Principles
Latest updates - 04 November 2025
04 November 2025 - We have updated this section of the guidance to reflect amendments from the Data (Use and Access) Act. The guidance now includes a section on consent for law enforcement purposes.
About this guidance
This guidance discusses in detail the principles for using personal information under part 3 of the Data Protection Act 2018 (DPA). It is aimed at ‘competent authorities’ who process personal information for any of the law enforcement purposes.
To help you understand the law and good practice as clearly as possible, this guidance says what organisations must, should and could do to comply.
Legislative requirements
Must refers to:
- legislative requirements within our remit; or
- established case law (for the laws that we regulate) that is binding.
Good practice
Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. We expect you to do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this also complies with the law.
Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.
This approach only applies where indicated in our guidance. We will update other guidance in due course.
At a glance
- Part 3, chapter 2 of the DPA sets out the six law enforcement data protection principles you must follow when using personal information for law enforcement purposes.
- The principles are broadly the same as those in the UK GDPR and are compatible, so you can manage processing across the two regimes.
- Transparency requirements are not as strict as in the UK GDPR because of the potential to prejudice an ongoing investigation in certain circumstances.
- You must be able to demonstrate overall compliance with all the law enforcement data protection principles.
Checklists
First data protection principle
- We have identified an appropriate basis in law that provides a clear and foreseeable lawful justification for using personal information for the law enforcement purposes.
- We have identified an appropriate lawful basis under data protection legislation.
- We have checked that the processing is necessary for the relevant law enforcement purpose, and are satisfied that there is no other reasonable and less intrusive way to achieve that purpose.
- We have considered how the processing may affect the people concerned and can justify any negative impact.
- We only handle people’s information in ways they would reasonably expect, or we can explain why any unexpected processing is justified.
- We understand the safeguards required for sensitive processing.
Second data protection principle
- We have clearly identified that any processing is for defined law enforcement purposes.
- If we plan to use personal information for a new purpose, we check that this is compatible with our original purpose.
Third data protection principle
- We only collect personal information we need for our specified purposes.
- We have sufficient personal information to properly fulfil those purposes.
- We periodically review the information we hold.
Fourth data protection principle
- We ensure the accuracy of any personal information we create.
- We have appropriate processes in place to check the accuracy of the personal information we collect, and we record the source of all such information.
- As far as possible, our records can clearly distinguish between personal information based on facts and that based on a matter of opinion or assessments.
- As far as possible, our records can clearly distinguish between personal information about different categories of people, such as suspects, people who have been convicted, victims and witnesses.
- We comply with the right to rectification and carefully consider any challenges to the accuracy of the personal information we hold.
Fifth data protection principle
- We carefully consider and can justify how long we keep personal information.
- We have a policy with standard retention periods where possible, in line with documentation obligations.
- We regularly review our information and erase or anonymise personal information when we no longer need it.
Sixth data protection principle
- We have appropriate technical and organisational measures in place to ensure the security of the personal information we use. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage to personal information.
In brief
- What are the principles?
- Why are the principles important?
- What is the first principle about?
- When is consent appropriate?
- What about sensitive processing?
- What safeguards are required for sensitive processing?
- What is the second principle about?
- What are principles three, four and five about?
- What is the sixth principle about?
What are the principles?
Part 3, chapter 2 of the DPA sets out six key principles that are your main responsibilities when you use people’s information for law enforcement purposes.
The first data protection principle
You must process personal information for any of the law enforcement purposes lawfully and fairly.
The second data protection principle
You must ensure that the law enforcement purpose you collect personal information for on any occasion is specified, explicit and legitimate.
You must not process the personal information you collect in a way that is incompatible with the purpose you originally collected it for.
The third data protection principle
You must ensure that the personal information you process for any of the law enforcement purposes is adequate, relevant and not excessive in relation to the purpose you’re processing it for.
The fourth data protection principle
You must ensure that the personal information you process for any of the law enforcement purposes is accurate and, where necessary, kept up to date.
You must take every reasonable step to ensure that you erase or rectify without delay any personal information that is inaccurate, having regard to the law enforcement purpose you’re processing it for.
The fifth data protection principle
You must not keep personal information you process for any of the law enforcement purposes for longer than is necessary for the purpose you’re processing it for.
You must establish appropriate time limits to periodically review the need to continue to store the personal information for any of the law enforcement purposes.
The sixth data protection principle
You must process the personal information you process for any of the law enforcement purposes in a manner that ensures appropriate security of the information, using appropriate technical or organisational measures. In this principle, 'appropriate security' includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Why are the principles important?
The principles guide and inform how you use personal information for the law enforcement regime under part 3 of the DPA.
Complying with the principles is a fundamental building block for good data protection practice. It is also key to your compliance with the detailed provisions of part 3.
Section 157(2)(a) of the DPA states that infringements of the basic principles for processing personal information are subject to the highest tier of fines. This could mean a fine of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.
What is the first principle about?
The first data protection principle underpins all processing for law enforcement purposes. It says that you must ensure that any processing you do for the law enforcement purposes is lawful and fair. Lawfulness and fairness are well-established requirements of data protection law.
Lawfulness
For the processing to be lawful, section 35(2) says that it must be “based on law”. This means that you must ensure that your use of personal information is authorised by either statute, common law or royal prerogative, or by or under any other rule of law. You must identify a legal basis that gives a sufficiently clear, precise and foreseeable lawful justification to process personal information for the law enforcement purposes. You may find the necessary legal basis in more than one statute or other source of law.
Example
Part 5 of the Police and Criminal Evidence Act 1984 gives statutory authority for taking and retaining DNA and fingerprints (this applies to England and Wales).
The Domestic Violence Disclosure Scheme relies on the police's common law powers to disclose information where this is necessary to prevent crime.
You must also have a lawful basis under data protection legislation for your processing. Section 35(2) explains that you must ensure that your processing of personal information for any law enforcement purposes is either:
- necessary for the performance of a task carried out for law enforcement purposes by a competent authority; or
- based on a person’s consent.
'Necessary' means a targeted and proportionate way of achieving your purpose under article 6 UK GDPR. You must ensure that any processing you carry out for law enforcement purposes is necessary, but this does not mean that it always has to be essential.
Processing for a law enforcement purpose may be ‘necessary’ if it delivers that purpose more effectively, for the benefit of society. This lawful basis does not apply if you can reasonably achieve the purpose by less intrusive means. You must ensure that your processing is necessary for the stated purpose and not simply because you’ve chosen to operate in a particular way.
Fairness
In general, fairness means that you should handle personal information in ways that people would reasonably expect. It requires you to be clear and open with people about how you use their information, in keeping with their reasonable expectations. It is not fair to process information in a way that is unexpected, misleading or unduly detrimental to the people concerned.
When is consent appropriate?
In most cases consent is not an appropriate basis to rely on when using someone's data for law enforcement purposes.
Consent under part 3 s33(1A) is defined as:
“a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data.”
This definition aligns with the same high standard of consent in the UK GDPR. You must make sure that any consent you receive is:
- Freely given: giving people genuine choice and control over how you use their data. People must be able to refuse consent without detriment, and be able to withdraw consent easily at any time.
- Specific and informed: clearly explain to people what they are consenting to in a way they can easily understand. The request for consent must be prominent, concise, separate from other matters and in clear and plain language.
- Unambiguous: it is obvious that the person has consented, and what they have consented to. There must be a clear signal that they agree.
- Involve a clear affirmative action (an opt-in): a deliberate action or indication to opt in or agree to the processing. This includes an opt-in box, but also extends to signing a consent statement and oral confirmation. Failure to opt out is not consent, as it does not involve a clear affirmative act of opting in. Also, you cannot rely on silence, inactivity, default settings or pre-ticked boxes.
Consent requires giving people genuine choice and ongoing control over how you use their data, and ensuring your organisation is open and accountable.
In most cases, consent is not an appropriate lawful basis for law enforcement because:
- you may hold a clear power imbalance over the person;
- people may fear negative consequences for refusing, meaning their consent isn’t freely given;
- people may struggle to withdraw consent easily;
- you already have statutory or common law powers to use the information, meaning you will use the information anyway without consent.
An appropriate lawful basis you may use instead is that the processing is necessary for the performance of a task carried out for the law enforcement purposes by a competent authority. Where this is the case, you should not use consent as the lawful basis for using personal information. This is because people would not have a free and genuine choice.
Whichever lawful basis you use, you should keep people informed about how you will use their data, unless there is an exemption. This includes telling them about the likelihood of information being shared with other parties.
There are some circumstances when consent may be appropriate as a lawful basis for law enforcement processing. This will only be where you can offer people a genuine choice.
Example
A police force and local authority have come together to implement a local crime prevention strategy after a sudden increase in break-ins in the area. The police can refer the victims of the break-ins to the scheme so the local authority can install free burglar alarms for them.
The police tell a property owner (the victim of a break-in) about the scheme. They ask the owner if they consent to some of their personal information being shared with the local authority so they can take part in the scheme. This will include their name, the fact that they have been burgled, and the address where the burglar alarm is to be fitted.
The owner doesn't have to have the burglar alarm fitted if they don't want to. They are also informed that, if they change their mind, they have the right to withdraw their consent and not take part in the scheme.
The overall purpose is for crime prevention. The information that the police provide before the referral means that any consent is fully informed, and there should be no circumstances under which the property owner would feel pressured to give their consent.
If you’re relying on consent, you must keep clear records to demonstrate the consent you’ve obtained. In addition, people have the right to withdraw their consent at any time. Prior to obtaining consent you must tell people that they can withdraw consent, and offer them easy ways to do so. It must be as easy to withdraw consent as it was to give it. If possible, people should be able to withdraw their consent using the same method as when they gave it.
Further reading
Further guidance on consent can be found in our UK GDPR guidance on consent and in our In detail guidance on consent.
What about sensitive processing?
Sensitive processing is defined in the law enforcement provisions as:
“(a) the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
(b) the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;
(c) the processing of data concerning health; or
(d) the processing of data concerning an individual’s sex life or sexual orientation.”
Genetic data is personal information relating to the inherited or acquired characteristics of a person (eg analysis of a biological sample).
Biometric data is personal information that is obtained through specific processing relating to a person's physical, physiological or behavioural characteristics. This processing enables you to identify a particular person (eg by fingerprints or facial recognition).
As a law enforcement authority, the information you process is often sensitive. When it is, you must be able to demonstrate that processing the information for a law enforcement purpose is either:
- based on consent; or
- strictly necessary - in this case, it must also satisfy one of the conditions in schedule 8 of the DPA.
Again, in most cases you’re not able to offer people a genuine choice when using their information for criminal law enforcement purposes, so consent is not an appropriate basis.
'Strictly necessary', as required in some sections of part 3 DPA, imposes a higher standard than ‘necessary’, and in practice requires a more rigorous justification for why you’re processing the information.
The standard is stricter for processing sensitive information because it carries greater risk and may have a greater impact on people’s rights. This means it requires higher levels of protection and safeguards. Whether the processing of sensitive information for any of the law enforcement purposes is ‘strictly necessary’ depends upon the facts of each case.
We expect ‘strictly necessary’ under part 3 DPA to mean that you should take more consideration and extra care to:
- ensure your processing of sensitive information is specific in nature and dependent on the specified law enforcement purpose;
- clearly demonstrate why there are reasonably no less intrusive means of achieving the same purpose; and
- clearly demonstrate how your processing is effective in meeting the specified law enforcement purposes.
What safeguards are required for sensitive processing?
If you’re carrying out sensitive processing based on a person’s consent or on another specific condition in schedule 8 of the DPA 2018, you must have an appropriate policy document in place.
You must include the following explanations in this document:
- your procedures for ensuring compliance with the law enforcement data protection principles; and
- your policies on the retention and erasure of this information.
If you process sensitive information for a number of different law enforcement purposes, you do not need a separate policy document for each condition or processing activity – one document can cover them all.
You must retain this policy document from the time you begin sensitive processing until six months after you finish. You must review and update it where appropriate and make it available to us on request without charge.
In summary, you must ensure that your sensitive processing is:
- based on a person's consent; or
- strictly necessary for the law enforcement purpose and based on a schedule 8 condition; and
- in either case, supported by an appropriate policy document that shows compliance with the data protection principles and your broader obligations.
Further reading
We have produced an appropriate policy document template to demonstrate the kind of information this should contain.
What is the second principle about?
The second principle is about maintaining the purpose for processing personal information. Specific requirements are introduced about the purpose being specified, explicit and legitimate. This means that you must ensure that any processing you do under part 3 of the DPA 2018 is for the defined law enforcement purposes.
Example
The Crown Prosecution Service could process personal information in connection with the prosecution of a criminal offence, whereas the police, working alongside the prosecutor, would be processing the personal information in connection with the investigation of the offence.
You must not process personal information for a purpose that is incompatible with the original reason and justification for processing. This is the case whether the personal information was collected from the person the information is about or otherwise.
What are principles three, four and five about?
The third principle requires that the personal information you’re processing is adequate, relevant and not excessive. This means you must limit the information to what is necessary for the purpose(s) you’re processing it for.
The fourth data protection principle is about accuracy. It says that you must take every reasonable step to correct inaccurate information. In addition, as far as possible, you must be able to distinguish between personal information that is based on fact and that which is based on opinion or assessment.
Where relevant, and as far as possible, you must be able to distinguish between the information of different categories of people, such as suspects, people who have been convicted, victims and witnesses. You should only categorise information under part 3 that is relevant to your investigation.
The fifth principle requires that you must not keep personal information for longer than is necessary for the purpose you originally collected it for. No specific time periods are given, but you must conduct periodic reviews to ensure that you’re not storing information for longer than necessary for law enforcement purposes.
What is the sixth principle about?
The sixth principle requires you to have technical and organisational measures in place to ensure that you protect information with an appropriate level of security. 'Appropriate security' includes "protection against unauthorised or unlawful processing and against accidental loss, destruction or damage".
This is the same as under the UK GDPR and part 2 of the DPA. However, what is deemed appropriate may be different based on the types of information you’re using. For example, a competent authority processing personal information for law enforcement purposes under part 3 is likely to need to have different technical and organisational measures than a controller carrying out general processing under the UK GDPR.
Further reading
- UK GDPR guidance on data protection principles
- Commissioner's opinion on the processing of victims’ personal data in rape and serious sexual offence investigations
- UK GDPR guidance on consent and In detail guidance on consent
- What is sensitive processing?
- Conditions for sensitive processing
- A guide to data security