LEGAL, REGULATORY & COMPLIANCE CONSULTANTS

Handley Gill Limited

Our expert consultants at Handley Gill share their knowledge and advice on emerging data protection, privacy, content regulation, reputation management, cyber security, and information access issues in our blog.

A problem shared...

Retailers should not be afraid to adopt a robust approach to the processing and sharing of personal data in tackling the scourge of shoplifting. The clear and strong public interest in tackling acquisitive crime does not, however, give retailers a free pass from complying with legal and regulatory obligations, and ensuring that the proper safeguards, from an appropriate privacy notice, a Data Protection Impact Assessment, a data sharing agreement, an appropriate policy document and security measures, are in place.
— Handley Gill Limited

Retailers: “Oh no I can’t”.

Information Commissioner: “Oh yes you can”.

You’d be forgiven for thinking pantomime season had come early reading the newspapers over the weekend as they reported comments made by Iceland retail boss Richard Walker on the Woburn Partners’ Lessons in Leadership podcast that “We’re not allowed to share known images of shoplifters on high street WhatsApp groups because of the human rights of the shoplifters” and his desire to be able to publicise the images of shoplifters on WhatsApp groups and posters in shops and town centres, and the response by the Information Commissioner that “Data protection law enables retailers to share images to prevent or detect crime as long as it’s necessary and proportionate in the circumstances”.

The government’s April 2024 ‘Fighting retail crime: more action’ follow up to the October 2023 Retail Crime Action Plan reported the results of the ONS Trends in Crime survey, which showed that shoplifting offences had increased by 32% as at September 2023 compared to the previous year and were up 12% since the pre-pandemic period (year to March 2020). Incidents of acquisitive crime coupled with violence toward retail workers were also occurring with increased frequency, so retailers have legitimate concerns and obligations toward their employees and their safety.

Data protection law does treat criminal conviction and offence data, which is defined at s.11(2) Data Protection Act 2018 as personal data relating to allegations of the commission of offences by the data subject or to proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing, as meriting special protection.

When criminal conviction and offence data is processed other than by the police, for example, Article 10 UK GDPR provides that this must be explicitly authorised by law and s.10(5) DPA 2018 provides that authorisation is afforded in the circumstances where a condition set out in Parts 1, 2 or 3 of Schedule 1 DPA 2018 is met.

In the context of retail crime, the processing of criminal conviction and offence data has a lawful basis if it is necessary for the purposes of the prevention or detection of an unlawful act, must be carried out without the individual’s consent so as not to prejudice the prevention or detection of unlawful acts and is necessary for reasons of substantial public interest, in accordance with para.10, Part 2, Schedule 1 DPA 2018.

Where processing involves the sharing of criminal conviction and offence data with a competent authority, such as the police, it is not necessary to prepare an appropriate policy document setting out how compliance with the data protection principles will be secured, but this would be required for sharing such data with other retailers and/or shopping centre operators in reliance on the prevention or detection of unlawful acts condition.

Even if a data controller is unable to establish that the processing would be in the substantial public interest, or fails to prepare an appropriate policy document, the condition at para.36, Part 3, Schedule 1 DPA 2018 could be relied upon to disapply these requirements.

In relation to personal data relating to individuals convicted of relevant offences, it may be possible to rely on the condition at para.32, Part 3, Schedule 1 DPA 2018 for personal data manifestly made public by the data subject, having regard to the application of this provision by Mr Justice Warby (as he then was) in NT1 & NT2 v Google LLC [2018] EWHC 799 (QB). Reliance on this condition would not require an appropriate policy document to be in place.

Meeting the conditions for processing criminal conviction and offence data isn’t enough, however, to bring retailers within the law. Data controllers still need to establish compliance with the data protection principles at Article 5 UK GDPR, i.e. the personal data is: processed fairly, lawfully and transparently; collected for specified, explicit and legitimate purposes and only further processed compatibly with those purposes; adequate, relevant and limited to what is necessary; accurate and kept up to date and any inaccuracies are erased or rectified without delay; retained in identifiable form only for so long as is necessary for the purposes of processing; and, processed in a manner that ensures the security of personal data.

The facial recognition retail security company Facewatch has implemented a platform and system which it states enables subscribers to share information regarding “subjects of interest” who are “known offenders” by enabling them to upload information to a database which is shared on a geographical basis and then alerts staff when an individual enters the subscriber’s premises using live facial recognition CCTV.

While Iceland’s proposal is not as high tech, and is therefore less high risk in some respects, sharing personal data of individuals via WhatsApp lacks the necessary structure and it is therefore perhaps unsurprising that the Information Commissioner’s Office advised that “If neighbouring retailers want to share images between one another, they should consider putting an agreement in place where they all agree to use only secure work devices and activate auto delete settings. Without this, images could end up in personal phones and uploaded to personal cloud back-ups.”

Compliance with data protection law is not the only applicable legal obligation, however. Communicating, whether in writing or verbally, that an individual is suspected of the commission of or has committed a criminal offence is defamatory of an individual if this cannot be proven to be true or otherwise defensible, and could entitle the individual to substantial damages, particularly where this results in them being banned from entering retail premises and this takes place in full view of other members of the public.

The Human Rights Act 1998, which incorporates Article 8 of the European Convention on Human Rights which protects the right to respect for private and family life, encapsulates data protection rights and the right to reputation in certain circumstances. The right is not absolute, and interference with the right can be justified where this is in accordance with the law, and is necessary and proportionate for reasons including the prevention of disorder or crime and the protection of the rights and freedoms of others (including the right to the peaceful enjoyment of possessions). Article 8 won’t be engaged in relation to the consequential impact on reputation of an individual committing a criminal offence, but considerations as to whether a conviction is spent for the purposes of the Rehabilitation of Offenders Act 1974 and, where an individual has not been convicted of any offence, the nature of the allegation and the manner and reach by which it is shared, will be relevant considerations.

Compliance with these wider legal obligations is necessary to comply with the requirements of fairness and lawfulness of data processing. 

What must retailers do to comply with data protection law?

  • Establish the lawful basis for processing personal data;  

  • Prepare a privacy notice and make it available to affected data subjects, supplemented with appropriate signage on entering the retail premises;

  • Prepare and make available to data subjects an Appropriate Policy Document;

  • Consider whether it is necessary to carry out a mandatory Data Protection Impact Assessment (DPIA) in accordance with Article 35 UK GDPR and consider carrying out a voluntary one even if the processing is not assessed as likely to result in a high risk to affected data subjects;

  • Consult with the Information Commissioner’s Office if required in advance of processing in accordance with Article 36 UK GDPR;

  • Seek the advice of any Data Protection Officer (DPO), if one is in post, in connection with the proposed processing activities;

  • Prepare and enter into a data sharing agreement with other retailers with whom personal data will be shared addressing issues such as the types of personal data to be shared, the categories of individual whose personal data will be shared including any vulnerable groups such as children who will be affected, the threshold for sharing data, the labels to be attached to shared data such as whether the individual is under investigation or suspected or convicted of theft, the secure mechanism to be used for sharing personal data, the minimum security requirements for the storage of data, who will be entitled to access the data, restrictions on how the data may be used and whether and in what circumstances it may be shared, agreed personal data retention periods and secure deletion arrangements, mechanisms for dealing with any complaints or data subject rights requests, and how any regulatory enquiries or personal data breaches will be addressed, bearing in mind that if and in so far as the retailers are considered to be joint controllers then the essence of this agreement will be disclosable to data subjects in accordance with Article 26 UK GDPR;

  • Implement a mechanism for individuals to raise concerns regarding the processing of their personal data and arrangements to cease processing if necessary; and,

  • Maintain records of processing activities.

There is clearly scope for industry bodies, such as the British Retail Consortium, or local organisations, such as Chambers of Commerce, to seek to establish overarching mechanisms to support retailers to meet their legal and regulatory compliance obligations and minimise the administrative burdens on individual retailers, or even to seek approval for a code of conduct under Article 40 UK GDPR which retailers could abide by to demonstrate their compliance.

As to claims by the Iceland boss that he would “take the rap” if staff were prosecuted for sharing personal data regarding shoplifters, retail staff can take comfort in the fact that in so far as they are acting in the course of their employment, they will not be personally liable for the processing of personal data which is the responsibility of their employer as data controller. While it is a criminal offence, under s.170 Data Protection Act 2018, to knowingly or recklessly disclose personal data without the consent of the data controller, this wouldn’t apply to retail staff where they were acting within the scope of their employer’s instructions and, in any event, there is a defence where disclosure is necessary for the purposes of preventing or detecting crime or if they reasonably believed that they would have consent.

If we can support you in establishing compliant arrangements for sharing criminal conviction and offence data with other retailers and shopping centre operators, or creating a scheme to support retailers to achieve this in your local area, please contact us.
