Sharing Information and Data

When successful, data sharing can lead to better problem solving involving all stakeholders (police, business and the public) so that, fundamentally, levels of retail crime, violence and abuse are reduced.

Definition and Scope:

The Data Sharing task and finish group defined five characteristics of data sharing in order to help scope the work of the group, and its relationship to the work of the reporting group.

• Incident Type– the reporting of a crime relates, in general, to one incident involving one or more individuals which requires some form of police action whereas data sharing will not usually relate to one incident but could relate to an individual or individuals, or a number of similar incidents;
• Purpose of sharing data– data sharing is usually focused on a situation or individuals as part of a problem-solving activity for ongoing issues whereas reporting of an incident will usually require a police intervention;
• Timing– data sharing may relate to some ongoing activity but is usually done after the event as part of a problem-solving exercise (either a generic problem or an existing, immediate and ongoing problem in a specific area) whereas reporting will always be done at the time and require a more immediate, live response;
• Information flow– the reporting of specific crime is usually from business to police whereas data sharing can be from business to police but also police to business and business to business; and 
• Action– perhaps most critically the result of data sharing is likely to be multi-stakeholder problem-solving involving enforcement, business, regulatory and potentially voluntary organisations whereas the action resulting from the report of a crime will ideally be some form of police intervention.

Principles of Data Sharing: 

The UK GDPR sets out seven key principles which retailers should consider when sharing and processing information:

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

For further information, click here. 

For more guidance on sharing information in compliance with GDPR, refer to the ICO website: Data sharing information hub | ICO

For guidance on how to report incidents to police: REPORTING (brc.org.uk)

While it is clear that there will be no single model which fits all but based on the examples given on this webpage it is clear there are potentially several models for businesses to discuss with relevant police forces. All these have in common some key characteristics:

• Constructive and meaningful engagement between the police and businesses which results in visible action being taken, such as (but not exclusively): advice, increased patrols or enhanced action;
• Strong buy-in from businesses to make the relationship with the police a priority and a willingness to examine all options to develop policies which support data sharing;
• Robust, GDPR compliant IT systems– of which there are several - to ensure data can be shared in a way that poses manageable risk to businesses, individuals or the police;
• A focus on problem-solving the issue using interventions from not only the police but also businesses, other regulators and the voluntary sector.

We have provided examples of successful partnerships but there can often be difficulties with sharing data effectively so that it leads to a reduction in retail crime, violence and abuse. We should not try and set a one size fits all in terms of what data would be helpful to share.

For organisations | ICO

ICO very recently published their data sharing hub. This includes guidance for sharing personal data, such as CCTV and other information, with law enforcement authorities. 

ICO have also produced a toolkit which data controllers can use to see whether they can share data with law enforcement authorities. 

UK GDPR does not prevent sharing of personal data with law enforcement authorities, as long as the sharing is necessary and proportionate. Data controllers will need to identify a lawful basis under Article 6 to enable sharing, if the personal data includes special category data then an additional provision must be identified under Article 9. Likewise if the data includes criminal conviction data then an additional provision must also be identified under Article 10. Data controllers should review Paragraph 10 of Schedule 1 of the DPA 2018 if they are considering sharing special category or criminal conviction data.

Can retailers share the same data with other retailers?

There is no specific answer as it will depend on each individual case as to whether or not it would be necessary and proportionate for data controllers to share data with one another. ICO suggests that data controllers carefully consider the recently published data sharing code of practice, which provides helpful information on the practical considerations that should be taken as part of determining whether or not sharing would be justified. The code is designed to help data controllers consider and document the risks and benefits for sharing. It also includes a checklist and decision form template.

Information Sharing Agreements (ISA):

Where businesses need to share information with other businesses or with police, it is good practice to have an information sharing agreement (ISA) in place. ISAs set out the purpose of the information sharing, cover what happens to the data at each stage, set standards and help clarify roles and responsibilities of all parties involved in data sharing.

For further information, please refer to the guidance on the ICO website here.

Myths busted:

There is a common misconception that data protection laws are a barrier to effective data-sharing. Follow the link to the ICO website to find out why this is not the case and where common data-sharing myths are busted. Data sharing myths busted | ICO

Link to the SME hub/helpline on ICO website: Get help and support from the ICO | ICO

For information on the data sharing code of practice: Data sharing: a code of practice | ICO

For a step-by-step guide to deciding whether to share personal data: Annex A: data sharing checklist | ICO 

Link to the data sharing form for use by organisations taking the decision to share data: Data sharing decision form template | ICO

For guidance on storing data and acceptable software use when sharing information: Records management and security | ICO

For information on data sharing with law enforcement: Sharing personal data with law enforcement authorities | ICO / Can I share personal data with a law enforcement authority, such as the police? | ICO

Myths busted:

There is a common misconception that data protection laws are a barrier to effective data-sharing. Follow the link to the ICO website to find out why this is not the case and where common data-sharing myths are busted. Data sharing myths busted | ICO 

For a quick reference guide to the data sharing code: Navigating the data sharing code | ICO 

For information on urgent data sharing: Data sharing in an urgent situation or in an emergency | ICO 

For information on data sharing with law enforcement: Sharing personal data with law enforcement authorities | ICO / Can I share personal data with a law enforcement authority, such as the police? | ICO 

Further ICO guidance: Policies and procedures | ICO 

For guidance on storing data and acceptable software use when sharing information: Records management and security | ICO 

For information on the support available to employees, click here.

It is easiest to see how effective data sharing can lead to better outcomes for businesses and police; below are three examples: 

• In Sussex, police have developed a photo gallery, including details such as names, types of offence committed (e.g., shoplifter, violence towards staff), of prolific offenders gathered from a range of businesses. This information is shared internally in the police and across participating businesses using a GDPR compliant process. As a result, a number of individuals have been arrested by the police having been identified in the community. In addition, businesses have been able to manage their engagement with these offenders more proactively reducing the risk to their colleagues and their business.
• The Co-op, like other businesses has an internal risk assessment of stores to inform security investment and deployment decisions which is made up of a range of aggregated data about the store from layout, turnover, staffing levels, security measures in place, total number of incidents in store and their timing– none of the data is specific to an individual. This data has been shared with Nottinghamshire police who as a result have changed their assessment of the risk posed at each store and consequently changed deployment decisions to where they now understand the highest risk to be. This has resulted in reduction of crime at those stores.
• The National Association of Business Crime Partnerships (NABCP) works across the country through Business Crime Reduction Partnerships (BCRPs) and are the umbrella body representing these BCRPs at a national level. Business Crime Reduction Partnerships (BCRPs) perform a valuable function as part of local community efforts to reduce crime and anti-social behaviour which affects businesses, their staff, customers and the community. The NABCP facilitates a huge number of partnerships and schemes, which oversee data being shared and outcomes being delivered.
  
  Fundamentally, an agreed process, IT interface and outcomes make it easy for business and police to engage in problem-solving and produces results.

Case study- prolific and persistent offender targeting a convenience store:

It had been identified by a convenience retailer that one of their stores was being repeatedly targeted by an unknown offender. The offences ranged from theft to anti-social behaviour. This individual had committed 16 offences over a two-week period. Store colleagues recognised the individual and could describe them but could not put a name to the person. Colleagues feared for their safety when the individual entered the store and the losses to the business were mounting. The store identified the individual as ‘baseball cap’, an item of clothing the individual wore when entering the store to partially cover their face.

The store reported that the individual lived in a flat across the road from the store, they were able to confirm the address of the flat to support police enquiries. This individual was reported by the store to the National Business Crime Solution with details of the Crime Reference Number.

NBCS applied to the force for an image of the individual, the individuals address and date of birth details via the agreed NBCS / Police force ISA. Police responded positively to the request with the details. NBCS were then able to securely share this information not only with this store but also with other stores belonging to this retailer and NBCS member stores across the area.

Thanks to the sharing of this intelligence the store was able to report a name against further offences and provide details of identity. This supported police in taking action against this individual promptly which led to the offending stopping. This individual has not committed any further offences against this store. Furthermore, other businesses local to the area are now able to prevent further offences by identifying the individual and deterring the crime before it has been committed by offering excellent customer service, thereby preventing violence and protecting business interests while reducing demand on policing.

The individual was identified as a vulnerable person with specific needs pertaining to feeding her children. Following the identification, the individual was signposted to the appropriate support services where they are now receiving the appropriate support.

Case study- Business Crime Reduction Partnerships (BCRP)

Tadascz arrived in the UK from Poland 5 years before his problems began. Finding employment with a national retailer he was respected and worked hard but he developed an alcohol addiction and was sacked for coming to work drunk or smelling of alcohol. 

With no income he was evicted from his home and started to sleep rough at the back of shops in the Town Centre. Complaints started to pour in with excrement and litter being left near the temporary shelter he had built. He stole food and alcohol on a daily basis and was known to be resorting to drugs. 

The local BCRP incorporated into the local Business Improvement District started to problem solve with their Town Centre members and partners. 

The BCRP shared information with Framework and regular checks were made early morning on his health and welfare. Temporary accommodation was found for him, and information shared with the local council and permanent accommodation was found. 

The Council drug and alcohol team were informed, and he was offered help and support and regularly attended group sessions. 

The BID Ambassador accompanied him to the DWP as he was embarrassed to go alone, and he was entitled to state benefit. 

Tadascz is now seen regularly in town, clean smart and now in regular employment again. 

Information sharing at a local level works.

Additional case studies from the ICO: 

• Supermarket providing privacy information to customers
• A data sharing arrangement in the private sector relating to the use of new software

Ineffective data sharing can lead to negative outcomes for businesses and police. Please refer to the ICO website linked below for further information. 

Data sharing – when is it unlawful? | ICO