Data Protection & Law Enforcement: DPA 2018 & EU Law for UK Data Sharing, Assignments of Law

Download Data Protection & Law Enforcement: DPA 2018 & EU Law for UK Data Sharing and more Assignments Law in PDF only on Docsity! Explanatory Framework for      Adequacy Discussions Section F: Law Enforcement Overview This section provides an overview of the UK's law enforcement                    data protection regime. It outlines principles, data subject rights,                  and obligations in the law enforcement context. It will cover the                      DPA 2018 and domestic application of EU law for data sharing,                      and detail relevant aspects of common law and legislation on                    police powers. Section F: Law Enforcement Introduction This section provides an overview of the UK’s law enforcement data protection regime. It is structured as follows: ● Part I sets out the wider context for law enforcement data processing, including the historical development of the policing model, and its legislative bases. ● Part II summarises key elements of the DPA 2018 for law enforcement processing, with a focus on principles and the rights of data subjects. ● Part III summarises key accountability and compliance obligations. These include data protection by design and default; security requirements; data protection officers; and data protection impact assessments. ● Part IV summarises provisions on international transfers in the law enforcement context. ● Part V sets out key oversight and enforcement mechanisms, including the ICO. More detail on the ICO and alternative redress routes is in Section G of this pack. Section F: Law Enforcement The model of “policing by consent” operates on the basis that the power of the police comes from the common consent of the public, as opposed to the power of the state. Such consent is not provided by particular individuals but is based on public approval of the existence, actions and behaviour of law enforcement authorities, and on their ability to secure and maintain public respect and trust. 4 A vital component of public consent is the protection of civil liberties, which the police must obtain while balancing the need to ensure public security. UK authorities are constantly vigilant to maintain public security whilst upholding the principle of respect for privacy. Part 3 of the DPA 2018 strengthens the rights and protections of data subjects, while ensuring that the law enforcement agencies can continue to process personal data to prevent and investigate crime, bring offenders to justice, and keep communities safe. Legislative Bases of the Policing Model There are two types of law in the UK which together make up the UK legal framework: ● Legislation​: ​The UK legislature consists of the UK Parliament (in Westminster, London), the Scottish Parliament, the National Assembly for Wales and the Northern Ireland Assembly. They are responsible for passing primary legislation (Acts of Parliament) and delegating and approving secondary ​legislation (typically more detailed rules). ● Common Law: Sometimes also known as customary law, or judge made law, common law is created by the judiciary through the decisions in the cases they hear. The defining feature of the common law is that it is based on precedent and is underpinned by the principle of ​stare decisis (standing by decisions of higher courts). The conclusions the judges reach are normally recorded as court judgments, and collectively these form part of the common law. In practice, this means a judge presiding over a case will check to see if a similar situation has come before a court previously. If a precedent was set by a court of equal or higher standing, the judge will in most instances follow the decision. UK legislation provides a comprehensive framework for the powers, scope and limits of police force activity. It is important to note that the UK has three separate legal systems: one each for Scotland; England and Wales ; and Northern Ireland. This reflects its historical 5 origins. Devolution has provided for the transfer of some powers from the Westminster Parliament to the Welsh Assembly in Cardiff, the Northern Ireland Assembly in Belfast and the Scottish Parliament in Edinburgh. ​UK Parliament will not normally legislate on matters that are 4 This is one reason why UK police forces are not routinely armed. 5 England and Wales share the same legal system. Section F: Law Enforcement within the legislative competence (i.e. jurisdiction) of the Scottish Parliament, the National Assembly for Wales or the Northern Ireland Assembly without the relevant devolved legislature’s consent. Whilst data protection is a reserved matter and the UK DPA applies across the UK, policing is an example where policy is devolved. As such, there is often similar, but different, legislation applicable to policing in England and Wales; Scotland; and Northern Ireland. Acts of Parliament Over the past 25 years, the UK Parliament has passed a number of key pieces of legislation which relate to the powers of law enforcement agencies in the UK. Most of this legislation has been subject to amendment, since it was originally passed to keep the law up to date with modern developments. Some of the key pieces are below to give an indication of other legislation – aside from the DPA 2018 – that provide for information management requirements. Perhaps most important is the Police and Criminal Evidence Act 1984 (PACE) (England and 6 Wales) which sets out the key powers of police officers in England and Wales including: ● stop and search; ● arrest; ● detention; ● investigation; ● identification; and ● interviewing of detainees. Similar legislation exists in Scotland by virtue of the Criminal Justice (Scotland) Act 2016 and 7 in Northern Ireland by virtue of the Police and Criminal Evidence (Northern Ireland) Order 1989 (SI 1989/1341). 8 PACE and the devolved equivalents provide safeguards and limitations to these powers. 9 Since their enactment, they have been subject to further amendments, for example, to ensure compliance with the Human Rights Act 1998. Part VI of PACE requires the Home Secretary to issue Codes of Practice. The ‘PACE Codes’ (A-H) provide for the exercise of 10 these powers in an operational context in England and Wales, in a way that protects the rights of the public, ensures fairness to individuals, and is compatible with the British model of policing by consent. 6 https://www.legislation.gov.uk/ukpga/1984/60/contents 7 http://www.legislation.gov.uk/asp/2016/1/contents/enacted 8 http://www.legislation.gov.uk/nisi/1989/1341/contents 9 See also Sections 16, 18 and 32 of PACE. 10https://www.gov.uk/guidance/police-and-criminal-evidence-act-1984-pace-codes-of-practice#pace-codes-of- practice Section F: Law Enforcement In Scotland, the Criminal Justice (Scotland) Act 2003 , along with common law, provide a 11 robust retention schedule for the taking, retaining and deleting of samples and profiles of both victims and suspects of crime. The Protection of Freedoms Act 2012 (PoFA) was brought in in response to the 2008 12 judgment of the European Court of Human Rights in the case of ​S and Marper v UK . In this 13 case, the court ruled that the blanket retention of DNA profiles taken from innocent people posed a disproportionate interference with the right to respect for private life, in violation of Article 8 of the European Convention on Human Rights. The judge commented favourably on the ​Criminal Procedure (Scotland) Act 1995 and PoFA was enacted across England and Wales. PoFA, like the Criminal Procedure (Scotland) Act, aims to strike a balance between protecting the freedoms of those who are innocent of any offence whilst ensuring that the police continue to have the capability to protect the public and bring criminals to justice. Some of the principle UK Law Enforcement Agencies are also subject to the Investigatory Powers Act 2016 and Regulation of Investigatory Powers Act 2000 . These regimes are 14 15 covered in detail in ​Section H​ of the pack and will not be covered here. Whilst not specific to law enforcement – UK Law Enforcement are required to act consistently with the European Convention on Human Rights (ECHR). The Human Rights Act 1998 (HRA) gives effect to certain rights contained within the ECHR in domestic law (the 16 ‘Convention rights’, as defined in Section 1 HRA). The HRA provides that all public bodies must act compatibly with those ECHR rights, and individuals can rely on those Convention rights when bringing claims in domestic courts. As a result, law enforcement agencies must ensure compliance with the ECHR. For example, when processing data, they must comply with the right to respect for private and family life, ensuring any interference with this right is permissible with the convention right. Similarly, the Equality Act 2010 legally protects people from discrimination in the 17 workplace and in wider society. The Act introduced the Public Sector Equality Duty which means that public bodies (not specifically law enforcement) must consider all individuals when carrying out their day-to-day work – in shaping policy, in delivering services and in relation to their own employees. 11 http://www.legislation.gov.uk/asp/2003/7/contents 12 http://www.legislation.gov.uk/ukpga/2012/9/contents/enacted 13 http://www.bailii.org/eu/cases/ECHR/2008/1581.html 14 http://www.legislation.gov.uk/ukpga/2016/25/contents/enacted 15 http://www.legislation.gov.uk/ukpga/2000/23/contents and the Regulation of Investigatory Powers (Scotland) Act 2000 (http://www.legislation.gov.uk/asp/2000/11/contents) 16 http://www.legislation.gov.uk/ukpga/1998/42/contents 17 ​http://www.legislation.gov.uk/ukpga/2010/15/contents​. In Northern Ireland, the equivalent legislation is the Northern Ireland Act 1998; http://www.legislation.gov.uk/ukpga/1998/47/section/75 Section F: Law Enforcement The MoPI Code ensures that there is broad consistency between forces in the way information is managed. This not only encourages effective use of available information within and between individual police forces and other agencies, but also the fair use of data. MoPI sets out the principles governing the management of information (including personal data) which the police service may need to manage and use. It Includes guidance on a range of processing activities such as: ● Collection and Recording:​ accurate assessment and timely analysis of information. ● Evaluation: Police information undergoes evaluation appropriate to the policing purpose for which it was collected and recorded. All police information is evaluated to determine provenance, accuracy, continuing relevance to a policing purpose and what action, if any, should be taken. ● Common process for managing police information: Information comes from various sources and is received in different ways. As a result, it may be necessary to link information collected for one policing purpose to information collected elsewhere for a different purpose. ● Retention, Review, and Disposal: The review of police information is central to risk-based decision making and public protection. Records must be regularly reviewed to ensure that they remain necessary for a policing purpose and are adequate and up to date. The guidance also recognises that the police service creates a plethora of records during the delivery of policing, and it is these records that the guidance is primarily trying to manage by setting the minimum standards for processing activities. They are, however, not mandatory and there are occasions when individual police forces may deviate from them for a variety of technical, operational and organisational reasons. Even in these scenarios, forces ​are still required to comply with the requirements of Part 3 of the DPA 2018​. Furthermore, Part 3 of the DPA 2018 is a comprehensive regime to govern data processed for law enforcement purposes. This means that, even when the police use their common law powers to process data, they do so within the limits imposed by the DPA 2018. A decision to perform any sort of data processing - particularly using common law powers – must comply with the requirements of MoPI, and balance the rights of the individual against those of the public in general or any specific member or members of the public. This includes contemplating the impact of processing on the private life of the individual involved, whilst taking into account any adverse effect processing might have on the avoidance or detection of crime. Section F: Law Enforcement Although MoPI does not apply to Scotland, under the Code of Practice, the Scottish Police Services Authority are required to establish an Information Management Strategy , 22 complying with guidance and standards issued under the MoPI Code. The resultant Strategy is very similar to the MoPI. The PSNI are not required by law to follow MoPI; however, they endeavour to voluntarily adopt the principles within their law enforcement processing. By way of contrast, the National Crime Agency cannot rely on common law powers. It is a creature of statute and therefore must operate within the confines of the legislation that established it – the Crime and Courts Act 2013 . Under Part 1 of the Act, the NCA has a 23 function in respect of tackling serious and organised crime, and a wider criminal intelligence function in respect of all types of crime. 24 Its activities in relation to serious and organised crime include tackling the importation/supply of drugs and firearms; human trafficking; sexual abuse; high-end money laundering; organised immigration crime; and tackling cybercrime. By virtue of this legislation, NCA officers may be designated with the powers and privileges of a constable and the law enforcement powers of an officer of Revenue and Customs, an immigration officer and a general customs official. This enables them to effectively fulfil their broad functions and deploy techniques that are not available to the police. The suite of powers which are exercisable by NCA officers enable them to do a range of things crucial to any criminal investigator including gaining entry to property, searching (people and premises), seizing goods, detaining and arresting suspects and executing warrants. This will result in processing the personal data of victims, witnesses and suspects, as the police do. In addition, the NCA has a power to provide assistance to foreign governments, and overseas bodies carrying out functions of a public nature. For the purposes of the discharge of any function of the NCA, it may enter into arrangements for co-operating with other persons (in the United Kingdom or elsewhere). These functions and the information gateway in Section 7 of the Act permit the NCA officers to exchange data with their international counterparts subject to compliance with the DPA 2018. PART II: THE CURRENT REGIME - DPA 2018 This section contains information on: 22 ​https://www.nrscotland.gov.uk/files/record-keeping/public-records-act/element3-SPSAStrategy.pdf 23 In Northern Ireland, the equivalent legislation is the Northern Ireland Act 1998; http://www.legislation.gov.uk/ukpga/1998/47/section/75 24 The NCA requires the permission of the Lord Advocate to act in Scotland. Section F: Law Enforcement ● the development of the law enforcement data processing framework and background to the 2018 reforms ● key elements of the UK’s law enforcement data protection framework. This includes scope; definitions; principles; rights; and restrictions. Other obligations and provisions on international transfers are covered in ​Parts III and IV​ of this section. Development of the Law Enforcement Data Processing framework The UK has placed great significance on ensuring the correct balance between the rights of the data subject and the operational effectiveness of our law enforcement community. It has historically been at the forefront of data protection. As far back as the 1970s, it began taking steps to address the gap in the governance of personal information. ● The Younger Committee on Privacy established ten principles for the handling of 25 personal data that were to influence data protection statutes in Europe. ● In 1984, the UK’s first Data Protection Act became law, drawing on the principles 26 contained in the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108) . Although narrow 27 in focus – it only applied to personal data stored on a computer – it instilled data protection standards across the board, including for law enforcement processing. ● In 1995, the European Union passed the Data Protection Directive (95/46/EC) which brought in a common standard for data protection throughout the European Union. This was transposed into UK law by the Data Protection Act 1998 . Although the 28 Directive did not apply to data processing for law enforcement purposes, the then Government extended it to cover all processing of personal data in the UK in order 29 to create a single data protection regime. As a result, law enforcement agencies in the UK were required to comply with the provisions of the Act. The DPA 1998 set out the rights of data subjects, alongside a number of exemptions to those rights including for crime and taxation. It 30 established the post of Information Commissioner and provided them with a number of powers of enforcement. ● In 2008, the then Government transposed the Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (the ‘Framework Decision’). 25 https://api.parliament.uk/historic-hansard/lords/1973/jun/06/privacy-younger-committees-report 26 http://www.legislation.gov.uk/ukpga/1984/35/pdfs/ukpga_19840035_en.pdf 27 https://www.coe.int/en/web/data-protection/convention108-and-protocol 28 http://www.legislation.gov.uk/ukpga/1998/29/contents 29 Except for processing by private individuals for domestic purposes 30 including for crime and taxation Section F: Law Enforcement ● by appearing in Schedule 7 of the DPA 2018; or ● by carrying out a statutory function for a law enforcement purpose. All UK Government Departments are included in Schedule 7. This means, for example, the Home Office (HO) is a competent authority for the purposes of Part 3. Non-ministerial Government Departments and other organisations, such as the Commissioners for HMRC, are also listed in Schedule 7 where appropriate. Others, such as local authorities which are not named in Schedule 7 may still be a competent authority if they have a legal power to process personal data for law enforcement purposes. Example 1: A local authority processes personal data as part of a trading standards prosecution. Local authorities are not listed in Schedule 7; however, the local authority is carrying out a statutory function and prosecuting is a law enforcement purpose (see below). Section 222 of the Local Government Act 1972 permits local authorities to take prosecutions in the interests of the inhabitants for their areas. In this instance, the local authority would be operating as a competent authority. Competent authorities do not include those carrying out private prosecutions; nor does it include the intelligence services as they are governed by Part 4. ‘Law enforcement purposes’ is defined in Section 31 of the Act as ‘​for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security’. When determining whether processing is for a law enforcement purpose, it is important to assess whether the ‘​primary purpose’ of the processing is law enforcement. It must therefore be more than incidental to the processing. In some circumstances, crimes will be detected, even though there is no intention to carry out law enforcement action. It is important to reflect on the wording within Section 31 which says the processing has to be carried out ‘for the purpose of’ law enforcement. If a law enforcement action is not contemplated at the time the processing takes place, it is unlikely the processing will be more than merely incidental to law enforcement and it cannot ​therefore be done under Part 3. Section F: Law Enforcement Example 2: A foreign national seeks to enter the UK as a visitor by confirming he will leave within the required 6 month period. On closer inspection, the Border Force Officer finds evidence to suggest he is planning to stay in the UK. Using deception to enter the UK is a criminal offence; however, the officer administratively removes the individual in line with Home Office policy rather than pursuing a criminal prosecution. The officer’s role requires her to process personal data. Although the officer in the above example has detected a crime, this still remains incidental to her primary purpose: to identify and administratively remove offenders. The processing of personal data therefore takes place under Part 2 (general processing). There will be instances in which data is collected for a purpose other than law enforcement, and the circumstances change in that the data is later used for a law enforcement purpose. In most of these situations, it will be clear when the primary purpose changes as specialist teams will take over the case; for instance, Fraud Units or Prosecution Teams. Example 3: HM Passport Office (HMPO) receives an application for a new passport. During the process, they carry out standard checks to ascertain the genuineness of the application and discover potential fraud. They pass the case to their specialist fraud unit. The application in the above example is initially processed under the general processing provision (Part 2). Even though as part of their standard checks they are looking for fraudulent applications, this remains part of the general processing, since detecting crime is not the ‘primary purpose’ of processing a passport application. Once the potential fraud is detected and it is handed to the specialist fraud unit, the primary purpose of the processing changes. This is made clear by the fact the primary function of a fraud unit is to detect and prevent crime. At this point, Part 3 (law enforcement) applies. Data collected and processed in accordance with Part 3 may also sometimes be further processed under Part 2 to assist in the formulation of policy or operational planning. The regime which applies will depend on the primary purpose for any further processing. The section below provides further definitions found in Part 3 of the DPA 2018. The UK has, as noted copied out the LED wherever possible. The list below represents where the UK has diverged or expanded on that provided for in the LED but still remained within the spirit of Section F: Law Enforcement the legislation. This is included here to aid understanding of the Act. Sections 3 and 205 of the DPA 2018 include definitions of other expressions used in Part 3: ● Controller​: this is either the competent authority which, either alone or jointly, determines the purposes and means of the processing of the personal data, or one which is required to do so by virtue of an enactment. This has the same practical effect as the LED definition. ● Processor: this is identical to the definition under Article 3(9) of the LED, except that it clarifies that an employee of a controller is not a processor and uses the term ‘person’ in lieu of ‘natural or legal person, public authority, agency or other body’. This latter change reflects the fact that the term ‘person’ is defined as “includ[ing] a body of persons corporate or unincorporate” under Schedule 1 of the Interpretation Act 1978; hence public authorities, agencies and other bodies are already captured. ● Employee​: this is an individual who holds a position, whether paid or unpaid, which falls under the direction and control of another person. ● Recipient: this is identical to the definition set out under Article 3(10) of the LED, except that the UK has not transposed the latter part of the definition relating to processing by public authorities. This is because all public authorities will, in any case, be bound by the appropriate Part of the DPA 2018. ● Third country: this is a country or territory other than the UK (following the UK’s withdrawal from the European Union). ● Personal data: this is identical to the definition set out under Article 3(1) of the LED, except that, for clarity, the UK has separated out the definition of ‘identified or identifiable natural person’ and have used the term ‘identifiable living individual’ in lieu of ‘natural person’. This latter change is in order to bring Part 3 of the DPA 2018 in line with recital 27 of the GDPR, which clarifies that it does not apply to deceased persons. ● Processing: this is identical to the definition set out under Article 3(2) of the LED, except that the UK has omitted the words “whether or not by automated means” since the definition applies to all processing of personal data. ● Pseudonymisation:​ this term is not used in the DPA 2018. ● Profiling/ Genetic data/ Biometric data/ and data concerning health​: these definitions are identical to those set out in Articles 3(4), 3(12), 3(13), and 3(14) respectively, of the LED except that the UK has used the term ‘individual’ in lieu of ‘natural person’. This is because ‘natural person’ is not a term which is used in UK law. Section F: Law Enforcement for. They must retain the policy document, reviewing and updating it as necessary, and must make it freely available to the ICO upon request. Section 61(1) requires controllers to keep a record of the categories of processing that they are responsible for and Section 61(3) requires processors to keep a record of the categories of processing activities they carry out on a controller’s behalf. Section 61(1) sets out that these records must include, for example, the name and contact details of the controller, the purposes of processing and a description of the categories of data subject and personal data processed by them. Additionally, where the processing is of sensitive data, the controller, or (where the processing is carried out by a processor acting on their behalf) the processor, must state: ● whether the sensitive processing is carried out on the basis of consent or, alternatively, which of the conditions set out in Schedule 8 are relied on; ● how the processing satisfies the requirement that it be lawful and fair; and ● whether personal data is retained and erased in accordance with the policy document and if not, state why. Principle that purposes of processing be specified, explicit and legitimate The second data protection principle in Section 36 of the DPA 2018 is one of purpose limitations, stating that firstly, ​“​the law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate” and secondly, 40 “personal data so collected must not be processed in a manner that is incompatible with the purpose for which it was collected”. 41 The DPA 2018 provides that personal data collected for a law enforcement purpose may be processed for any other law enforcement purpose, whether by the controller that collected the data or by another controller. 42 However, it can ​only ​be processed if the controller is authorised by law to process the data for the other purpose, and the processing is necessary and proportionate to that other purpose. For example, the Crown Prosecution Service could process personal data in 43 relation to the prosecution of an offence, and Her Majesty’s Prison Service could process the same data to ensure the execution of a criminal penalty. This provision ensures the smooth flow of personal data through the criminal justice system. 40 Section 36(1)(a). 41 Section 36(1)(b). 42 Section 36(3). 43 Section 36(3). Section F: Law Enforcement Additionally, personal data collected for any of the law enforcement purposes may not be processed for a purpose that is not a law enforcement purpose unless the processing is authorised by law. 44 Principle that personal data be adequate, relevant and not excessive The Third Data Protection Principle set out under Section 37 of the DPA 2018 requires that personal data processed for any of the law enforcement purposes must be adequate, relevant, and not excessive in relation to the purpose for which it is processed. This is focussed on data minimisation and ensuring competent authorities store and access personal data for a legitimate reason. Principle that personal data be accurate and kept up to date The fourth data protection principle in Section 38 of the DPA 2018 adds that personal data must be accurate and, where necessary, kept up to date. Should it be the case that personal data is inaccurate, every reasonable step must be taken to ensure that it is erased or rectified without delay. 45 When rectifying or erasing inaccurate data, regard needs to be paid to the law enforcement purpose for which it is processed. This ensures that both the rights of data subjects and 46 the operational needs of law enforcement agencies are recognised. The above point was carefully considered during the drafting stages of the Data Protection Bill, as there may be specific and limited operational reasons why data cannot be rectified. Most likely this will be if the inaccurate personal data in question needs to be preserved in its original form for evidential purposes. Additionally, it would not be appropriate to require controllers to correct data in all cases, for example if the inaccuracy is contained within a witness statement, which is necessarily one person’s belief as to the facts concerning a particular allegation. This position is also in line with recital 30 of the LED concerning accuracy, as it relates to personal data based on subjective perceptions such as witness statements. In practice, it is logical for the competent authorities to ensure their personal data is up to date. It is critical for criminal investigations, for example, that intelligence relied on is accurate. High-quality data allows policing to establish where, when, and how often crime is happening. This ensures: ● victims of crime are provided with access to appropriate support services; ● the public are given accurate information about crime in their area; 44 Section 36(4). 45 Section 38(1)(b). 46 Section 38(1)(b). Section F: Law Enforcement ● the police can plan their work in support of victims and meet the demands of investigations based on accurate information and intelligence. Section 38(2) provides that personal data processing must distinguish between data based on facts and that based on assessment, such as a witness statement. Section 38(3) requires personal data be categorised so there is a clear distinction between the personal data relating to victims, witnesses, suspects, and those convicted. In this section, the UK has transposed the requirements of Article 6 and clarified the language used to ensure the requirements are widely understood by Competent Authorities. The UK is in the process of developing a set of standardised principles that will support LEAs in taking a standard approach to these requirements. Principle that personal data be kept for no longer than is necessary The fifth data protection principle in Section 39 of the DPA 2018 sets out that “personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed”. 47 It further requires that “appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes”. This requirement is in line with Article 5 of the LED which requires Member 48 States either to set appropriate time limits for erasure or, as the UK has done, require them to carry out periodic reviews. Personal data held by the police, for example, are subject to strict retention and destruction schedules. Much operational data held by the police, with some exceptions, is governed by MoPI which explicitly stipulates that data associated with all but the most serious public protection matters must be subject to periodic review and destroyed where retention cannot be justified by the review. Operationally, the fifth data protection principle also applies to archiving activities. Law enforcement are permitted to archive personal data if it is conducive to the public interest, for example for historical or scientific purposes or to enable the compilation of statistics. However, Section 41 provides a ​robust safeguard to this provision by expressly prohibiting archiving that is specifically related to an individual or is likely to cause significant distress to the data subject. Principle that personal data be processed in a secure manner The sixth data protection principle in Section 40 of the DPA 2018 covers security and confidentiality. It stipulates that “personal data processed for any of the law enforcement 47 Section 39(1). 48 Section 39(2). Section F: Law Enforcement ● the existence of the rights of data subjects to request from the controller access to, and rectification of, their personal data (subject to exemptions - see ‘restrictions and safeguards’ below); and ● the existence of the right to lodge a complaint with the Commissioner and the contact details of the Commissioner. They must also, in specific cases, provide the data subject with the following information: ● information about the legal basis for the processing; ● information about the period for which the personal data will be stored or, about the criteria used to determine that period; ● where applicable, information about the categories of recipients of the personal data (including recipients in third countries or international organisations); and ● such further information as is necessary to enable the exercise of the data subject’s rights under Part 3. 55 Right of access by the data subject The right of access enables data subjects to obtain a copy of their personal data as well as other supplementary information. It helps data subjects to understand how and why Competent Authorities use their personal data and to verify the lawfulness of any processing. Section 45 of the DPA 2018 entitles a data subject to obtain confirmation from a Competent Authority as to whether or not their personal data is being processed, and, where that is the case, requires them to grant access to the personal data along with pertinent information that enables data subjects to exercise their rights. This includes the purposes of, and legal basis, for the processing; the categories of personal data concerned; and the recipients or categories of recipients to whom the personal data has been disclosed. The information to which the data subject is entitled must be provided in writing, without undue delay, and within one month. Right to rectification, erasure and restriction of processing Under Section 46, a Competent Authority must, if requested by the data subject, rectify any inaccurate personal data belonging to them. Although in practice, Competent Authorities may have already taken steps to ensure that the personal data was accurate when it was first obtained, this right imposes a specific obligation to reconsider the accuracy upon request. Where personal data is inaccurate because it is incomplete, the controller must, if requested by a data subject, complete it. If they are unable to correct it, they may if it is appropriate to 55 ​For example, where the personal data was collected without the knowledge of the data subject. Section F: Law Enforcement do so provide a supplementary statement to rectify personal data. For example, competent authorities are allowed to keep accurate records of allegations made, even if the allegations are unfounded. Where a Competent Authority would be required to rectify personal data under this section but it is required as evidence, such as a witness statement, which is necessarily one person’s belief as to the facts concerning a particular allegation, they must – instead of rectifying the personal data – restrict its processing. This approach affords protection to the data subject, while maintaining the integrity of the criminal justice process. Where a Competent Authority rectifies personal data, it must notify the organisation (if any) from which the inaccurate personal data originated. If the data has been disclosed, the controller must also notify the recipients of the rectification. This helps all controllers domestic and international to comply with the fourth Data Protection Principle. As well as rectifying data, the DPA 2018 places an obligation on Competent Authorities to erase personal data where the processing of the personal data would infringe one of the Data Protection Principles , or where the controller has a legal obligation to erase the data. 56 Though this is not an absolute right, in practice, the controller should conduct periodic reviews of their retention policies to ensure compliance. Where the controller ​would ordinarily be required by the Data Protection Principles to erase personal data, but it is required, for example as evidence, they must, instead, restrict its processing. Where a data subject contests the accuracy of personal data, but the claim cannot be verified, the controller must restrict its processing. In summary, if requested to erase data by the data subject, the controller must look at the requirements under Section 47 of the DPA 2018. They must erase the data or restrict access where there is a legal obligation to do so, or where the processing infringes on the principles in Part 3. Right not to be subject to automated decision-making Section 49 of the DPA 2018 prohibits a controller from making a significant decision or a decision that adversely impacts the data subject based solely on automated processing unless that decision is required or authorised by law . A ‘significant decision’ is one which 57 56 Particularly relevant is the Fifth Data Protection Principle, which requires that personal data be kept for no longer than is necessary. What constitutes “no longer than is necessary” will depend on the class of data (for example DNA and fingerprints, which have a retention period governed by the Protection of Freedoms Act 2012). 57 It is unlikely that an automated decision will be made in the law enforcement context, given the considerable element of human intervention in this space (e.g. police officers). Section F: Law Enforcement has an adverse legal effect on the data subject, or which otherwise significantly affects them. Purely ‘automated ​decision making​’ applies to decisions, often based on algorithms, made wholly without human input. By contrast, decisions involving automated ​processing 58 require the final decision to be made by a human. For example, in the UK speeding cameras are used to enforce speed limits and capture vehicles travelling over the legal limit; when the limit is triggered the camera takes a picture of a vehicle registration for further processing. This is automated processing and enables police forces to produce a ‘speeding ticket’ enforcement notice. Before any such ticket is issued a member of police staff – either warranted or civilian – will intervene to ensure the enforcement is legitimate (though a route of appeal is still available). The UK Government is not currently aware of any wholly automated decision making processes which would fall within Part 3 of the Act. However, to ensure that the rights of data subjects are maintained, sections 49 and 50 of the DPA 2018 enable data subjects to request not to be subject to automated decisions if it might have a significant legal effect on them. If a significant decision is required by law , Section 50 requires the Controller to inform the 59 data subject a decision has been taken based solely on automated processing and provide them with 21 days to ask the controller to reconsider the decision or retake the decision with human intervention. Whilst it is not current practice in law enforcement processing, it is possible automated decision-making could evolve in a law enforcement context as technology in this space continues to become prevalent. It is therefore possible that new, additional safeguards will be needed as a result of future developments in this area. Consequently, Section 50 of the DPA 2018 creates a power to make regulations to allow the Secretary of State to impose additional safeguards or amend the existing safeguards. This adds a degree of future proofing to the UK framework and is an important safeguard to protect citizen’s rights. This power would be subject to the affirmative process. This means that explicit approval would be required by both Houses of Parliament which adds an additional layer of scrutiny to the power. 58 Automated processing is when an operation is carried out on personal data using pre-determined fixed parameters which allow for no discretion by the system and does not involve further human intervention in its operation to produce a result or output. It is regularly used in law enforcement to filter down large data sets to manageable amounts for a human operator to then use. 59 This is referred to in the DPA 2018 as a ‘qualifying significant decision’. Section F: Law Enforcement national security certificates which have been issued, ensuring greater transparency on the use of such certificates than under the previous data protection legislation The ICO will publish details of all national security certificates which have been issued, including the full text of the certificate where possible. There may be some cases where the text of the certificate is sensitive and cannot be published. In those cases, the fact of the certificate, the date it was signed, and which minister signed it, will still be published. Any person directly affected by the issuing of any certificate may appeal to the tribunal to challenge the decision to issue the certificate. Such an appeal would be heard by the Upper Tribunal which would apply judicial review principles when determining the appeal. In applying such principles, the Upper Tribunal would be able to consider a wide range of issues, including necessity, proportionality, and lawfulness. This would enable, for example, the Upper Tribunal to consider whether the decision to issue the certificate was reasonable, having regard to the impact on the rights of data subjects and balancing the need to safeguard national security. PART III: ACCOUNTABILITY AND COMPLIANCE The LED requires Competent Authorities to adopt a proactive, systematic, and accountable attitude towards data protection compliance on a wholesale basis. Sections 55 to 71 of the DPA 2018 place both ​general obligations – such as the duty to cooperate with the ICO – and ​specific obligations on Competent Authorities – for example, the requirement that they have in place a Data Protection Officer (“DPO”). This ensures accountability and compliance and is important in a law enforcement context as it helps to maintain public trust. These sections do not apply a “one size fits all” approach to accountability and compliance. Rather, they ask Competent Authorities to implement technical and organisation measures that are appropriate to the risks to individuals’ rights and freedoms that arise from 63 processing, while the oversight of the ICO and DPO in contrast remain constant. Any measures that are implemented must also be reviewed and updated where necessary. It is also worth noting that Article 21 of the LED provided Member States with the power to designate ‘Joint Controllers’ and, within this provision, which controller should be the lead controller. The UK has chosen not to implement this, as it may not account for the nuances of the relationship between controllers in common. 63 Section 66 further emphasises that security of personal data held must be at a level appropriate to the risks of processing. Section F: Law Enforcement Instead, Section 58 requires joint controllers to ensure there is an unambiguous apportionment of responsibilities to ensure accountability, and to decide which controller will provide which function. This section also contains a derogation allowing Member States to allow data subjects to bring proceedings against each of the controllers involved. The UK has not restricted the rights of the data subject in this respect thereby giving effect to the derogation. Furthermore, ​Part 3 of the DPA 2018 sets out various measures to ensure the accountability of controllers and processors. These include: ● Data Protection by Design and Default: Section 57 of the DPA 2018 places a requirement on controllers to implement appropriate technical and organisational measures to ensure that only personal data which is necessary for each specific purpose of the processing is processed. It also aims to restrict access to data. For example, the Police National Database allows the police service to share local information and intelligence on a national basis. It is available to all forces and some of the National agencies, but access is restricted to those officers who are appropriately trained to handle intelligence and also those with a legitimate need to access the data. This section also enables Competent Authorities to become more cost effective by “designing-in” data protection and privacy at the start of system or project development, thereby avoiding often costly attempts to retrofit these after implementation. Significantly, this places data protection at the heart of system design and processing operations. It is​ identical ​to Article 20 of the LED except for: ○ Removal of the reference to Member State or Union law and EU mechanisms, bodies or institutions; and ○ Removal of examples such as pseudonymisation or data minimisation. ● Security of Measures​: Section 66 of the DPA 2018 emphasises that each controller and each processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data. It is identical ​to its LED counterpart (Article 29) except for summarising various concepts set out under Article 29, such as data media control, storage control, and user control under “unauthorised interference” in Section 66. ● Processing carried out on behalf of a controller: Sections 59 and 60 provide a suite of measures to ensure that, where a controller delegates the processing to another organisation, that organisation meets the requirements of the DPA 2018. These are Section F: Law Enforcement identical ​to their LED counterparts (Articles 22–23). The DPA 2018 provides for the processor to be liable for their activities in essentially the same way as a controller. If a situation arises whereby a processor begins to determine the purpose and means of processing, in breach of Part 3 of the DPA 2018, they then, by default, become a controller in respect of that data. Importantly, this means that the processor then takes on the liabilities of a controller in their own right and would be required to demonstrate compliance as such. In a Part 3 context, this means that if the processor is not a “Competent Authority” as defined in Part 3, they move to the UK GDPR regime and would be subject to the additional requirements of that regime. Even so, given that the data being processed may well be of a sensitive nature, it is entirely appropriate that the person or organisation who determines the means and purpose of that processing is held legally responsible. ● The Designation of Data Protection Officers (DPO): Sections 69–71 of the DPA 2018 set out the requirement to regarding the designation, position, and tasks of the DPO. This requirement did not exist in the previous legislation (Data Protection Act 1998) but it is not a new concept amongst the Law Enforcement community, where a similar role for data protection implementation and advice is long established. This part is​ identical​ to its LED counterpart (Article 32), except for: ○ the replacement of the reference to Member State or Union law to domestic law; ○ exempting courts and other independent judicial authorities when acting in their judicial capacity from that obligation. This is legislated for in the LED; 64 ○ an additional subparagraph (Section 70(3)) making clear that the DPO should not be asked to perform any duties that could give rise to a conflict of interest. ● Data Protection Impact Assessments: Sections 64 and 65 of the DPA 2018 outline the circumstances in which controllers are required to carry out a data protection impact assessment, as well as cases in which prior consultation with the ICO is necessary. These are​ identical​ to their LED counterparts (Articles 64–65) except for: ○ Removal of the reference to Member State or Union law and EU mechanisms, bodies or institutions; and ○ Replacement of the term​ “supervisory authority”​ with the ICO. 64 Article 32(1). Section F: Law Enforcement PART IV: INTERNATIONAL TRANSFERS The UK applies high standards of data protection and enshrines the rights of data subjects within its legal framework for international transfers of law enforcement data to countries outside of the EU. This part explains the provisions set out in: ● the DPA 2018 ● the Data Protection, Privacy and Electronic Communications Regulations 2019 DPA 2018 The DPA 2018 provides the legal framework for competent authorities to transfer personal data to third countries. Before transferring data, competent authorities must (in line with 66 the LED) meet three conditions: ● the transfer must be necessary for any of the law enforcement purposes; ● the transfer must be based on: ○ an adequacy decision in respect of the third country; or 67 ○ if not based on an adequacy decision, the existence of appropriate safeguards; or ○ if not based on an adequacy decision or on there being appropriate safeguards, is based on special circumstances; and ● The transfer must be to: ○ a relevant authority (i.e. the equivalent of a competent authority) in the third country; ○ a ‘relevant international organisation’ e.g. an international body that carries out functions for any of the law enforcement purposes; or ○ a person other than a relevant authority, provided it is strictly necessary for performing one of the law enforcement purposes; there are no fundamental rights and freedoms of the data subject concerned that override the public interest necessitating the transfer; the transfer of the personal data to a relevant authority in the third country would be ineffective or inappropriate; and the recipient is informed of the purposes for which the data may be processed. As highlighted above, transfers to third countries without an adequacy decision may be made with assurance that appropriate safeguards are in place. These safeguards may be provided through: ● a legal instrument providing appropriate safeguards for the protection of personal data binds the intended recipient; or 66 Chapter 5 of Part 3 of the DPA 2018. 67 ​Currently no adequacy decisions have been made with respect to law enforcement specifically. Section F: Law Enforcement ● an assessment performed by the controller which, having assessed all the circumstances surrounding transfers of that type of personal data to a third 68 country, concludes that appropriate safeguards exist. Where the transfer is based on the latter point, the transfer’s date, time, and justification, the name of and any other pertinent information about the recipient, and a description of the personal data transferred must be documented, and provided to the ICO upon request. If a transfer is not based on an adequacy decision or appropriate safeguards, it may be based on special circumstances, which are: a. to protect the vital interests of the data subject or another person; b. to safeguard the legitimate interests of the data subject; c. for the prevention of an immediate and serious threat to the public security of a member state or third country; d. in individual cases for any of the law enforcement purposes; or e. in individual cases for a legal purpose (such as in relation to legal proceedings or to obtain legal advice). When a transfer is made, the transfer’s date, time and justification, the name of and any other pertinent information about the recipient, and a description of the personal data transferred must be documented, and provided to the ICO upon request. If the competent authority determines that the fundamental rights and freedoms of the data subject override the public interest in the transfer then transfers under points d and e above are prohibited. Onward transfers Where personal data is transferred from the UK to third countries or international organisations, any subsequent transfer must only, in principle, take place after the 69 competent authority from which the data was obtained has given its authorisation (the original transfer should provide the recipient with any specific handling conditions). When deciding on a request for the authorisation of an onward transfer, the competent authority that carried out the original transfer should take due account of all relevant factors, including: a. the seriousness of the circumstances leading to the request for authorisation of the subsequent transfer; 68 ​This could include whether the body has any co-operation agreements with Europol or Eurojust, the level of confidentiality applied to the data, ensuring the data will not be processed for other purposes than for the purposes of the transfer. In addition, it is likely to include a consideration of human rights such as ensuring that the data would not be used to impose the death penalty on an individual or any other form of cruel and inhuman treatment. 69 ​See last paragraph of this section. Section F: Law Enforcement b. the purpose for which the personal data was originally transferred; and c. the standards of data protection which apply in the country or international organisation to which the data will be transferred. The competent authority that carried out the original transfer should also be able to subject the onward transfer to specific conditions. Such specific conditions can be described, for example, in handling codes. If the personal data was originally received from a competent authority in another EU Member State, that authority must first authorise any onward transfer unless the controller determines that the transfer is necessary for the prevention of an immediate and serious threat either to the public security of a Member State or a third country or to the essential interests of a Member State, and it cannot be obtained in good time (in which case the relevant authority must be informed without delay). Data Protection, Privacy and Electronic Communications Regulations 2019 In the process of transferring data with third countries, the UK has no plans to lower its data protection standards below those enshrined in the DPA 2018. The legislation the Parliament has recently passed (the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the DPPEC Regulations)) further illustrates this. 70 Paragraph 42 of Schedule 2 to the DPPEC Regulations effectively replicates the provisions of Article 36 of the LED, and inserts these into Section 74 of the DPA 2018. It differs from the 71 previous drafting of Section 74 (which was operable prior to the UK’s exiting of the EU), in the single sense that it repatriates the power to make an adequacy decision regarding a third country from the European Commission to the Secretary of State. Reviews of an adequacy decision will take place at an interval of no more than four years. Transitional Adequacy Provisions for EU Member States The UK has already taken steps to maintain existing outgoing flows of data as an interim measure in a no deal scenario from the UK to the EU Member States and Gibraltar through the DPPEC Regulations. 70 These were debated and approved by Parliament and made by the Minister on the 28th February 2019. They are available at: http://www.legislation.gov.uk/uksi/2019/419/contents/made 71 Paragraph 42 of Schedule 2 to the DPPEC Regulations is available at: http://www.legislation.gov.uk/uksi/2019/419/schedule/2/paragraph/42/made Section F: Law Enforcement To ensure greater compliance, the IPCO has a significantly expanded staff compared to its predecessor organisations, including a team of inspectors, in-house legal and technical expertise, and a Technical Advisory Panel (TAP) to provide expert advice. The IPCO is also responsible for keeping the interception of communications and the acquisition and disclosure of communications data by intelligence agencies, police forces and other public authorities under review. To reflect their functions, the police and law enforcement bodies have more limited powers under the investigatory powers legislation compared to the intelligence community (UKIC). 76 Even though these powers are less frequently used, IPCO’s inspections ensure that the law enforcement community are aware of their obligations. The IPCO report to the Prime Minister on a half-yearly basis with respect to the carrying out of the Interception of Communications Commissioner's functions. The IPCO’s aim is to provide effective oversight to ensure that the conduct of public authorities is compliant in relation to the following statutory functions: ● Interception of Communications under Chapter 1 of Part 1 ​Regulation of Investigatory Powers Act 2000​ (RIPA); ● Acquisition and Disclosure of Communications Data under Chapter 2 Part 1 of RIPA; ● Encryption notices issued by the Secretary of State under Part 3 of RIPA in relation to the information obtained under Chapter 1 Part 1 RIPA; and ● Complaints of unintentional unlawful electronic interception (which attract a civil monetary penalty) under section 1(1.A) of RIPA. Her Majesty’s Inspectorate of the Constabulary and Fire and Rescue Services (HMICFRS) and Her Majesty's Inspectorate of Constabulary in Scotland (HMICS) The HMICFRS has statutory responsibility for the inspection of the police forces, and since July 2017 the fire and rescue services, of England and Wales. The HMICS provides independent scrutiny of both Police Scotland and the Scottish Police Authority (SPA). They function as inspectorates, rather than as a regulator, and therefore while they may submit recommendations to police forces to improve their performance, they do not directly hold these forces to account. These recommendations are made public and forces consider HMICFRS’ ratings as a serious matter. 77 Case Study: Police National Computer Audits 76 For further information on UKIC and the IPA, please see Section H of the pack. 77 For example, Kent Police received an ‘Inadequate’ in the CDI inspections of 2017. They followed the Inspectorate’s recommendations and made a series of extensive improvements to their management of data. The force was subsequently rated ‘Outstanding’ in the same inspections of 2018. Section F: Law Enforcement The Inspectorate have consistently engaged in data handling and information management by police forces over the past decade. In 1998, a Police Research Group Report was produced which highlighted concerns and issues relating to the quality of data being inputted onto the Police National Computer (PNC). In 2000 the HMIC (prior to their taking on of fire and rescue inspections) report ​‘On the Record’ investigated data quality and the management of PNC data. The report recommended that HMIC should monitor force performance against a set of targets embedded in the Association of Chief Police Officers (ACPO) PNC Compliance Strategy. A further two reports were produced by HMIC in 2001 and 2002. The Metropolitan Police Service’s (MPS) PNC Steering Group were one of the forces across the United Kingdom that ​responded to the Inspections (as is their statutory responsibility), with updates on their commitment to implementing the inspectorate’s recommendations. This included developing risk assessed Force Data Protection Officer audit programmes. Following the first run of this programme, the MPS identified resources required and allocated them under the management of the Data Protection Officer. In 2003, the HMIC PNC Compliance Audit Team was formed to carry out focused PNC inspections of all forces in England and Wales and on invitation from HMIC (Scotland) to inspect the Scottish police forces. Further reports on the PNC were published between 2004 to 2010. This audit function was recently extended to cover non police use of PNC. Biometrics Commissioner The Biometrics Commissioner is independent of government. The Commissioner’s role is to keep the retention and use by the police of DNA samples, DNA profiles, and fingerprints under review. The statute introduced a new regime to govern the retention and use by the police of DNA samples, profiles, and fingerprints. The Commissioner does not have jurisdiction in Scotland, except in respect of his power to review national security determinations which are made or renewed by the police in connection with the retention of DNA profiles and fingerprints. The role further includes: ● deciding applications by the police to retain DNA profiles and fingerprints (under section 63G of the Police and Criminal Evidence Act 1984); ● reviewing national security determinations which are made or renewed by the police in connection with the retention of DNA profiles and fingerprints; and ● providing reports to the Home Secretary about the carrying out of their functions. Section F: Law Enforcement Where an individual is arrested for, but not charged with, specific offences, their DNA profile and fingerprint record will normally be deleted. However, the police can apply to the Biometrics Commissioner for permission to retain their DNA profile and fingerprint record for a period of up to 3 years. The application must be made within 28 days of the police decision not to proceed with a prosecution. If the police make such an application, the Biometrics Commissioner would first give both them and the arrested individual an opportunity to make written representations and then, taking into account factors including the age and vulnerability of the victim(s) of the alleged offences, and their relationship to the suspect, make a decision on whether or not retention is appropriate. If the Biometrics Commissioner agrees to allow retention, the police will be able to retain that individual’s DNA profile and fingerprint record for a period of up to 3 years from the date the samples were taken. At the end of that period, the police will be able to apply to a District Judge (Magistrates’ Courts) for a single 2 year extension to the retention period. If the application is rejected, the force must then destroy the DNA profile and fingerprint record. Where the Biometrics Commissioner considers that the making, or renewal, of an application to allow retention is unnecessary, he has the power to order the destruction of the DNA profile or fingerprint record in question Surveillance Camera Commissioner The Office of the Commissioner was created under the Protection of Freedoms Act 2012 to further regulate CCTV in England and Wales. The Act required a code of practice about surveillance camera systems to be produced and it sets out new guidelines for CCTV and automatic number plate recognition. The role of the Surveillance Camera Commissioner is to: ● encourage compliance with the surveillance camera code of practice; ● review how the code is working; and ● to provide advice to ministers on whether the code needs amending. The Commissioner has no enforcement or inspection powers. They work with relevant authorities to make them aware of their duty to have regard to the code. The 78 Commissioner further: ● provides advice on the effective, appropriate, proportionate, and transparent use of surveillance camera systems; 78 The Commissioner is not responsible for enforcing the code, inspecting CCTV operators to check they are complying with the code, providing advice regarding covert surveillance, and providing advice regarding domestic CCTV systems. Section F: Law Enforcement The PACE Codes of Practice regulate police powers in England and Wales and protect 85 public rights. These strike a balance between the powers of the police and the rights and freedoms of the public. Code D is particularly relevant to the processing of data by the police. It concerns the principal methods used by police to identify people in connection with the investigation of offences and the keeping of accurate and reliable criminal records. The provisions of the PACE coupled with Code D (and read alongside MoPI) are designed to make sure fingerprints, samples, impressions, and photographs are taken, used, and retained, with identification procedures carried out only when justified and necessary for preventing, detecting, or investigating crime. Failure to observe the requirement detailed in PACE can have very serious consequences affecting the viability of trials. Section 57 of the Criminal Justice (Scotland) Act 2016 requires the Lord Advocate to issue a Code of practice about investigative functions. This included the questioning, and recording of questioning, of persons suspected of committing offences, and the conduct of identification procedures involving such persons. To a lesser extent, Code E and Code F which cover the audio and visual recording of interviews with suspects in a police station or other suitable location, are also broadly relevant to information management, particularly as they engage the sixth Data Principle on the secure processing of personal data. Both Codes issue security requirements on all recordings, from sealed master recordings to those taken on secure digital networks or away from a police station. Section 200 of the DPA 2018 requires that the ICO produce and publish guidance about how they propose to perform their legislative duty to have regard to the PACE Codes of Practice when investigating offences and charging offenders. The issue of such guidance is aimed to assist the police in its obligations to ensure that personal data be adequate, relevant, and not excessive for the purpose(s) they are being processed, in line with the Data Protection Principles. This also ensures that PACE and the DPA 2018 offer a consistent message on privacy. Protection of Freedoms Act 2012 The Protection of Freedoms Act 2012 (“PoFA”) brings in a number of changes across the 86 criminal justice landscape in England and Wales and has been seen as part of a rebalancing exercise of rights in favour of the individual. Of particular relevance, Part 1 Chapter 1 of the Act covers the retention of DNA and fingerprints by the police. The equivalent provisions in Northern Ireland are contained 85 https://www.gov.uk/guidance/police-and-criminal-evidence-act-1984-pace-codes-of-practice 86 http://www.legislation.gov.uk/ukpga/2012/9/contents/enacted Section F: Law Enforcement within the Criminal Justice (Northern Ireland) Act 2013. The Act has yet to be commenced; however, PSNI have taken an operational decision to start complying with the provisions of the Act, likely from September, on a non-statutory basis. In Scotland, the equivalent provisions are contained in the Criminal Procedure (Scotland) Act 1995, although the provisions in relation to the Biometrics Commissioner will be implemented via the Scottish Biometrics Commissioner Bill . 87 The legislation strikes a balance between protecting the freedoms of those who are innocent of any offence, whilst ensuring that the police continue to have the capability to protect the public and bring criminals to justice. PoFA was enacted in response to the 2008 judgment of the European Court of Human Rights (ECHR) in the case of ​S and Marper v UK​. In this case, the court ruled that the blanket 88 retention of DNA profiles posed a disproportionate interference with the right to respect private life, in violation of Article 8 of the European Convention on Human Rights. In regard to biometric data, PoFA amended Part V of PACE to only allow for the indefinite retention of fingerprints and DNA profiles on convicted adults, or adults who have been charged but hold a previous conviction. The Act excludes under-18s, and non-convicted adults from indefinite biometric data retention, and reduces the length of time for which data on these persons can be retained. PoFA also goes beyond the 2008 ECHR judgment in its protection of the right to respect privacy. The Act requires all DNA samples to be destroyed within 6 months of being taken , 89 regardless of whether the subject has faced or is facing a conviction. This allows sufficient time for the sample to be analysed and a DNA profile to be produced for use on the database. Any data retained is limited in its use by the police for the purposes of national security, conducting a terrorist investigation, the prevention or detection of crime, the investigation of an offence or the conduct of a prosecution, and the identification of a deceased person. Section 20 of PoFA establishes the independent office of Commissioner for the Retention and Use of Biometric Material (the ‘Biometrics Commissioner’: see above). PoFA also makes a contribution towards safeguarding the vulnerable and criminal records. Criminal records disclosure is required for anyone working or involved in activities with vulnerable groups. Chapter 2 takes some activities completely outside the scope of the 87 https://www.parliament.scot/parliamentarybusiness/Bills/111859.aspx 88 https://hudoc.echr.coe.int/eng#{"fulltext":["S & Marper"],"documentcollectionid2":["GRANDCHAMBER","CHAMBER"],"itemid":["001-90051"]} 89 The only exception to this is if the sample is required for use as evidence in court. Section F: Law Enforcement regime, and changes the rules relating to disclosure, giving applicants, rather than the Disclosure and Barring Service, greater control over who is provided with their information. On data protection more broadly, PoFA gives the right to have certain data provided in an electronic form suitable for reuse, and amends provisions relating to the appointment, role, and tenure of the Information Commissioner. PoFA also created the role of Surveillance Camera Commissioner, which as detailed above, encourages compliance with the Surveillance Camera Code of Practice . ​The code sets out 90 twelve guiding principles which strike a balance between protecting the public and upholding civil liberties; they affirm the principles of necessity and proportionality that underpin Part 3 of the DPA 2018. Redress Outside of ICO enforcement action, there are clear judicial routes for redress available to data subjects such as through the First Tier Tribunal (General Regulatory Chamber) and the Upper Tribunal. More detail is available on these routes in ​Section G​. 90 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/282774/ SurveillanceCameraCodePractice.pdf