Introduction
We, as part of our statutory functions, can investigate and prosecute certain criminal offences. We are a competent authority for the purpose of Part 3 of the Data Protection Act 2018 (DPA 2018), which applies to the processing of personal data by such authorities for law enforcement purposes.
Part 3 of the DPA 2018 requires an appropriate policy document (APD) to be in place when undertaking sensitive processing of personal data for law enforcement purposes.
This document:
- outlines our sensitive processing for law enforcement purposes
- explains our procedures for securing compliance with the law enforcement data protection principles
- explains our policies regarding the retention and erasure of personal data processed for law enforcement purposes
This appropriate policy document satisfies the requirements of Part 3 of the DPA 2018.
This document should be read alongside our data protection policy.
Law enforcement purposes are defined at Section 31 of the DPA 2018 as the:
- prevention, investigation, detection, or prosecution of criminal offences
- execution of criminal penalties; and
- safeguarding against and the prevention of threats to public safety
Sensitive processing is defined at Part 3, section 35(8) of the DPA 2018 as:
- the processing of personal data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual
- the processing of data concerning health; and
- the processing of data concerning an individual’s sex life or sexual orientation
Scope
This policy applies to:
- all processing of personal data for law enforcement purposes
- any individual processing personal data held by the council for law enforcement purposes
Sensitive processing and relevant Schedule 8 conditions
We carry out sensitive processing of all categories of data defined in Part 3, section 35(8) except for the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual.
We shall carry out sensitive processing under Section 35(3) of the DPA 2018 only in reliance on the consent of the data subject or where it is strictly necessary for the law enforcement purposes and it meets one of the conditions set out in Schedule 8 of the DPA 2018.
We carry out sensitive processing, for which an APD is required, under the following Schedule 8 conditions:
Schedule 8(1) – statutory purposes
For example:
- where we have a legal obligation to investigate and prosecute criminal offences.
- where it is in the substantial public interest for us to investigate and prosecute a criminal offence
Schedule 8(2) – administration of justice
For example:
- to ensure the appropriate enforcement of breaches of the laws and statutes that the we are responsible for implementing
Schedule 8(6) – legal claims
For example:
- for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings) that we are engaged in
- to obtain legal advice
- for establishing, exercising and defending legal rights
Schedule 8(8) – preventing fraud
For example:
- disclosures of personal data to an anti-fraud organisation, such as the through the National Fraud Initiative
Procedures for ensuring compliance with the law enforcement data protection principles
We will:
Accountability
- appoint a data protection officer who reports to our highest management level
- take a ‘data protection by design and default’ approach to our activities
- maintain documentation of its processing activities
- adopt and implement data protection policies and ensure there are written contracts in place with processors
- implement appropriate and reasonable security measures
- carry out data protection impact assessments for high-risk processing activities
Principle (1): lawfulness and fairness
Ensure sensitive processing is only carried out where it is strictly necessary for law enforcement purposes.
Ensure sensitive processing is carried out with the consent of the data subject or based on a Schedule 8 condition.
Principle (2): purpose limitation
Only use data collected for law enforcement purposes for purposes other than law enforcement where authorised by law to do so.
Only share data with another controller where it can be evidenced that they are authorised by law to process the data for their purpose.
Principle (3): data minimisation
Only collect personal data that is necessary and proportionate for its law enforcement purposes and ensure that data collected is not excessive.
Ensure that where personal data is provided to us or obtained by us, but is not relevant to our stated purposes, it will be erased.
Principle (4): accuracy
Ensure that personal data is accurate and kept up to date where necessary.
Take particular care to ensure accuracy of personal data held.
Where possible, distinguish between personal data based on facts and personal data based on personal assessments or opinions.
Where relevant, and as far as possible, distinguish between personal data relating to different categories of data subject, such as:
- people suspected of committing an offence or being about to commit an offence
- people convicted of a criminal offence
- known or suspected victims of a criminal offence
- witnesses or other people with information about offences
Take reasonable steps to ensure that where personal data is inaccurate, incomplete, or out of date it is not transmitted or made available for any of the law enforcement purposes.
Document decisions to make personal data available for any of the law enforcement purposes.
Principle (5): storage limitation
Only keep personal data in identifiable form for as long as is necessary.
Determine retention periods based on our legal obligations and the necessity of the data to our business needs.
Make retention schedules publicly available.
Principle (6): integrity and confidentiality (security)
Ensure effective technical and organisational policies and procedures are in place to support secure working practices.
Educate and train staff to handle and process personal data securely.
Ensure specialist staff are available to provide support and guidance.
Ensure appropriate roles are in place to support information risk management.
Ensure that the systems used to process personal data for law enforcement purposes allow for the erasure or update of personal data at any point in time. Such systems shall also be capable of logging records of the following information:
- collection
- alteration
- consultation (access)
- identity of the person who accessed
- disclosures
- combination of records
- erasure
Retention and erasure of personal data, further information and review
Our erasure practices are set out in our records management policy.
We have published a suite of related policies and privacy information on our website.
For further information please contact the DPO at dpo@lincolnshire.gov.uk.
Policy review
We will review this policy on an annual basis.