A competent authority for the purposes of law enforcement means a person specified in the Bill (Schedule 7) and any other person if, and to the extent that, the person has statutory functions to exercise public authority or public powers for any of the law enforcement purposes.
The intelligence services (MI5, MI6 and GCHQ) are not listed as competent authorities as they are governed by the provisions in Part 4 of the Bill.
Essentially, this means that a competent authority is:
- any public authority with powers to investigate and/or prosecute crimes and impose sentences; or
- any other organisation (such as a private company/contractor) empowered by law (as per 28(1)(b) of the DP Bill) to exercise those powers in a way that gives it control over the data, i.e. as a data controller, as opposed to a data processor.
Do the ‘law enforcement purposes’ apply to criminal or civil functions?
They apply to criminal functions only. They refer to the processing of personal data for the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Other activities conducted by organisations that are not competent authorities will fall under the GDPR rather than the LE provisions of the Bill. For example, the use of CCTV by shopkeepers, or civil enforcement such as parking fines, will fall under the provisions of the GDPR.
Are private companies that have been contracted to conduct public functions that involve the processing of personal data for the prevention/detection of crime and prosecution of criminal offences, within the scope of a ‘competent authority’?
Yes, if they fit the criteria set out above. This will depend on the basis on which the private company is empowered by law, i.e. whether it is a data controller empowered by statute for a law enforcement purpose.
What if I am asked to pass information to a law enforcement authority? Does that mean the processing I am doing is now captured by the LE provisions?
No. Your processing is not captured by the LE provisions simply because data is passed to a law enforcement agency. If the organisation holding the data is not processing it for law enforcement purposes, then it will not be captured by the LE provisions. Once it is transferred, the receiving competent authority will then be processing it for the purposes of law enforcement.
A shopkeeper that uses CCTV will be processing the data under the GDPR. The shopkeeper is processing for their own purposes, as they are not a prosecuting or law enforcement authority. If the shopkeeper passes the footage to a third party, such as the police, then the police will be processing that footage under the LE provisions of the Bill whilst the shopkeeper continues to process under the GDPR.
Similarly, the processing of data by banks for the purposes of detecting crime, such as fraud, also initially falls under the GDPR. That data is only captured by the LE provisions once it has been transferred to, and is being processed by, the police, the NCA or any other competent authority.
There may be situations where a competent authority processes data and the purpose of that processing routinely shifts between the GDPR and Part 3 of the Bill. In these cases, only data that is identified as being processed for the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, is required to be processed under the provisions of Part 3 of the Bill.
Authorities will therefore be required to have appropriate processes and procedures in place to identify and log processing for such cases and have a clear justification for the application of any law enforcement restrictions in this respect.
Will employers who conduct employment or vetting checks only for these purposes fall outside of the scope of ‘competent authority’?
Employers conducting criminal records checks are likely to fall outside the scope of ‘competent authority’ as the processing will not be undertaken for the purposes of law enforcement. The processing will therefore likely be under the GDPR. The primary purpose of that processing is tied into the recruitment/employment process.
A data controller will fall within the scope of ‘competent authority’ if they are listed in the legislation or have statutory functions for any of the law enforcement purposes.
Article 10 of the GDPR addresses the processing of personal data relating to criminal convictions and offences. The article permits such processing only under the control of official authority, or where it is authorised by Union or Member State law that provides appropriate safeguards for the rights and freedoms of data subjects/applicants.
Within the UK, criminal records checks are undertaken through the Disclosure & Barring Service (DBS) or Disclosure Scotland. In terms of appropriate safeguards, the Police Act 1997 (for certificates) and the Rehabilitation of Offenders Act 1974 as amended (for declarations) provide the required legislative provision for employers and other bodies to continue to request checks at Basic, Standard and Enhanced disclosure level as appropriate in individual circumstances.