The General Data Protection Regulation (GDPR) restricts how personal data may be processed by a data controller. In particular, personal data may not be used for a purpose incompatible with the purpose for which the data was initially collected.
An exception to this is Section 41(b) of the Data Protection Act 2018. This allows a data controller operating in Ireland to disclose personal data to a third party to the extent that this is “necessary and proportionate for the purposes of preventing, detecting, investigating or prosecuting criminal offences.”
Typically, this may arise following a request from An Garda Síochána or another law enforcement body for disclosure of information containing personal data. Such requests are not uncommon in sectors such as financial services and telecommunications, although it is up to each company to handle such requests in a legally compliant manner.
However, some data controllers might be alarmed to receive a request from the Gardaí seeking disclosure of information under Section 41(b) of the Data Protection Act 2018. This might be for information relating to named individuals or for a copy of CCTV footage. The request might be marked urgent, refer to criminal allegations, or be somewhat broad or exploratory in nature. You might feel under pressure to comply with the request.
The most important thing to know is that, unless there is a legal obligation or a mandatory reporting requirement, you don’t have to comply with a request for disclosure of personal data under Section 41(b) of the Data Protection Act 2018. However, the catch is that if you choose to comply with the request in full or in part under Section 41(b), you bear the risk as data controller. This means being satisfied that disclosing the personal data is necessary and proportionate for the purpose of preventing, detecting, investigating or prosecuting criminal offences. This places a burden on you as data controller to justify the processing and keep appropriate records to demonstrate GDPR compliance. You also have other obligations, including transparency to data subjects, data minimisation, facilitating data subject rights, and ensuring appropriate data security.
If information concerning individuals or video footage is important for a criminal investigation, the Gardaí can and often will get a District Court order or even a search warrant. And if this is served on you, there will be a legal obligation to provide the specific information, and you will have protection as a result. Depending on the circumstances, this may be preferable to complying voluntarily with a request for disclosure under Section 41(b), and taking on the risk and potential liability of getting it wrong.
And if you choose not to comply with a request for disclosure under Section 41(b) of the Data Protection Act 2018, which you are entitled to do in the absence of any other legal obligation or mandatory reporting requirement, bear in mind that the communication received may well contain sensitive or confidential information that should not be retained unless there is a specific reason to do so.