At a glance

  • Part 3 only applies to competent authorities (or their processors) processing for criminal law enforcement purposes.
  • Processing for other general purposes such as HR will fall under the general processing regime in part 2 of the DPA 2018.
  • It applies to processing of personal data, which is information about identifiable living individuals.
  • Controllers determine how and why the data is processed. Processors process data on their behalf, but may share some accountability for the processing.
  • There are additional rules which apply to ‘sensitive processing’ of some specified types of particularly sensitive data.

In brief

Who does Part 3 apply to?

Part 3 only applies to competent authorities processing for law enforcement purposes. So it applies to, but is not limited to:

  • the police, criminal courts, prisons, non-policing law enforcement; and
  • any other body that has statutory functions to exercise public authority or public powers for any of the law enforcement purposes.

The appropriate regime is based on the law that applies to the controller. So if you are a processor carrying out a law enforcement function on behalf of a competent authority, you will also be processing under this law enforcement processing regime.

Any processing carried out by a competent authority which is not for the primary purpose of law enforcement will be covered by the general processing regime under the UK GDPR (read with Part 2 of the DPA 2018).

If you are a competent authority it is very likely that you are also processing personal data under the general processing regime. For example, this may include internal HR processes and procedures, as that processing isn’t strictly for law enforcement purposes.

Identifying the correct regime is important as there are many key differences between the general processing regime and Part 3 of the DPA 2018, including differences on individuals’ rights, lawful basis for processing and governance.

What is a ‘competent authority’?

A competent authority means:

  • a person specified in Schedule 7 of the DPA 2018; or
  • any other person if, and to the extent that, they have statutory functions to exercise public authority or public powers for the law enforcement purposes.

You need to check whether you are listed as a competent authority in Schedule 7 of the DPA 2018.

If you are not listed in Schedule 7, you may still be a competent authority if you have a legal power to process personal data for law enforcement purposes. For example, this includes local authorities that prosecute trading standards offences, or the Environment Agency when it prosecutes environmental offences.

Are we processing for law enforcement purposes?

If you are a competent authority, when you are deciding which regime applies, the key thing to consider is your primary purpose for the processing. This should help you identify whether the processing falls under the UK GDPR rules, or satisfies the criteria of the law enforcement purposes under Part 3 of the DPA 2018.

The law enforcement purposes are defined under section 31 of the DPA 2018 as:

‘The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’

So if you are a competent authority processing for one of those purposes, you should comply with the law enforcement processing regime.

Example

A police officer is called to a disturbance where allegations of assault have been made. The officer attends the scene using their body-worn camera. Witnesses are interviewed and this footage is recorded on the body-worn camera.

The footage is recorded and processed to investigate the crime. So the processing is carried out for the prevention, investigation, detection or prosecution of criminal offences. Part 3 of the DPA 2018 applies.

What if we are processing for other general purposes?

Even if you are a competent authority, in some circumstances you may also process data for general purposes, such as for your own HR purposes. If processing is not for the law enforcement purposes, it will fall into the general processing regime in the UK GDPR read with Part 2 of the DPA 2018, and you should refer to our Guide to the UK GDPR.

Example

A police force want to obtain information from the public about their perception of the force in general. The results will help influence how the force engage with the public. They therefore conduct a survey to capture people’s views.

Personal information is collected about individuals, but the primary purpose of the processing is to gain an insight into their opinions of the force. So the processing is not to prevent and detect crime.

In this case, the relevant regime is the general processing regime, and you should read our Guide to the UK GDPR.

What happens if our purpose changes?

You may begin processing information under one regime, but as circumstances progress and the purpose changes, the processing of the data will come under another regime or take place under both simultaneously.

You may initially be processing data for general administrative purposes, but as the situation changes you may identify elements of criminality. The processing would then come under Part 3 of the DPA 2018. It may be easier to identify a change in regime if the data is passed to a specialist team or department to continue the processing for a specific purpose. For example, a dedicated fraud unit may obtain information originally collected under the general processing regime for the purposes of an investigation under Part 3 of the DPA 2018.

Likewise, in certain circumstances the processing of information by a competent authority may begin under the law enforcement processing regime in Part 3 of the DPA 2018, and as circumstances change, it may switch to the general processing regime. Some information may end up being processed for different purposes and under both regimes.

Any information that is being processed for law enforcement purposes must adhere to the governance requirements of Part 3 of the DPA 2018. These include logging requirements, categorisation and obligations about the principles and rights of individuals.

Example

A police force is dealing with an internal disciplinary matter involving a member of staff. A complaint has been referred to a professional standards department about an officer’s conduct. The complaint is not a criminal matter.

The processing involves the use of data from various internal sources, such as HR. The primary purpose for processing the data is to investigate staff conduct and behaviour, so the data will be processed under the general processing regime.

As the investigation progresses, an element of criminality is discovered. The relevant data is then passed to a specific team. They will process the data to investigate the criminal aspects, so will need to comply with the law enforcement processing regime under Part 3 of the DPA 2018.

The HR department may still be processing some of the data for HR-related matters, and that will still be processed under the general processing regime.

How is personal data defined?

Any information relating to an identified or identifiable living individual. An identifying characteristic could include a name, ID number or location data. You should treat such information as personal data even if it can only be potentially linked to a living individual.

What is a controller?

A controller determines how and why personal data is processed. For the purposes of law enforcement, this will be a competent authority which is acting alone, or jointly with others.

If you are processing jointly with another competent authority, you must designate a specific controller to be the contact point for data subjects.

If you are a processor, you are processing personal data on behalf of the controller for the law enforcement purposes, but you could be sharing some accountability with controllers. This means that you could be liable for breaches. You need to review and revise your contracts to ensure that they reflect your new obligations.

What is sensitive processing?

Sensitive processing is defined in section 35(8) as:

(a) the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;

(b) the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;

(c) the processing of data concerning health;

(d) the processing of data concerning an individual’s sex life or sexual orientation.

Genetic data is personal data relating to the inherited or acquired characteristics of a person, eg an analysis of a biological sample.

Biometric data is personal data that is obtained through specific technical processing relating to physical, physiological or behavioural characteristics of a person. This processing enables you to identify a particular person, eg fingerprint data and facial recognition.

For more information on the rules about sensitive processing, see our guide pages on the principles and conditions for sensitive processing.