We have a duty to co-operate with European and other international partners, including the European Commission and other data protection authorities. This co-operation includes:
- sharing information and good practice;
- helping with complaints, investigation and enforcement; and
- working together to improve understanding of data protection law, and produce common positions and guidance where appropriate and necessary.
In the European Union (EU), we co-operate across all areas, including activities related to the internal market; justice, freedom and security; and police and judicial co-operation.
We work with groups established under legislation as well as with groups and initiatives we instigate, or others who aim to promote and improve the data protection framework and its application around the world. As information flows and data sharing are no longer restricted by geographical borders and locations, there is a need to see the data protection framework in a global context and to work with other frameworks and groups around the world to establish agreement and understanding so that we can continue to uphold the rights of citizens and responsibilities of organisations in the legislation.
At European level we are part of the Article 29 Working Party, which is made up of representatives of the 28 EU data protection authorities, plus Norway, Iceland and Liechtenstein, and the European Data Protection Supervisor. The European Data Protection Supervisor oversees the protection of individuals' personal information in the institutions of the European Union. The Europa website has contact details for European data protection authorities.
European law enforcement
There are several law enforcement agencies that operate across the EU. These agencies are set up under specific conventions and regulations at a European level, which include data protection safeguards.
They are not governed by the UK Data Protection Act or data protection laws of other EU countries. The ICO helps to supervise data protection arrangements for these law enforcement agencies to safeguard data protection and uphold privacy rights.
A new regulation has entered into force enabling Europol to step up efforts to fight terrorism, cybercrime and other serious and organised forms of crime. Europol’s new powers will be accompanied with increased data protection safeguards, democratic control and parliamentary scrutiny.
The European Union Agency for Law Enforcement Cooperation (Europol) is the law enforcement agency of the European Union (EU). It supports EU Member States in preventing and combating serious international and organised crime and terrorism. Europol is based in The Hague and is made up of police officers, liaison officers, and personnel seconded from national law enforcement organisations. It also provides support to co-operation partners. Co-operation partners currently include Iceland, Norway and the United States of America. Europol is not an executive police force, it has no prosecution functionality.
The collection and processing of data are central to Europol’s work; it stores large amounts of personal data. Various Europol units, EU Member States and third parties share data for analysis.
The new Europol Regulation, implemented on 1 May 2017, set out rules to ensure a high standard of data protection and security whilst still taking into account the operational needs of Europol.
Until the new Europol Regulation was enforced, the operations of Europol were supervised by the Europol Joint Supervisory Body (JSB) which oversaw compliance with the data protection rules. The JSB published its sixth and final activity report covering the period November 2012 - April 2017.
The JSB has handed over the supervision of Europol to the European Data Protection Supervisor. There will now be a shift from supervision by certain data protection authorities in Member States, to supervision by the data protection authority tasked, by EU institutions and bodies, with supervising data processing. Cooperation with national authorities will be achieved by way of a Coordination Board which the ICO is a member of.
Schengen Information System (SIS)
The Schengen Convention 1990 was an attempt to deal with the aim of creating a Europe without internal borders, specifically relating to the free movement of persons within the European Union. At present 25 Member States as well as Norway and Iceland are part of this free travel area. The United Kingdom and Ireland are not yet full members, though they have asked for limited participation as allowed under the Treaty of Amsterdam 1999.
The Schengen Convention applies, among other things, to the areas of visa policy, asylum policy, police co-operation, policy on drugs, and the free movement of persons. An information system, the Schengen Information System (SIS), was established to facilitate the exchange of data in these areas. As the data is of a personal nature, data protection safeguards have been put in place. These safeguards include supervision by the data protection authorities.
In order to cope with the enlargement of the EU, a new SIS II was developed. This was planned to have the capacity to deal with the increased membership and has meant the implementation of a new Regulation and an upgrade to the SIS IT infrastructure.
On 13 April 2015 the UK connected into SISII but only participates in the law enforcement aspects. SISII enables participating countries to share and receive law enforcement alerts in real time for:
- persons wanted for arrest for extradition purposes, for which a warrant has been issued (Article 26);
- missing persons who need to be placed under police protection or in a place of safety, including minors and adults not at risk (Article 32);
- witnesses, absconders, or subjects of criminal judgements to appear before the judicial authorities (Article 34);
- people or vehicles requiring specific checks or discreet surveillance (Article 36);
- objects that are misappropriated, lost, stolen and which may be sought for the purposes of seizure or for use as evidence (e.g. firearms, passports etc) (Article 38).
SIRENE Bureaux are set up in all SISII participating countries, to provide supplementary information on alerts and coordinate activities in relation to alerts in SISII. In the UK’s case this is managed by the National Crime Agency. SIRENE stands for Supplementary Information Request at the National Entry.
A coordinated supervisory group, which includes the European Data Protection Supervisor and all member states, has been established under the new SIS II Regulation. The ICO is represented on this body.
Requests for access to SIS II alert data should be directed to the ACRO Criminal Records Office
Request for access to data held by UK SIRENE Bureau should be made to:
Public Information Compliance Unit
National Crime Agency
PO Box 8000
For Freedom of Information requests related to SISII please visit the Home Office website.
For further information please see the Guide of Access produced by the Coordinated Supervision Group.
Customs Information System (CIS)
The Customs Information System was established under the CIS Convention. Its aim is to assist in combating customs related crime by facilitating co-operation between European customs authorities. The abolition of border controls following the formation of the Single Market in 1993 was a motivating factor in developing CIS as a means to combat smuggling.
The centralised Customs Information System located in Brussels can be accessed by Member States and as this involves the processing of personal data, a number of data protection safeguards have been built into the system. The CIS only records data relating to the Customs and Excise area, and the type of personal data is limited to that specified in the Convention.
CIS operates with two separate databases. One relates to matters which are subject to European law, while the second relates to matters which are solely subject to national law. Data held on the CIS may be accessed by the competent authorities in the Member States. However, only the party which has inputted data may correct, amend or delete such data.
A Joint Supervisory Authority is established under the CIS Convention. The JSA is responsible for supervising CIS and consists of representatives from the national authorities, including from the ICO. The JSA can inspect the central CIS database. It also offers advice and can examine issues relating to access requests.
The European Data Protection Supervisor also has a role in supervising use of the CIS by EU institutions. A co-ordinated supervision and co-operation body consisting of JSA members and EDPS ensures that CIS is supervised consistently.
Eurodac is the European information system established for the comparison of fingerprints of asylum applicants and irregular immigrants. Eurodac facilitates the application of the 1990 Dublin Regulation which aims to determine the Member State responsible for examining an application for asylum.
On 20 July 2015 the Eurodac Recast system became operational in compliance with Regulation (EU) No 603/2013 of the European Parliament and of the Council dated 26 June 2013. The new Eurodac system ensures full compatibility with the most recent developments of the asylum legislation. The new system allows law enforcement agency, including the European Police Office (Europol), access to its fingerprints database, under strictly limited circumstances in order to prevent, detect or investigate serious criminal offences, including terrorism (Articles 5 and 7 of the Eurodac Recast Regulation).
Requests for personal data stored in Eurodac should be made to the Immigration Fingerprint Bureau. The ICO is the national supervisory for the UK use of the Eurodac system and we can be contacted should you have a complaint about the way your complaint has been handled.
At the European level, Eurodac is supervised by the European Data Protection Supervisor. View the 2014 Eurodac Annual Report.
US Department of the Treasury – Terrorist Finance Tracking Program (TFTP)
The TFTP was set up by the United States Treasury Department shortly after the terrorist attacks of 11 September 2001. Since then, the TFTP has generated significant intelligence that has been beneficial for both US and EU states in the fight against terrorism.
There is an agreement in place enabling EU citizens to make subject access requests via their national data protection authority for information held by the US Treasury Department. For UK citizens this means the request can be made via the ICO. The ICO facilitates the request making procedure and the response will come from the US Treasury Department.