Teal blue graphic

ICO guidance on crime and taxation exemption

The Information Commissioner has recently released updated guidance on the application of section 29 of the Data Protection Act 1998 (DPA), the crime and taxation exemption, which can be found here.

This guidance explains that section 29 comprises of two parts:

1. It permits data controllers to share personal data that would otherwise breach the DPA, provided that it is satisfied that the recipient intends to use the personal data for one or more of the following purposes:

  • the prevention/ detection of crime; 
  • the apprehension or prosecution of offenders; and/or 
  • the assessment or collection of tax; (s29 purposes); and

that the non disclosure would or would be likely to prejudice one or more of the s29 purposes.

2.It also permits data controllers to withhold personal data from the individuals it relates to, where the disclosure would or would be likely to prejudice any of the s29 purposes. 

Sharing personal data

S29 can be a difficult exemption to apply, and is often mis-interpreted by organisations requesting disclosure, erroneously claiming that s29 places an obligation on the data controller to provide the requested personal data. The guidance confirms that s29 "allows disclosure in specific circumstances but does not require it." 

In other words, the decision to disclose (or not) lies solely with the data controller, not the requesting organisation, and the data controller needs to be satisfied that:

  • the disclosure is for one or more of the s29 purposes; and 
  • that if it was to decline to provide the personal data requested, it would prejudice or would be likely to prejudice any of the s29 purposes; 

before it makes a disclosure, as it may be required to justify why the information was provided.

It also confirms that if the data controller is not satisfied that the request meets the above criteria, it is entitled to either:-
request further information to allow it to consider whether the s29 exemption is engaged; or 
refuse the request.

It also advises that the requesting organisation can, if the request has been refused, apply for a court order for disclosure if it considers it appropriate. 

When applying for such an order, the burden lies with the requesting organisation justifying to the court that the data controller's failure to disclose the requested information would or would be likely to prejudice any of the s29 purpose(s) relied on. 

When responding to any of these applications, it is recommended that the data controller produces to the court evidence as to the deliberations taken before deciding not to disclose the requested information (including the original request, any correspondence entered into, any attempts to obtain further information and the outcome of those attempts).  If the data controller can show the court that the decision not to disclose the information under the s29 exemption, based on the information provided to it, was not unreasonable, it may avoid a costs order being awarded against it.

Even if s29 permits the data controller to release the personal data, this does not exclude the data controller from other data protection obligations, including ensuring that the personal data is kept secure. This extends to transferring the personal data securely to the requestor, and an obligation to ensure that the personal data shared is not excessive and is relevant to the purposes behind the request, for example, ensuring that CCTV footage disclosed is footage of the incident under investigation and/or footage of the alleged perpetrator, rather than the entire day's CCTV footage.

The guidance also makes it clear that s29 is not the only provision of the DPA that could permit the sharing of information for investigations. It highlights s35, which permits the provision of personal data in response to a request, where the requestor has a statutory entitlement to that information; or where the request is made for the purposes of actual or anticipated civil litigation (if the disclosure is necessary for the purposes of that actual or anticipated litigation).

Withholding personal data

The Information Commissioner makes it clear that the exemption from disclosing personal data to the data subject would only apply to personal data that would prejudice the s29 purposes, and that the data controller must, as with the disclosure provisions above, handle each request on its own merits. 

However, this does not exclude the right of the data controller to consult with other bodies where appropriate, to assess the level and/or likelihood of prejudice, before making any decision. Records of such consultation may assist if the Information Commissioner is asked to review the decision not to disclose the information under s29.

The guidance also confirms that the likelihood of prejudice will erode over time, and that there would be less strong grounds to support withholding information under s29 where the information relates to a concluded investigation. Conversely, there would be a stronger argument to support withholding personal data where the investigation is ongoing.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2015. Specific advice should be sought for specific cases. For more information see our terms & conditions.

by Varun Shingari

Insights & events View all