The ICO exists to empower you through information.

At a glance

When processing personal data for the any of the law enforcement purposes, you must provide, where relevant and as far as possible, a clear distinction between different categories of personal data, such as people who are:

  • suspected of having committed, or about to commit, a criminal offence (suspects);
  • convicted of a criminal offence;
  • individuals who are, or are suspected of being, victims of a criminal offence (victims); or
  • individuals who are witnesses, or can provide information, about a criminal offence (witnesses).

In brief

Under the fourth principle, you must ensure that any personal data you process for law enforcement purposes is accurate and, where necessary, up to date.

In all areas of policing and criminal justice, it is highly likely that any processing of personal data will involve different categories of data subject. When processing personal data for the any of the law enforcement purposes, you must provide, where relevant and as far as possible, a clear distinction between different categories of personal data, such as people who are:

  • suspected of having committed, or about to commit, a criminal offence (suspects);
  • convicted of a criminal offence;
  • individuals who are, or are suspected of being, victims of a criminal offence (victims); or
  • individuals who are witnesses, or can provide information, about a criminal offence (witnesses).

There may be instances where an individual falls under more than one of these categories. For example an individual may be both a victim and a witness in a certain case, or indeed an offender in one case and victim/witness in another. You will therefore be required, where relevant and as far as possible, to have processes and procedures in place to distinguish between such categories.  

Example

If a competent authority obtains a large dataset as part of an investigation, the authority only needs to categorise the personal data that is relevant to the investigation. In practice, this will be data that has operational value to a criminal investigation, rather than any other collateral data that they have also acquired. 

The competent authority will only categorise the information under Part 3 where relevant to the investigation, and any other unused data will fall under the general provisions of the UK GDPR/ Part 2 of the Act.

It is important to note that any unused personal data is also subject to strict retention periods.

You must also distinguish, so far as possible, any personal data based on facts from personal data based on personal assessment. In essence, this is the ability to distinguish between fact and opinion.  

For example, statements by victims and witnesses containing personal data are based on the subjective perceptions of the person making the statement. These statements are not always verifiable and are subject to challenge during the legal process. In such cases, the requirement for accuracy does not apply to the content of the statement but simply that a specific statement has been made.

The requirement to keep personal data up to date must also be viewed in this context. If an individual’s conviction is overturned on appeal, police must amend their records. However, they will not retrospectively alter a witness statement even if the court has found it to be unreliable.