This Guide to Law Enforcement processing highlights the key requirements of Part 3 of the Data Protection Bill.
This part of the Bill transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law. The Directive complements the General Data Protection Regulation (GDPR) and sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’. For international transfers, it also replaces the 2008 Council Framework Decision (2008/977/JHA) on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters.
Although this guide details Part 3 of the Bill, you also need to be aware of the wider legal framework, in particular Part 2 of the Bill, which covers aspects of the GDPR that allow for national derogations in specific instances. Part 2 also sets out the scope and definitions for general processing under the GDPR.
Any processing of personal data by the Intelligence Services (GCHQ, MI5 and MI6) is covered under Part 4 of the Bill. We will publish guidance for this specific area separately in due course.
It is important to note that this is a living document and may change to reflect any changes to the Bill as it makes its way through Parliament.
It also includes links to further guidance from the ICO and other relevant reading.
Alongside the Guide to the Law Enforcement Processing, we have produced a 12 step guide to help organisations to prepare: