Does this section apply to us?
This section applies if you are a UK competent authority currently processing personal data for law enforcement purposes under Part 3 of the Data Protection Act 2018.
If you are not a competent authority, or if you are processing personal data for non-law enforcement purposes (eg HR records), this section does not apply.
For further information, see our Guide to law enforcement processing.
What do we need to do?
- Update your processing record, privacy notice and logs with details of transfers to law enforcement partners in EU member states. The UK government has confirmed transitional adequacy provisions will allow transfers to the EU and Gibraltar for law enforcement purposes to continue, but you should review our guidance on international transfers under the law enforcement processing regime. If you are making any transfers of personal data for law enforcement purposes to EU recipients who are not relevant authorities, you need to notify the ICO (section 77(7)).
How has the law enforcement regime changed?
Part 3 of the Data Protection Act 2018 brought the EU Law Enforcement Directive EU2016/680 into UK law. This complements the UK GDPR and sets out requirements for processing personal data for criminal law enforcement purposes. Part 3 of the Data Protection Act 2018 continues to be law now that the transition period has ended, with some specific amendments to the transfer provisions to reflect that the UK is no longer an EU member state.
Most of your obligations will not be affected. The key area to consider is:
- transferring personal data out of the UK (sections 73 and 74).
How can we transfer data out of the UK?
EU member states are now third countries under Part 3. This means the rules on international transfers for law enforcement purposes will apply to transfers from the UK to the EU.
The general rule is that you can still transfer personal data to your partner law enforcement authorities in third countries (including EU member states) if the transfer is necessary for law enforcement purposes and the transfer is covered by a UK adequacy decision or an appropriate safeguard, or special circumstances (ie an exemption) applies. You can also transfer personal data to other recipients (who are not relevant authorities) if you meet some additional conditions and notify the ICO. For full details, read the international transfers section of our Guide to Law Enforcement Processing.
The UK government has confirmed transitional provisions to permit transfers to EU member states, EEA countries outside of the EU, Switzerland and Gibraltar for law enforcement purposes on the basis of new UK adequacy regulations.
The position on transfers to countries outside the EU will remain the same, and you can continue to follow our existing guidance.
How can we maintain transfers from the EU into the UK?
You can continue to receive transfers as before. The LED adequacy decision says the UK provides adequate protection for personal data transferred from EU authorities responsible for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
- a contract or other legally binding instrument containing appropriate safeguards; or
- the sender’s own assessment that appropriate safeguards exist. The sender can take into account the ongoing protection provided by the DPA 2018 itself when assessing appropriate safeguards.