National Association of Business Crime Partnerships


Issue 3 - January 2019

I have been inundated this week with enquiries regarding data protection:


·       Why have Boots stopped sharing data with all BCRP’s

·       WILKO no longer share data with us

·       ASDA have stopped sharing data and so has TKMAXX

·       A major retailer has just dismissed a guard for sharing data with us.

·       How do we stop members using Whatsapp?


Whichever major retailer I speak to I get the same response. The ICO has said that they are proactively seeking a business to prosecute for a breach of data protection as a result retailers have “shut up shop” and will not share with anyone.

I met with Boots today and explained the role of NABCP and the new accreditation model. The Security & Incident Manager was very interested and said that for now Boots will share data with their top 5 at risk locations but the sharing of data generally will take some time and she has asked for a list of NABCP accredited partnerships. In the future they may well agree to resume sharing data but only with “Accredited Partnerships” The five locations are Leeds, Newcastle, Manchester, Leicester and Nottingham.

I will be contacting all five of these BCRP’s to expedite their accreditations.

I have also corresponded with WILKO and received the same response. I explained about accredited partnerships that they knew little about and they will now raise this at their GDBP Meeting next week.

I have yet to contact ASDA and TKMAXX but I am convinced that their response will be the same.

                                     +       +      +     +     +     +

Where the guarding role of a retailer is outsourced then the guard needs the authority of the owner of the data to share it. If not, there is a breach of Data Protection. The owner of personal data always remains the owner and not only does the owner have to tell the individual what they are going to do with their data there has to be a Privacy notice in place. Any security officer must have the authority of the data owner before circulating data to a BCRP.

This can be achieved by a third-party data sharing authorisation between the data owner and the security guard. There is a template for this in the NABCP Documentation in the Members area of the NABCP Website.


                                     +       +      +     +     +     +


On a number of occasions now we have reminded our members regarding the use of Whatsapp as a means of circulating personal data – DON’T DO IT unless of course you want to gain notoriety by appearing in the ICO Newsletters as being prosecuted for a data breach.

Whatsapp has been investigated by the ICO on numerous occasions the latest being in 2018 when an investigation was made regarding the harvesting of personal contact details from mobile phones. Whatsapp was bought out by Facebook in 2014 and is now the front end of Facebook Messenger. You will have heard in the news of concerns regarding Facebooks proposal to merge its messaging systems and the security of personal data.

To share personal data there must be a data controller who authorises that sharing having considered which legal gateway is the most appropriate to enable that sharing. This decision must be recorded and the reasons for sharing documented. So how can the sharing of personal data over a mobile telephone in most cases personal mobiles comply. This is covered in the ICO guidance – Bring Your Own Device. Go to:

 A guard who takes a snap-shot of a CCTV image and shares this over Whatsapp with his “mates” commits a Data Protection breach.

NABCP does not support or encourage the use of Whatsapp to share personal BCRP data and any breaches will be reported to the ICO.

This will also be checked at the assessment of your accreditation.

I advise all BCRP Managers to inform their members of this. If a breach is discovered, you should inform the Designated BCRP Member and report any breaches to the ICO.

Kylie Wroe