The ICO gets involved in the fight against shoplifting 

November, 2023 - Shoosmiths LLP

The UK data protection regulator, the Information Commissioner’s Office (ICO), has recently published a blog containing a quick guide to help retailers assess the lawfulness of sharing criminal offence data.

Businesses are often not compelled to share this type of data, and the blog is welcome as businesses may find themselves in situations where there may be conflict between discharging what they feel is a moral duty and the lawfulness of sharing, especially if it is based on legitimate interests. It’s a difficult call for any business but is especially hard to navigate for retail given the risk of related crimes and the complexity of the rules.

The blog notes that as "shoplifting is up by 27% across ten of the largest cities in the UK, more retailers are turning to technology to protect their business." 

However, the ICO also highlights that a balance needs to be struck between competing interests: “we want businesses to be able to take action to prevent crime, but we want people who aren’t breaking the law to be able to go about their day without unjustified intrusion.”

Knowing some underlying principles can help make sense of it all. 

What is criminal offences data?

The rules about use of criminal offences data are found in the UK’s version of the General Data Protection Regulation, known as the UK GDPR, and the Data Protection Act 2018 (DPA) which supplements it. This data covers ‘criminal convictions and offences’, which takes in a wide range of information about potential offenders, including personal data about suspicion of criminal activity, unproven allegations, and information relating to the absence of convictions, as well as trials and sentencing. So once a retailer has suspicions of a possible offence, then dealing with images or any other information about possible offenders in digital format will come under the rules.

Striking a balance?

Criminal offences data must be treated with care because it could create significant risks to a person’s rights and freedoms and expose them to discrimination. But the legislation also reflects the public interest in sharing it in certain circumstances. 

So, the ICO recognises that retailers may share criminal offence data, such as the image or other details of a suspect, to prevent or detect crime if such sharing is necessary and proportionate. However, such sharing is only lawful for retailers if they are also following their data protection compliance responsibilities more generally. 

Compliance obligations  

When processing criminal offence data for any purpose (including both collection and future disclosures to the police, other retailers, staff or the public) certain rules must be complied with. 

First, data sharing must be proportionate. If there are less privacy-intrusive options available, such as strategically placed mirrors, placing of checkouts, or locking away valuable items, these should be considered first. More intrusive options can only be justified if a retailer can demonstrate that other approaches will not be sufficient. 

All data processing comes with responsibilities, such as finding and documenting a lawful basis (Art. 6 UK GDPR), an exemption for processing any sensitive data (Art. 9 UK GDPR) and being open about what processing takes place (Arts 13 to 15).

Conditions

On top of this, Art. 10 provides that criminal offence data may only be processed if the controller has official authority for the processing, or if they meet one of the conditions set out in Schedule 1 of the Data Protection Act 2018. As retailers will not generally have official authority, they must first find and document a Schedule 1 condition. The likeliest such condition for the retailer is that it is necessary for preventing or detecting unlawful acts (paragraph 10). 

Use of this condition will also require retailers to have an ‘appropriate policy document’ or APD in place unless the sharing is only with police. The ICO has published a template APD which shows the typical types of information this should contain.

Given the potential risks to individuals’ rights, all Schedule 1 conditions are narrowly interpreted. Retailers must examine the specific requirements of the condition carefully to ensure they can all be met. The Paragraph 10 condition also requires a formal consideration of whether consent could reasonably be obtained from the data subject instead, though there is justification not to get consent if this would prejudice the overall purpose. 

DPIAs and DPOs

Retailers will probably need to carry out a data protection impact assessment (DPIA) prior to sharing or receiving criminal offence data. Specific information about the processing of criminal offence data (including with whom data will be shared) must also be included in privacy information provided to data subjects. So, for example, notices on doors or next to CCTV cameras must include requisite warnings and links to long-form information.

An organisation which plans to use CCTV, or to share or receive images or other information routinely will also have to consider if they are required to appoint a Data Protection Officer. 

What is appropriate?

Coming back to the blog and to the general principle of proportionality, what happens when retailers are asked to share information they have collected? The ICO is of the opinion that it is likely to be acceptable to share crime suspect details with police, managers of neighbouring stores in a shopping centre, and local security guards. Such sharing serves various justifiable purposes, in the eyes of the ICO, such as learning if other stores have experienced similar incidents (which may prevent reoccurrences) and bringing criminals to justice. 

What goes too far?

The ICO cautions that putting images in a staff room, on public social media or messaging platforms, or on public display is unlikely to be lawful, as is transmitting images via personal phones. 

Images can be shared with retail or security staff, as long as this is necessary, proportionate and not indiscriminate. 

Keeping comprehensive lists of criminals/blocklists

Under the Data Protection Act 2018, organisations may only keep a ‘comprehensive register’ of criminal convictions if it is under the control of a body with official authority, such as the police or probation service. 

According to the ICO, a comprehensive register of criminal convictions is “any list of individuals which is made available to the public or to interested third parties (whether or not on payment of a fee) and is intended to be used as a centralised or consolidated source of information on convictions.”

It catches industry ‘blocklists’ – databases of employees shared between different employers and used as a recruitment screening tool – but only to the extent that they relate to criminal convictions. The same could apply to sharing lists of convicted criminals among a group of retailers, who are very unlikely to have official authority to maintain a comprehensive register.

Key takeaways

  • Adopt a data protection by design approach: limit access; use secure settings; delete data; record decisions
  • Information relating to victims or witnesses falls under normal rules about personal data  
  • The legal rules relating to criminal convictions and offences are different from those relating to special category personal data. Both should be considered and may apply to the same data 
  • Online retailers need to consider the rules and put in place policies to help their staff understand when sharing of criminal conviction or offence data is desirable and lawful, and to ensure consistency when responding to third party data requests
  • Unproven allegations are more likely to have an unjustified impact on individuals than actual convictions: extra care is needed.

 


