Credit: Ashley Youngs/Pixabay

Lancashire Police will face no regulatory action over its handling of personal data during its investigation into the disappearance of Nicola Bulley earlier this year, the Information Commissioner’s Office has confirmed.

But the data watchdog has reminded all police forces that they must measure the necessity, proportionality and possible wider impact of releasing personal information to the public while working on high-profile cases.

On 15 February, Lancashire Police put out a statement describing Bulley, who had disappeared almost three weeks previously, as being a “high-risk” missing person on account of her “significant issues with alcohol”. Two days after that – and two days before her body was found – the ICO announced that it would be probing the force’s actions and asking officers to explain how and why they decided to release information publicly. 

Three months on, the regulator’s deputy commissioner for regulatory policy Emily Keaney said that “we don’t consider this case requires enforcement action [and] we’ll be able to provide further details around this decision following the inquest into Nicola Bulley’s death”.

“We have now spoken with Lancashire Police to better understand the steps they took before releasing information,” she added, in a newly published blog. “We heard in those conversations the challenging nature of considering whether and how to share personal information during fast-paced, important cases.”

Related content

• Police given new guidelines on gathering evidence from rape victims’ phones
• Proposed law tweak advises police that cloud firms should not be served warrants for customer data
• EXCL: Wall of silence surrounds plan for nationwide collection of citizens’ internet records

The ICO’s review of investigators’ work during the early weeks of the Nicola Bulley case has made it “clear that their consideration of what information to share during a fast-paced case is a challenge all police could face” – particularly in missing persons investigations, the blog post added.

Keaney set out five key questions forces should bear in mind to ensure that, when considering releasing personal information, their legal obligations in protecting data are not compromised.

The first two questions concern whether the release of the information is, respectively, necessary and proportionate to achieve the outcomes being sought. The third is whether the disclosure might impact the privacy of third parties – such as the family and friends of a missing person, victim, or suspect.

The penultimate question officers should seek to answer is whether they are “recording the factors being considered in your decision making”, while the final one asks: “what is the data protection officer’s view?”.

Keaney wrote: “When it comes to answering all of these questions, the police’s DPO will be ideally placed to draw together their knowledge of data protection, as well as their understanding of their organisation’s operating processes, to help consider the balance between privacy, the public interest, and the interests of all those involved.”

The ICO policy chief added that the watchdog will seek to raise awareness of the five-point guidance and will “continue to offer our advice and support to police” on data-protection issues.

“Data protection law does not prevent police from doing their job. It is part of helping police do that job well,” she said. “The law specifically considers the challenges law enforcement organisations may face using personal data, and asks police to consider the risks of disclosing information alongside the valuable role disclosure can play in an investigation, in particular when police are calling on the public’s help to find a missing person.”