June 7, 2025

221107 ICO to Sussex Police – ‘The Decision’

07/11/2022

7 November 2022

Our Reference: [redacted]


Dear Sir/Madam,

I am now in a position to provide the CO’s view on the concerns raised about the processing Of Mr [redacted] personal data.

The concern

To re-iterate, a third-party individual reported that Mr [redacted] vehicle had been involved in a RTA causing damage to [redacted] and that Mr [redacted] had failed to provide his contact details, as required by Section 170 of the Road Traffic Act 1988.

Mr [redacted] personal data was then disclosed to the Other party. A person relating to that third-party then used the information to commit a criminal offence against Mr [redacted]

Lawful basis

In Order to progress our investigation we asked you to provide further information, including the lawful basis used to disclose Mr [redacted] personal data.

You initially stated that Mr [redacted] details were first Obtained from DVLA under GDPR, and then further processed by [redacted] for Law Enforcement purposes (part 3 DPA 18). Due to the lawful requirement to make the disclosure under the Road Traffic Act, the information was further processed as it was compatible and necessary for the performance of a task carried out for that purpose by a competent authority.

You later clarified this to mean that Mr [redacted] details were disclosed to the other party under Article 6(1)(e) 13K GDPR ‘Public Task’.

Re-use of personal data

DPA Section 36(1) states that the second data protection principle is that personal data must not be processed in a manner that is incompatible with the purpose for which it was collected.

DPA 18 Section 36(4) states that personal data collected for any of the law enforcement purposes may not be processed for a purpose that is not a law enforcement purpose unless the processing is authorised by law.

I wrote to you on 8 July 2022, asking for details of how the disclosure was authorised by law.

I also asked how you reached the decision that the disclosure of Mr [redacted] personal data was proportionate.

You responded, stating that your previous responses had given that police processed Mr [redacted] details under LIK GDPR ‘Public Task’, but that this has been reviewed and the sharing of Mr [redacted] address was an extension of the law enforcement processing and was therefore compatible with the purpose under which it was originally obtained.

You also clarified that the details of the person driving the vehicle were provided by Mr [redacted].

Our view

You state that the information was further processed to the driver of the second vehicle for the purpose of investigation and potential prosecution through civil insurance and financial prosecution, related to a criminal offence.

However, the driver of the second vehicle is not a competent authority and is not processing the personal data for law enforcement purposes, as it is to support their civil claim.

Law enforcement purposes are defined in Part 3 Chapter 1 section 31 Of DPA 18 as:

“…the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.”

This does not include civil enforcement processing, which falls under UK GDPR.

It is the ICO’s view, therefore, that it is unlikely that this personal data was shared as part of the law enforcement purposes under part 3 DPA 2018.

Lawful processing

The first data protection principle under Article 5(1)(a) UK GDPR says personal data shall be processed lawfully, fairly and in a transparent manner.

To satisfy the requirements of the principle, you need to identify a valid lawful basis for processing.

It is the ICO’s view that [redacted] has not identified a valid lawful basis for disclosing Mr [redacted] personal data.

What we will do

We keep a record of all the complaints raised with us about the way you process personal information.

The information we gather from complaints may form the basis for action we may take in the future to ensure you meet your information rights obligations.

Thank you for your co-operation with this investigation.

Yours sincerely,

case Officer
Information Commissioner’s Office

If you would like to provide us with feedback of any kind, please let me know
ICO Statement
You should be aware that the Information Commissioner often receives request for copies Of the letters we send and receive when dealing with casework. Not only are we obliged to deal with these in accordance with the access provisions of the data

You may have missed

false report

Vehicle Abandonments Raise Questions Over Theft Claims

May 13, 2025
combat theft

The State of Vehicle Taking in the UK: A Crisis of Enforcement, Not Engineering

May 5, 2025
criminal record keys

Keystone Krooks – but £1.4 million stolen!

May 4, 2025
data

2024 Vehicle Theft – how well (or otherwise) did your constabulary perform?

May 2, 2025
clear as mud

Vehicle Crime. Is Police Language Bluring Facts?

April 25, 2025