Sharing information with the police guidance for IG professionals

It is important your local organisation has a policy in place in relation to disclosures of information to the police and you are able to provide advice to colleagues in the event of a request for information from the police.

The UK GDPR and the Data Protection Act 2018 (DPA) set out exemptions from some of the rights and obligations in some circumstances. This includes the prevention and detection of crime (schedule 2 paragraph 2 of the DPA). This enables the work of the police to be exempt from a number of requirements (though not all) where meeting them would undermine work to investigate and prosecute crime. The Information Commissioner’s Office (ICO) has provided guidance on sharing personal data with law enforcement authorities.

Generally, you will be able to rely upon GDPR Article 6(1)(e) [public task] and, where it is necessary to share health information, Article 9(2)(g) [substantial public interest] as the bases for complying with data protection requirements when making a disclosure to the police for them to pursue a reasonable line of enquiry.

Whilst other Acts provide a duty to disclose information in certain circumstances, data protection law does not itself provide a duty to disclose. In addition to compliance with data protection legislation, you need to determine if there is a legal basis for setting aside the duty of confidentiality if confidential patient information is requested by the police (see next section).

There will be times where there is a:

• statutory duty to provide information to the police (see the guidance for health and care professionals section)
• legal permission to disclose information to the police that does not amount to a legal duty

In the absence of a statutory duty to disclose confidential patient information to the police:

• the explicit consent of the patient or service user is required, or
• the disclosure would need to be in the public interest
• to protect individuals or society from risks of serious harm, or
• for the prevention, detection or prosecution of serious crime, especially crimes against the person

When making disclosure in the public interest, the benefit to an individual or to society must outweigh both the patient’s and the public interest in keeping the information confidential. Your Caldicott Guardian should also be involved so that you can make a shared decision about disclosure.

Health and care professionals will also need to comply with the professional standards set by their regulators. The GMC provide advice on disclosures whether an individual is at risk of serious harm. Their guidance states ‘that in very exceptional circumstances, disclosure without consent may be justified in the public interest to prevent a serious crime such as murder, manslaughter or serious assault even where no one other than the patient is at risk.

This is only likely to be justifiable where there is clear evidence of an imminent risk of serious harm to the individual, and where there are no alternative (and less intrusive) methods of preventing that harm. This is an uncertain area of law and, if practicable, you should seek independent legal advice before making such a disclosure without consent.’ Department of Health guidance is also available on public interest disclosures.

The Access to Health Records Act should not be used as the basis for disclosing information to the police, because the police are not listed as a party who can request access to records of deceased people under the Act.

The duty of confidentiality continues to apply after death so unless you have a legal duty to share information (for example a court order), the disclosure would need to have the explicit consent of the patient or service user or be in the public interest as set out above.

Disclosures to the police would still be subject to legal redactions, for example if they contain 3rd party information. This is unless there is a justification for disclosing that information (for example, information about the 3rd party is relevant to the police investigation and disclosure will help protect the patient, the 3rd party or others from serious harm).

In some cases, the police may want to inspect the record at your premises, rather than have a copy sent. In these cases, you should agree on a time for the visit (which should be as soon as possible). Review the record ahead of the visit to ensure that you will not inadvertently disclose information that is irrelevant to police inquiries. Ideally, you should have a clinician available to help the police understand any medical terms or content that might be unfamiliar to them. You should never give the police an original health and care record to take away.

You should respond to police requests in a timely manner (this will vary depending on the amount of information relevant to the enquiry), or within the timeframe stipulated on a court order. If the request is going to take longer than anticipated to respond to, it is advisable to contact the police or court and explain the situation.

In some cases, the police may request medical information out of daytime working hours (see the health care professionals section). You should put in place local policy and procedures which set out what frontline staff should do to respond to urgent police requests out of hours including where individuals or society is at imminent risk of serious harm.

The data subject is also free to make a subject access request (SAR) and share their information with the police in that way. You should not however ask patients or service users to use the SARs process as a way for your organisation to avoid considering and appropriately responding to requests from the police.

The National Police Chiefs’ Council (NPCC) is rolling out a new standardised 3rd party material request form to request 3rd party material including health and care information. This has been developed with input from NHS England, the National Data Guardian and the Information Commissioner’s Office. See the health and care professional section for further information about this and the information which should be included in requests.