Data protection. Guide to the Law Enforcement Provisions

Contents

Introduction
What is it?
Who does Part 3 of the DP Bill apply to?
How can we comply?

Version 1.0.6, 07 December 2017

Introduction

The Guide to the Law Enforcement Provisions explains Part 3 of the Data Protection Bill to help organisations comply with its requirements. It is for those who have responsibility for data protection in criminal law enforcement. This is a living document which explores some frequently asked questions, and we are working to expand it in key areas.

Alongside the Guide to the Law Enforcement Provisions, we have produced a 12 step guide to help organisations prepare.

Further reading:
Preparing for the law enforcement requirements (Part 3) of the Data Protection Bill: 12 steps to take now (for organisations, PDF)
Webinar: Law enforcement provisions of the Data Protection Bill

What is it?

What is the EU Law Enforcement Directive?

Directive (EU) 2016/680, also known as the Law Enforcement Directive (LED), complements the General Data Protection Regulation (GDPR). It sets out the requirements for the processing of personal data for criminal law enforcement purposes and for the free movement of such data, and it replaces the 2008 Council Framework Decision (2008/977/JHA) on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters. The Directive applies to EU Member States (including the UK), which are required to transpose it into their national law by May 2018. Part 3 of the Data Protection Bill 2017 is intended to implement the Law Enforcement Directive in domestic UK law.

What is the Data Protection Bill, and how does it apply to law enforcement?

The Data Protection Bill will replace the Data Protection Act 1998 (DPA 1998) for domestic processing for criminal law enforcement purposes by competent authorities. Part 3 of the Bill will also govern international transfers for criminal law enforcement purposes. In practice, this means that specific processing for law enforcement purposes by the police and other law enforcement agencies will be governed by the new provisions in the Bill. The new law enforcement provisions are intended to cover both cross-border and UK domestic processing of personal data for the law enforcement purposes.

Are the Law Enforcement Provisions in Part 3 of the DP Bill different from the GDPR?

It is important to read the GDPR and the law enforcement provisions of the Bill side by side. The LE provisions in the Bill only apply to competent authorities processing for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (commonly referred to as the law enforcement purposes). The LE provisions are likely to cover criminal courts, prisons and any other person that has statutory functions for any of the law enforcement purposes, as well as law enforcement bodies such as the police or prosecution bodies.

As with the GDPR, the LE provisions demand more from organisations in terms of accountability, and enhance the existing rights of individuals, subject to appropriate restrictions. There are some key differences: Part 3 of the Bill requires controllers to:

- categorise individuals (ie witnesses, victims, suspects, convicted perpetrators);
- classify whether data is fact or personal opinion/assessment; and
- log the specific processing actions carried out in automated systems (ie metadata recording that someone did something at a given time), such as collection, alteration, disclosure or erasure.

Who does Part 3 of the DP Bill apply to?

Am I a competent authority for the purposes of the LE provisions?

A competent authority for the purposes of law enforcement means a person specified in the Bill (Schedule 7) and any other person if, and to the extent that, the person has statutory functions to exercise public authority or public powers for any of the law enforcement purposes. The intelligence services (MI5, MI6 and GCHQ) are not listed as competent authorities, as they are governed by the provisions in Part 4 of the Bill.

Essentially, this means that a competent authority is:

- any public authority with powers to investigate and/or prosecute crimes and impose sentences; or
- any other organisation (such as a private company or contractor) empowered by law (as per clause 28(1)(b) of the DP Bill) to exercise those powers in a way that gives it control over the data, ie as a data controller as opposed to a data processor.

Do the law enforcement purposes apply to criminal or civil functions?

They refer to the processing of personal data for the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Other activities conducted by organisations that are not competent authorities will fall under the GDPR rather than the LE provisions of the Bill. For example, the use of CCTV by shopkeepers, or civil enforcement such as parking fines, will fall under the provisions of the GDPR.

Are private companies that have been contracted to conduct public functions involving the processing of personal data for the prevention/detection of crime and the prosecution of criminal offences within the scope of a competent authority?

Yes, if they fit the criteria set out above. This will depend on the basis on which the private company is empowered by law, ie whether it is a data controller empowered by statute.

What if I am asked to pass information to a law enforcement authority? Does that mean the processing I am doing is now captured by the LE provisions?

No. Your processing is not captured by the LE provisions simply because data is passed to a law enforcement agency. If the organisation holding the data is not processing it for law enforcement purposes, then it will not be captured by the LE provisions. Once the data is transferred, the receiving competent authority will be processing it for the purposes of law enforcement.

Example

A shopkeeper that uses CCTV will be processing the data under the GDPR. It is likely that a shopkeeper is processing for their own purposes under the GDPR, as they are not a prosecuting or law enforcement authority. If the shopkeeper passes the footage to a third party such as the police, the police will then be processing that footage under the LE provisions of the Bill, whilst the shopkeeper continues to process under the GDPR.

Example

Similarly, the processing of data by banks for the purposes of detecting crime, such as fraud, also initially falls under the GDPR. This processing is only captured by the LE provisions when it is transferred to, and being processed by, the police, the NCA or any other competent authority.

There may be situations where a competent authority processes data and the purpose of that processing routinely shifts from the GDPR to Part 3 of the Bill. In these cases, only data that is identified for the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, is required to be processed under the provisions of Part 3 of the Bill. Authorities will therefore need appropriate processes and procedures in place to identify and log such processing, and a clear justification for applying any law enforcement restrictions in this respect.

Will employers who conduct employment or vetting checks only for these purposes fall outside the scope of competent authority?

Employers conducting criminal records checks are likely to fall outside the scope of competent authority, as the processing will not be undertaken for the purposes of law enforcement; its primary purpose is tied to the recruitment/employment process. The processing will therefore most likely fall under the GDPR. A data controller will fall within the scope of competent authority if it is listed in the legislation or has statutory functions for any of the law enforcement purposes.

Article 10 of the GDPR addresses the processing of personal data relating to criminal convictions and offences. It states that such processing should be carried out under the control of official authority or in accordance with Member State law that provides appropriate safeguards for the rights and freedoms of data subjects/applicants. Within the UK, criminal records checks are undertaken through the Disclosure & Barring Service (DBS) or Disclosure Scotland. In terms of appropriate safeguards, the Police Act 1997 (for certificates) and the Rehabilitation of Offenders Act 1974 as amended (for declarations) provide the legislative basis for employers and other bodies to continue to request checks at Basic, Standard and Enhanced levels of disclosure as appropriate in individual circumstances.

How can we comply?

Are we conducting automated processing for the purposes of the LE provisions?

The LE provisions have a specific requirement to keep logs of processing carried out in automated processing systems. They do not define an automated processing system; the term is interpreted as referring to any system which undertakes processing by automated means, and is likely to involve some human interaction. An automated processing system is not the same thing as automated decision-making. For example, a database of criminal records or prosecution histories is an automated processing system.

Is it possible to keep personal data indefinitely if needed? Do we need to inform data subjects each time a retention period changes?

Under the DPA 1998 retention periods are not defined; personal data should only be retained for as long as necessary. Similarly, the LE provisions of the Bill state that personal data processed for the law enforcement purposes must not be kept for longer than is necessary, and that appropriate time limits must be established for the erasure of the data or for a periodic review of the need for its continued storage. This means that where an organisation is unable to specify a date for destruction of the personal data, it must specify a period after which the retention of the data will be reviewed. Data subjects should be made aware of these timescales.

Is it mandatory for all law enforcement agencies to have a Data Protection Officer (DPO)?

All data controllers that are competent authorities will need to have a DPO in place. Some staff may currently be called DPOs, but an updated job specification may be required if the role does not match the attributes of a DPO provided for in the legislation. For example, DPOs will be required to have expert knowledge of data protection law and practice.

Will data sharing with non-competent authorities take place under the GDPR or the LE provisions?

Any processing that involves sharing data with non-competent authorities is likely to need to comply with the GDPR. Similarly, any data sharing which does not fall under the law enforcement purposes must also comply with the requirements of the GDPR.
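The logging requirement (listed among the key differences above, and again under the automated processing system question) is the one point in this guide that translates directly into system design. The following is an added example, not part of the ICO guide and not any force's or supplier's code: a minimal append-only, hash-chained log of processing operations in an automated processing system. It records the operations the guide lists (collection, alteration, disclosure, erasure) plus consultation, and refuses a consultation or disclosure entry that lacks a justification, or a disclosure that lacks a recipient, which is what the Directive's logging article (Article 25 of Directive (EU) 2016/680) asks logs to make it possible to establish. The class and function names are this example's own, and the record identifiers, user names and case references in demo() are constructed sample data.

```python
"""Append-only, hash-chained processing log for an automated processing system.
Added example, not from the ICO guide or any force's systems; the sample
records, users and justifications in demo() are constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Callable, Optional

# Operations the guide says must be logged, plus consultation (LED Article 25).
LOGGED_OPERATIONS = frozenset({"collection", "alteration", "consultation", "disclosure", "erasure"})
# Consultation and disclosure logs must show why; disclosure logs also show to whom.
NEEDS_JUSTIFICATION = frozenset({"consultation", "disclosure"})


@dataclass(frozen=True)
class LogEntry:
    seq: int                    # position in the chain, starting at 0
    timestamp: str              # UTC, ISO 8601
    operation: str
    record_id: str              # which personal-data record was touched
    actor: str                  # user or service account that performed it
    justification: Optional[str]
    recipient: Optional[str]
    prev_hash: str              # entry_hash of the previous entry ("" for the first)
    entry_hash: str             # SHA-256 over every field above

    @staticmethod
    def compute_hash(fields: dict) -> str:
        canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ProcessingLog:
    """Entries can only be appended; verify() detects later edits or deletions."""

    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._entries: list[LogEntry] = []
        self._clock = clock

    def record(self, operation: str, record_id: str, actor: str,
               justification: Optional[str] = None, recipient: Optional[str] = None) -> LogEntry:
        if operation not in LOGGED_OPERATIONS:
            raise ValueError(f"unknown operation {operation!r}")
        if operation in NEEDS_JUSTIFICATION and not justification:
            raise ValueError(f"{operation} must record a justification")
        if operation == "disclosure" and not recipient:
            raise ValueError("disclosure must record the recipient")
        fields = {
            "seq": len(self._entries), "timestamp": self._clock().isoformat(),
            "operation": operation, "record_id": record_id, "actor": actor,
            "justification": justification, "recipient": recipient,
            "prev_hash": self._entries[-1].entry_hash if self._entries else "",
        }
        entry = LogEntry(**fields, entry_hash=LogEntry.compute_hash(fields))
        self._entries.append(entry)
        return entry

    def entries(self) -> list[LogEntry]:
        return list(self._entries)

    def verify(self) -> bool:
        # Recompute each hash and check every entry points at its predecessor.
        prev = ""
        for i, e in enumerate(self._entries):
            fields = {k: v for k, v in asdict(e).items() if k != "entry_hash"}
            if e.seq != i or e.prev_hash != prev or LogEntry.compute_hash(fields) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def disclosures_of(self, record_id: str) -> list[LogEntry]:
        """Who received this record, when, and on what justification?"""
        return [e for e in self._entries if e.record_id == record_id and e.operation == "disclosure"]


def demo() -> ProcessingLog:
    """Constructed lifecycle of one record: collected, consulted, disclosed, erased."""
    log = ProcessingLog()
    log.record("collection", "REC-1001", actor="intake-service")
    log.record("consultation", "REC-1001", actor="pc1234",
               justification="Case ref 2017/042: suspect identification")
    log.record("disclosure", "REC-1001", actor="pc1234", recipient="CPS",
               justification="Case ref 2017/042: file for charging decision")
    log.record("erasure", "REC-1001", actor="retention-job")
    return log


def tampered_copy(log: ProcessingLog) -> ProcessingLog:
    """Copy in which the disclosure recipient was changed after the fact."""
    copy = ProcessingLog(clock=log._clock)
    copy._entries = [replace(e, recipient="unknown") if e.operation == "disclosure" else e
                     for e in log.entries()]
    return copy


def is_rejected(log: ProcessingLog, **kwargs) -> bool:
    try:
        log.record(**kwargs)
        return False
    except ValueError:
        return True
```

In a real deployment the entries would be written to storage that the system's ordinary users cannot modify (a separate append-only service or write-once media), and the chain head would be anchored periodically somewhere the log owner cannot rewrite; the chaining logic itself is unchanged. The point of disclosures_of() is that a log structured this way can answer the question a data subject or the Commissioner will ask: who was this record passed to, when, by whom, and on what justification.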

What are the timescales for subject access requests under the LE provisions?

A data controller should respond without undue delay and in any event within one month of the relevant day, subject to exemptions. The relevant day means the latest of:

- the day on which the controller receives the request;
- the day on which the controller receives any additional information it has requested from the data subject in connection with the request; or
- the day on which any fee charged in connection with a repeat request is paid.

Is it mandatory for a competent authority to carry out DPIAs under the LE provisions?

Yes, where the processing is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope and purposes of the processing. A DPIA is an assessment of the impact of the envisaged processing operations on the protection of personal data, and therefore needs to be carried out before the processing begins. Where a high risk has been identified, the controller must consult the Information Commissioner before the processing takes place. The Information Commissioner has six weeks to respond, and may extend this by a further period of one month taking into account the complexity of the intended processing.