Information Comissioner's Office (ICO) Advice
The Information Comissioner's Office (ICO) is the UK's independent body set up to uphold information rights.
The ICO published a data sharing hub which includes guidance for sharing personal data, such as CCTV and other information, with law enforcement authorities.
The ICO have also produced a toolkit which data controllers can use to see whether they can share data with law enforcement authorities.
UK GDPR does not prevent sharing of personal data with law enforcement authorities, as long as the sharing is necessary and proportionate. Data controllers will need to identify a lawful basis under Article 6 to enable sharing, if the personal data includes special category data then an additional provision must be identified under Article 9. Likewise if the data includes criminal conviction data then an additional provision must also be identified under Article 10. Data controllers should review Paragraph 10 of Schedule 1 of the DPA 2018 if they are considering sharing special category or criminal conviction data.
Can retailers share the same data with other retailers?
There is no specific answer as it will depend on each individual case as to whether or not it would be necessary and proportionate for data controllers to share data with one another. ICO suggests that data controllers carefully consider the recently published data sharing code of practice, which provides helpful information on the practical considerations that should be taken as part of determining whether or not sharing would be justified. The code is designed to help data controllers consider and document the risks and benefits for sharing. It also includes a checklist and decision form template.
Information Sharing Agreements (ISA):
Where businesses need to share information with other businesses or with police, it is good practice to have an information sharing agreement (ISA) in place. ISAs set out the purpose of the information sharing, cover what happens to the data at each stage, set standards and help clarify roles and responsibilities of all parties involved in data sharing.
For further information, please refer to the guidance on the ICO website here.
Myths busted:
There is a common misconception that data protection laws are a barrier to effective data-sharing. Follow the link to the ICO website to find out why this is not the case and where common data-sharing myths are busted. Data sharing myths busted | ICO
Link to the SME hub/helpline on ICO website: Get help and support from the ICO | ICO
For information on the data sharing code of practice: Data sharing: a code of practice | ICO
For a step-by-step guide to deciding whether to share personal data: Annex A: data sharing checklist | ICO
Link to the data sharing form for use by organisations taking the decision to share data: Data sharing decision form template | ICO
For guidance on storing data and acceptable software use when sharing information: Records management and security | ICO
For information on data sharing with law enforcement: Sharing personal data with law enforcement authorities | ICO / Can I share personal data with a law enforcement authority, such as the police? | ICO