According to the ICO, a lawful basis is required for sharing personal information with the police:
The UK GDPR does not prevent you sharing personal data with law enforcement authorities (known under data protection law as “competent authorities”) who are discharging their statutory law enforcement functions. The UK GDPR and the DPA 2018 allow for this type of data sharing where it is necessary and proportionate.
If you want to share personal data with a law enforcement authority you need a lawful basis under Article 6.
Checklist
We consider what the purpose is for sharing personal data with law enforcement authorities, and whether it is necessary and proportionate to do so.
We identify a lawful basis under Article 6 of the UK GDPR before sharing the personal data. If the sharing of personal data was not the original intention of the processing, we consider whether this new purpose is compatible with that original purpose.
The obvious reading of this is that a data controller asked by the police for personal information should request enough details about the case such that they are able to determine a lawful basis, whether this use is necessary and proportionate, and whether this use is compatible with that original purpose. I guess the lawful basis would in many cases be 1. (e) or (f), though (f) may be excluded if police are "public authorities in the performance of their tasks":
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
How much information is a data controller required to get from the police before supplying them with an individual's personal information? It seems relevant to also ask if police are "public authorities", or if perhaps "competent authorities" is a separate class of authority.