- Legal background
- Responding to requests for information
- Emergency situations
- Status of these guidelines
These guidelines are intended to cover situations where the School receives requests from agencies connected with law enforcement for personal data about students, staff or other individuals whose information is in the School's custody. Usually, such requests will come from the police. However, other government agencies may also request data for law enforcement purposes, such as the Department for Work and Pensions, local authorities, HM Customs and Revenue and UK Visas and Immigration (UKVI).
Personal data held by SOAS must be managed in accordance with the General Data Protection Regulation and the Data Protection Act (2018), collectively "data protection law". In general, care should be taken to ensure that the processing of data disclosed to law enforcement agencies is "lawful and fair" in accordance with the first principle of the GDPR, and that the processing is covered in the School's Privacy Notices.
However, the Data Protection Act 2018 (DPA) includes exemptions which allow personal data to be disclosed to law enforcement agencies without the consent of the individual who is the subject of the data, and regardless of the purpose for which the data were originally gathered. In particular, personal data may be released if:
- The information is required for safeguarding national security (section 110 of the DPA); or
- Failure to provide the data would prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty (Schedule 2 Part 1 Paragraph 2 of the DPA).
Personal data may also be disclosed without contravening the DPA where the disclosure is required by law. For example, the Social Security Fraud Act 2001 requires education institutions to provide any information to authorised officers of the Department for Work and Pensions or local authorities which they require for the investigation of fraud against the state benefit system. Refusal to provide the information can lead to prosecution of the institution.
Before we release data to a law enforcement agency, we need to ensure that the information is being provided to a genuine and properly authorised investigation. If we are not satisfied that there are valid grounds for releasing the information, the DPA does not oblige us to do so: the exemptions in the Act are permissive. However, if we refuse to release the information, law enforcement agencies may obtain a court order requiring us to provide it. As indicated above, we may also face penalties under other legislation which requires us to disclose data.
SOAS seeks to co-operate with the police and other agencies in the prevention and detection of crime, and the maintenance of a safe environment for the School and the wider community. Personal data which are necessary for a legitimate investigation will normally be released. Sections 2 and 3 set out the procedures that should be followed when responding to requests for data, to ensure there are adequate safeguards in place to protect the School against the claim that information has been released contrary to the DPA.
The following points apply to routine requests for personal data. See Emergency Situations for what to do if the urgent disclosure of data appears to be necessary to protect the life or health of individuals.
(1) It is important that SOAS responds to requests in a consistent and co-ordinated way, using the most up to date information. To facilitate this, staff who receive a request for personal data from a law enforcement agency must forward it as soon as possible to one of the following individuals, who will co-ordinate the School's response:
- Requests for data about current or former students, those applying to become students or unsuccessful applicants: pass to the SOAS Registry and copy to the Information Compliance Manager.
- Requests for data about current or former staff or job applicants: pass to the Human Resources Operations team in Human Resources, and copy to the Information Compliance Manager.
- All other requests for personal data: pass to the Information Compliance Manager.
The above staff will ensure that the request is handled in accordance with the remainder of these procedures.
(2) Except in Emergency Situations, SOAS must only disclose personal data in response to an adequate and properly authorised written request.
Police forces have standard forms (known as "212" forms, relating to the relevant part of the DPA which provides for the exemption, Schedule 2 Part 1 Paragraph 2) for requesting personal data, in accordance with guidance issued by the Association of Chief Police Officers (ACPO). The form should certify that the information is required for an investigation concerning national security, the prevention or detection of crime, or the apprehension or prosecution of offenders, and that the investigation would be prejudiced by a failure to disclose the information. This provides us with a legal basis for supplying the data under the DPA exemptions. Staff should compel police authorities who make requests for personal data, apart from in emergency situations, to complete a "212" form.
Other law enforcement agencies may not use standard forms. However, any request should:
- Be in writing, on headed paper, and signed by an officer of the agency.
- Specify the type of information which is required - the categories and extent of the information requested should not be open-ended, and should be proportionate to the purpose
- Describe the nature of the investigation (e.g. citing any relevant statutory authority to obtain the information).
- Certify that the information is necessary for the investigation.
If a properly completed form or letter is received, the data should normally be disclosed. However, remember that we can (and should) refuse to provide the information if we have reason to doubt that the request is genuine.
(3) Copies of the form or letter used to request personal data, other correspondence with the law enforcement agency and a copy of any data released should be retained by the School for 6 years.
(4) Questions or issues relating to written requests from law enforcement agencies should be directed to the Information Compliance Manager.
An emergency situation is one where we have reason to believe that there is a danger of death or injury to a member of SOAS or any other person. The police and other emergency services may urgently require personal data from us, and may not have time to complete a formal written request (see Responding to Requests for Information). In these circumstances, any staff member who has access to the data can legally disclose the information, but the safeguards below need to be met:
(1) If possible, seek the authorisation of a senior manager before providing the data.
(2) If the request is received by telephone, ask the caller to provide a switchboard number, and call them back through the organisation's switchboard before providing the data. This provides a basic (though not foolproof) way of checking that the call is genuine. Take contact name and identification number (if applicable) of the caller.
(3) Ask the enquirer to follow up their request with a formal written request, so that we have this on file. Keep a record of the enquiry and your response, and pass details to the Information Compliance Manager as soon as possible.
(4) Do not be bullied into disclosing data if you have any doubt as to the validity of the request. Ask the enquirer to submit the request in writing, and refer the enquiry to those staff who normally deal with written requests (see Responding to Requests for Information).
These guidelines were approved by the School's Information Strategy Committee on 21 February 2006. They will be reviewed from time to time as necessary.
Last updated November 2020