Garda Requests for Disclosure of Personal Data

Image: https://www.flickr.com/photos/mctraba/6272473419/

The General Data Protection Regulation (GDPR) restricts how personal data may be processed by a data controller. In particular, personal data may not be used for a purpose incompatible with the purpose for which the data was initially collected.

One exception to this is Section 41(b) of the Data Protection Act 2018. This allows a data controller in Ireland to disclose personal data to a third party to the extent that this is “necessary and proportionate for the purposes of preventing, detecting, investigating or prosecuting criminal offences.

Typically, this arises following a request from An Garda Síochána (or another law enforcement body) for disclosure of information containing personal data. In sectors such as insurance and financial services, requests under Section 41(b) are quite common.

However, organisations in other sectors might be alarmed to receive a request from the Gardaí seeking disclosure of information under Section 41(b). This might be for various information relating to named individuals or for a copy of CCTV footage. The request might be marked urgent, refer to serious criminal allegations, or be broad or exploratory in nature. You might feel under pressure to comply with the request.

The most important thing to know is that you are under no obligation to comply with a request made under Section 41(b) of the Data Protection Act 2018. It is completely voluntary. However, the catch is that if you choose to comply in full or in part, you bear the risk as data controller. This means being satisfied that disclosing the personal data is necessary and proportionate for the purpose of preventing, detecting, investigating or prosecuting criminal offences. This places a high burden on you as data controller, including keeping records to justify your decision and to demonstrate accountability under GDPR. You also have other obligations, including transparency to data subjects, data minimisation, facilitating data subject rights, and ensuring appropriate data security.

If information concerning particular individuals or video footage is that important for a criminal investigation, the Gardaí can (and often will) get a District Court order or even a search warrant. And if this is served on you, there will be a legal obligation to provide the information, and you will have protection as a result. In many instances, this may be preferable to complying voluntarily with a request made under Section 41(b) and taking on the risk and potential liability of getting it wrong.

And if you choose not to comply with a disclosure request made under Section 41(b), which you are fully entitled to do, the communication received will likely contain sensitive or confidential information which should not be retained unless there is a specific reason to do so.