Dutourdumonde - Fotolia

ICO calls for police to end ‘excessive collection’ of personal data from rape and assault victims

The UK’s information commissioner, John Edwards, has called for prosecutors and police to end the excessive collection of personal data from victims of rape and serious sexual assault

The UK’s privacy watchdog has called for police and the crown prosecutors to “immediately stop” the practice of collecting vast amounts of sensitive personal information from victims of rape and sexual assault.

The Information Commissioner’s Office (ICO) said police were asking crime victims to consent to the disclosure of large quantities of sensitive, and in some case irrelevant, personal data, in breach of privacy laws.

The practice, which gives police access to victims’ phone data, medical history, social service records, notes of their private discussions with therapists and historic school records, is deterring victims from reporting serious crimes.

The information commissioner, John Edwards, said in an opinion published today that police and prosecutors were exposing rape and victims of sexual assault to further trauma by exposing them to excessive scrutiny.

“Victims are being treated as suspects, and people feel re-victimised by a system they expect to support them,” he said. “Change is required to rebuild trust that will enable more victims to seek the justice to which they are entitled.”

Use of Stafford statements ‘unlawful’

The ICO called for police forces to end their use of “Stafford statements” – consent forms signed by victims – that give police the right to access sensitive data about them from other organisations.

The regulator said it considered the use of the forms to access wide-ranging personal data – which could include information on people’s religious beliefs, sexuality and medical history – to be “unlawful”.

There is evidence in some cases that the Crown Prosecution Service (CPS) is asking police to conduct “fishing exercises” to access all available information about victims of abuse before prosecutors make a decision on whether to issue criminal charges.

Support groups say victims are being told to sign away their rights to privacy if they want to progress their cases.

Claire Waxman, London’s victims commissioner told the ICO: “Victims who decline to grant access are having their cases dropped at alarming rates, despite robust evidence which supports otherwise.”

Victims not confident to report crimes

The information commissioner argues that the criminal justice system is failing to win the trust and confidence of victims as their cases are investigated, leading to “very low” charge and conviction rates.

The Victims Commissioner for England and Wales found that one in five victims withdrew criminal complaints at least in part because of concerns about disclosing their private data.

For many victims, the scrutiny of their private lives was instrumental in their decision not to report a rape, the commissioner found.

Victims were concerned that their digital communications, GP, hospital, school and employment records could be disclosed during criminal proceedings. Those who did make a complaint found the scrutiny of their lives traumatic.

In another study, the London rape review 2021 found that in 58% of cases investigated, the victim withdrew their allegations.

In a further 30% of the cases investigated, the police decided to take no action and only 3% of reported crimes led to convictions.

Unnecessary and excessive requests

The ICO said in its opinion that police and prosecutors have made “unnecessary and excessive” requests for personal information.

Over-collection of data can cause victims to feel “re-victimised” and lead them to withdraw from the criminal justice system, meaning that offenders are not held to account.

“In such cases, it appears victims are subjected to a far greater level of scrutiny of their personal information than the suspects,” the ICO said.

In some circumstances, police and prosecutors are making judgements about cases based on information that is unconnected with the assault in question.

In other cases, they have made decisions based on “simplistic interpretations” of the information they received without offering the victim a chance to give an explanation.

How police and prosecutors can gather excessive data on rape victims

  • A victim is attacked by a stranger she has never met. Nevertheless, police require her to sign a statement agreeing to a full download of her mobile phone, including contacts, call logs, messages, location data and web history and social media going back several years.
  • Police request a victim’s historic school records after finding documents that suggested the victim had been caught lying as a teenager.
  • Police require sensitive medical records from a victim but go on to request her complete medical history going back to the day she was born.
  • Police obtain notes of a victim’s discussions with a trauma counsellor. The counsellor and the victim are both unaware that the notes could be later be disclosed to the defendant.

Fishing expeditions

There are suggestions that the Crown Prosecution Service may be driving the police to provide excessive amounts of data during rape and abuse cases, according to the regulator.

A review by the HM Crown Prosecution Service Inspectorate found that the CPS required police in some cases to provide all possible digital material and all possible third-party material before it would consider a charge in a rape case.

Another review found that police officers believed that the CPS’s requests for data on victims had become standard procedure and that their lines of enquiry had become too broad, resembling fishing expeditions.

The ICO said it had heard consistently through its investigation that police may be inclined to seek as much information as possible about a victim, in anticipation that prosecutors will ask for it before making a charging decision.

“At its worst, this blanket approach can be interpreted as a speculative attempt to identify evidence of the victim’s ‘bad character’ or previous history which may impact on their credibility at trial,” the ICO said.

The practice is contrary to data protection law and places a significant and unnecessary burden on the police to review the material to comply with their disclosure obligations, according to the document.

“It is clear from official reports of recent inquiries that there is a pressing need to clarify the circumstances under which investigators may process materials relating to victims in the course of their criminal investigations,” the ICO said.

Informed consent questioned

The ICO found in a report on police use of mobile phone data extraction in 2020, that victims who were suffering trauma had a limited capacity to make fully informed rational consent to police obtaining their mobile phone data.

Only a third of the victims agreed that police had clearly explained why they needed to access mobile phone records, research quoted by the ICO revealed.

Police also failed to explain how they would ensure that data would only be accessed if it was relevant and necessary to the investigation.

The imbalance of power between police and victims and the perception that a case may not continue if victims don’t agree to disclose their personal information also raises questions about whether victims can give free consent.

Once victims have given consent for police to use their private information, it was impossible for them to withdraw it, because of requirements for police to retain information gathered for the investigation.


The ICO is calling for the National Police Chief’s Council to ask all police forces in the UK to end the practice of asking victims to fill out “Stafford statements” authorising police to obtain excessive personal data.

Any personal data obtained must be adequate, relevant, not excessive and pertinent to an investigation, it said. The regulator said police chiefs should develop notifications that police can present to third parties to request data.

The ICO is calling for the National Police Chief’s Council to ask all police forces in the UK to end the practice of asking victims to fill out “Stafford statements” authorising police to obtain excessive personal data

They should make it clear whether the requests are voluntary or mandatory, explain the reason why police are seeking the information, and explain that the information could be disclosed to a defendant.

Chief constables should also update their polices and training to bring it into line with the ICO’s opinion. This includes making it clear when it is appropriate to seek access to data from victims’ electronic devices or from third-party organisations, how the information can be used, who police can disclose it to, and how it can be secured.

Police and prosecutors need to demonstrate that they have considered other, less privacy-intrusive means, before obtaining sensitive data about a victim, the ICO said. The information collected should have a clear link to the purpose of the investigation, should be limited to what is necessary, and deleted if no longer needed.

Even when organisations meet data protection requirements, victims should be involved in discussions about their data throughout the investigation, the ICO said.

Victims of rape denied dignity

Ksenia Bakina, legal officer at the campaign group Privacy International, told Computer Weekly that victims of rape and sexual assault were being denied their dignity.

“Collection of sensitive personal data from victims of rape and sexual assault by the police is deeply problematic. As we know from the previous ICO report concerning the extraction of data from mobile phones, the collected information is often excessive, disproportionate and goes beyond the reasonable line of police enquiry,” she said.

“Collection of sensitive personal data from victims of rape and sexual assault by the police is deeply problematic. The collected information is often excessive, disproportionate and goes beyond the reasonable line of police enquiry”
Ksenia Bakina, Privacy International

Claire Waxman, London’s victims commissioner, said the ICO’s report showed that the justice system was continuing to ask too much of rape victims and denying them justice.

“I originally called for this investigation after hearing about the invasive and disproportionate requests being made of victims and the lack of support in understanding their privacy rights, making rape victims feel like they were the ones on trial and forcing them out of the process. I am yet to see a case where primary school records or counselling notes hold any relevant information, yet these requests are regularly made,” she said.

Jayne Butler, CEO of Rape Crisis England & Wales, said the ICO’s recommendations had the potential to “drastically improve” the experiences of victims and survivors seeking criminal justice.

“For far too long, the police and CPS have been requesting, and at times demanding, unreasonable and excessive amounts of personal data from rape victims and survivors. It feels like to report a rape is to effectively give up your right to privacy – to expect justice you must expect scrutiny,” she said.

Unlawful privacy breaches

The ICO said it was concerned that aspects of individual investigations involving victims’ data fall short of the UK General Data Protection Regulation and the UK Data Protection Act and were therefore unlawful.

The ICO said it was likely to take enforcement action in future when police and prosecutors failed to meet the guidelines set out in the opinion.

“Breaches of law, including excessive collection of victims’ information, can leave organisations open to regulatory action,” the regulator said.

Read more on Privacy and data protection

Data Center
Data Management