The ICO exists to empower you through information.

At a glance

  • The six law enforcement data protection principles under Part 3, Chapter 2 of the DPA 2018 are the main responsibilities you should follow when processing personal data for law enforcement purposes.
  • The principles are broadly the same as those in the UK GDPR, and are compatible so you can manage processing across the two regimes.
  • There are no principles relating to individuals’ rights or overseas transfers of personal data – these are addressed in Part 3 of the DPA 2018 separately.
  • Transparency requirements are not as strict as in the UK GDPR, due to the potential to prejudice an ongoing investigation in certain circumstances.
  • You must be able to demonstrate overall compliance with all of the law enforcement data protection principles.

In brief

What are the principles?

Part 3, Chapter 2 of the DPA 2018 sets out six key principles which are your main responsibilities when processing personal data for the law enforcement purposes.

The principles are broadly the same as those in the UK GDPR, and are compatible so you can manage your processing across the two regimes.

The first data protection principle

Processing of personal data for any of the law enforcement purposes must be lawful and fair.

The second data protection principle

The law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and;

Personal data collected must not be processed in a manner that is incompatible with the purpose for which it was originally collected.

The third data protection principle

Personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.

The fourth data protection principle

Personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date, and;

Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay.

The fifth data protection principle

Personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed.

Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes.

The sixth data protection principle

Personal data processed for any of the law enforcement purposes must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).

Section 34(3) adds that:

The controller in relation to personal data is responsible for, and must be able to demonstrate, compliance with this Chapter.

Why are the principles important?

The principles guide and inform the processing of personal data for the law enforcement regime under Part 3 of the DPA 2018.

They don’t give hard and fast rules, but rather embody the spirit of the law enforcement regime – and as such there are very limited exceptions.

Compliance with the spirit of these key principles is therefore a fundamental building block for good data protection practice. It is also key to your compliance with the detailed provisions of Part 3.

Failure to comply with the principles may leave you open to substantial fines. Section 157(2)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of monetary penalties. This could mean a penalty of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.

What is the first principle about?

The first data protection principle says that any processing for the law enforcement purposes must be lawful and fair. Lawfulness and fairness are well established requirements of data protection law.

For the processing to be lawful, section 35(2) says that it must be “based on law”. This means that the processing is authorised by either statute, common law or royal prerogative, or by or under any other rule of law. You must identify a legal basis that provides a sufficiently clear, precise and foreseeable lawful justification to process personal data for the law enforcement purposes. The necessary legal basis may be found in more than one statute or other source of law.

Example

Part 5 of the Police and Criminal Evidence Act 1984 confers statutory authority for the taking and retention of DNA and fingerprints (this applies to England and Wales).

The Domestic Violence Disclosure Scheme relies on the Police’s common law powers to disclose information where it is necessary to do so to prevent crime.

The processing must also have a lawful basis under data protection legislation. Section 35(2) explains that the processing of personal data for any of the law enforcement purposes must be either necessary for the performance of a task carried out for law enforcement purposes by a competent authority, or based on consent.

You need to be aware that any processing you carry out for the law enforcement purposes must be necessary. This does not mean that processing always has to be essential. However, it must be a targeted and proportionate way of achieving your purpose. This lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means.

It is not enough to argue that processing is necessary because you have chosen to operate in a particular way. The question is whether the processing is a necessary for the stated purpose.

In terms of consent under Part 3, this has the same high standard of consent as that in the UK GDPR. This means consent must be freely given and it must be unambiguous and involve a clear affirmative action (an opt-in). Individuals also must be able to easily withdraw consent. Further guidance on consent can be found in the Guide to UK GDPR page.

There may be limited circumstances where you obtain consent from the individual whose personal data you are processing. However, in the context of law enforcement processing, consent may often not be appropriate as a lawful basis.

“Fairness” generally means you must not process personal data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned. It also requires you to be, where appropriate, clear and open with individuals about how you use their information, in keeping with their reasonable expectations.

What about sensitive processing?

ICO guidance explains the meaning of ‘necessary’ as a targeted and proportionate way of achieving your purpose under Article 6 UK GDPR. Processing for a law enforcement purpose may for example, depending on each case, be ‘necessary’ if it delivers that purpose more effectively, for the benefit of society.

However, as a law enforcement authority, the information you process will often be sensitive. When it is, you must be able to demonstrate that processing for a law enforcement purpose is either based on consent or alternatively, is strictly necessary and satisfies one of the conditions in Schedule 8 of the DPA 2018.

‘Strictly necessary’, as required in some sections of Part 3 DPA 2018, imposes a more exacting standard than ‘necessary’, and in practice calls for a more rigorous justification for why you are processing the information.

The standard should be more exacting for the processing of sensitive information because it carries greater risk, and may have a greater impact on individuals’ rights. As such, this requires higher levels of protection and safeguards. Whether the processing of sensitive information for any of the law enforcement purposes is ‘strictly necessary’ should depend upon the facts of each case.  

In the view of the ICO, we expect ‘strictly necessary’ under Part 3 DPA 2018 to mean that enhanced consideration and extra care should be taken to:

  • ensure that the processing of sensitive information is specific in nature and dependent on the specified law enforcement purpose;
  • clearly demonstrate why there are reasonably no less intrusive means of achieving the same purpose; and
  • clearly demonstrate how such processing will be effective in meeting the specified law enforcement purposes.

Sensitive processing is defined in the law enforcement provisions as:

(a) the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;

(b) the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;

(c) the processing of data concerning health;

(d) the processing of data concerning an individual’s sex life or sexual orientation.

Genetic data is personal data relating to the inherited or acquired characteristics of a person, eg an analysis of a biological sample.

Biometric data is personal data that is obtained through specific processing relating to physical, physiological or behavioural characteristics of a person. This processing enables you to identify a particular person, eg fingerprints and facial recognition.

Given the sensitivity surrounding such processing, you are required to meet at least one of the conditions set out in Schedule 8 of the DPA 2018.

What safeguards are required for sensitive processing?

If you are carrying out sensitive processing based on the consent of a data subject, or based on another specific condition in Schedule 8 of the DPA 2018, you must have an appropriate policy document in place.

This document must explain:

  • your procedures for ensuring compliance with the law enforcement data protection principles; and
  • your policies on the retention and erasure of this data.

You must retain this policy from the time you begin sensitive processing until six months after it has ended. You must review and update it where appropriate and make it available to the Information Commissioner upon request without charge.

So, to recap, sensitive processing must be:

  • based on the consent of the data subject; or
  • strictly necessary for the law enforcement purpose and based on a Schedule 8 condition.

In addition, in either case you must have an appropriate policy document in place.

Our template appropriate policy document shows the kind of information this should contain.

What is the second principle about?

The second principle is about maintaining the purpose for processing personal data. Specific requirements about the purpose being specified, explicit and legitimate are introduced, meaning that any processing under Part 3 of the DPA 2018 must be for the defined law enforcement purposes. You cannot process for a purpose that is incompatible with the original reason and justification for processing.

The Crown Prosecution Service could process personal data in connection with the prosecution of a criminal offence, whereas the Police working alongside the prosecutor would only be processing the personal data in connection with the investigation of the offence. 

What are principles three, four and five about?

The third principle requires that the personal data you are processing is adequate, relevant and not excessive. This means the data must be limited to what is necessary for the purpose(s) you are processing it.

The fourth data protection principle is about accuracy. It sets out that you should take every reasonable step to correct inaccurate data. In addition, as far as possible, you need to be able to distinguish between personal data that is based on factual data and that which is based on a matter of opinion or assessment, such as a witness statement.

A new requirement is that again, where relevant, and as far as possible, you need to be able to distinguish data between different categories of individuals, such as suspects; individuals who have been convicted; victims and witnesses. You only categorise information under Part 3 that is relevant to your investigation, and other unused data falls under the general processing regime.

The fifth principle requires that you do not keep personal data for longer than is necessary for the purpose you originally collected it for. No specific time periods are given but you need to conduct regular reviews to ensure that you are not storing for longer than necessary for the law enforcement purposes.  

What is the sixth principle about?

The sixth principle requires you to have technical and organisational measures in place to ensure that you protect data with an appropriate level of security. This is the same as under the UK GDPR and Part 2 of the DPA 2018

“Appropriate security” includes “protection against unauthorised or unlawful processing and against accidental loss, destruction or damage”.