At a glance
- The six law enforcement principles under Part 3, Chapter 2 of the Act are the main responsibilities you should follow when processing personal data for law enforcement purposes.
- The principles are broadly the same as those in the GDPR, and are compatible so you can manage processing across the two regimes.
- There are no principles relating to individuals’ rights or overseas transfers of personal data - these are addressed in the Act separately.
- Transparency requirements are not as strict, due to the potential to prejudice an ongoing investigation in certain circumstances.
- You must be able to demonstrate overall compliance with all of the law enforcement principles.
What are the principles?
The first data protection principle
Processing of personal data for any of the law enforcement purposes must be lawful and fair.
The second data protection principle
The law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and;
The third data protection principle
Personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.
The fourth data protection principle
Personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date, and;
Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay.
The fifth data protection principle
Personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed. Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes.
The sixth data protection principle
Personal data processed for any of the law enforcement purposes must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).
What is the first principle about?
Fairness and lawfulness are well established requirements of data protection law. You need to be aware that any processing you carry out for the law enforcement purposes must be necessary. In practice, the lawful basis would either be necessary for the performance of a task carried out for law enforcement purposes by a competent authority, or based on consent. There may be circumstances where you obtain consent from the individual whose data you are processing, although this may only be appropriate in certain circumstances in the context of law enforcement.
Many of the lawful basis for processing depend on the processing being necessary. This does not mean that processing always has to be essential. However, it must be a targeted and proportionate way of achieving the purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means.
It is not enough to argue that processing is necessary because you have chosen to operate your business in a particular way. The question is whether the processing is a necessary for the stated purpose.
In terms of consent, this aligns with GDPR and it must be unambiguous and involve a clear affirmative action. Further guidance on consent can be found in the Guide to the GDPR.
‘Fairness’ generally requires you to be, where appropriate, clear and open with individuals about how you use their information, in keeping with their reasonable expectations.
‘Lawful’ processing means authorised by either statute, common law or royal prerogative, or by or under any other rule of law. It also meets one of the conditions for processing under Data Protection legislation. For example, Part 5 of the Police and Criminal Evidence Act 1984 confers statutory authority for the taking and retention of DNA and fingerprints (this applies to England and Wales). Also, the Domestic Violence Disclosure Scheme relies on the Police’s common law powers to disclose information where it is necessary to do so to prevent crime.
What about sensitive processing?
In the context of law enforcement, the personal data you are processing will often be sensitive. When it is, you must be able to demonstrate that the processing is strictly necessary and satisfy one of the conditions in Schedule 8 or is based on consent. Strictly necessary in this context means that the processing has to relate to a pressing social need, and you cannot reasonably achieve it through less intrusive means. This is a requirement which will not be met if you can achieve the purpose by some other reasonable means.
Sensitive processing is defined in the law enforcement provisions as:
(a) the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
(b) the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;
(c) the processing of data concerning health;
(d) the processing of data concerning an individual’s sex life or sexual orientation.
Genetic data is personal data relating to the inherited or acquired characteristics of a person, eg an analysis of a biological sample.
Biometric data is personal data that is obtained through specific processing relating to physical, physiological or behavioural characteristics of a person. This processing enables you to identify a particular person, eg DNA, fingerprints, and facial recognition.
Given the sensitivity surrounding such processing, you are required to meet at least one of the conditions set out in Schedule 8 of the Act.
What safeguards are required for sensitive processing?
If you are carrying out sensitive processing based on the consent of a data subject, or based on another specific condition in Schedule 8 of the Act, you must have an appropriate policy document in place.
The appropriate policy must explain:
- your procedures for complying with the data protection principles when relying on a condition from Schedule 8; and
- your policy for the retention and erasure of personal data for this specific processing.
You must retain this policy from the time you begin sensitive processing until six months after it has ended. You must review and update it where appropriate and make it available to the Information Commissioner upon request without charge.
So, to recap, if you are processing sensitive personal data:
- it must be strictly necessary;
- it must satisfy one of the conditions in Schedule 8;
- you need a policy document in place to demonstrate compliance, safeguards and processes.
What is the second principle about?
The second principle is about maintaining the purpose for processing personal data. Specific requirements about the purpose being specified, explicit and legitimate are introduced, meaning that any processing under Part 3 of the Act must be for the defined law enforcement purposes. You cannot process for a purpose that is incompatible with the original reason and justification for processing.
For example, the Crown Prosecution Service could process personal data in connection with the prosecution of a criminal offence, whereas the Police working alongside the prosecutor would only be processing the personal data in connection with the investigation of the offence.
What are principles three, four and five about?
The third principle requires that the personal data you are holding is adequate and limited to what is necessary for the purpose(s) you are processing it.
The fourth data protection principle is about accuracy. It sets out that you should take every reasonable step to correct inaccurate data. In addition, as far as possible, you need to be able to distinguish between personal data that is based on factual data and that which is based on a matter of opinion or assessment, such as a witness statement.
A new requirement is that again, where relevant, and as far as possible, you need to be able to distinguish data between different categories of individuals, such as suspects; individuals who have been convicted; victims and witnesses. You only categorise information under Part 3 that is relevant to your investigation, and other unused data falls under the general provisions of GDPR and Part 2 of the Act.
The fifth principle requires that you do not keep personal data for longer than is necessary for the purpose you originally collected it for. No specific time periods are given but you need to conduct regular reviews to ensure that you are not storing for longer than necessary for the law enforcement purposes.
What is the sixth principle about?
The sixth principle requires you to have technical and organisational measures in place to ensure that you protect data with an appropriate level of security. This is the same as under GDPR and Part 2 of the Act.
‘Appropriate security’ includes ‘protection against unauthorised or unlawful processing and against accidental loss, destruction or damage’.
Relevant provisions in the Act
See sections 34 to 42, Chapter 2