The Trust can share personal data where it is necessary and proportionate to do so. The UK GDPR, together with the DPA 2018, provide a framework to allow us to share personal data with law enforcement authorities that need to process personal data for the law enforcement purposes, such as the prevention, investigation and detection of crime.
These provisions do not force us to disclose personal data, but they do allow us to disclose personal data on a voluntary basis, provided that it is necessary and proportionate to do so. In some cases it will be clear why we need to share personal data, whereas in others we may need to carefully consider the reasons for sharing.
The DPA 2018 also allows us to share personal data with law enforcement authorities in order to comply with court orders, or other legislation and legal requirements.
The form below is provided for the convenience of police forces and other organisations requesting personal data from the Trust under the Data Protection Act 2018 (DPA18). The most relevant exemption is under Schedule 2 Paragraph 2 “Crime & taxation: general” which applies to personal data disclosed by an organisation to the police for the purpose of the prevention or detection of crime or the apprehension or prosecution of offenders. (This exemption restricts the application of the GDPR data protection principles and subject rights as listed in the DPA18 under Schedule 2 Paragraph 1 to the extent that the application of those provisions would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders).
Many police forces have standard forms (often referred to as DP7 or DP9 - and previously known as “Section 29 forms”) for requesting personal or confidential patient information which Police officers may prefer to complete. The advice below applies to all requests received by the Trust, regardless of format. Please ensure you read it before submitting your request.
The Trust considers that disclosure of sensitive personal data under DPA18 Schedule 2 Paragraph 2 is lawful without consent only where any person’s vital interests are at risk (“life or death”), or where there is a substantial public interest and your investigation would be prejudiced by seeking consent for disclosure. In general this means that only requests relating to very serious crime will be considered, where the public interest overwhelmingly outweighs the patient’s individual rights and freedoms in the particular case. Under the common law duty of confidence, we apply the same threshold for requests relating to deceased patients. Disclosing non-sensitive personal data is subject to a lower public interest threshold, but you must still justify it to our satisfaction.
Please therefore provide as much justification as possible to help us decide the balance of interests. We acknowledge that providing us with detailed information of a very serious crime may, in rare cases, compromise your investigation. For such ‘unexplained’ requests please ensure that your counter signatory holds the rank of Superintendent or equivalent, in line with ACPO guidance.
The Trust is not obliged to disclose information in response to any personal data request. If we refuse your request, you may wish to reconsider your justification, seek data subject consent, or apply to the courts for a disclosure order. Our intent is not to obstruct your investigations, but to maintain a confidential health care service whilst remaining within the law.
If you need general advice about making a request for personal data under DPA18 Schedule 2 Paragraph 2, please contact your force’s Data Protection Officer in the first instance, or alternatively the Trust’s Information Governance team (
Submitting a request
All requests should be sent to our Police Liaison mailbox, this includes where the data subject is a patient from one of our hospitals or a member of Trust staff.
Please send only from PNN addresses (ending @...police.uk), or other secure domains within GSi, and do not enter any personal data in the subject line.
The Trust takes no responsibility should you email unencrypted personal data insecurely over the internet (such as to addresses ending @nhs.net) without the consent of the data subject.
Subject Access Requests
Patients seeking access to their own health records should instead use our Subject Access form.