Categorisation of individuals
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
At a glance
When processing personal data for the any of the law enforcement purposes, you must provide, where relevant and as far as possible, a clear distinction between different categories of personal data, such as people who are:
- suspected of having committed, or about to commit, a criminal offence (suspects);
- convicted of a criminal offence;
- individuals who are, or are suspected of being, victims of a criminal offence (victims); or
- individuals who are witnesses, or can provide information, about a criminal offence (witnesses).
In brief
Under the fourth principle, you must ensure that any personal data you process for law enforcement purposes is accurate and, where necessary, up to date.
In all areas of policing and criminal justice, it is highly likely that any processing of personal data will involve different categories of data subject. When processing personal data for the any of the law enforcement purposes, you must provide, where relevant and as far as possible, a clear distinction between different categories of personal data, such as people who are:
- suspected of having committed, or about to commit, a criminal offence (suspects);
- convicted of a criminal offence;
- individuals who are, or are suspected of being, victims of a criminal offence (victims); or
- individuals who are witnesses, or can provide information, about a criminal offence (witnesses).
There may be instances where an individual falls under more than one of these categories. For example an individual may be both a victim and a witness in a certain case, or indeed an offender in one case and victim/witness in another. You will therefore be required, where relevant and as far as possible, to have processes and procedures in place to distinguish between such categories.
Example
If a competent authority obtains a large dataset as part of an investigation, the authority only needs to categorise the personal data that is relevant to the investigation. In practice, this will be data that has operational value to a criminal investigation, rather than any other collateral data that they have also acquired.
The competent authority will only categorise the information under Part 3 where relevant to the investigation, and any other unused data will fall under the general provisions of the UK GDPR/ Part 2 of the Act.
It is important to note that any unused personal data is also subject to strict retention periods.
You must also distinguish, so far as possible, any personal data based on facts from personal data based on personal assessment. In essence, this is the ability to distinguish between fact and opinion.
For example, statements by victims and witnesses containing personal data are based on the subjective perceptions of the person making the statement. These statements are not always verifiable and are subject to challenge during the legal process. In such cases, the requirement for accuracy does not apply to the content of the statement but simply that a specific statement has been made.
The requirement to keep personal data up to date must also be viewed in this context. If an individual’s conviction is overturned on appeal, police must amend their records. However, they will not retrospectively alter a witness statement even if the court has found it to be unreliable.