About the Guide to Law Enforcement Processing
Scope and key definitions
Principles
Conditions for sensitive processing
Individual rights
The right to be informed
The right of access
The right to rectification
The right to erasure and the right to restriction
Right not to be subject to automated decision-making
Manifestly unfounded and excessive requests
Accountability and governance
Documentation
Logging
Categorisation of individuals
Data protection by design and by default
Data protection impact assessments
Data protection officers
Personal data breaches
National security provisions
Penalties
International transfers

About the Guide to Law Enforcement Processing

The Guide to Law Enforcement Processing is part of our Guide to Data Protection. It is for those who have day-to-day responsibility for data protection in organisations with law enforcement functions.

It explains the data protection regime that applies to those authorities when processing personal data for law enforcement purposes. It covers part 3 of the Data Protection Act 2018 (DPA 2018), which is separate from the UK GDPR regime.

It explains each of the data protection principles, rights and obligations. It summarises the key points you need to know and answers frequently asked questions.

Where relevant, this guide also links to more detailed guidance and other resources, including ICO guidance and relevant European guidance published by the European Data Protection Board (EDPB). EDPB guidelines are no longer directly binding on the UK regime, but are included as a useful reference resource.

This section only covers processing for law enforcement purposes. You will need to read our Guide to the UK GDPR when processing for non-law enforcement purposes.

Scope and key definitions

At a glance

In brief

Who does Part 3 apply to?

Part 3 only applies to competent authorities processing for law enforcement purposes. So it applies to, but is not limited to:

The appropriate regime is based on the law that applies to the controller. So if you are a processor carrying out a law enforcement function on behalf of a competent authority, you will also be processing under this law enforcement processing regime.

Any processing carried out by a competent authority which is not for the primary purpose of law enforcement will be covered by the general processing regime under the UK GDPR (read with Part 2 of the DPA 2018).

If you are a competent authority it is very likely that you are also processing personal data under the general processing regime. For example, this may include internal HR processes and procedures, as that processing isn’t strictly for law enforcement purposes.

Identifying the correct regime is important as there are many key differences between the general processing regime and Part 3 of the DPA 2018, including differences on individuals’ rights, lawful basis for processing and governance.

What is a ‘competent authority’?

A competent authority means:

You need to check whether you are listed as a competent authority in Schedule 7 of the DPA 2018.

If you are not listed in Schedule 7, you may still be a competent authority if you have a legal power to process personal data for law enforcement purposes. For example, local authorities who prosecute trading standards offences or the Environment Agency when prosecuting environmental offences.

Are we processing for law enforcement purposes?

If you are a competent authority, when you are deciding which regime applies, the key thing to consider is your primary purpose for the processing. This should help you identify whether the processing falls under the UK GDPR rules, or satisfies the criteria of the law enforcement purposes under Part 3 of the DPA 2018.

The law enforcement purposes are defined under section 31 of the DPA 2018 as:

‘The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’

So if you are a competent authority processing for one of those purposes, you should comply with the law enforcement processing regime.

Example

A police officer is called to a disturbance where allegations of assault have been made. The officer attends the scene using their body-worn camera. Witnesses are interviewed and this footage is recorded on the body-worn camera.

The footage is recorded and processed to investigate the crime. So the processing is carried out for the prevention, investigation, detection or prosecution of criminal offences. Part 3 of the DPA 2018 applies.

What if we are processing for other general purposes?

Even if you are a competent authority, in some circumstances you may also process data for general purposes, such as for your own HR purposes. If processing is not for the law enforcement purposes, it will fall into the general processing regime in the UK GDPR read with Part 2 of the DPA 2018, and you should refer to our Guide to the UK GDPR.

Example

A police force want to obtain information from the public about their perception of the force in general. The results will help influence how the force engage with the public. They therefore conduct a survey to capture people’s views.

Personal information is collected about individuals, but the primary purpose of the processing is to gain an insight into their opinions of the force. So the processing is not to prevent and detect crime.

In this case, the relevant regime is the general processing regime, and you should read our Guide to the UK GDPR.

What happens if our purpose changes?

You may begin processing information under one regime, but as circumstances progress and the purpose changes, the processing of the data will come under another regime or take place under both simultaneously.

You may initially be processing data for general administrative purposes, but as the situation changes you may identify elements of criminality. The processing would then come under Part 3 of the DPA 2018. It may be easier to identify a change in regime if the data is passed to a specialist team or department to continue the processing for a specific purpose. For example, a dedicated fraud unit may obtain information originally collected under the general processing regime for the purposes of an investigation under Part 3 of the DPA 2018.

Likewise, in certain circumstances the processing of information by a competent authority may begin under the law enforcement processing regime in Part 3 of the DPA 2018, and as circumstances change, it may switch to the general processing regime. Some information may end up being processed for different purposes and under both regimes.

Any information that is being processed for law enforcement purposes must adhere to the governance requirements of Part 3 of the DPA 2018. These include logging requirements, categorisation and obligations about the principles and rights of individuals.

Example

A police force is dealing with an internal disciplinary matter involving a member of staff. A complaint has been referred to a professional standards department about an officer’s conduct. The complaint is not a criminal matter.

The processing involves the use of data from various internal sources, such as HR. The primary purpose for processing the data is to investigate staff conduct and behaviour, so the data will be processed under the general processing regime.

As the investigation progresses, an element of criminality is discovered. The relevant data is then passed to a specific team. They will process the data to investigate the criminal aspects, so will need to comply with the law enforcement processing regime under Part 3 of the DPA 2018.

The HR department may still be processing some of the data for HR-related matters, and that will still be processed under the general processing regime.

How is personal data defined?

Any information relating to an identified or identifiable living individual. An identifying characteristic could include a name, ID number or location data. You should treat such information as personal data even if it can only be potentially linked to a living individual.

What is a controller?

A controller determines how and why personal data is processed. For the purposes of law enforcement, this will be a competent authority which is acting alone, or jointly with others.

If you are processing jointly with another competent authority, you must designate a specific controller to be the contact point for data subjects.

If you are a processor, you are processing personal data on behalf of the controller for the law enforcement purposes, but you could be sharing some accountability with controllers. This means that you could be liable for breaches. You need to review and revise your contracts to ensure that they reflect your new obligations.

What is sensitive processing?

Sensitive processing is defined in section 35(8) as:

(a) the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;

(b) the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;

(c) the processing of data concerning health;

(d) the processing of data concerning an individual’s sex life or sexual orientation.

Genetic data is personal data relating to the inherited or acquired characteristics of a person, eg an analysis of a biological sample.

Biometric data is personal data that is obtained through specific technical processing relating to physical, physiological or behavioural characteristics of a person. This processing enables you to identify a particular person, eg fingerprint data and facial recognition.

For more information on the rules about sensitive processing, see our guide pages on the principles and conditions for sensitive processing.

Principles

At a glance

In brief

What are the principles? 

Part 3, Chapter 2 of the DPA 2018 sets out six key principles which are your main responsibilities when processing personal data for the law enforcement purposes.

The principles are broadly the same as those in the UK GDPR, and are compatible so you can manage your processing across the two regimes.

 

The first data protection principle

Processing of personal data for any of the law enforcement purposes must be lawful and fair.

 

The second data protection principle

The law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate; and

Personal data collected must not be processed in a manner that is incompatible with the purpose for which it was originally collected.

 

The third data protection principle

Personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.

 

The fourth data protection principle

Personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date; and

Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay.

 

The fifth data protection principle

Personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed.

Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes.

 

The sixth data protection principle

Personal data processed for any of the law enforcement purposes must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).

Section 34(3) adds that:

The controller in relation to personal data is responsible for, and must be able to demonstrate, compliance with this Chapter.

Why are the principles important?

The principles guide and inform the processing of personal data for the law enforcement regime under Part 3 of the DPA 2018.

They don’t give hard and fast rules, but rather embody the spirit of the law enforcement regime – and as such there are very limited exceptions.

Compliance with the spirit of these key principles is therefore a fundamental building block for good data protection practice. It is also key to your compliance with the detailed provisions of Part 3.

Failure to comply with the principles may leave you open to substantial fines. Section 157(2)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of monetary penalties. This could mean a penalty of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.

What is the first principle about?

The first data protection principle says that any processing for the law enforcement purposes must be lawful and fair. Lawfulness and fairness are well established requirements of data protection law.

For the processing to be lawful, section 35(2) says that it must be “based on law”. This means that the processing is authorised by either statute, common law or royal prerogative, or by or under any other rule of law. You must identify a legal basis that provides a sufficiently clear, precise and foreseeable lawful justification to process personal data for the law enforcement purposes. The necessary legal basis may be found in more than one statute or other source of law.

Example

Part 5 of the Police and Criminal Evidence Act 1984 confers statutory authority for the taking and retention of DNA and fingerprints (this applies to England and Wales).

The Domestic Violence Disclosure Scheme relies on the Police’s common law powers to disclose information where it is necessary to do so to prevent crime.

The processing must also have a lawful basis under data protection legislation. Section 35(2) explains that the processing of personal data for any of the law enforcement purposes must be either necessary for the performance of a task carried out for law enforcement purposes by a competent authority, or based on consent.

You need to be aware that any processing you carry out for the law enforcement purposes must be necessary. This does not mean that processing always has to be essential. However, it must be a targeted and proportionate way of achieving your purpose. This lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means.

It is not enough to argue that processing is necessary because you have chosen to operate in a particular way. The question is whether the processing is necessary for the stated purpose.

In terms of consent under Part 3, this has the same high standard of consent as that in the UK GDPR. This means consent must be freely given and it must be unambiguous and involve a clear affirmative action (an opt-in). Individuals also must be able to easily withdraw consent. Further guidance on consent can be found in our Guide to the UK GDPR.

There may be limited circumstances where you obtain consent from the individual whose personal data you are processing. However, in the context of law enforcement processing, consent may often not be appropriate as a lawful basis.

“Fairness” generally means you must not process personal data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned. It also requires you to be, where appropriate, clear and open with individuals about how you use their information, in keeping with their reasonable expectations.

What about sensitive processing?

ICO guidance explains the meaning of ‘necessary’ as a targeted and proportionate way of achieving your purpose under Article 6 UK GDPR. Processing for a law enforcement purpose may for example, depending on each case, be ‘necessary’ if it delivers that purpose more effectively, for the benefit of society.

However, as a law enforcement authority, the information you process will often be sensitive. When it is, you must be able to demonstrate that processing for a law enforcement purpose is either based on consent or alternatively, is strictly necessary and satisfies one of the conditions in Schedule 8 of the DPA 2018.

‘Strictly necessary’, as required in some sections of Part 3 DPA 2018, imposes a more exacting standard than ‘necessary’, and in practice calls for a more rigorous justification for why you are processing the information.

The standard should be more exacting for the processing of sensitive information because it carries greater risk, and may have a greater impact on individuals’ rights. As such, this requires higher levels of protection and safeguards. Whether the processing of sensitive information for any of the law enforcement purposes is ‘strictly necessary’ should depend upon the facts of each case.  

In the view of the ICO, we expect ‘strictly necessary’ under Part 3 DPA 2018 to mean that enhanced consideration and extra care should be taken to:  

Sensitive processing is defined in section 35(8) of the DPA 2018 (see ‘What is sensitive processing?’ under Scope and key definitions above) as the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual; the processing of data concerning health; and the processing of data concerning an individual’s sex life or sexual orientation.

Given the sensitivity surrounding such processing, you are required to meet at least one of the conditions set out in Schedule 8 of the DPA 2018.

What safeguards are required for sensitive processing?

If you are carrying out sensitive processing based on the consent of a data subject, or based on another specific condition in Schedule 8 of the DPA 2018, you must have an appropriate policy document in place.

This document must explain:

You must retain this policy from the time you begin sensitive processing until six months after it has ended. You must review and update it where appropriate and make it available to the Information Commissioner upon request without charge.

So, to recap, sensitive processing must be:

In addition, in either case you must have an appropriate policy document in place.

Our template appropriate policy document shows the kind of information this should contain.

What is the second principle about?

The second principle is about maintaining the purpose for processing personal data. Specific requirements about the purpose being specified, explicit and legitimate are introduced, meaning that any processing under Part 3 of the DPA 2018 must be for the defined law enforcement purposes. You cannot process for a purpose that is incompatible with the original reason and justification for processing.

The Crown Prosecution Service could process personal data in connection with the prosecution of a criminal offence, whereas the Police working alongside the prosecutor would only be processing the personal data in connection with the investigation of the offence. 

What are principles three, four and five about?

The third principle requires that the personal data you are processing is adequate, relevant and not excessive. This means the data must be limited to what is necessary for the purpose(s) you are processing it.

The fourth data protection principle is about accuracy. It sets out that you should take every reasonable step to correct inaccurate data. In addition, as far as possible, you need to be able to distinguish between personal data that is based on factual data and that which is based on a matter of opinion or assessment, such as a witness statement.

A new requirement is that, again, where relevant and as far as possible, you need to be able to distinguish between different categories of individuals, such as suspects, individuals who have been convicted, victims and witnesses. You only categorise information under Part 3 that is relevant to your investigation, and other unused data falls under the general processing regime.

The fifth principle requires that you do not keep personal data for longer than is necessary for the purpose you originally collected it for. No specific time periods are given but you need to conduct regular reviews to ensure that you are not storing for longer than necessary for the law enforcement purposes.  

What is the sixth principle about?

The sixth principle requires you to have technical and organisational measures in place to ensure that you protect data with an appropriate level of security. This is the same as under the UK GDPR and Part 2 of the DPA 2018.

“Appropriate security” includes “protection against unauthorised or unlawful processing and against accidental loss, destruction or damage”.

 

Conditions for sensitive processing

Latest updates - last updated 09 March 2023

09 March 2023 - We have shortened a description of “strictly necessary” in the “At a glance” section for “Conditions for sensitive processing”. Further detail can now be found under the “What about sensitive processing?” section instead.

At a glance

The conditions for sensitive processing in Schedule 8 of the Act are:

Again, you must be able to demonstrate that the processing is either based on consent or is strictly necessary and satisfies one of the conditions in Schedule 8.

In brief

What are the conditions?

When undertaking ‘sensitive processing’, in order to comply with the first principle, you must either have consent for processing or be able to satisfy one of the conditions in Schedule 8. Consent should not always be a default condition as it may not be appropriate in the circumstances. You will also need an appropriate policy document in place. 

What is an appropriate policy document?

An appropriate policy document must explain:

(a) your procedures for ensuring compliance with the law enforcement data protection principles; and

(b) your policies on the retention and erasure of this data.

Our template appropriate policy document shows the kind of information this should contain. 

What are judicial and statutory purposes/administration of justice?

The sensitive processing must be necessary for the administration of justice, or for the exercise of a function conferred on a person by an enactment or rule of law. This covers a constable and other competent authorities.

In addition, in order to satisfy this condition, you must be able to demonstrate that the processing is necessary for reasons of substantial public interest.

When is processing appropriate for individual’s vital interests?

This condition only applies in cases of life or death, such as if you disclose an individual’s medical history to a hospital’s A&E department who are treating them after a serious road accident. Data protection law should not be a barrier to processing data in these circumstances.

When does processing relate to safeguarding of children and of individuals at risk?

This condition is met in cases where consent is not appropriate because the individual is under 18 or at risk, but the processing is necessary for reasons of substantial public interest, and is to protect them from harm or to protect their well-being.

What about personal data already in the public domain?

This condition applies if the data subject has deliberately made the information public.

What about legal claims and judicial acts?

This condition is met if the processing is necessary for the establishment, exercise or defence of a legal claim or whenever a court is acting in its judicial capacity.

When can data be processed for preventing fraud?

You should use this condition if the processing is necessary for the purposes of preventing fraud.  If it involves sharing data with organisations that do not fall within the definition of a competent authority, the processing needs to comply with the UK GDPR, and you need to have a lawful basis for sharing the data. 

What about archiving?

You can use this condition if processing is necessary for archiving in the public interest, for scientific or historical research purposes, or for statistical purposes. However, you cannot use it if it will result in decisions being made that affect a particular individual, or is likely to cause substantial damage or substantial distress to an individual.

 

Individual rights

Part 3, Chapter 3 of the Act provides the following individual rights:

Certain rights under the UK GDPR, such as the right to object and the right to data portability, do not exist in Part 3 of the Act. Further, there are exemptions and restrictions that can, in some circumstances, be legitimately applied to prevent individuals from exercising rights.  

It is important to note that subject access rights and the rights to rectification, erasure and restriction do not apply to the processing of ‘relevant personal data’ in the course of a criminal investigation or criminal proceedings.

‘Relevant personal data’ means personal data contained in a judicial decision or in other documents relating to the investigation or proceedings which are created by or on behalf of a court or other judicial authority.

Access to ‘relevant personal data’ is governed by the appropriate legislation covering the disclosure of information in criminal proceedings, such as (in England and Wales) the Criminal Procedure and Investigations Act 1996.

This provision only applies if the judge or other judicial authority is the controller and the relevant personal data is contained in a judicial decision or in other documents which are created during a criminal investigation or proceedings and made by or on behalf of the judge or judicial authority. For example, the ‘relevant personal data’ may be contained in judge’s notes.

You must communicate in clear and plain language any information that Part 3 requires you to provide. It is also your duty more generally to assist individuals to exercise their rights.

Similar to the UK GDPR, the Act includes further provisions for individuals to exercise their rights through raising a complaint with the Information Commissioner, or taking matters to court.

The next sections explain each of these in more detail.

The right to be informed

At a glance

In brief

How should we provide this information?

The information you supply about the processing of personal data must be:

What information must we supply as a minimum?

You must make this information generally available to the public:

What information should we supply to an individual?

You should supply the following information to enable an individual to exercise their rights: 

The right to this information is a qualified right, subject to restrictions that prevent any prejudice to an ongoing investigation or compromise to operational techniques.

Example

You have a generic privacy notice on your website which covers basic information about the organisation, the purpose you process personal data for, a data subject’s rights and their right to complain to the Information Commissioner.

You have received intelligence that an individual was present when a crime took place. On first interviewing this individual, you need to provide the generic information, as well as the further supporting information, to enable their rights to be exercised. You can only restrict the fair processing information you are providing if it will adversely affect the investigation you are undertaking.

In what circumstances may we limit the provision of further supporting information?

You may restrict the provision of further information where it is necessary and proportionate to:

You need to justify any restriction you apply as necessary and proportionate, and apply it on a case by case basis. It is important to balance the rights of the individual against the harm disclosure would cause.

You also must inform the individual when this limitation is in place, explaining its existence and the reasons, unless providing this information itself will undermine the purpose of imposing the restriction. Regardless, you still need to inform the individual about the process of raising a complaint with the Information Commissioner or taking matters to court.

You should keep a record of your decisions to rely on any restriction, and provide this reasoning to the Information Commissioner if required.

 

The right of access

Latest updates - last updated 10 February 2023

10 February 2023 - We have published detailed guidance on the Part 3 right of access, and updated our in-brief guidance to reflect this.

At a glance

Checklists

Preparing for Part 3 subject access requests

□ We know how to recognise a request and we understand when the right of access applies.

□ We understand what information is being used for law enforcement purposes, and when to use Part 3 to deal with the SAR.

□ We have a policy for recording verbal requests.

□ We understand what steps we need to take, if necessary, to verify the requester’s identity.

□ We understand that we must respond to requests within one month.

□ We understand when we can restrict the right of access and are aware of the information we still need to provide to people when we do so.

□ We understand the nature of the supplementary information we must provide to respond to a subject access request.

□ We have suitable information management systems in place to allow us to locate and retrieve information efficiently.

Complying with Part 3 subject access requests

□ We have processes in place to ensure that we respond to a request without undue delay and within one month of receipt.

□ We understand how to perform a reasonable search for the information.

□ We understand what we should consider if a third party makes a request on someone’s behalf.

□ We understand how to deal with requests for personal information contained within logs of information.

□ We understand how to deal with requests for unstructured manual data.

□ We understand that we must provide the information in a concise, intelligible and easily accessible form, using clear and plain language.

□ We understand that we should generally provide people with a copy of their personal information and other supplementary information.

□ We have processes in place for when we may consider restricting someone’s right of access, and have a system for recording our reasons.

□ We understand what we should consider if a request includes information about others.

□ We understand that, in circumstances where we are joint controllers, we must have joint arrangements in place. These must set out the responsibilities of each joint controller, and designate one of the joint controllers as the “contact point” for SARs.

□ We can deliver the information securely and in the correct format.

In brief

What is the right of access in Part 3 of the DPA 2018?

The UK GDPR does not apply to personal information used by a competent authority for any of the law enforcement purposes. There is a separate regime in Part 3 of the DPA 2018 which gives people a right to access their personal information used for a law enforcement purpose.

The right of access in Part 3, commonly known as subject access, gives people the right to access their personal information, as well as other supplementary information. It helps people to understand how and why you are using their data, and check you are doing so lawfully.

How do we recognise a Part 3 subject access request (SAR)?

Someone can make a Part 3 SAR verbally or in writing, including on social media. A request is valid if it is clear that the person is asking for their own personal information. They do not need to use a specific form of words, refer to legislation or direct the request to a specific contact. 

Before responding to a SAR, you must determine whether you are using the personal information for any of the law enforcement purposes. If you are a competent authority, and your primary purpose for processing the information is for one of the law enforcement purposes, you must deal with the SAR under Part 3.

What should we consider when responding to a Part 3 request?

You must comply with a SAR without undue delay and at the latest within one month of receiving the request. The time limit begins the day after you receive the request. You must not extend the time limit for any reason. While you may ask the person to clarify their request, you must not ‘stop the clock’ after doing so. You must still comply with the request within the deadline.

Under Part 3, you must keep logs of information about your processing activities.

Unstructured personal data is manual information that is not, or is not intended to form, part of a “filing system”. Unstructured manual data obtained for law enforcement purposes is not included in the Part 3 processing regime. If you receive a SAR for this type of personal information, you will need to treat it as a SAR under the UK GDPR.

How should we supply Part 3 information to the requester?

People have the right to access their personal information. Where possible, you should provide them with a copy of their personal information, and other supplementary information (which largely corresponds with the information that you should provide in a privacy notice).

You must respond to requests in writing, and provide the information in a concise, intelligible and easily accessible format using clear and plain language. You could provide the information in its existing format if this is the most accessible form, for example where you cannot convey the full context and meaning of the information solely in writing. This may include providing secure access to CCTV footage or audio recordings. You do not have to create transcripts to respond to a request if you do not already have them.

In certain circumstances you could provide the person with access to their information, rather than providing them with a copy. Our detailed guidance further explains these circumstances.

Can we restrict the right of access under Part 3?

Yes – but only in specific circumstances.

People have the right to obtain confirmation of whether or not you process their information, and to access it.

You may restrict these rights, in full or in part, if it is necessary and proportionate in order to:

In considering whether to apply a restriction, you must also consider the person’s fundamental rights and interests. You must provide them with any information you do not need to restrict access to.

What should we consider when acting as joint controllers?

Where two or more competent authorities jointly determine the purposes and means of the processing of personal information, they are acting as joint controllers.

If you are acting as a joint controller, you must ensure that:

Joint controllers must, in their joint arrangements, name one of the joint controllers as the contact point. You must not appoint a third party as the contact point, or have more than one contact point.

The joint arrangements must set out very clearly the duties of each joint controller in relation to SARs.

What should we do if the Part 3 request involves information about other people?

You should consider first whether it is possible to comply with the request without disclosing information that identifies another person.

If this is not possible, you should consider whether it is reasonable to apply a restriction. In reaching this decision, you must balance the rights and interests of the person making the request with the rights and freedoms of the other person.

If you can demonstrate, on balance, that applying a restriction is necessary and proportionate to protect the rights and freedoms of the other person, then you could refuse to provide the information.

Our detailed guidance provides further information on what you need to consider in these circumstances.

What do we need to consider if a court processes personal data for law enforcement purposes?

People do not have a right to access their personal data by making a SAR if it is contained in:

The DPA 2018 describes such information as “relevant personal data”.

Can the ICO enforce the right of access under Part 3?

Yes. In appropriate cases, the ICO may take action against a controller or processor if they fail to comply with data protection legislation. The ICO will exercise these enforcement powers in accordance with our Regulatory Action Policy.

If you fail to comply with a SAR, the requester may apply for a court order requiring you to comply or to seek compensation. It is a matter for the court to decide, in each particular case, what action to take.

If you are a joint controller, you are only liable to the extent you are responsible for the specific action in question, under the terms of the joint arrangements.

In more detail – ICO guidance

We have produced more detailed guidance on the Part 3 right of access.

The right to rectification

At a glance

In brief

When should we rectify personal data?

You must rectify inaccurate personal data when it becomes apparent, or if an individual requests it. If personal data is identified as inaccurate as a matter of fact, or incomplete, you must seek to amend this by rectifying or completing the data. If you are unable to correct it, you could, where appropriate, provide a supplementary statement to rectify personal data which is inaccurate. In circumstances such as policing, you can keep accurate records of allegations made, even if the allegations are unfounded.

Example

The right to rectification applies, in particular, to matters of fact. For example, there may be inaccuracies in the details of a criminal conviction held on the Police National Computer. An individual may receive a copy of their criminal record and request that an incorrect entry for Grievous Bodily Harm is corrected to Actual Bodily Harm, or vice versa, to reflect the correct conviction. The controller may restrict the right to rectification if, for example, it obstructs an investigation, such as a request to rectify the content of a witness statement.

If you need to maintain personal data for the purposes of evidence, you must restrict its processing (instead of rectifying it). There is further information in the next section about restricting the processing of personal data.

If this happens, an individual may raise a complaint with the Information Commissioner.

What do we need to do to comply?

An individual can make a request for rectification verbally or in writing. Therefore, it is good practice to have a policy for recording details of the requests you receive, including those made by telephone or in person. You may wish to check with the requester that you have understood their request as this can help avoid later disputes. We also recommend that you keep a log of verbal requests.

If you have reasonable doubts about the identity of an individual, you can request more information to confirm their identity. You can put dealing with the request on hold until you receive further information to establish their identity.

Your request for verification should be reasonable and proportionate, taking into consideration the nature of the personal data you hold and your relationship with the individual.

If you have disclosed the personal data in question to third parties, you must inform them of the rectification. The third parties also have to rectify the information they hold. You must also inform the competent authority (if any) where the inaccurate personal data originated from.

If you refuse a request for rectification, you must tell the individual, informing them of their right to raise a complaint with the Information Commissioner or to take matters to court.

What if the request is manifestly unfounded or excessive?

If requests are manifestly unfounded or excessive, in particular because they are repetitive, you can:

You have to be able to demonstrate how a request is manifestly unfounded or excessive.

How long do we have to comply?

You must respond to the request without delay and at the latest within one calendar month, from the first day after the request was received.

Example

If you receive a request on 30 June the time limit will start on 1 July and the deadline will be 1 August.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond.

For practical purposes, if a consistent number of days is required (eg for a computer system), you should adopt a 28-day period to ensure compliance is always within a calendar month.

When can we limit the provision of information?

If you receive a request for rectification, you must inform the individual in writing whether you have granted the request; and if you have refused, the reasons why, as well as the process for raising a complaint with the Information Commissioner or taking matters to court.

You may limit the provision of information to:

You need to justify any restriction you apply as necessary and proportionate. Again, you should also consider whether refusal or rectification in itself prejudices an ongoing investigation, as it may well indicate to an individual that you are processing their personal data.

You still need to inform the individual about their right to raise a complaint with the Information Commissioner or take matters to court.

In addition, you should keep a record of your decisions and provide this reasoning to the Information Commissioner, if required.


The right to erasure and the right to restriction

At a glance

In brief

The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Individuals also have the right to restrict the processing of their personal data.

The Act defines the restriction of processing as the ‘marking of stored personal data with the aim of limiting its processing for the future’.

When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that you respect the restriction in future.

Restriction could involve measures such as transferring data to a separate system, or limiting access through the use of passwords and other access controls.

What do we need to consider when deciding if the right to erasure applies?

Individuals have a right to have personal data erased or to restrict its processing.

You must erase personal data without undue delay if:

We recognise that complete deletion of personal data in electronic systems can often be problematic, but you should ensure that you have adequate systems and storage media in place to comply with an individual’s request for erasure. If deletion is not technically possible, you should at least take steps to put the personal data ‘beyond use’.

What do we need to do to comply with requests for erasure or restriction? 

The Act does not specify how to make a request, so an individual can do so verbally or in writing. Therefore, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request as this can help avoid later disputes. We also recommend that you keep a log of verbal requests.

If you have reasonable doubts about the identity of an individual, you can request more information to confirm their identity. You can delay dealing with the request until you receive further information to establish their identity.

Your request for information to verify a requester’s identity should be reasonable and proportionate, taking into consideration the nature of the personal data you hold and your relationship with the individual.

If you have disclosed the personal data in question to third parties, you must inform the third party about the erasure or restriction of the personal data. The third parties will also have to erase or restrict the personal data they hold.

You must tell an individual if you are not going to erase or rectify the personal data they have requested that you amend. You must also inform them of their right to raise a complaint with the Information Commissioner or take the matter to court.

What if the request is manifestly unfounded or excessive?

If requests are manifestly unfounded or excessive, in particular because they are repetitive, you can:

You have to be able to demonstrate how a request is manifestly unfounded or excessive.

How long do we have to comply?

You must respond to the request without delay and at the latest within one calendar month, from the first day after the request was received.

Example

If you receive a request on 30 June the time limit will start on 1 July and the deadline will be 1 August.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond.

For practical purposes, if a consistent number of days is required (eg for a computer system), you should adopt a 28-day period to ensure compliance is always within a calendar month.
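The calendar-month rule above (clock starts the day after receipt, shorter-month fallback, weekend and public-holiday rollover) and the 28-day alternative, worked through as an added example that is not the guide's own code. The public-holiday set is a constructed placeholder, not an official bank-holiday list.

```python
"""Response deadline for a Part 3 request.

Added example (not code from the ICO guide). It implements the calendar-month
rule described above: the clock starts the day after receipt; the deadline is
the corresponding date in the following month, or the last day of that month
when no such date exists; a deadline on a weekend or public holiday rolls
forward to the next working day. PUBLIC_HOLIDAYS is a constructed placeholder.
"""
import calendar
from datetime import date, timedelta

# Constructed placeholder; a real system should load the official holiday
# calendar for its jurisdiction and keep it up to date.
PUBLIC_HOLIDAYS = {date(2024, 12, 25), date(2024, 12, 26), date(2025, 1, 1)}


def add_one_calendar_month(start: date) -> date:
    """Same day number in the next month, else the last day of that month."""
    if start.month == 12:
        year, month = start.year + 1, 1
    else:
        year, month = start.year, start.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, holidays=PUBLIC_HOLIDAYS) -> date:
    """Roll a Saturday, Sunday or public holiday forward to the next working day."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def response_deadline(received: date, holidays=PUBLIC_HOLIDAYS) -> date:
    """Latest date for responding to a request received on `received`."""
    start = received + timedelta(days=1)  # the time limit begins the day after receipt
    return next_working_day(add_one_calendar_month(start), holidays)


def fixed_28_day_deadline(received: date) -> date:
    """Conservative fixed window for systems that need a constant number of days.

    28 days from receipt always falls on or before the calendar-month deadline
    (the shortest possible calendar month from the day after receipt is 28 days),
    so a system using it never overruns the statutory limit.
    """
    return received + timedelta(days=28)


if __name__ == "__main__":
    for received in (date(2024, 6, 30), date(2025, 1, 30), date(2024, 11, 30)):
        print(received, "->", response_deadline(received),
              "| 28-day:", fixed_28_day_deadline(received))
```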

When should we restrict processing?

You are required to restrict the processing of personal data for the law enforcement purposes in two situations:

If restriction is based on the latter, you should inform the individual before you lift the restriction.

Example

A local authority is investigating a suspect for benefit fraud. As part of this investigation, factually inaccurate personal data about the suspect (such as age or ethnicity) has been received from a third party. However, this inaccurate record needs to be retained as evidence to account for how the local authority first carried out the investigation and the source of this information. They should not erase or rectify this information, but restrict it, as it forms evidence against the suspect. They should not process this inaccurate personal data for any other purpose.
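The restriction and erasure mechanics described in this section (marking stored data, refusing further processing while it is restricted, and retaining only enough after erasure to respect it in future), as an added example that is not the guide's own code. The store, record fields, exception and sample record are assumptions.

```python
"""Restricting and erasing records in a simple record store.

Added example, not code from the ICO guide. Restriction is implemented as the
guide describes it: the record is marked, it may still be stored, but any
further processing is refused; lifting the restriction is an explicit step.
Erasure removes the personal data and leaves only a marker (the identifier and
the fact of erasure) so the store refuses to re-create the record later.
All records and identifiers are constructed.
"""
from dataclasses import dataclass
from typing import Any, Callable, Optional


class ProcessingRestricted(Exception):
    """Raised when a restricted or erased record is used for anything but storage."""


@dataclass
class Record:
    record_id: str
    data: Optional[dict[str, Any]]   # None once erased
    restricted: bool = False
    restriction_reason: str = ""
    erased: bool = False


class RecordStore:
    def __init__(self) -> None:
        self._records: dict[str, Record] = {}

    def put(self, record_id: str, data: dict[str, Any]) -> Record:
        existing = self._records.get(record_id)
        if existing is not None and existing.erased:
            # The retained marker is what lets the store honour the earlier erasure.
            raise ProcessingRestricted(f"{record_id} was erased; refusing to re-create it")
        rec = Record(record_id, dict(data))
        self._records[record_id] = rec
        return rec

    def restrict(self, record_id: str, reason: str) -> None:
        """Mark stored data to limit its future processing (e.g. kept only as evidence)."""
        rec = self._records[record_id]
        rec.restricted, rec.restriction_reason = True, reason

    def lift_restriction(self, record_id: str) -> None:
        rec = self._records[record_id]
        rec.restricted, rec.restriction_reason = False, ""

    def process(self, record_id: str, operation: Callable[[dict[str, Any]], Any]) -> Any:
        """Apply `operation` to the record's data; refused while restricted or erased."""
        rec = self._records[record_id]
        if rec.erased:
            raise ProcessingRestricted(f"{record_id} has been erased")
        if rec.restricted:
            raise ProcessingRestricted(f"{record_id} is restricted: {rec.restriction_reason}")
        return operation(rec.data)

    def is_stored(self, record_id: str) -> bool:
        """Storage remains permitted while a record is restricted."""
        rec = self._records.get(record_id)
        return rec is not None and not rec.erased

    def erase(self, record_id: str) -> Record:
        """Remove the personal data, keeping only the identifier and an erasure marker."""
        rec = self._records[record_id]
        rec.data = None
        rec.erased = True
        rec.restricted, rec.restriction_reason = True, "erased"
        return rec


if __name__ == "__main__":
    store = RecordStore()
    store.put("SUBJ-17", {"age": 41, "source": "third-party report"})  # constructed
    store.restrict("SUBJ-17", "retained as evidence; known to be inaccurate")
    try:
        store.process("SUBJ-17", lambda d: d["age"])
    except ProcessingRestricted as exc:
        print("refused:", exc)
```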

When can we limit the provision of information?

If you receive a request for rectification, you must inform the individual in writing whether you have granted the request; and if you have refused, the reasons why, as well as the process for raising a complaint with the Information Commissioner or taking matters to court.

You may limit the provision of information where it is necessary and proportionate to:

Any restriction you apply needs to be justified as necessary and proportionate. In deciding on proportionality it is important to balance the rights of the data subject against the harm disclosure would cause. You can only limit the information you provide to the extent that it would prejudice the purposes stated above.

There is also an obligation to inform the data subject when this limitation is in place, explaining its existence and the reasons unless providing this information itself undermines the purpose of imposing the restriction. You still need to inform the individual about recourse to the Information Commissioner and the Court process.

You should keep a record of your decisions and provide this reasoning to the Information Commissioner if required.


Right not to be subject to automated decision-making

At a glance

In brief

When does the right apply?

Individuals have the right not to be subject to a decision when:

You must ensure that individuals are able to:

To qualify as human intervention, you must ensure that you carefully analyse the decision and consider all the available input and output data, rather than just a token review. This should be carried out by someone who has the authority and competence to change the decision.

This right does not specifically refer to profiling. However, profiling is defined in section 33 as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their:

Profiling and automated decision-making can be combined activities of the same process, or can be carried out separately. There may be cases of automated decisions made with (or without) profiling and profiling which may take place without making automated decisions. This right will therefore apply to any profiling which involves some form of automated processing.

The right does not apply when a decision does not have an adverse legal or similarly significant effect on someone.

Example

An automated processing system could include an IT database of criminal records or prosecution histories, where data is input or accessed by staff via automated means.

‘Automated decision making’ only comes into play where the controller takes a ‘significant’ decision based solely upon automated processing, often without any human interaction. This is a decision that produces an adverse legal effect concerning the individual or otherwise affects the individual.

How do we comply?

You should inform an individual if you make a ‘qualifying significant decision’ about them.

The individual has one month to request that you review the decision, or take a new decision not based solely on automated means. You must consider the request, including any information provided by the individual. You need to respond to the individual within one month of receipt of their request and outline the steps you have taken as well as the outcome.

The DPA 2018 does not specify how an individual must make a request, so they can make it verbally or in writing. Therefore, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes.


Manifestly unfounded and excessive requests

Latest updates - last updated 10 February 2023

10 February 2023 - We have updated our Part 3 guidance on manifestly unfounded and excessive requests to align with our new policy lines on this topic in the UK GDPR right of access guidance.

At a glance

Checklists

Responding to manifestly unfounded and excessive requests

□ We understand when we can refuse a request and are aware of the information we need to provide to people when we do so.

□ We understand the considerations we need to account for when deciding if a request is manifestly unfounded or excessive.

In brief

What types of requests can we consider as manifestly unfounded or excessive?

People have the right to request:

For further information about these rights, please see our Guide to Law Enforcement Processing.

If you process personal data for law enforcement purposes and you consider a request exercising any of these rights as manifestly unfounded or excessive, you could refuse to comply with the request.

Alternatively, you could charge a reasonable fee to deal with the request (see When can you charge a fee?).

What general considerations should we take into account when deciding if a request is manifestly unfounded or excessive?  

You should determine whether a request is manifestly unfounded or excessive on a case-by-case basis. You should also consider the individual circumstances.

Whilst there may be characteristics that are indicative of a manifestly unfounded or excessive request, you should only use these as a guide. You must not presume that a request is manifestly unfounded or excessive just because someone has previously submitted manifestly unfounded or excessive requests. 

The inclusion of the word “manifestly” means it must be obvious or clear that the request is unfounded or excessive. You must have evidence as to why you consider a request to be manifestly unfounded or excessive. You must be able to explain the reasons for your decision to the person and, if asked, to the Information Commissioner’s Office (ICO).

What does manifestly unfounded mean?

A request may be manifestly unfounded if the person clearly has no intention to exercise their right or if the request is malicious in intent. They may also use the request to harass an organisation, with no real purpose other than to cause disruption. The term ‘manifestly’ indicates that organisations should provide evidence which demonstrates why the request is unfounded.

Factors that may indicate a manifestly unfounded request include where:

This is not a simple tick list that automatically means a request is manifestly unfounded. You should consider a request in its own context, and consider all the circumstances. The onus is on you to demonstrate that a request is manifestly unfounded.

You should consider the particular situation and whether the person genuinely wants to exercise their rights. If they do want to exercise their rights, it is unlikely that the request is manifestly unfounded. In most cases, use of aggressive or abusive language does not, in itself, demonstrate a manifestly unfounded request.

Example

A person is unhappy with the outcome of a complaint to a regulator. They post online that they plan to make a request for the company to delete their information every day, until the employee that dealt with their complaint is fired.

You have already responded to their first erasure request. It is clear that their intention is to threaten or disrupt your organisation. You refuse these further requests on the grounds that they are manifestly unfounded.

What does manifestly excessive mean?

To determine whether a request is manifestly excessive, you should consider whether it is clearly or obviously unreasonable. You should base this on whether the request is proportionate, when balanced with the burden or costs involved in dealing with the request.

This means taking into account all the circumstances of the request, including:

In most cases, a request is not excessive just because the request covers a large amount of information, even if you find it a burden. As noted above, you should consider all the circumstances of the request. If it is a request for access, you could also consider asking them for more information to help you locate the information they are looking for.

A repeat request may not be excessive if a reasonable amount of time has passed since their last request. You should consider the following when deciding whether a reasonable amount of time has passed:

If it is unlikely that there have been any changes to the information between requests, you could decide you do not need to respond to the same request twice.

If you have deleted information since the last request, you should let the requester know.

If you have collected new information since their last request then it may not be an excessive request (at least not for the new information).

Requests about the same issue are not always excessive. Someone may have legitimate reasons for making requests that repeat the content of previous requests. For example, if the organisation did not handle previous requests properly, or if a response to a previous request provided someone with new information that they were not previously aware of, prompting a new request. However, in other circumstances, a request which effectively repeats the substance of a previous request may be excessive. This depends on the circumstances.

A request may be excessive if someone makes a new request before you have had the opportunity to address an earlier request. However, this is only the case if the substance of the new request repeats some of the previous request. It is unlikely to be excessive if the overlapping request is about a separate set of information.

A request for information is not automatically excessive just because the information was previously made available as part of the criminal justice system. However, if a person has already received exactly the same information through an alternative statutory disclosure mechanism, this may be a factor to consider in deciding whether a request is excessive. In deciding whether such a request is excessive you should take into account the wider circumstances of the request, including:

The rights that are impacted may vary in the circumstances. The amount of weight you attach to the person’s rights, freedoms or legitimate interests will depend on how compelling or trivial they are.

For further guidance on considering how people’s rights may be affected, see ‘What rights and interests may be impacted by restricting an individual’s right of access?’. For further information on handling requests where you have already provided the information, please see ‘Do we have to respond to the SAR if the person has an alternative means of accessing their information?’. These pieces of guidance are about the right of access. However the principles are also relevant to determining the impact to other Part 3 rights.

Example

One month ago, you responded to a person’s subject access request for their information, which included their conviction history. Since then, they have made a new request for their information and asked you to include their conviction history again. Since their last request, the only new information you have collected covers a call to your complaint department.

You consider the amount of time you need to provide all the information, including their conviction history which contains a lot of documents, compared to only providing new information. You decide that it would be excessive to provide all the information, especially because of:

  • the overlap in information;
  • the volume of information in their conviction history; and
  • the time elapsed since the last request.

You refuse to respond to the whole request again, and tell the person that their request is excessive. However, you do provide them with the new information that you have collected since their last request.

What should we do if we refuse to comply with a request?

If you refuse to comply with a request, you must inform the person of:

As mentioned above, if you believe a request is manifestly unfounded or excessive you must be able to demonstrate this to the person and, if asked, to the ICO.

When can you charge a fee?

You could charge a reasonable fee if you decide that a request is manifestly unfounded or excessive, but you choose to respond to it. However, you are not required to charge a fee, and you can still refuse to deal with the request (on the grounds that it is unreasonable or excessive). This is the case even if the person tells you they are willing to pay a fee.

If you decide to charge a fee, you must notify the requester and explain why. You do not need to take further action in response to the request until you receive the fee. The time limit for responding to the request begins once you have received the fee. You should request the fee as soon as possible and, at the latest, within one month of receiving the request. You should not unnecessarily delay requesting it until you are nearing the end of the one month time limit. If you decide on a reasonable fee, you must be able to justify the cost, in case the requester makes a complaint to the ICO.

Section 53(4) allows for the Secretary of State to specify limits on the fees that organisations may charge to deal with a manifestly unfounded or excessive request by way of regulations. However, at present there are no regulations in place. As such, it is your responsibility as an organisation to ensure that you charge a reasonable rate.

For further guidance on the factors that you should consider when determining a reasonable fee and how you should respond to a request when you are charging a fee, you should follow our UK GDPR right of access guidance – ‘Can we charge a fee?’.

Example

An accused person repeatedly makes SARs for a file containing personal information about their arrest. You have given them the same file before, and you have not collected any more information since their initial request. The request is excessive, but you decide to respond to the request because you think they may have lost the file.

You tell the person you are charging them a fee for this information, based on administration costs. Once you receive the fee, you provide the information within one calendar month.

Accountability and governance

You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and privacy by design, are legally required in certain circumstances that pose a risk to the rights and freedoms of individuals.

Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many will already have good governance measures in place.

What is the accountability principle?

Part 3, Chapter 2 of the Act requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility as data controller.

How can we demonstrate that we comply?

You must implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.

In addition, you must:

Such measures could include: 

Documentation

At a glance

In brief

What do I need to record?

You must maintain internal records of processing activities including:

If a processor is acting on your behalf, the processor must also maintain a record of the processing activities they are carrying out, including:

You and any associated processor may be required to make these records available to the Information Commissioner on request.


Logging

At a glance

If you operate automated processing systems (any IT database), you must keep logs for at least the following processing actions:

In brief

What is the purpose of logging?

It is to enable you to monitor and audit internal processing within any automated processing systems you use, and to know which third parties you have shared data with so that you can inform them of changes to the data should you need to. In addition, logging enables you to monitor systems for inappropriate access and/or disclosure of data, to verify the lawfulness of any processing, and to ensure the integrity and security of personal data. 

Example

If an officer or member of police staff is suspected of inappropriately accessing the Police National Computer to check on a neighbour, family member or friend, the logging should show what was available to them at the time, which will assist with any potential internal investigations.

The law enforcement provisions do not include a definition of ‘automated processing system’. However, it is interpreted to mean any system that undertakes processing by automated means, and is likely to involve human interaction (for example, input of or access to data) at some point.

If you operate automated processing systems (any IT database), you must keep logs for at least the following processing actions:

It is important that you do not record the data itself in your logs of erasure, as there is no need to retain a duplicate record of what you have erased. The requirement is to produce metadata which displays, for example, what a specific person on a specific date erased. The ‘what’ does not have to detail the content of the record/information that has been deleted – it can simply record that record X was updated by a specific individual.

Logs must also record, where possible, the identity of the person who accessed (consulted) the data, the reason for the access, and the date and time of any associated action. You should also record the identity of any recipients, in cases of disclosure – this is particularly important as you will need to inform the recipients if you delete, amend or restrict the processing of this data following a request from the individual.

There are however limitations to what you can use logs for. Any logs that you keep for the above processing actions may only be used for one or more of the following purposes:

You (and any associated processor) may be required to make these records available to the Information Commissioner upon request.
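The logging requirements above (identity of the person acting, reason, date and time, recipients on disclosure, metadata rather than content for erasures, and purpose-limited use of the log itself) translate directly into the shape of an audit-log record. The following is an added illustration, not code from the ICO or from any police system: a small Python audit log that enforces those rules. The set of action names, the purpose names, and all record ids, actor names and timestamps are constructed placeholders.

```python
"""Metadata-only audit log for an automated processing system.

Constructed example: records WHO did WHAT to WHICH record, WHEN and WHY,
plus recipients for disclosures, without ever storing the record's content.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Set, Tuple

# Processing actions logged in this example. Assumed set drawn from the actions the
# guidance discusses (access/consultation, update/alteration, disclosure, erasure).
LOGGED_ACTIONS = frozenset({"consultation", "alteration", "disclosure", "erasure"})

# Purposes for which the log itself may be read. Assumed names, modelled on the
# purpose limitation the guidance describes for use of the logs.
LOG_READ_PURPOSES = frozenset(
    {"verify_lawfulness", "self_monitoring", "integrity_and_security", "criminal_proceedings"}
)


@dataclass(frozen=True)
class LogEntry:
    """One processing action. Metadata only: the record is referenced by id, never copied."""
    action: str
    record_id: str                     # e.g. "REC-1001": identifies record X, not its contents
    actor: str                         # identity of the person (or service account) acting
    reason: str                        # justification given at the time of the action
    timestamp: datetime                # UTC time of the action
    recipients: Tuple[str, ...] = ()   # populated only for disclosures


class AuditLog:
    def __init__(self) -> None:
        self._entries: List[LogEntry] = []

    def record(self, action: str, record_id: str, actor: str, reason: str,
               recipients: Iterable[str] = (), when: Optional[datetime] = None) -> LogEntry:
        """Append an entry, enforcing the shape the guidance asks for."""
        if action not in LOGGED_ACTIONS:
            raise ValueError(f"unsupported action: {action}")
        if not reason.strip():
            raise ValueError("a reason for the action must be recorded")
        recipients = tuple(recipients)
        if action == "disclosure" and not recipients:
            raise ValueError("a disclosure must name its recipients")
        if action != "disclosure" and recipients:
            raise ValueError("recipients are only recorded for disclosures")
        entry = LogEntry(action, record_id, actor, reason,
                         when or datetime.now(timezone.utc), recipients)
        self._entries.append(entry)
        return entry

    def read(self, purpose: str) -> List[LogEntry]:
        """The log is purpose-limited: refuse reads for any other purpose."""
        if purpose not in LOG_READ_PURPOSES:
            raise PermissionError(f"log may not be used for purpose: {purpose}")
        return list(self._entries)

    def recipients_to_notify(self, record_id: str) -> Set[str]:
        """Everyone given this record, who must be told if it is later amended, restricted or erased."""
        return {r for e in self._entries
                if e.action == "disclosure" and e.record_id == record_id
                for r in e.recipients}

    def consultations_by(self, actor: str, start: Optional[datetime] = None,
                         end: Optional[datetime] = None) -> List[LogEntry]:
        """What a given person looked at (optionally within a window), for an internal access investigation."""
        return [e for e in self._entries
                if e.action == "consultation" and e.actor == actor
                and (start is None or e.timestamp >= start)
                and (end is None or e.timestamp <= end)]


def build_sample_log() -> AuditLog:
    """Constructed sample activity; record ids, actor names and times are placeholders."""
    log = AuditLog()
    t0 = datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.record("consultation", "REC-1001", "officer_a", "case ref CASE-42 enquiry", when=t0)
    log.record("disclosure", "REC-1001", "officer_a", "partner agency request",
               recipients=["agency_x"], when=t0.replace(hour=10))
    log.record("consultation", "REC-2002", "officer_b", "no case reference given",
               when=t0.replace(hour=11))
    log.record("disclosure", "REC-1001", "officer_c", "court bundle",
               recipients=["prosecutor_y"], when=t0.replace(hour=12))
    # An erasure logs the record id only; the erased content is never written to the log.
    log.record("erasure", "REC-1001", "officer_c", "retention period expired",
               when=t0.replace(hour=13))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(sorted(sample.recipients_to_notify("REC-1001")))  # ['agency_x', 'prosecutor_y']
```

The two query methods correspond to the two uses the guidance singles out: `recipients_to_notify` answers "who do we have to tell" after a rectification, restriction or erasure request, and `consultations_by` supports an internal investigation into suspected inappropriate access. In a real deployment the log store itself should be append-only and its readers subject to the same purpose check that `read` applies here.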


Categorisation of individuals

At a glance

When processing personal data for any of the law enforcement purposes, you must provide, where relevant and as far as possible, a clear distinction between different categories of personal data, such as people who are:

In brief

Under the fourth principle, you must ensure that any personal data you process for law enforcement purposes is accurate and, where necessary, up to date.

In all areas of policing and criminal justice, it is highly likely that any processing of personal data will involve different categories of data subject. When processing personal data for any of the law enforcement purposes, you must provide, where relevant and as far as possible, a clear distinction between different categories of personal data, such as people who are:

There may be instances where an individual falls under more than one of these categories. For example, an individual may be both a victim and a witness in a certain case, or indeed an offender in one case and a victim or witness in another. You will therefore be required, where relevant and as far as possible, to have processes and procedures in place to distinguish between such categories.

Example

If a competent authority obtains a large dataset as part of an investigation, the authority only needs to categorise the personal data that is relevant to the investigation. In practice, this will be data that has operational value to a criminal investigation, rather than any other collateral data that they have also acquired. 

The competent authority will only categorise the information under Part 3 where relevant to the investigation, and any other unused data will fall under the general provisions of the UK GDPR/Part 2 of the Act.

It is important to note that any unused personal data is also subject to strict retention periods.

You must also distinguish, so far as possible, any personal data based on facts from personal data based on personal assessment. In essence, this is the ability to distinguish between fact and opinion.  

For example, statements by victims and witnesses containing personal data are based on the subjective perceptions of the person making the statement. These statements are not always verifiable and are subject to challenge during the legal process. In such cases, the requirement for accuracy does not apply to the content of the statement but simply that a specific statement has been made.

The requirement to keep personal data up to date must also be viewed in this context. If an individual’s conviction is overturned on appeal, police must amend their records. However, they will not retrospectively alter a witness statement even if the court has found it to be unreliable.

Data protection by design and by default

At a glance

In brief

What is data protection by design?

Under the UK GDPR and Part 3 of the Act, you have a general obligation to implement appropriate technical and organisational measures to show that you have considered and integrated the principles of data protection into your processing activities.

If you are processing personal data for law enforcement purposes, you must implement these measures by default, to ensure that you only process personal data for a specified and necessary purpose.

In particular, you must ensure that by default, you put safeguards in place to prevent personal data being made available to an indefinite number of people without an individual’s intervention.

Example

An authority responsible for courts and tribunals is building new IT systems for storing or accessing personal data. Prior to any live use, the authority is required to review its privacy and data protection compliance and perceived risks from the start of the project, rather than adding on such considerations at the end. This process could involve undertaking a Data Protection Impact Assessment (DPIA).


Data protection impact assessments

At a glance

In brief

What is a data protection impact assessment?

Data protection impact assessments or DPIAs (previously known as privacy impact assessments or PIAs) are a tool that can help you identify the most effective way to comply with your data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow you to identify and fix problems at an early stage, reducing the associated costs and damage to your reputation which might otherwise occur.

When do we need to conduct a DPIA?

You must carry out a DPIA before you process personal data when the processing is likely to result in a high risk to the rights and freedoms of individuals.

Processing that is likely to result in a high risk includes (but is not limited to):

You must take into account the nature, scope, context and purposes of the processing when deciding whether or not it is likely to result in a high risk to individuals’ rights and freedoms.

How do we carry out a DPIA?

A DPIA must contain:

When do we need to send our DPIA to the ICO?

If you have carried out a DPIA that identifies a high risk, and you cannot take any measures to reduce this risk, you need to consult the ICO. You cannot go ahead with the processing until you have done so.

The focus is on the ‘residual risk’ after any mitigating measures have been taken. If your DPIA identified a high risk, but you have taken measures to reduce this risk so that it is no longer a high risk, you do not need to consult the ICO.

The Information Commissioner will respond within six weeks. This timescale may increase by a further month, depending on the complexity of the processing you intend to carry out.

For detail on how to submit a DPIA to the ICO, please see ‘Do we need to consult the ICO?’.

Example

A police force is considering using a commercially available drone system for surveillance purposes. By conducting a DPIA prior to any purchase of the equipment or processing taking place, the force can establish whether or not the equipment offers adequate security for the recording, and if the use of the system is proportionate or poses a high risk to the rights and freedoms of any individuals. 

If they discover high risks after conducting a DPIA, and cannot easily mitigate any residual risk, the police force should consider consulting with the Information Commissioner for further guidance or approval.

Data protection officers

At a glance

In brief

When do we need to appoint a data protection officer for Law Enforcement processing?

Under Part 3 of the Act, you must appoint a data protection officer (DPO) unless you are a court, or other judicial authority, acting in a judicial capacity.

You may appoint a single data protection officer to act for a group of controllers, taking into account their structure and size.

Regardless of whether the UK GDPR or Part 3 of the Act obliges you to appoint a DPO, you must ensure that relevant staff have sufficient skills and expertise to discharge your obligations.

What are the tasks of the DPO?

The DPO’s minimum tasks are defined in Part 3, Chapter 4 of the Act:

What does Part 3 of the Act say about employer duties?

You must ensure that:

Can we allocate the role of DPO to an existing employee?

Yes. As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests.

You can also contract out the role of DPO externally.

Does the DPO need specific qualifications?

Neither the UK GDPR nor Part 3 of the Act specifies the precise credentials a data protection officer is expected to have.

It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing you carry out, taking into consideration the level of protection the personal data requires.

Personal data breaches

At a glance

In brief

What is a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

What breaches do we need to notify the ICO?

You only have to notify the ICO of a breach if it is likely to result in a risk to the rights and freedoms of individuals. If left unaddressed such a breach is likely to have a significant detrimental effect on individuals. For example:

In more serious cases, for example those involving victims and witnesses, a personal data breach may cause more significant detrimental effects on individuals.

You have to assess this on a case-by-case basis, and you need to be able to justify your decision to report a breach to the Information Commissioner.

What information must a breach notification to the Information Commissioner contain?

You must include:

When do we have to tell individuals about a breach?

If a breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform those concerned directly without undue delay.

A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO.

The duty to tell an individual about a breach does not apply if:

Where a communication of a breach would involve disproportionate effort, you must make the information available to individuals in another, equally effective way, such as a public communication.

You may restrict the information, either wholly or partly, that you provide to individuals affected by a breach under certain circumstances. This is when doing so is a necessary and proportionate measure:

What information should we tell individuals who have been affected by the breach?

You must give individuals information including:

How do we notify a breach?

You have to report a notifiable breach to the ICO without undue delay and within 72 hours of when you became aware of it. Part 3 of the DPA 2018 recognises that it will often be impossible for you to investigate a breach fully within that time-period and allows you to provide information in phases. If you cannot provide all the information required above within 72 hours, you must also explain reasons for the delay in your breach notification.

If the breach is sufficiently serious to warrant notification to the public, you must do so without undue delay.

Failing to notify a breach when required to do so can result in a significant fine up to £8.7m or 2 per cent of your global turnover.

To notify the ICO of a personal data breach, please see our pages on reporting a breach.

What should we do to prepare for breach reporting?

You should make sure that your staff understand what constitutes a personal data breach, and that this is more than a loss of personal data.

You should ensure that you have an internal breach reporting procedure in place. This will help decision-making about whether you need to notify the Information Commissioner or the affected individuals.

In light of the tight timescales for reporting a breach, it is important to have robust breach detection, containment, management and mitigation policies and procedures in place.


National security provisions

At a glance

Checklist for using the national security provisions

We are a competent authority processing for law enforcement purposes.

Our processing is fair and lawful, and we comply with the data protection principles.

We comply with the data protection rights and obligations wherever possible, unless a restriction or limitation is necessary and proportionate to protect national security.

We have considered the rights and legitimate interests of the individual, and have concluded that applying the national security provisions is a necessary and proportionate measure in the circumstances.

We can point to a link between giving full effect to individuals’ rights, or fully complying with our personal data breach obligations, and a potential adverse effect on national security.

We have considered whether a national security certificate is applicable in the circumstances.

We do not apply the national security provisions in a blanket manner, but only to the extent required to protect national security.

We have considered whether we can inform the individual of the use of the provision, or whether this would itself undermine national security.

We have recorded the use of the provision and can demonstrate its necessity and proportionality in light of the individual’s rights and legitimate interests.

In brief

Does this guidance apply to us?

This guidance applies to you if you are a competent authority processing for law enforcement purposes related to national security.

The rules governing law enforcement processing are set out in Part 3 of the DPA 2018.

If you are a competent authority processing data for a non-law enforcement purpose (eg for national security purposes only), the UK GDPR will apply to this processing. You should refer to our Guide to the UK GDPR.

If you are not a competent authority, and are processing personal data under the UK GDPR, different provisions apply. You should read our Guide to the UK GDPR.

The intelligence services themselves (or processors acting on their behalf) are covered by a separate regime. For more information, see our Guide to Intelligence Services Processing.

Further reading – ICO guidance

About the DPA 2018

What are the national security provisions?

The rights that individuals have when their data is being processed for law enforcement purposes are set out in sections 44 to 49 of the DPA 2018.

Some of these rights may be limited or restricted in certain circumstances. These circumstances are laid out in the provisions which set out the right. One of these circumstances is when restricting the right is necessary and proportionate to protect national security.

Section 68 sets out your obligations as a controller to inform individuals of a personal data breach which would be likely to result in a risk to their rights and freedoms. This obligation can be limited under certain circumstances. One of these circumstances is when limiting the information you provide is necessary and proportionate to protect national security.

For ease of reference, these restrictions and limitations are referred to in this guidance as the national security provisions.

You must still comply with the data protection principles, and with your accountability and governance obligations.

Further reading – ICO guidance

Principles
Accountability and governance

What does national security cover?

National security is not specifically defined and can be interpreted in a flexible way to adapt to changing threats. Thirty years ago, it would have been difficult or even impossible to predict the threats that developments in computer and communications technology could give rise to, or how such developments could be exploited by terrorists or hostile states. It is generally understood to cover the security and well-being of the UK as a whole, its population, and its institutions and system of government. For example, it can cover:

What are the effects of the national security provisions?

The provisions may permit you to restrict some of the data protection rights of individuals. The effects vary depending on the different rights. But in each instance, you can only apply the provision where this is a necessary and proportionate measure to protect national security.

Under the right to be informed, individuals have the right to be given privacy information about the collection and use of their personal data. You may be able to withhold some of this information, where this is necessary and proportionate to protect national security. Specifically, you may be able to withhold information about:

You should provide as much of this information as you can, and only restrict the information where necessary and proportionate to protect national security.

Under the right of access, you may be able to withhold confirmation that you are processing personal data about a particular individual, and refuse to provide access to the data. Again, you should provide access to as much of the data as you can, and only withhold data where necessary and proportionate to protect national security.

Under the rights to rectification, erasure and the restriction of processing you would normally have to inform an individual exercising these rights whether you had refused their rights. However, you may be able to avoid informing them of this, to the extent that this is a necessary and proportionate measure to protect national security.

When dealing with a personal data breach, you would normally have to notify individuals who may be affected, if the breach is likely to result in a high risk to their rights and freedoms. However, you may be able to withhold this notification, where necessary and proportionate to protect national security.

When are the national security provisions likely to apply?

You can rely on the national security provisions to restrict individuals’ rights or limit your personal data breach obligations, if you can show that doing so is a necessary and proportionate measure to protect national security. This is linked to human rights standards, which mean that any interference with privacy rights must be necessary and proportionate in a democratic society to meet a pressing social need.

Although you are permitted to apply the national security provisions, where necessary and proportionate, you cannot do this in a blanket manner. Instead you need to consider applying the national security provisions on a case-by-case basis. In particular, it’s not enough simply that the processing is related to national security. You must consider the actual consequences to national security if you had to provide the relevant information to the individual. If you can reasonably provide that information without affecting national security, you must do so (subject, of course, to any other restrictions that might apply in the specific circumstances).

When you consider whether to rely on a provision to withhold information, you must also consider whether you should withhold it “wholly or partly”. In practice, this means that you must try and provide as much information to individuals as possible, and only withhold what is necessary to protect national security. So, if you can provide some information without posing any significant risk to national security, you must do so.

You don’t need to show that providing the information would lead to a direct or immediate harm or threat. It is enough to show that there is a real possibility of an adverse effect on national security in a broader sense. For example, in freedom of information cases, courts have recognised that terrorists can be highly motivated. There may therefore be grounds for withholding seemingly harmless information on the basis that it may assist terrorists when pieced together with other information.

So, before withholding information you must first consider the fundamental rights and legitimate interests of the individual, and how these may be affected.

You must then consider whether withholding the information is a necessary and proportionate measure to protect national security. Keep in mind that there may be circumstances where the adverse effect on an individual could outweigh any trivial, or hypothetical risk to national security.

You must disclose it if, having considered this, you conclude that withholding the information is not necessary or proportionate.

If you decide to apply a national security provision, you should be able to make a reasoned and convincing argument about why this was necessary and proportionate. We may ask you for these arguments if we have received a complaint. You may base these on hypothetical scenarios, as long as they are realistic and credible.

For example, you may need to limit your response to a request under the right of access. You may apply a national security provision in order to provide a consistent “neither confirm nor deny” (NCND) response about whether you process data for national security purposes. This may be necessary even in a case where there is no direct impact on national security, so that nothing can be inferred in other cases which might have more of an impact on national security.

You can apply this type of NCND response as a general policy. However, you should be able to make a reasoned argument about its use and demonstrate it to the ICO if required. You should still consider whether there are any special circumstances which mean you don’t need to rely on the general NCND policy in a particular case.

The following example illustrates the process that a competent authority might go through to consider the application of the national security provisions. Although in practice you might consider the application of other restrictions first, this example shows how the process might work and how you may take NCND considerations into account.

Example

A police force receives a subject access request from an individual who is a subject of a covert counter-terrorism investigation. The police can apply a national security provision to restrict the individual’s access to their personal data if this would risk harm to the investigation, for example by tipping off the individual about the investigation, or by providing them with an opportunity to evade or frustrate it.

Before applying the provision, the police need to consider whether the individual’s rights or legitimate interests would be adversely affected. The individual’s right of access would clearly be adversely affected. The police need to consider whether restricting the individual’s right to access their personal data is a necessary and proportionate measure in light of the purpose for which they are restricting the rights, and the importance of the investigation in protecting national security.

The police do not have to inform the individual that their rights have been restricted, or the reasons for the restriction, if doing so would harm the investigation and pose a risk to national security. The police still need to inform the individual in general terms of their right to complain to the ICO or to apply to a court.

Once the investigation is complete, the police do not have to revisit the original subject access request, but if they receive a new request, they have to consider whether the restriction is still necessary, for example to protect confidential sources or other associated investigations. They also need to consider whether the restriction could be fully or partially removed.

Further reading – ICO guidance

The courts have considered a very similar exemption in the context of freedom of information requests. For more information, see our guidance on the FOI exemption for safeguarding national security.

What should we do if we restrict individuals’ rights?

If you have restricted an individual’s rights, you should normally inform them about:

However, you may not have to inform individuals about the restriction and the reasons for it, if providing this information would itself undermine the purpose of the restriction.

Instead, you may consider issuing a more non-committal response. However, you should still provide anything which does not undermine the restriction. Wherever possible, also provide them with some information about their rights, in general terms. So, if you have refused to comply with an individual’s request, you must still tell them about their right to complain to the ICO, or to apply to a court.

Individuals have the right to ask the ICO to check that any such refusal or restriction was lawful. This does not mean that the individual is able to circumvent the restriction and exercise their rights through the ICO instead. In many cases, we may be unable to be very specific about our findings because that might in itself reveal information which would prejudice the purposes the exemptions are designed to protect.

You need to record the restriction, and your reasons for applying it, so that you can show the ICO your reasons, if requested. You need to be able to show that you have applied the restriction only as far as necessary. Remember that you can apply the restriction wholly or partly to the right, and you should avoid applying it wholly unless that is necessary for protecting national security.

What is a ministerial certificate?

Section 79 of the DPA says that certain Ministers of the Crown (specifically, a member of the Cabinet, the Attorney General or the Advocate General for Scotland) can sign a certificate which is conclusive evidence that the restriction is a necessary and proportionate measure to protect national security.

It is important to remember that a certificate is not required in order for you to rely on the national security provisions. In fact, in most cases you will determine for yourself whether a restriction or limitation is required to safeguard national security (ie the application of a national security provision).

The provisions and the ministerial certificate do different things. The provisions, as detailed above, are always available and you may properly apply them to safeguard national security, with or without a ministerial certificate. Ministerial certificates are meant to give greater legal certainty that national security is applicable for specified data processing. This is because certificates certify that a restriction is a necessary and proportionate measure to protect national security.

In this context, a ministerial certificate is admissible as conclusive evidence that a restriction of an individual’s rights or a limitation on a controller’s obligations is necessary to protect national security.

These certificates can apply in advance, or they can be issued retrospectively for a restriction applied by a competent authority. The ICO publishes some details of all national security certificates which have been issued, including the text of the certificate where possible. However, there may be some cases where the text of the certificate is sensitive and cannot be published. In these cases, we publish the fact that a certificate was issued, the date it was signed, and which minister signed it.

If a relevant certificate is in place, you can rely on it to demonstrate that the restriction is necessary and proportionate. However, you should always consider whether you need to apply a restriction, or rely on any associated certificate, in a particular case. Individuals may challenge inappropriate reliance on a ministerial certificate in the Tribunal.

If you consider that a certificate is required, you can apply to a Minister of the Crown to issue a national security certificate under section 79. Details of the process for doing this are on the Home Office website, and linked to from the National Security Certificate page of the ICO website.

Individuals directly affected by a certificate can appeal against it to the Upper Tribunal. The certificate may be quashed if the Tribunal considers that the Minister did not have reasonable grounds for issuing it.

Individuals may also appeal to the Tribunal on the basis that the restriction the competent authority is relying on does not fall within the general description in the certificate.

For more information on ministerial certificates, see the Guide to Intelligence Services Processing.


Penalties

At a glance

In brief

What penalties can the Information Commissioner issue?

The Information Commissioner has the power to issue a monetary penalty for an infringement of the provisions of Part 3 of the Act – Law Enforcement Processing. Any penalty that we issue is intended to be effective, proportionate and dissuasive, and will be decided on a case-by-case basis.

Under Part 6 of the Act, there are two tiers of penalty for an infringement of Part 3 – the higher maximum and the standard maximum.

What is the higher maximum?

The higher maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles, any rights an individual may have under Part 3 or in relation to any transfers of data to third countries.

What is the standard maximum?

If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.


International transfers

Latest updates - last updated 09 March 2023

09 March 2023 - We have provided clarification about what, in our view, “strictly necessary” means for law enforcement international transfers. This imposes a more exacting standard than ‘necessary’, and in practice calls for a more rigorous justification for why you are processing and transferring the information. This update can be found under point one of the “Can we make a transfer to recipients other than relevant authorities?” section.

At a glance

Checklists

We have checked whether we are a competent authority as defined by Schedule 7 of the DPA 2018.

We have checked that the recipient is a relevant authority.

We have confirmed whether the data was received from another competent authority.

The transfer is necessary for one of the law enforcement purposes.

The transfer is covered by adequacy regulations.

If not, we are satisfied that the data will be subject to appropriate safeguards once transferred, and have notified the ICO about the categories of transfer we make on this basis.

If not, we have identified special circumstances which still require the data to be transferred.

We have taken steps to ensure that the data will not be further transferred elsewhere, and we have ensured that appropriate safeguards and conditions for any such onward transfer are in place, including limits on the extent of these transfers.

If the transfer is to a recipient who is not a relevant authority, we have checked it meets the additional conditions, and we have notified the ICO.

We have documented the transfer.

In brief

What are the general principles for the transfer of personal data?

There are three conditions that you have to meet before you can make a transfer:

However, it is still possible to transfer personal data to a body which is not a relevant authority, if you meet certain additional safeguards. See ‘Can we make a transfer to recipients other than relevant authorities?’

If the data is obtained from a competent authority in another EU member state, then that competent authority has to authorise the transfer, except if:

In such cases you must inform the relevant competent authority which would have been responsible for authorising the transfer without delay.

Is the transfer covered by an adequacy decision?

You may transfer personal data if the transfer is covered by UK adequacy regulations.

Adequacy regulations confirm that a particular third country (or a specified territory or sector in a third country) or international organisation has an adequate data protection regime to protect personal data. This is sometimes referred to as an ‘adequacy decision’.

There are adequacy regulations in place to cover transfers to:

The ICO’s role in assisting the Home Office with this work is set out in a Memorandum of Understanding between the two authorities. Any future adequacy regulations will be finalised in accordance with this Memorandum and issued by the UK Government.

Can we make a transfer subject to appropriate safeguards?

If there is no ‘adequacy decision’ about the country, territory or sector for your restricted transfer, you may still make the transfer on the basis that other appropriate safeguards exist to ensure that individuals’ rights are enforceable and effective legal remedies are available following the transfer.

Appropriate safeguards may be provided for by:

You must document the transfer, and provide this documentation to the Information Commissioner on request. You must record:

You must ensure that any personal data you have transferred is not further transferred to another third country without authorisation from you or from another UK competent authority. Such authorisation may only be given where the onward transfer is necessary for any of the law enforcement purposes.

Are there any special circumstances? 

Sometimes, you may need to transfer personal data when there is neither a finding of adequacy, nor appropriate safeguards in place. This can only take place in certain, specified circumstances, referred to as the ‘special circumstances’. These are listed in the DPA 2018 as the five circumstances where the transfer is necessary:


  1. To protect the vital interests of the data subject or another person;
  2. To safeguard the legitimate interests of the data subject;
  3. For the prevention of an immediate and serious threat to the public security of a third country;
  4. In individual cases for any of the law enforcement purposes; or
  5. In individual cases for a legal purpose.

There are a few things to keep in mind.

You need to document the transfer, and provide those records to the Information Commissioner on request. You must record:

These are the same details that you are required to record for transfers on the basis of appropriate safeguards.

Items 4 and 5 of the special circumstances provide for a degree of flexibility, but in those cases it is necessary for you to specifically consider the rights and freedoms of the individual whose data you are transferring. If those rights and freedoms override any public interest in the transfer, then the transfer cannot take place on the basis of special circumstances. Items 4 and 5 are case-specific and this safeguard is there to make sure that the individual’s interests remain at the heart of matters. In such cases, if the transfer is still necessary, you will need to apply another lawful basis for the transfer.

A transfer is deemed to be necessary under item 5: 

In each case, the circumstances must link directly back to any of the law enforcement purposes to which Part 3 of the Act relates.

Can we make a transfer to recipients other than relevant authorities?

For the most part, it is expected that transfers will take place between ‘relevant authorities’ or relevant international organisations, ie any (legal) person in the third country (or operating internationally) who has functions comparable to those of a ‘competent authority’ for the purposes of Part 3 of the DPA 2018.

Sometimes, however, you may need to transfer personal data to a recipient that is not a relevant authority. Before you can do this, you must meet all four of these additional conditions:

  1. The transfer is strictly necessary in a specific case, for the performance of a task by the transferring controller, as provided by law for any of the law enforcement purposes.

In item 1, ‘strictly necessary’, as required in some sections of Part 3 DPA 2018, imposes a more exacting standard than ‘necessary’, and in practice calls for a more rigorous justification for why you are processing the information.

Further, the transfer must be for the performance of a task for which you have a lawful purpose under the law enforcement provisions of Part 3 of the DPA 2018.

  2. The fundamental rights and freedoms of the data subject do not override the public interest concerning the transfer.

Item 2 means that the rights and freedoms of the data subject can override any public interest in the transfer. So if the rights and freedoms of the data subject in not having their data transferred to the intended recipient are of equal or greater importance than the public interest in transferring the data, the transfer shall not take place.

  3. The transferring controller considers that the transfer to a relevant authority in the third country would be ineffective, or inappropriate.

Item 3 means that, where possible, transfers to a third country should be made to a relevant authority in that country, and it is only where transferring the data to such a relevant authority would be ineffective or inappropriate that a transfer to another recipient should be contemplated. A transfer may be ineffective, for example, if it is time-critical and the relevant authority would be unable to act on it in sufficient time. A transfer may be inappropriate if transferring to the relevant authority might prejudice the purposes of the transfer, for example if the data relate to allegations of corruption or impropriety in the relevant authority and there is a risk that the transfer may tip off relevant personnel within that authority that an investigation is underway.

Where you have transferred data to a body other than a relevant authority, you must inform the relevant authority in that country of the transfer, unless, as above, that would be ineffective or inappropriate.

  4. The transferring controller sets out the specific purposes for which the data may be processed by the intended recipient and informs them of these.

You need to document the transfer, and you also need to notify the Information Commissioner about the transfer. This is different to other types of transfers, where you record the details but only have to provide them to the Commissioner on request.


What happens to subsequent transfers?

It is important that control of personal data is not lost once you have transferred it. It is vital that the rights and freedoms of individuals are still uppermost. Therefore, if the data you transferred is to be subsequently transferred elsewhere, it is important that those rights and freedoms continue to follow the data. For this reason, there are certain provisions that you must observe before any subsequent transfer can take place.

Firstly, you must make it a condition of the transfer that any subsequent transfer must be authorised by you, or another competent authority. It would be sensible to have agreements in place with any other competent authorities who you may consider allowing to make such an authorisation. 

Secondly, any authorisation can only be for a transfer which is necessary for any of the law enforcement purposes, and you must give consideration to:

If you originally received the data from a competent authority in an EU member state, that competent authority must first authorise the transfer before you in turn can authorise it. This creates a chain of accountability, linking back to the original competent authority which first held the data, which ensures that the original competent authority retains a measure of control and influence over any processing of that data.

The only exception is if the transfer is necessary for the prevention of an immediate and serious threat to the public security of a third country, or to the essential interests of an EU member state (note, not the essential interests of any third country) and you cannot obtain authorisation from the originating competent authority in good time. If that happens, then you should inform the originating competent authority without delay.