Legal Authority Disclosures
Legal background
These guidelines are intended to cover situations where the University of Sheffield receives requests from agencies connected with law enforcement for personal data about students, staff or other individuals whose information the University processes.
Usually, such requests will come from the police. However, other government agencies may also request data for law enforcement purposes, such as the Department for Work and Pensions, local authorities, HM Customs and Revenue and UK Visas and Immigration (UKVI), Student Loans Company or the HSE.
Personal data held by the University must be managed in accordance with the General Data Protection Regulation and the Data Protection Act (2018), collectively "data protection law". In general, care should be taken to ensure that the processing of data disclosed to law enforcement agencies is "lawful and fair" in accordance with the first principle of the GDPR. The Data Protection Act 2018 (DPA) does include exemptions which allow personal data to be disclosed to law enforcement agencies without the consent of the individual who is the subject of the data, and regardless of the purpose for which the data were originally gathered. In particular, personal data may be released if:
- The information is required for safeguarding national security (section 110 of the DPA); or
- Failure to provide the data would prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty (Schedule 2 Part 1 Paragraph 2 of the DPA).
Personal data may also be disclosed without contravening the DPA where the disclosure is required by law. For example, the Social Security Fraud Act 2001 requires education institutions to provide any information to authorised officers of the Department for Work and Pensions or local authorities which they require for the investigation of fraud against the state benefit system. Refusal to provide the information can lead to prosecution of the institution.
Before we release data to a law enforcement agency, we need to ensure that the information is being provided to a genuine and properly authorised investigation. If we are not satisfied that there are valid grounds for releasing the information, the DPA does not oblige us to do so: the exemptions in the Act are permissive. However, if we refuse to release the information, law enforcement agencies may obtain a court order requiring us to provide it. As indicated above, we may also face penalties under other legislation which requires us to disclose data.
The University seeks to cooperate with the police and other agencies in the prevention and detection of crime, and the maintenance of a safe environment for the University and the wider community. Personal data which are necessary for a legitimate investigation will normally be released. Sections 2 and 3 set out the procedures that should be followed when responding to requests for data, to ensure there are adequate safeguards in place to protect the University against the claim that information has been released contrary to the DPA.
Responding to requests for information
The University must only disclose personal data in response to an adequate and properly authorised written request.
Police forces have standard form for requesting personal data, in accordance with guidance issued by the Association of Chief Police Officers (ACPO). The form should certify that the information is required for an investigation concerning national security, the prevention or detection of crime, or the apprehension or prosecution of offenders, and that the investigation would be prejudiced by a failure to disclose the information. This provides us with a legal basis for supplying the data under the DPA exemptions. Staff should compel police authorities who make requests for personal data, apart from in emergency situations, to complete a relevant form.
Other law enforcement agencies may not use standard forms. However, any request should:
- Be in writing, on headed paper, and signed by an officer of the agency;
- Specify the type of information which is required - the categories and extent of the information requested should not be open-ended, and should be proportionate to the purpose;
- Describe the nature of the investigation (e.g. citing any relevant statutory authority to obtain the information); and
- Certify that the information is necessary for the investigation.
If a properly completed form or letter is received, the data should normally be disclosed. However, remember that we can (and should) refuse to provide the information if we have reason to doubt that the request is genuine.
These requests should be sent to dataprotection@sheffield.ac.uk. For out of hours requests please see section 5.3.
Emergency situations
An emergency situation is one where we have reason to believe that there is a danger of death or injury to a member of the University or any other person. The police and other emergency services may urgently require personal data from us, and may not have time to complete a formal written request. In these circumstances data can be provided by either the data protection team or the security team.
The Security team may also provide information in out of hours circumstances, they can be contacted at: security@sheffield.ac.uk or 0114 222 4085.
Do not be bullied into disclosing data if you have any doubt as to the validity of the request. Ask the enquirer to submit the request in writing, and refer the enquiry to the data protection team.