This Guide to Law Enforcement processing highlights the key requirements of Part 3 of the Data Protection Act 2018.

This part of the Act transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law. The Directive complements the General Data Protection Regulation (GDPR) and sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’. For international transfers, it also replaces the 2008 Council Framework Decision (2008/977/JHA) on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters.

Although this guide details Part 3 of the Act, you also need to be aware of the wider legal framework, in particular Part 2 of the Act, which covers aspects of the GDPR that allow for national derogations in specific instances. Part 2 also sets out the scope and definitions for general processing under the GDPR.

Any processing of personal data by the Intelligence Services (GCHQ, MI5 and MI6) is covered under Part 4 of the Act. We will publish guidance for this specific area separately in due course.    

It is important to note that this is a living document and may change to reflect any statutory instrument or the ICO’s Policy positions. 

It also includes links to further guidance from the ICO and other relevant reading.

Alongside the Guide to the Law Enforcement Processing, we have produced a 12 step guide to help organisations to prepare: