The Information Commissioner’s Office (ICO) has released an investigation report into the use of mobile phone extraction (MPE) by police forces when conducting criminal investigations in England and Wales.

When concerns arose about the potential for excessive processing of personal data extracted from mobile phones, the ICO launched an investigation to understand the privacy and data protection risks.

Information Commissioner Elizabeth Denham said:

“Many of our laws were enacted before the phone technology that we use today was even thought about. The existing laws that apply in this area are a combination of common law, statute law and statutory codes of practice. I found that the picture is complex and cannot be viewed solely through the lens of data protection. As this report makes clear, a whole-of-system approach is needed to improve privacy protection whilst achieving legitimate criminal justice objectives.”

The ICO’s investigation found that police data extraction practices vary across the country, with excessive amounts of personal data often being extracted and stored without an appropriate basis in existing data protection law.

With these findings, the ICO’s investigation report examines the relevant data protection rules in some detail. It explains the significant requirements that an organisation must meet to rely on the legal basis of consent for data extraction. The report also describes an alternative condition for processing: where it is necessary for the performance of a task carried out for a law enforcement purpose by a competent authority.

Ms Denham said:

“People expect to understand how their personal data is being used, regardless of the legal basis for processing. My concern is that an approach that does not seek this engagement risks dissuading citizens from reporting crime, and victims may be deterred from assisting police.”

The ICO’s report recommends that a number of measures are implemented across law enforcement in order to improve compliance with data protection law and regain some public confidence that may have been lost. The ICO is also recommending the introduction of a new code of practice to improve MPE practices and better support police and prosecutors in their work.

Ms Denham said:

“While the work needed to implement my recommendations must not fall by the wayside, I am acutely aware that this report is issued at a time of unprecedented challenges flowing from the COVID-19 pandemic. I therefore acknowledge that the timeline for change will be longer than usual, but I am keen that we begin to make progress as soon as practicable, and I am committed to supporting that work at all stages.”

 

Notes to Editors

  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
  3. The General Data Protection Regulation (GDPR) is a new data protection law which applies in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by the GDPR, such as law enforcement and security.
  4. Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euros) or 4% of global turnover.
  5. To report a concern to the ICO go to ico.org.uk/concerns.