

However, other government agencies may also request data for law enforcement purposes, such as the Department for Work and Pensions, local authorities, HM Customs and Revenue and UK Visas and Immigration (UKVI).

Personal data held by DG Cars must be managed in accordance with the General Data Protection Regulation and the Data Protection Act (2018).

Our data protection policy provides general guidance regarding when personal data can be disclosed.  In general, care should be taken to ensure that the processing of data disclosed to law enforcement agencies is "fair and lawful" in accordance with the first principle of the GDPR.

The Data Protection Act (2018) includes exemptions which allow personal data to be disclosed to law enforcement agencies without the consent of the individual who is the subject of the data, and regardless of the purpose for which the data were originally gathered.

In particular, personal data may be released if:

 

  • The information is required for safeguarding national security(DPA section 26); or
  • Failure to provide the data would prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty(Schedule 1 Part 2 Clause 1 of the DPA).
  • Personal data may also be disclosed where the disclosure is required by law. E.g. Social Security Fraud Act 2001 – disclosure of information to authorised officers of the Department for Work and Pensions or local authorities as part of an investigation of fraud against the state benefit system. Refusal to provide the information can lead to prosecution of the institution.

 

Before we release data to a law enforcement agency, we need to ensure that the information is being provided to a genuine and properly authorised investigation. If we are not satisfied that there are valid grounds for releasing the information, the DPA does not oblige us to do so.

If we refuse to release the information, law enforcement agencies may obtain a court order requiring us to provide it. We may also face penalties under other legislation which requires us to disclose data.

DG Cars want to co-operate with the police and other agencies in the prevention and detection of crime. Personal data required for a legitimate investigation will normally be released. The sections below outline the procedures that should be followed when responding to requests for data, to ensure there are adequate safeguards in place to protect DG Cars against the claim that information has been released contrary to the DPA/GDPR.

(1)           Responding to requests for information   

The following points apply to routine requests for personal data.

It is important that we respond to requests in a consistent and co-ordinated way, using the most up to date information. To facilitate this, staff who receive a request for personal data from a law enforcement agency must forward it as soon as possible to:

Peter Shearstone - who will co-ordinate the DG Cars response.  Cait Burton, Suhail Mughal and Stuart Lyon in Peter’s absence.

  • Requests for data about current or former employees, please forward to:

 

Peter Shearstone - who will co-ordinate the DG Cars response.

  • Requests for data about current or former drivers / escorts, please forward to:

 

Peter Shearstone - who will co-ordinate the DG Cars response.

  • All other requests for personal data are dealt with according to our privacy policy and should be forwarded to the Data Protection Officer – Imran Khan.

The above staff will ensure that the data requests are actioned according to our data protection policies.

(2)           Requests from the Police Force

Police forces use standard data protection forms relating to the relevant part of the DPA2018 /GDPR act which provides for the exemption for requesting personal data. 

This form should certify that the information is required for an investigation concerning national security, the prevention or detection of crime, or the apprehension or prosecution of offenders, and that the investigation would be prejudiced by a failure to disclose the information.

This provides us with a legal basis for supplying the data under the DPA exemptions. 

 

Staff should request a data protection form except in emergency situations.  Staff who can deal with a police request are Peter, Cait, Suhail and Stuart

Other law enforcement agencies may not use standard forms.

However, any request should:

  • Be in writing, on headed paper, and signed by an officer of the agency.
  • Describe the nature of the information which is required.
  • Describe the nature of the investigation (e.g. citing any relevant statutory authority to obtain the information).
  • Certify that the information is necessary for the investigation.

If a properly completed form or letter is received, the data should normally be disclosed. However, remember that we can (and should) refuse to provide the information if we have reason to doubt that the request is genuine.

Copies of the form or letter used to request personal data, other correspondence with the law enforcement agency and a copy of any data released should be retained by the DG Cars for 6 years.

Questions or issues relating to written requests from law enforcement agencies should be directed to the Data Protection Office – Imran Khan.

(3)           Individual requests made by a third party such as a Solicitor

A customer can authorise their solicitor to make a data request and it should be treated as if it was made by the customer.  As long as, they provide the customer’s written consent.

These requests should be dealt with by the Data Protection Office – Imran Khan.

(4)           Data requests from Insurance Companies

Insurance companies do not have the same privileges as solicitors – the ICO has said insurance companies using data requests to obtain information is an abuse of the process.

If a data request is received from insurers, we should contact the customer/driver/employee to explain the implications and the extent of the disclosure and should provide the information to the individual themselves instead of directly to the insurance company.

This doesn’t mean that we refuse to respond to a data request from an insurance company, but it does mean they need to stay vigilant and compliant.

The DPA has made it a criminal offence to make a data request in order to access information about individuals’ convictions and cautions.  If you suspect that a data request from an insurer is trying to collect information about an individual’s criminal record, then it should be reported to the ICO and the Association of British Insurers.

(5)           Emergency situations   

An emergency is one where we have reason to believe that there is a danger of death or injury to an individual. The police and other emergency services may urgently require personal data from us and may not have time to complete a formal written request. In these circumstances, any staff member who has access to the data can legally disclose the information, but the safeguards below need to be met:

  • If possible, seek the authorisation from DG Cars Senior Management before providing the data.
  • If the request is received by telephone, ask the caller to provide a switchboard number, and call them back through the organisation's switchboard before providing the data. This provides a basic (though not full proof) way of checking that the call is genuine.
  • Ask the enquirer to follow up their request with a formal written request, so that we have this on file. Keep a record of the enquiry and your response, and pass details to the Data Protection Officer, as soon as possible.

 

(6)           Do not be bullied into disclosing data

If you have any doubt as to the validity of the request. Ask the enquirer to submit the request in writing and refer the enquiry to those staff who normally deal with written requests.

 

(7)           Data Protection Requests Charges

Subject Access Requests from individuals cannot be charged for unless deemed as ‘excessive or manifestly unfounded’ or they ask for a second copy of data already provided.

Requests disclosed under Schedule 2 Part 1 Paragraph 2 of the Data Protection Act 2018 and GDPR Article 6(1)(d) from external organisations can be charged and will be charged in accordance the following rates:

Search of Ghost / Phantom systems

From £50 per hour

All work in accordance with supplying information for the Data Protection request

From £10 per hour

CCTV requests (all work in accordance of reviewing footage and if necessary, supplying footage).

£150 per request

Requests from Insurance Companies

From £10 per hour

 

Each request will be reviewed on a case by case basis and purchase order numbers should be obtained before any data released unless deemed unnecessary or obstructive.