Using personal information to protect your business from crime
This guidance explains how data protection law applies if you are planning to share criminal offence data and provides you with resources to help you protect your business.
At the end of this guidance there is a helpful checklist to take you through the steps you need to follow.
At a glance
- Data protection law allows you to use personal information (eg gathered from CCTV) to tackle crime affecting your business.
- If the information is about criminal offences or alleged offences, then this is criminal offence data. You can use it when you have a clear reason and have the right safeguards in place.
- You can inform your colleagues about people who pose a risk to your business. However, under data protection law, it's unlikely that you could justify publicly posting images of suspected offenders.
In detail
- Can I use personal information (like CCTV images) to protect my business from crime?
- Why do these rules apply to me?
- What is "criminal offence data"?
- What steps should I take to help me to comply with the law?
- Can I share CCTV footage of someone with the police?
- Can I notify my colleagues about suspected offenders?
- Case study: Internal staff alert and barring notice
- Can I post images of suspected shoplifters on social media?
- Can I warn other businesses about suspected offenders?
- Can I use facial recognition technology (FRT) to protect my business from crime?
- Where to find more detail on facial recognition
- Quick checklist
Can I use personal information (like CCTV images) to protect my business from crime?
Yes. You can use personal information to prevent or respond to incidents such as theft, abuse or violence towards staff. But it needs to be an appropriate response to the issue you are trying to resolve. There are certain rules you need to follow to help you to comply with data protection law.
Why do these rules apply to me?
You can collect personal information in several ways, for example through CCTV, dashcams, video doorbells and incident logs. Data protection law applies when this information identifies a person.
If any of this information is about criminal offences or suspected criminal activity, it is criminal offence data. Extra protections are given to this kind of information. Criminal offence data can have a significant impact on people's lives if used without the right safeguards. This also minimises your own risk, including the impact of identifying the wrong person.
What is "criminal offence data"?
Criminal offence data is personal information about criminal convictions and offences, as well as suspected criminal activity such as shoplifting, assault or other aggressive behaviour.
Criminal offence data rules only apply to behaviour that is against the law. These rules do not apply if you are dealing with non-criminal activity, such as nuisance behaviour. However, it is still important to consider whether using personal information, like CCTV images, is fair and necessary for the situation.
What steps should I take to help me to comply with the law?
Before you collect or share information:
- Prepare your documentation:
- A data protection impact assessment (DPIA) helps you identify and reduce data protection risks when you use personal information. You must do a DPIA if what you’re planning to do is likely to result in a high risk to people. This is likely to be the case if you are processing criminal offence data. In your DPIA:
- Define your purpose such as deterrence, investigation, staff safety or all of these options.
- Identify a lawful basis. When sharing criminal offence data internally, your lawful basis under article 6 of UK GDPR is likely to be the ‘recognised legitimate interest’ crime condition. You also need a separate condition for processing criminal offence data under article 10. This is likely to be the schedule 1 substantial public interest condition of ‘preventing unlawful acts’.
- If using criminal offence data, you must have an APD. An appropriate policy document (APD) is a short document that explains how you meet your data protection duties and how long you keep criminal offence data.
- Together, a DPIA and an APD help you demonstrate that your use of criminal offence data is properly justified, controlled and reviewed. It also shows that you have identified and reduced risks to people’s rights and freedoms.
- You don’t need to do a DPIA or have an APD to solely share information with the police.
- A data protection impact assessment (DPIA) helps you identify and reduce data protection risks when you use personal information. You must do a DPIA if what you’re planning to do is likely to result in a high risk to people. This is likely to be the case if you are processing criminal offence data. In your DPIA:
- Minimise - collect only what you need and delete it when you no longer need it.
- Put in security controls such as role-based access, secure storage and transfer and train your staff.
- Provide clear signage in public areas about any CCTV or facial recognition technology (FRT) you may have and update your privacy information.
- If you are using children’s personal information you must have a compelling reason to share it to ensure this is fair. Children require specific protections around their personal information and any sharing poses a potentially higher risk. You must also have strict security controls in place to protect this information. For more information on sharing children’s data please see our data sharing code of practice.
Can I share CCTV footage of someone with the police?
Yes. You can share information with the police to help investigate an incident.
Remember to:
- share only what’s necessary to the investigation, such as a short clip of the incident;
- use a secure method of transfer, such as one provided by your local police force;
- keep your own record of what you shared, including when and why; and
- keep the original footage in line with your retention policy. However, you may need to keep it for longer for a specific purpose, for example, where the police are investigating a crime and ask for you to retain it.
Can I notify my colleagues about suspected offenders?
Yes - if it's necessary and fair.
You can inform your colleagues about people who pose a risk to your premises or employees (including partner stores in the same local area). For example, you can let your colleagues know if someone has been violent or aggressive. Make sure that your colleagues know how to handle this information.
To do this fairly, you must do the following:
- Minimise your sharing: share only what colleagues need to see, such as a still image and a short description of the risk the person poses. You should crop out or blur the faces of any third parties.
- Check for accuracy: make sure images are clear and information is limited to the known facts about the person.
- Control access: share directly only with relevant colleagues. You should not put notices up of suspected offenders in areas where the public can see them. This is because it is unlikely to be reasonable for the public to know the details of suspected offenders and may not help you tackle the problem. This would also cause you to lose control of the information and its use.
- Set time limits: review and remove any alerts when they are no longer needed.
- Document your decisions: data protection law provides options for showing your compliance:
- When sharing criminal offence data internally, your lawful basis under article 6 of UK GDPR is likely to be the 'recognised legitimate interest' crime conditiont'.
- You must complete a DPIA if what you plan to do is likely to cause a high risk to people, which will be the case when processing criminal offence data. If you need further guidance on DPIAs for small businesses, you can visit our website.
- The law also requires you to have an APD when you use this type of information. We have further guidance on APDs, including a template, available on our website.
Case study: Internal staff alert and barring notice
Scenario
A customer in Ruth's store became violent towards a cashier. Ruth wants to put up a notice for her staff about people to be careful of and those barred from the premises.
A proportionate approach
Ruth records the incident with the date and time, what happened and the specific risk the person poses.
She creates a staff-only notice behind the counter with a single still image, the person's name and description (if known), the fact that they are barred and who to contact if seen.
The notice is not visible to customers and is shared only with staff who need it (cashiers and security).
She sets a review date (eg three months) to remove or update the alert.
Ruth updates her policy documents, privacy information and incident log and ensures all her staff know not to share the information outside the business.
Can I post images of suspected shoplifters on social media?
No. Publicly posting images of suspected offenders is unlikely to be a justifiable response. If you post images of suspects on social media, you will lose control over who sees and reuses the information.
Some safer alternatives are listed below:
- Share directly with the police for investigation.
- Use internal briefings for colleagues.
- If you're part of a formally governed local business crime reduction partnership, follow its agreed process and safeguards.
Can I warn other businesses about suspected offenders?
Yes. The easiest way to share information with separate companies is through your regional or local business crime reduction partnership. These partnerships should have governance and security measures and clear rules that help ensure information is used fairly and legally.
If you participate in an accredited scheme, remember to:
- check that there is a data sharing agreement, with defined purposes and security standards;
- make sure that you understand your own roles and responsibilities and those of others in the scheme (who decides what to share, how long to keep it and how to respond to rights requests); and
- keep your own records of what you share and why.
Can I use facial recognition technology (FRT) to protect my business from crime?
Yes. FRT automatically collects and analyses biometric data to uniquely identify or recognise people. It processes the images of people to match them against a watchlist. This is a customised collection of images of people you need to identify. Its lawful use in public places has a high bar because it scans everyone in the environment, not just those already suspected or identified.
To use it lawfully, you must be able to show that it is necessary to prevent crime and that you have considered alternatives to achieving the same purpose. You must also be able to show that you have considered and minimised the risks, for example the risk of someone being wrongly identified.
If you believe there is a compelling reason to use it, you must:
- demonstrate that the processing is necessary and proportionate, which includes considering on a case-by-case basis whether someone should be added to a watchlist;
- identify an appropriate lawful basis to process biometric information; and
- complete a detailed DPIA and have an APD in place.
Where to find more detail on facial recognition
The following links provide further details of our expectations when using facial recognition technology:
Quick compliance checklists
Identify your purpose
I want to share information with the police
I want to share information with my colleagues
☐ I have identified a lawful basis, likely ‘recognised legitimate interest’.
☐ I have recorded the legal condition for processing criminal offence data, often ‘preventing unlawful acts’.
☐ I have an APD (you can use our template).
☐ I am only sharing what is necessary with a limited number of people.
☐ There are visible signs in place for any CCTV systems.
I want to share information with other businesses
☐ I have considered joining my local business crime reduction partnership.
☐ I have completed the necessary documentation, including the data sharing agreement and I am following the policies and procedures.
☐ I have made sure roles and responsibilities are clear (who decides what to share, how long to keep it and how to respond to rights requests).
☐ I have made my own record of what I share and why.
I want to install an FRT system
☐ I have considered that the use of FRT is necessary and my purpose cannot be achieved by alternative means.
☐ I have conducted a thorough DPIA to help assess and document the risks and mitigations of data sharing.
☐ I have identified a lawful basis.
☐ I have recorded the legal condition for processing both criminal offence data and biometric data.
☐ I have an APD (you can use our template).
☐ There are clearly visible signs in place for the FRT system.