Many of today’s newspapers report (once again) that police forces are refusing to name wanted suspects because of Data Protection and Human Rights. It’s tempting to assume that by now, everyone knows that the Data Protection Act does not prevent the disclosure of wanted suspects’ names and photos, so when another newspaper makes an FOI request for the most wanted, the inevitably craven and risk-averse responses don’t really need to be debunked. Surely we all know that the cops either don’t want to get into nuanced conversations about the operational reasons not to name the suspects, they are too cowardly to use Data Protection to justify disclosure, or they just plain don’t understand the process? Is it really worth pointing out why the decision is so knuckle-headed?

Admittedly, without seeing all of the responses, I can’t be certain how bad they really are – all we have are selected quotes. I must also acknowledge that my judgement is clouded by having recently made FOI requests to a number of police forces, an experience that makes me assume that everything these forces have done is wrong. Nevertheless, it doesn’t look good – Humberside Police apparently told the Daily Mail that it wasn’t in the public interest to disclose sensitive personal data, despite the DP exemption in FOI not having a public interest test. Meanwhile, Leicestershire Police claimed a suspected murderer and rapist, could not be named because it went against the ‘principles of fairness’, while Staffordshire said its response was “processed in line with individuals’ rights”, which means either that Staffordshire have received a valid Section 10 notice from each of the suspects in question, or they don’t know what they are talking about. 18 other forces are cited by the Mail as having claimed that Data Protection prevents disclosure.

The only force who appear to have a leg to stand on are Nottinghamshire, who used Section 30(1) of FOI. S30 applies to investigations, so presumably Nottinghamshire are arguing that if they haven’t already named the suspects, it isn’t in the public interest to release them in response to an FOI. I can’t say for certain if this decision is correct, but the use of S30 suggests that Nottinghamshire’s decision is based on operational reasons related to their ongoing investigation. On that basis alone, they deserve the benefit of the doubt in a way that any force using S40 does not.

Rather than spend another 500 words calling police FOI and DP decision makers an assortment of rude names (which was my original plan for this blog), permit me to explain exactly why the use of Data Protection is always nonsense in these situations.


Section 40 of FOI defers entirely to the Data Protection Act when the request is for personal data about someone else. Essentially, if a disclosure of personal data would breach any of the Data Protection principles, if it would breach a valid Section 10 notice issued by the data subject, or if it would be exempt from subject access (i.e. the subject would not receive it themselves if they asked for it). In practice, the Information Commissioner considers that if the disclosure will not breach the first Data Protection principle, S40 is not a barrier. The forces must be arguing that disclosure of the wanted suspect’s data breaches the first principle.


The first principle says that the processing of data – here, the disclosure – must be FAIR, LAWFUL, and ACCORDING TO A SET OF CONDITIONS.


Fair means what it says in the dictionary, and it also means that the data subject must be informed of how their data will be used. The ICO is fond of the notion of ‘reasonable expectations’ – you don’t need to tell people how their data will be used if it’s obvious. This would plainly apply in these circumstances; a suspect cannot expect that their data will be suppressed while they are being hunted. In any case, S29 of Data Protection removes the requirement to use data fairly in any situation where doing so would prejudice the apprehension or prosecution of offenders. Therefore, if disclosure of the suspects’ identities would assist in their capture, fairness is no barrier.If disclosure will prejudice attempts to recover them, the FOI S30 exemption used by Nottinghamshire is the right exemption. The problem that would motivate the police is the effect on their investigation rather than the personal data issue.


Lawful means that police forces cannot breach *other* laws by the processing of personal data. This could be why Human Rights were cited by some of the forces. If disclosure of the personal data would breach a suspect’s Article 8 rights to privacy, the disclosure would be unlawful, and so DP would be a barrier. But this is nonsense. The right to privacy is not an absolute right, and can be interfered with in a variety of circumstances, including where it is necessary in the interests of national security, public safety, for the prevention of disorder or crime. You can, if you like, argue that naming the suspects interferes with their privacy (I don’t think it does) but even if it does, if publication of the names will assist in their capture, the interference would clearly be necessary to protect public safety or prevent crime. It’s lawful, unless the police argue that disclosure will impair their investigation. If they thought that, they would use Section 30 of FOI.


The data in question is sensitive personal data, as it relates to the alleged commission of crime. This means that each force has to meet two conditions in order to disclose: once from Schedule 2  and one from Schedule 3.

Schedule 2 is easy – we can pick from 5 (the processing is necessary for the administration of justice or the processing is necessary for the exercise of public functions in the public interest) or 6 (the processing is necessary for legitimate interests that do not cause unwarranted prejudice to the rights and freedoms or interests of the subject). The first two might be preferable to the balancing exercise required by the third, but if you really think that disclosing the name of a wanted man causes unwarranted prejudice to their rights, you are a moron.

Schedule 3(7)(1)(a) gives us administration of justice again while 3(7)(1)(b) gives us exercise of functions conferred on any person. The DPA was amended in 2000, which also allows any disclosure of sensitive data necessary to prevent or detect an unlawful act.

The only problem here would be if the force believed that disclosure would prejudice their ability to catch the wanted suspects. For the third time, if this is the case, Data Protection is not what they are worried about. They may have good operational reasons not to want to disclose, but they are choosing instead to hide behind Data Protection, which has the dual problem of making them look like politically correct idiots, and damaging the reputation of Data Protection which, as I have demonstrated, can easily be used to justify the disclosure. It took me 30 minutes to write this, and I would happily use it as a justification to disclose personal data; the only reason not to would be an operational reason, and FOI provides much better exemptions to protect the integrity and effectiveness of police investigations.

The only possible explanation I can think of for why the police cling to this idea that DP is a barrier to disclosure is that someone is feeding them terrible advice and guidance about how DP really works, and nobody is willing to stick their necks out and question it. This paints a terrible picture of the information rights culture in policing, and someone needs lay down the law as a matter of urgency.