The Information Commissioner’s Office has responded to calls from the retail industry to help tackle the growing problem of shoplifting, detailing how companies can use data protection laws to their advantage.
With British Retail Consortium figures showing shoplifting is up by 27% across ten of the largest cities in the UK, the ICO’s director of regulatory policy projects Melissa Mathieson has stressed the regulator wants businesses to be able to take action to prevent crime, but shoppers who are not breaking the law must be able to go about their day without unjustified intrusion.
In a blogpost, she explained: “Data protection law enables retailers to share criminal offence data such as images to prevent or detect crime as long as it’s necessary and proportionate.
“We’ve worked closely with retailers to show them how they can share information to prevent or detect crime in line with data protection law.”
However, Mathieson warns that information should only be made available to a limited number of people who need it to prevent and detect crimes such as shoplifting. Wider public disclosures of information, such as posting it on an online retail-related social media platform, are less likely to be justifiable.
Where retailers deem that sharing is necessary and proportionate, they must be aware that this will bring with it responsibilities around the key data protection principles such as accuracy and retention, she added.
Mathieson goes on to detail three examples where action is likely to be appropriate.
“You can share criminal offence data with the police or other relevant law authorities to prevent, detect or investigate crime. The information you give them could bring a criminal to justice and is likely to be necessary and proportionate.
“Sharing information with a manager of another store in your shopping centre is likely to be appropriate as they are in the local area and may have experienced similar instances. They may be able to share further information or help you prevent reoccurrences.
“Sharing information with the security guards of your shopping centre is also likely to be appropriate as they may come across the individual as part of their professional role. Forewarning will be useful to achieve your purpose of preventing and detecting crime.”
However, there are also a number of instances where action my not be appropriate.
Mathieson explained: “Showing images of suspected shoplifters should be limited to what is needed and only to necessary individuals such as retail and security staff via secure channels. This limits the audience to what is necessary and proportionate. Putting them up in a staff room for all to see is less likely to be appropriate.
“If neighbouring retailers want to share images between one another, they should consider putting an agreement in place where they all agree to use only secure work devices and activate auto delete settings. Without this, images could end up in personal phones and uploaded to personal cloud backups.
“You must only share personal information in a way that’s proportionate and necessary to achieve your purpose. Sharing personal information so widely is likely to be excessive.
“You must only share personal information in a way that’s proportionate and necessary to achieve your purpose. Sharing images in this way gives access to those who don’t have the appropriate authority to see them or take any action.”
Claiming that the ICO “is here to help”, Mathieson concluded: “We do a lot of work in this space – from engaging with retailers and their trade associations, engaging law enforcement authorities, to researching new technologies – and will continue to ensure we help retailers in their fight against crime while still respecting privacy rights.”