Can the police share my personal data?

Disclaimer: this article is for general information. It’s not intended to be used as legal advice. For information on how to get legal advice, please see our ‘I need a lawyer’ page here.

Privacy is your human right

Article 8 in the Human Rights Act protects your right to privacy. Article 8 is a qualified right, so the police (or any public body) can interfere with your privacy if:

• There is a legal basis: a law that allows them to do so. In the UK, this will likely be the UK General Data Protection Regulation (UK GDPR) or the Data Protection Act 2018.
• They have a legitimate aim: the police must have a good reason to interfere with your privacy.
• The interference is proportionate: the interference must only go as far as is needed to achieve that legitimate aim.

Back to top

Personal data and data processing

What is personal data?

Your personal data is information that can identify you or that relates to you.

• Information that can identify you: this includes information that can identify you when combined with other information, such as your name, ID numbers, or location data.
• Information that relates to you: information that concerns you in some way. This includes information about you, such as your medical records. It also includes information that can be linked to you, e.g. usage of electricity on your meter.

What is data processing?

Your personal data is processed when a person or organisation does something with the data like collecting it, storing it, or sharing it.

Back to top

Police sharing your data for law-enforcement reasons

The police – as a competent authority – can share your data if this is for law enforcement purposes.

What is law enforcement processing?

Law enforcement data processing is when the main reason for a person or organisation processing your data is one of the following 3 law enforcement purposes:

1. To prevent, investigate, detect or prosecute criminal offences
2. Carry out criminal penalties (like fines or prison sentences)
3. Safeguard against and prevent threats to public security

Law enforcement data processing means you have fewer rights as an individual.

If the police want to share your data with a third party, they:

• Must have at least 1 of the law enforcement reasons as the main reason for sharing the data; and
• Should identify why they want to share your data with a third party.

If the police have another main reason for processing your data, then it’s no longer law-enforcement processing. This means that your regular data protection rights apply again (see below).

For more detailed information, see:

• the ICO’s Guide to Law Enforcement Processing
• the ICO’s Code of Practice on Law Enforcement Processing and Data Sharing.

What is a competent authority?

Only competent authorities can process personal data for law enforcement purposes.

The police count as a competent authority, which is:

• Anyone with right to exercise public authority or public powers for law enforcement purposes; or
• A person listed in Schedule 7 of the Data Protection Act 2018.

Back to top

Police sharing your data not related to law enforcement reasons

The police could still share your data with other organisations for reasons that are not related to law enforcement.

However, there are stricter rules. Before sharing your data for non-law enforcement purposes, the police must take the following steps:

1. Check if sharing your data count as processing for law-enforcement purposes

The police must first check that sharing your data is still compatible with the purpose for which the police collected it in the first place. The law enforcement purposes are explained above.

If the answer is ‘no’, then the police need to check the following:

2. Find a law that allows the police to share your data for non-law enforcement purposes

This is so that the sharing is “authorised by law”.

What does “authorised by law” mean?

The Data Protection Act doesn’t give a definition of what “authorised by law” means in this context. However, it usually means that the competent authority has

• a legal obligation to share the data – they are required to share your data by law.
•  a legal power to share the data – they have a choice whether to share your data or not. The choice the police make will depend on the situation.

This law that requires them or allows them to share the data in the first place could be found in:

• An Act of Parliament (statute law). For example, the Immigration and Asylum Act 1999 gives the police (and other public authorities) broad powers to give the Home Secretary information “for use for immigration purposes”.
• A statutory code of practice – guidance on how the statute applies
• Common law or case law. This is the law we get when judges rule on cases and clarify what the law is. The police must not use the common law in a way that goes against statute law, data protection law or the Human Rights Act.

3. Find a lawful basis for sharing your data under UK data protection law

The police need to explain what part of UK GDPR lets them share your data for something not related for a law enforcement purpose.

Article 6 of the UK GDPR lists the 6 lawful bases for processing. You can read more about them here. In order to lawfully share your information with third parties, the police would have to show that at least 1 of these 6 lawful bases applied.

4. Make sure sharing your data follows regular UK data protection law for data processing

Police sharing your data makes them data processors, so they would have to follow certain rules, like:

• Rules for processing criminal offence data. This data covers a wide range of information about people who have committed a crime (offenders) and suspected offenders. If the police want to share it, they must also follow the rules in Article 10 of the UK GDPR.
• Rules for sensitive processing of special category data (Article 9 of UK GDPR) Special category data includes your racial or ethnic data, amongst other things.
• The data protection principles under the UK GDPR.  A key principle is the data minimisation principle. Among other things, it requires the processing to be limited to what is necessary. The police shouldn’t be sharing more than they need.
• They should inform you of your individual rights if you ask. These include your right to access your data, known as a subject access request.

For more detailed information on data sharing and your rights, please see

• The ICO’s Guide on data sharing for non-law enforcement purposes
• The ICO’s Guide to Data Protection

Back to top

What about the person or organisation who my data is being shared with?

If the police lawfully share your personal data, the person or organisation who your data is being shared with must also follow data protection law. Please see the ICO’s Guide to Data Protection for more information.

Back to top

Police data sharing and your human rights

The police shouldn’t be sharing your data in a way that discriminates against you

The Human Rights Act 1998

Article 14 bans public authorities, like the police, from discriminating against you when you exercise certain rights under the European Convention on Human Rights (ECHR). This includes your Article 8 right to privacy.

Even if the police can lawfully share your personal data, they shouldn’t do so in a way that discriminates against you. If they do, this could be violating your Article 14 rights.

Discrimination under the ECHR means when

• you’re treated differently than others for certain reasons, like your health and disability; and
• there is no good reason for treating your differently.

If you think the police have violated your Article 14 rights, you might want to get legal advice.

What can I do if I think the police have shared my data unlawfully?

Make a subject access request

The Data Protection Act 2018 gives you the right to access your data held by the police, or any organisation. Please see our page on making a data subject access request for more information.

For law enforcement data processing sometimes the police can limit the information they give you, for example if there is an ongoing investigation.

However, the police should always tell you if they’re limiting the data they give you and why.

Make a data protection complaint to the police

If you make a subject access request, but you’re not happy with how the police responded, you can complain. The website of the police force involved should have a privacy notice which explains how to make a data protection complaint.

You can use ICO’s template letter.

Complain to the ICO

You can complain to the ICO against a police force if you are unhappy with their response to your data protection complaint. See the relevant section on our subject access request page, as well as the ICO’s information page about making a complaint about an organisation.

You should send your complaint to them within 3 months of your latest exchange with the police. The ICO will not investigate your concerns if there has been a delay in bringing the issue to their attention.

Get legal advice

If you believe that your rights have been breached, you can apply to a court for an order requiring the organisation to follow the UK GDPR.

Find out how to get legal help if you’re thinking of doing this.

Back to top

Other pages you might be interested in

• How do I make a subject access request?
• Your right to protest: disabled people’s rights
• How should the police treat us?
• Information about discrimination
• Information on your rights and the police

Back to top