Law Enforcement Policy

The Data Protection Act 2018 Part 3 only applies to 'competent authorities' that are processing personal data for the primary purpose of law enforcement. It applies, but is not limited, to:

  • the police, criminal courts, prisons, non-policing law enforcement; and
  • any other body that has statutory functions to exercise public authority or public powers for any of the law enforcement purposes.

This therefore includes the Council when it undertakes a function or exercises a power in relation to the prevention, investigation, detection or prosecution of criminal offences.

The six law enforcement principles under Part 3, Chapter 2 of the Data Protection Act 2018 are the main responsibilities that Bury Council will follow when processing personal data for law enforcement purposes.

Bury Council recognises the principles are broadly the same as those in the UK GDPR, and are compatible. This will enable the Council to manage processing across the two regimes.

This policy does not cover individual rights or overseas transfers of personal data.

The six principles must be adhered to at all times and the Council must demonstrate compliance with these principles in all data processing for law enforcement purposes.

What are the principles?

Data protection principles

  • First: Processing of personal data for any of the law enforcement purposes must be lawful and fair.
  • Second: The law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and personal data collected must not be processed in a manner that is incompatible with the purpose for which it was originally collected.
  • Third: Personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.
  • Fourth: Personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date, and every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay.
  • Fifth: Personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed. Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes.
  • Sixth: Personal data processed for any of the law enforcement purposes must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, "appropriate security" includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).

Bury Council, in processing personal data for law enforcement purposes, will ensure that the processing is necessary, targeted and proportionate. The lawful basis for the processing would be either that it is necessary for the performance of a task carried out for law enforcement or that it is based upon consent.

If obtaining consent, the UK GDPR will be applied to ensure the consent is unambiguous and involves a clear affirmative action.

If processing under a lawful basis, Bury Council will identify the basis in statute, common law, royal prerogative or any other rule of law. The processing will also meet one of the conditions for processing under data protection legislation. For example, Part 5 of the Police and Criminal Evidence Act 1984 confers statutory authority for the taking and retention of DNA and fingerprints (this applies to England and Wales). Also, the Domestic Violence Disclosure Scheme relies on the Police's common law powers to disclose information where it is necessary to do so to prevent crime.

What about sensitive processing?

In the context of law enforcement, the personal data you are processing will often be sensitive (also referred to as special category data). When it is, you must be able to demonstrate that the processing is strictly necessary and satisfy one of the conditions in Schedule 8 or is based on consent. Strictly necessary in this context means that the processing has to relate to a pressing social need, and you cannot reasonably achieve it through less intrusive means. This is a requirement which will not be met if you can achieve the purpose by some other reasonable means.

Sensitive processing is defined in the law enforcement provisions of the Data Protection Act 2018, as:

  • (a) the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
  • (b) the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;
  • (c) the processing of data concerning health;
  • (d) the processing of data concerning an individual's sex life or sexual orientation.

Genetic data is personal data relating to the inherited or acquired characteristics of a person, e.g. an analysis of a biological sample.

Biometric data is personal data that is obtained through specific processing relating to physical, physiological or behavioural characteristics of a person. This processing enables you to identify a particular person, e.g. DNA, fingerprints, and facial recognition.

Given the sensitivity surrounding such processing, you are required to meet at least one of the conditions set out in Schedule 8 of the Act.

What safeguards are required for sensitive processing?

If you are carrying out sensitive processing based on the consent of a data subject, or based on another specific condition in Schedule 8 of the Act, you must have an appropriate policy document in place.

The appropriate policy must explain:

  • your procedures for complying with the data protection principles when relying on a condition from Schedule 8; and
  • your policy for the retention and erasure of personal data for this specific processing.

You must retain this policy from the time you begin sensitive processing until six months after it has ended. You must review and update it where appropriate and make it available to the Information Commissioner upon request without charge.

So, to recap, if you are processing sensitive personal data:

  • it must be strictly necessary;
  • it must satisfy one of the conditions in Schedule 8; and
  • you need a policy document in place to demonstrate compliance, safeguards and processes.

What is the second principle about?

The second principle is about maintaining the purpose for processing personal data. Specific requirements about the purpose being specified, explicit and legitimate are introduced, meaning that any processing under Part 3 of the Act must be for the defined law enforcement purposes. You cannot process for a purpose that is incompatible with the original reason and justification for processing.

For example, the Crown Prosecution Service could process personal data in connection with the prosecution of a criminal offence, whereas the Police working alongside the prosecutor would only be processing the personal data in connection with the investigation of the offence.

What are principles three, four and five about?

The third principle requires that the personal data you are holding is adequate and limited to what is necessary for the purpose(s) for which you are processing it.

The fourth data protection principle is about accuracy. It sets out that you should take every reasonable step to correct inaccurate data. In addition, as far as possible, you need to be able to distinguish between personal data that is based on factual data and that which is based on a matter of opinion or assessment, such as a witness statement.

A new requirement is that, again where relevant and as far as possible, you need to be able to distinguish between data relating to different categories of individuals, such as suspects, individuals who have been convicted, victims and witnesses. You only categorise information under Part 3 that is relevant to your investigation; other unused data falls under the general provisions of UK GDPR and Part 2 of the Act.

The fifth principle requires that you do not keep personal data for longer than is necessary for the purpose you originally collected it for. No specific time periods are given but you need to conduct regular reviews to ensure that you are not storing for longer than necessary for the law enforcement purposes.

What is the sixth principle about?

The sixth principle requires you to have technical and organisational measures in place to ensure that you protect data with an appropriate level of security. This is the same as under UK GDPR and Part 2 of the Act.

'Appropriate security' includes 'protection against unauthorised or unlawful processing and against accidental loss, destruction or damage'.

The conditions for sensitive processing in Schedule 8 of the Act are:

  • necessary for judicial and statutory purposes - for reasons of substantial public interest
  • necessary for the administration of justice
  • necessary to protect the vital interests of the data subject or another individual
  • personal data already in the public domain (manifestly made public)
  • necessary for legal claims
  • necessary for when a court acts in its judicial capacity
  • necessary for the purpose of preventing fraud, and
  • necessary for archiving, research or statistical purposes.

Again, you must be able to demonstrate that the processing is strictly necessary and satisfy one of the conditions in Schedule 8 or is based on consent. Strictly necessary in this context means that the processing has to relate to a pressing social need, and you cannot reasonably achieve it through less intrusive means.
