A blog by Elizabeth Denham, UK Information Commissioner
There are few regulators that have as broad a role as the ICO, with our data protection work particularly impacting every business and public authority.
With such a wide remit, it is important my office focuses its attention on areas where poor data protection practices can have the greatest impact on people. And when we identify those areas, it is important we work with organisations to ensure changes and improvements to comply with the law.
Our work to improve mobile phone extraction practices across the criminal justice system in the UK is a good example of that work.
Mobile phones often store enormous amounts of extremely sensitive data, reflecting not only our most private thoughts, feelings and movements, but also those of our friends and family.
From biometric, financial and medical data to personal information that reveals our location, political or religious beliefs, sexual orientation, and ethnic origin, mobile phones are powerful repositories of our daily lives.
My 2020 report explained the issues at play in England and Wales. It recommended several measures, aimed at regaining public confidence that may have been lost through previous poor practices. These measures included calling for a new code of practice to be implemented across law enforcement to improve compliance with data protection law.
Our report broke new ground. It called for a change in culture to stop unnecessary processing of personal data from mobile phones that could not be justified. It is not okay for the police to ask people to hand over their mobile phones without good reason. They must only take people's data when it is strictly necessary for a specific, reasonable line of enquiry.
That report, supported by our work with organisations including the police, victims' groups and government, has already prompted improvements.
The Court of Appeal issued a judgment that reinforced our report’s findings and recommendations. The Attorney General has revised his guidelines on disclosure, stressing the message that it is not always necessary to obtain digital materials. And the College of Policing has issued operational guidance to police in England and Wales, emphasising the need to consider alternatives to the examination of mobile phones and to extract only the minimum amount of data strictly necessary.
This is a good start, but a more strategic, coordinated approach is needed so that police and prosecutors understand and implement the required systemic changes. Crucially, the code of practice I called for a year ago, to introduce clarity, consistency and adequate safeguards whenever mobile phone extraction is being considered, is yet to be introduced despite continuous engagement from my office.
To assist police organisations in Northern Ireland and Scotland in understanding their data protection obligations in their mobile phone extraction operations, we have published two separate reports with recommendations on how to comply with the law. We have also published a follow-up to my 2020 report on the issues in England and Wales.
I am encouraged by the consensus across the UK that more needs to be done to govern mobile phone extraction practices and increase public trust.
We want people to feel confident that they can hand over their phone if asked by the police in the UK, safe in the knowledge that it will only be requested if necessary; only the minimum amount of data required will be taken; and, that their private information will be kept safe and used appropriately.
It is about respecting and safeguarding people’s privacy, which can help increase public trust and confidence in the criminal justice system.
The ICO remains committed to supporting the work that is needed to fully implement our recommendations across the UK . We will continue to engage with our stakeholders to bring influence and encourage further change in this space.
Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.
Notes to Editors
- The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover.
- The DPA2018 and UK GDPR gave the ICO new strengthened powers.
- The data protection principles in the UK GDPR evolved from the original DPA, and set out the main responsibilities for organisations.
- To report a concern to the ICO, go to ico.org.uk/concerns.