Are we conducting ‘automated processing’ for the purposes of the LE provisions?
The LE provisions have a specific requirement to keep logs of any automated processing of personal data. They do not include a definition of an “automated processing system”; however, the term is interpreted as referring to any system that undertakes processing by automated means, and is likely to involve some human interaction.
The term “automated processing system” is different from “automated decision-making”. For example, a database of criminal records or prosecution histories is an automated processing system.
Is it possible to keep personal data indefinitely if needed? Do we need to inform data subjects each time a retention period changes?
Under the DPA 1998, retention periods are not defined, and personal data should only be retained for as long as necessary. Similarly, the LE provisions of the Bill state that personal data processed for the law enforcement purposes must:
- not be kept for longer than is necessary;
- have appropriate time limits established for its erasure; and
- be subject to periodic review of the need for its storage.
This means that where an organisation is unable to specify a date for destruction of the personal data, it must specify when the retention period will be reviewed. Data subjects should be made aware of these timescales.
Is it mandatory for all law enforcement agencies to have a Data Protection Officer (DPO)?
All data controllers that are competent authorities will need to have a DPO in place. Some staff may currently be called DPOs, but an updated job specification may be required if it does not currently match the attributes of a DPO provided for in the legislation. For example, DPOs will be required to have expert knowledge of data protection law and practice.
Will data sharing with non-competent authorities take place under GDPR or the LE provisions?
Any processing that involves data sharing with non-competent authorities is likely to need to comply with GDPR. Similarly, any data sharing that takes place which does not fall under the law enforcement purposes must also comply with the requirements of GDPR.
What are the timescales for subject access requests under the LE provisions?
A data controller should respond without delay and, at the latest, within one month of receipt, subject to exemptions.
For this purpose, the relevant day means the day on which:
- the controller receives the request;
- the controller receives additional information from the data subject (if any) requested in connection with a request; or
- an appropriate fee (if any) charged in connection with a repeat request is paid.
Is it mandatory for a competent authority to carry out DPIAs under the LE provisions?
Yes, where the processing is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope and purposes of the processing.
A DPIA is an assessment of the impact of the envisaged processing operations on the protection of personal data and therefore needs to be carried out prior to any processing.
Where a high risk has been identified, the controller must consult the Information Commissioner prior to the processing taking place.
The timescale for the Information Commissioner to respond is six weeks. The Information Commissioner may extend this by a further period of one month, taking into account the complexity of the intended processing.