The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Sensitive processing for law enforcement purpose

As part of the Information Commissioner’s statutory functions, we can investigate and prosecute individuals and organisations for offences committed under the legislation we regulate (including Data Protection Act 2018, Freedom of Information 2000, etc.). The Information Commissioner is named as a competent authority for the purpose of Part 3 of the Data Protection Act 2018 (DPA 2018) which applies to the processing of personal data by such authorities for law enforcement purposes.

These purposes are set out at section 31 DPA 2018 and include the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security.

Sensitive processing

Part 3 of the DPA 2018 outlines the requirement for an Appropriate Policy Document (APD) to be in place when processing sensitive personal data for law enforcement purposes.

Sensitive processing is defined in Part 3 section 35(8) and is equivalent to GDPR special category data. This includes:

  • the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
  • the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;
  • the processing of data concerning health;
  • the processing of data concerning an individual’s sex life or sexual orientation.

This policy document

This policy document outlines our sensitive processing for law enforcement purposes and explains:

i) Our procedures for securing compliance with the law enforcement data protection principles;

ii) Our policies as regards the retention and erasure of personal data, giving an indication of how long the personal data is likely to be retained.

Our policy document – our processing of special categories of personal data and criminal conviction data explains our general processing of special category data when our processing is not for the primary purpose of law enforcement. Additional information about our more general processing can also be found in our privacy notice and staff privacy notice.

Description of data processed

We carry out sensitive processing for law enforcement purposes in three key areas:

  • i) Criminal investigations
  • ii) Intelligence
  • iii) Financial recovery

We carry out sensitive processing of all of the categories of data defined in Part 3 section 35(8) except for the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual.

Consent or Schedule 8 condition for processing

We carry out sensitive processing under section 35(3) DPA 2018 only in reliance on the consent of the data subject or where it is strictly necessary for the law enforcement purposes and it meets one of the conditions in schedule 8 of the DPA 2018.

The relevant schedule 8 condition for our processing is Schedule 8 paragraph 1 – statutory purposes.

Where personal data is retained as a public record to be transferred to The National Archives, our condition is Schedule 8 paragraph 9 – that the processing is necessary for archiving purposes in the public interest.

Procedures for ensuring compliance with the principles

Accountability principle

We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:

  • The appointment of a data protection officer who reports directly to our highest management level.
  • Taking a ‘data protection by design and default’ approach to our activities.
  • Maintaining documentation of our processing activities.
  • Adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors.
  • Implementing appropriate security measures in relation to the personal data we process.
  • Carrying out data protection impact assessments for our high risk processing.

We regularly review our accountability measures and update or amend them when required.

Principle (1): lawfulness and fairness

Processing for law enforcement must be lawful and fair. Sensitive processing is only permissible if it is:

  • based on the consent of the data subject - section 35(4);

or

  • is strictly necessary for the law enforcement purpose and is based on a Schedule 8 condition - section 35(5).

Our processing of sensitive data for law enforcement purposes satisfies the first Schedule 8 condition that it is necessary for the exercise of a function conferred on the ICO by the legislation for which we act as a regulator e.g. Data Protection Act 2018 and is necessary for reasons of substantial public interest. We are required to seek to prevent, detect, investigate and prosecute possible offences contained in the Data Protection Act and Freedom of Information Act. The ICO working to ensure the lawful processing of information is of substantial public interest.

In circumstances where we seek consent, we make sure:

  • The consent is unambiguous
  • The consent is given by an affirmative action
  • The consent is recorded as the condition for processing

Principle (2): purpose limitation

We process personal data for all of the law enforcement purposes listed at section 31 DPA 2018. These are the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security. The offences are under data protection or freedom of information legislation.

We are authorised by law to carry out sensitive processing for any of these purposes. We may process personal data collected for one of these purposes (whether by us or another controller), for any of our other law enforcement purposes providing the processing is necessary and proportionate to that purpose.

We will only use data collected for a law enforcement purpose for purposes other than law enforcement where we are authorised by law to do so.

If we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose.

Principle (3): data minimisation

We do not systematically collect or harvest sensitive personal data for law enforcement purposes. The information we process is necessary for and proportionate to our purposes. It is processed in the context of us carrying out processes which enable us to meet our stated purposes for processing.

Where sensitive personal data is provided to us or obtained by us but is not relevant to our stated purposes, we will erase it.

Principle (4): accuracy

Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, we will document our decision.

We, as far as possible, distinguish between personal data based on facts and personal data based on personal assessments or opinions and mark the file to reflect the distinction. There are circumstances where this is not possible.

We, where relevant, and as far as possible, distinguish between personal data relating to different categories of data subject, such as

- People suspected of committing an offence or being about to commit an offence
- People convicted of a criminal offence
- Known or suspected victims of a criminal offence
- Witnesses or other people with information about offences

We only do this where the personal data is relevant to the purpose being pursued.

We do this by marking the file in our records. Should the status of a data subject change our systems allow us to note the reason and amend the file.

We take reasonable steps to ensure that personal data which is inaccurate, incomplete or out of date is not transmitted or made available for any of the law enforcement purposes. We do this by verifying any data before sending it externally. We also provide the recipient with the necessary information we hold to assess the accuracy, completeness and reliability of the data.

If we discover, after transmission that the data was incorrect or should not have been transmitted, we will tell the recipient as soon as possible.

We document our decision to make personal data available for any of the law enforcement purposes.

Principle (5): storage limitation

We have a corporate retention schedule and retain information processed for the purposes of law enforcement for 6 years from closure of the matter unless there is a legitimate reason to retain it for longer.

Principle (6): security

Electronic information is processed within our secure network. Hard copy information is processed within our secure premises. Where it is necessary for us to share information with third parties we consider the technical or organisational security measures they have in place before allowing access or transmitting data.

Electronic and hard copy information processed for the law enforcement purposes is only available to staff who carry out the processing for these purposes. Our electronic systems and physical storage have appropriate access controls applied.

The systems we use to process personal data for law enforcement purposes allow us to erase or update personal data at any point in time. They also allow us to log the following information:

  • Collection
  • Alteration
  • Consultation (access)
  • Identity of person who accessed
  • Disclosures
  • Combination of records
  • Erasure

Retention and erasure policies

We have a corporate retention schedule which includes personal information processed for law enforcement purposes. Usually, we retain personal information processed for this purpose for 6 years from the closure of the case unless there is a legitimate reason to retain it for longer.

Our retention and erasure practices are set out in our retention schedule.

APD review date

This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.

This policy will be reviewed annually or revised more frequently if necessary.