The United Kingdom's independent authority set up to uphold information rights in the public interest, encourage public bodies to be open and promote data privacy for individuals.

At a glance

  • Personal data processed by competent authorities for law enforcement purposes under Part 3 of the DPA 2018 may be shared with another organisation or reused internally for non-law enforcement processing under the UK GDPR / Part 2 of the DPA 2018, provided that the processing is “authorised by law”.
  • As a competent authority, you need to determine what the purpose of your proposed sharing or reuse is and whether this is “authorised by law”. This might be provided by, for example, statute, common law, royal prerogative, or statutory codes.
  • As the further processing of the personal data is no longer for law enforcement purposes, you need to have a lawful basis under Article 6 of the UK GDPR.
  • As the personal data you want to share or reuse is likely to include criminal offence data, you need to meet the requirements of Article 10. This means you need either a condition for processing, or official authority for the processing. This is in addition to identifying a lawful basis under Article 6.
  • If this includes special category data you need to identify a condition for processing under Article 9 as well as a lawful basis under Article 6.

Checklist

☐ We consider the purpose for further processing personal data (either sharing it or reusing it internally) for non-law enforcement purposes before processing in this way, and whether it is necessary and proportionate to do so. This new purpose must not be incompatible with the original law enforcement purpose.

☐ We determine whether the proposed sharing or reuse of data is “authorised by law”.

☐ We identify a lawful basis for processing under Article 6 of the UK GDPR before sharing or reusing personal data for non-law enforcement purposes.

☐ Before sharing or reusing criminal offence data for a non-law enforcement purpose, we check we have met the requirements of Article 10 of the UK GDPR. This means we either identify our official authority for the processing or identify a relevant condition in Schedule 1 of the DPA 2018. This is in addition to having a lawful basis under Article 6.

☐ We identify a condition for processing under Article 9 of the UK GDPR and any relevant condition in Schedule 1 of the DPA 2018 before sharing or reusing special category data. This is in addition to having a lawful basis under Article 6.

☐ We only process the minimum necessary amount of relevant and adequate personal data.

☐ We share or reuse the personal data in compliance with our other data protection duties and obligations.

In brief

What does the DPA 2018 say about further processing personal data originally obtained for law enforcement purposes?

As a competent authority under Part 3 of the DPA 2018, you are processing this personal data for law enforcement purposes.

The second data protection principle under Part 3 is about purpose limitation when processing personal data. Section 36(1) says:

“The second data protection principle is that—
(a) the law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and
(b) personal data so collected must not be processed in a manner that is incompatible with the purpose for which it was collected.”

This means that there are limits on the further processing of personal data, including the reuse or sharing (or both) of personal data for non-law enforcement purposes.

When might we want to further process personal data for non-law enforcement purposes?

As a competent authority there are two likely scenarios in which you may want to further process personal data for non-law enforcement purposes.

The first is where you want to share personal data with a recipient that is not a competent authority and therefore won’t be processing the data for law enforcement purposes. Instead it is processing personal data for general processing purposes under the UK GDPR and Part 2 of the DPA 2018.

Example

A police force is investigating potential threats against the councillors of a local authority. The police force wishes to disclose details of the suspect, including a photo, to the local authority in order to make it aware of the potential threat to the councillors and so it can take appropriate precautions. The local authority is not a competent authority under Part 3 and so cannot process personal data for law enforcement purposes.

Example

A government department wants to share personal data obtained for its law enforcement purposes with other public bodies, who are either not competent authorities or would not be processing under their competent authority status, as part of a data sharing exercise to identify potential ‘at risk’ individuals and provide early intervention support. The further processing will not be for law enforcement purposes.

The second scenario is where you process personal data for law enforcement purposes, but you also want to reuse it for a different purpose outside the scope of Part 3 of the DPA 2018. This would be for general processing purposes under the UK GDPR and Part 2 of the DPA 2018.

Example

A complaint is made by a suspect against a police officer concerning their conduct during an arrest. Personal data of the suspect originally processed for law enforcement purposes, including details of the alleged offence, are shared internally with the force’s professional standards team in order for it to investigate the complaint. This further processing is not for law enforcement purposes if the complaint does not involve allegations of criminal activity.

Example

A competent authority uses personal data processed for law enforcement purposes as part of an internal audit of its investigation processes. This further processing is not for the original law enforcement purposes. As good practice, the organisation anonymises or pseudonymises the personal data before allowing other staff access to it to conduct the audit.

In practice, competent authorities may therefore want to share personal data originally processed under Part 3 of the DPA 2018 with an external third party, or reuse it internally for a different purpose. In both cases, the personal data can then be used for general processing purposes under the UK GDPR and Part 2 of the DPA 2018.

See the Guide to the UK GDPR for more information on the general processing data protection regime.

As a competent authority, can we share or reuse personal data for non-law enforcement purposes?

Yes, in limited circumstances. Part 3 of the DPA 2018 allows you to share or reuse personal data originally processed for law enforcement purposes for different purposes. Section 36(4) explains:

“Personal data collected for any of the law enforcement purposes may not be processed for a purpose that is not a law enforcement purpose unless the processing is authorised by law.”

This means there is a framework for sharing or reusing personal data for non-law enforcement purposes, provided that the processing is “authorised by law”.

What does “authorised by law” mean?

The DPA 2018 doesn’t define “authorised by law”, but in the context of s36(4) it can be taken to mean that the competent authority has the power or is under an obligation to share or reuse personal data. Where a competent authority has a legal power to share or reuse personal data, this means it has discretion whether or not to do so. Whether it is appropriate to share or reuse personal data will depend on the circumstances of the case. Authorised by law can also include an obligation to share or reuse personal data because there is a legal requirement to do so. However, this will depend in part on the nature of the legal obligation on the competent authority. It’s important to note that a disclosure (sharing) or reuse of personal data isn’t authorised simply because there is no law prohibiting it.

As a competent authority under Part 3, you must therefore determine whether any disclosure, or reuse, of personal data for non-law enforcement purposes is authorised by law. This might be provided by statute, common law, royal prerogative, or statutory codes.

  • Statute: This may be in the form of a statutory obligation or a statutory power. A statutory obligation requires a competent authority to share information with others whether within the scope of Part 3 or not. It may also include responding to requests made under the Freedom of Information Act 2000 or the Freedom of Information (Scotland) Act 2002. A statutory power may include a power for a competent authority to disclose or reuse personal data at its discretion.
  • Statutory codes of practice: Such a code has statutory force, which generally means that you are under a legal duty to have regard to it when carrying out relevant functions, powers or obligations.
  • Common law: This is law derived from case law rather than legislation. It has been developed by courts making decisions in cases and creating binding precedents as opposed to statutory law from Parliament. However, common law does not provide unconditional power to share personal data originally collected for law enforcement purposes with other controllers processing outside the scope of Part 3 or even to reuse it within your own organisation for non-law enforcement purposes. You must still properly identify the specific common law power or duty under which you are acting. It cannot be used in a way that contravenes or conflicts with any legislation. Actions based on common law must still be compliant with the Human Rights Act 1998 and the DPA 2018.
  • Royal prerogative: This is the body of privilege, immunity and authority inherent in the powers of the monarchy and the source of many of the executive powers of the Government. Other than UK Government Departments, a competent authority may not have prerogative powers, but there may be overlap with other powers and duties, for example where the police have the obligation to keep the peace and to maintain public order.

Whether the disclosure you want to make, or the reuse of personal data for a different purpose, is authorised in law depends, in part, on the specific laws to which you are subject. Some competent authorities (eg the police) may be able to rely more heavily on common law as the legal basis for their actions. However, others may be more constrained by the nature of their constitution and legal framework. For example, this may include local authorities that can only carry out activities that they are empowered to do by statute, or those activities that are reasonably secondary or incidental to those powers.

What do we need to do before sharing or reusing personal data for non-law enforcement purposes?

You should start by identifying why you need to further process personal data for non-law enforcement purposes, and whether this new purpose is compatible with the original purpose.

You also need to identify what the legal basis is for further processing the personal data – this means whether this sharing or reuse of personal data is authorised by law.

If you can satisfy this, then you need to identify a lawful basis for processing under the UK GDPR and Part 2 of the DPA 2018.

If it includes criminal offence data, you need to meet the requirements of Article 10. This means you need either a condition for processing under Part 2 of the DPA 2018 or have official authority for the processing.

If this includes special category data, you also need a condition for processing under Article 9 of the UK GDPR or Part 2 of the DPA 2018.

See below for more details.

What about our lawful basis and conditions for processing?

When processing personal data for non-law enforcement purposes, you are no longer processing under Part 3. Instead your processing (ie the sharing or reuse) of personal data is for general processing purposes under the UK GDPR and Part 2 of the DPA 2018. You therefore need to identify a lawful basis under Article 6 of the UK GDPR to comply with the requirements of that processing regime.

Read our guidance on lawful basis for processing under the UK GDPR.

Since the personal data was originally processed for law enforcement purposes, it is likely to include criminal offence data, and if so, you need to meet the requirements of Article 10. This means you need either a condition for processing in Schedule 1 of the DPA 2018 or have official authority for the processing. It is also likely to include sensitive processing under Part 3 – this is broadly equivalent to processing special category data under the UK GDPR. If this is the case, you need to find a condition for processing special category data under Article 9. In all cases, this is in addition to a lawful basis under Article 6.

Read our guidance on special category data and criminal offence data for more information and the details of the specific conditions.

As a competent authority it is for you to determine whether you can meet a lawful basis and condition for processing before carrying out any sharing or reuse of personal data for non-law enforcement purposes. Similarly, if you have shared personal data, the organisation that receives the personal data also needs to have a lawful basis and condition for processing as appropriate for its own processing purposes.

What else do we need to consider?

In addition to this, you need to consider your obligations under other aspects of data protection law, including your accountability obligations, such as documentation requirements and carrying out DPIAs where necessary. See the Guide to Data Protection for more information.