Businesses may be approached by the police and other law enforcement agencies to provide information relating to their staff or their customers. What do businesses need to consider to ensure their best interests are protected?

It can feel unsettling when your business is contacted by the police with a request for information. But police requests are not unusual and don’t automatically imply wrongdoing on the part of the business. Such requests are made in the context of wider criminal investigations. Although the business may not be implicated, there may well be suspicion in relation to its customers or even its employees. The information sought may be personal, confidential, commercially sensitive, or reputationally significant. It is crucial not to respond hastily but instead to assess the request carefully and ensure your organisation’s interests remain protected.

How Should a Business Respond?

1. Verify authenticity
   Before taking any steps, confirm that the request is genuine. Fraudsters sometimes pose as law enforcement officials to gain access to confidential information. Always check credentials, ask for identification if in person, and ensure any email addresses or correspondence are legitimate. Don’t be afraid to ask questions—the police will expect a degree of due diligence.
2. Determine if compliance is mandatory
   Informal requests made over the phone, by email, or in person carry no legal obligation. Just because a request is in a written format does not make it compulsory to comply. However, if the request comes in the form of a Statutory Notice, Court Order, or Warrant (which should be apparent on the face of the document) then a legal obligation arises. Failure to comply could lead to penalties and could result in the business coming under greater scrutiny.
3. Assess the scope
   Provide only the information specifically requested. Over-disclosure of information may create unnecessary risk, particularly when personal or commercially sensitive data is involved. If the request is unclear or seems excessively broad, seek clarification. Police requests should always be proportionate and focused. They should not require a business to dedicate an inordinate amount of time or resources to collating the information requested.
4. Consider the nature of the data
   Police may request a wide range of material – details of employees, employee records, CCTV footage, visitor logs, information about vehicles ownership or use of company assets, or details of transactions with or the provision of services to customers. Much of this information may be confidential, personal or commercially sensitive. Evaluate carefully what is being sought and the potential implications of disclosure.
5. Review data protection obligations
   Ordinarily, businesses are prohibited from disclosing personal data. However, there is an exemption where disclosure is necessary to support the prevention or detection of crime. If the data requested may constitute personal data, the police should acknowledge this in writing and confirm that the provision of such information will not breach data protection law.
6. Weigh any wider implication
   Think beyond the immediate disclosure. If the request concerns a customer, are you permitted to inform them, or must the request remain confidential? Could the matter affect your ongoing relationship with that customer? Are there regulatory consequences to consider—for example, under anti-money laundering laws?
7. Keep accurate records
   Document the request, your response and any other discussions with the police. A clear audit trail will help demonstrate that the business acted responsibly and in good faith if any questions later arise.
8. Know when to seek legal advice
   Certain situations may warrant legal input. Consider obtaining advice if:

• The request is accompanied by a statutory notice, warrant, or court order.
• The scope of the request seems excessive or unclear.
• Sensitive employee, customer, or commercial data is involved.
• Disclosure could expose the business to liability.
• There is any suggestion of wrongdoing by the business or its staff, including invitations to attend police interviews.

Police requests for information should never be ignored, but neither should they be accepted without question. By verifying the legitimacy of the request, carefully assessing its scope, and considering the wider implications,  businesses can ensure their interests are protected.