Data protection. Guide to the Law Enforcement Provisions

Transcription

1 Data protection Guide to the Law Enforcement Provisions

2 Introduction What is it? Who does Part 3 of the DP Bill apply to? How can we comply? December

3 Introduction The Guide to the Law Enforcement Provisions explains Part 3 of the Data Protection Bill to help organisations comply with its requirements. It is for those who have responsibility for data protection for criminal law enforcement. This is a living document, which explores some frequently asked questions, and we are working to expand it in key areas. Alongside the Guide to the Law Enforcement Provisions, we have produced a 12 step guide to help organisations to prepare: Further Reading Preparing for the law enforcement requirements (part 3) of the Data Protection Bill: 12 steps to take now For organisations PDF (126.46K) Webinar: Law enforcement provisions of the Data Protection Bill About the ICO 07 December

4 What is it? What is the EU Law Enforcement Directive? The EU Data Protection Directive 2016/680, also known as the Law Enforcement Directive (LED), complements the General Data Protection Regulation (GDPR). It sets out the requirements for: the processing of personal data for criminal law enforcement purposes; the free movement of such data; and replaces the 2008 Council Framework Decision (2008/977/JHA) on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters. The Directive applies to EU Member States (including the UK), who are required to transpose it into their national law in May Part 3 of the Data Protection Bill 2017 intends to implement the EU Law Enforcement Directive into domestic UK law. What is the Data Protection Bill, and how does it apply to law enforcement? The Data Protection Bill will replace the Data Protection Act 1998 (DPA 1998) for domestic processing for criminal law enforcement purposes by competent authorities. Part 3 of the Bill will also govern international transfers for criminal law enforcement purposes. In practice, this means that specific processing for law enforcement purposes by the police and other law enforcement agencies will be governed by the new provisions in the Bill. The new law enforcement provisions are intended to cover both cross-border and UK domestic processing of personal data for the law enforcement purposes. Are the Law Enforcement Provisions in Part 3 of the DP Bill different from the GDPR? It is important to read the GDPR and the law enforcement provisions of the Bill side by side. The LE provisions in the Bill only apply to competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (commonly referred to as the Law Enforcement Purposes). The LE provisions are likely to cover criminal courts, prisons and any other person that has statutory functions for any of the law enforcement purposes as well as law enforcement bodies like the police or prosecution bodies. As with the GDPR, the LE provisions demand more from organisations in terms of accountability, and enhance the existing rights of individuals, subject to appropriate restrictions. There are some key differences in the requirements of Part 3 of the Bill to: 07 December

5 categorise individuals (ie witnesses, victims, suspects, convicted perpetrators); classify if the data is fact or personal opinion/assessment; and log the specific processing actions for automated systems (ie metadata that someone did something at x time) such as collection, alteration, disclosure or erasure. 07 December

6 Who does Part 3 of the DP Bill apply to? Am I a competent authority for the purposes of the LE provisions? A competent authority for the purposes of law enforcement means a person specified in the Bill (Schedule 7) and any other person if, and to the extent that, the person has statutory functions to exercise public authority or public powers for any of the law enforcement purposes. The intelligence services (MI5, MI6 and GCHQ) are not listed as competent authorities as they are governed by the provisions in Part 4 of the Bill. Essentially, this means that a competent authority is: any public authority with powers to investigate and/or prosecute crimes and impose sentences; or any other organisations (such as a private company/contractor) empowered by law (as per 28(1) (b) of the DP Bill) to exercise those powers in a way that gives them control over the data ie as a data controller, as opposed to a data processor. Do the law enforcement purposes apply to criminal or civil functions? They refer to the processing of personal data for the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Other activities conducted by organisations that are not competent authorities will fall under the GDPR rather than the LE provisions of the Bill. For example, the use of CCTV by shopkeepers or civil enforcement such as parking fines, will fall under the provisions of GDPR. Are private companies that have been contracted to conduct public functions that involve the processing of personal data for the prevention/detection of crime and prosecution of criminal offences, within the scope of a competent authority? Yes, if they fit the criteria set out above. This will depend on the basis on which the private company are empowered by law, ie if you are a data controller empowered by statute. What if I am asked to pass information to a law enforcement authority? Does that mean the processing I am doing is now captured by the LE provisions? No. Your processing is not captured by the LE provisions simply because data is passed to a law enforcement agency. If the organisation holding the data is not processing it for law enforcement purposes, then it will not be captured by the LE provisions. Once it is transferred, the receiving competent authority will then be processing it for the purposes of law enforcement. 07 December

7 Example A shopkeeper that uses CCTV will be processing the data under GDPR. It is likely that a shopkeeper is processing for their own purposes under GDPR, as they are not a prosecuting authority/law enforcement authority. If the shopkeeper passes the footage to a third party, such as the police, then the police themselves will then be processing that footage under the LE provisions of the Bill whilst the shopkeeper continues to process under the GDPR. Example Similarly, the processing of data by banks for the purposes of detecting crime, such as fraud, also initially falls under GDPR. This processing is only captured by the LE provisions when it is transferred to, and being processed by, the police/nca or any other competent authority. There may be situations where a competent authority processes data and the purposes for that processing could routinely shift from GDPR to Part 3 of the Bill. In these cases, only data that is identified for the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security are required to be processed under the provisions of Part 3 of the Bill. Authorities will therefore be required to have appropriate processes and procedures in place to identify and log processing for such cases and have a clear justification for the application of any law enforcement restrictions in this respect. Will employers who conduct employment or vetting checks only for these purposes fall outside of the scope of competent authority? Employers conducting criminal records checks are likely to fall outside the scope of competent authority as the processing will not be undertaken for the purposes of law enforcement. The processing will therefore likely be under the GDPR. The primary purpose of that processing is tied into the recruitment/employment process. A data controller will fall within the scope of competent authority if they are listed in the legislation or have statutory functions for any of the law enforcement purposes. Article 10 of GDPR addresses the processing of personal data relating to criminal convictions and offences. The article states that checks of such information should be carried out in accordance with Member State law that provides appropriate safeguards for the rights and freedoms of data subjects/applicants. Within the UK, criminal records checks are undertaken through the Disclosure & Barring Service (DBS) or Disclosure Scotland. In terms of appropriate safeguards, the Police Act 1997 (for certificates) and the 07 December

8 Rehabilitation of Offenders Act 1974 as amended (for declarations), provides the required legislative provision for employers and other bodies to continue to request checks at Basic, Standard, and Enhanced level disclosures as appropriate in individual circumstances. 07 December

9 How can we comply? Are we conducting automated processing for the purposes of the LE provisions? The LE provisions have a specific requirement to keep logs of any automated processing of personal data. They do not include a definition of an automated processing system however it is interpreted that the term refers to any system which undertakes processing by automated means, and is likely to involve some human interaction. The term automated processing system is different to automated decision-making. For example, a database of criminal records or prosecution histories is an automated processing system. Is it possible to keep personal data indefinitely if needed? Do we need to inform data subjects each time a retention period changes? Under the DPA 1998 retention periods are not defined, and personal data should only be retained for as long as necessary. Similarly, the LE provisions of the Bill state that personal data processed for the law enforcement purposes must: not be kept for longer than is necessary; require appropriate time limits to be established for the erasure of personal data; and need periodic reviews of their storage. This means that where an organisation is unable to specify a date for destruction of the personal data, it must specify a time period when the retention period will be reviewed. Data subjects should be made aware of these timescales. Is it mandatory for all law enforcement agencies to have a Data Protection Officer (DPO)? All data controllers that are competent authorities will need to have a DPO in place. Some staff may currently be called DPOs, but an updated job specification may be required if it does not currently match the attributes of a DPO provided for in the legislation. For example, DPOs will be required to have expert knowledge of data protection law and practice. Will data sharing with non-competent authorities take place under GDPR or the LE provisions? Any processing that involves data sharing to non-competent authorities is likely to need to comply with GDPR. Similarly, any data sharing that takes place which does not fall under the law enforcement purposes must also be compliant with the requirements of GDPR. 07 December

10 What are the timescales for subject access requests under the LE provisions? A data controller should respond without delay and at least within one month of receipt, subject to exemptions. The relevant day means the day on which: the controller receives the request; the controller receives additional information from the data subject (if any) requested in connection with a request; or the day on which an appropriate fee (if any) charged in connection with a repeat request is paid. Is it mandatory for a competent authority to carry out DPIAs under the LE provisions? Yes, where the processing is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope and purposes of the processing. A DPIA is an assessment of the impact of the envisaged processing operations on the protection of personal data and therefore needs to be carried out prior to any processing. Where a high risk has been identified, the controller must consult the Information Commissioner prior to the processing taking place. The timescales for the Information Commissioner to respond is six weeks. The Information Commissioner may extend this by a further period of one month, taking into account the complexity of the intended processing. 07 December