The General Data Protection Regulation marks a new era in privacy law, transforming the way in which organisations across the UK & EU process, use and store personal data. With new accountability obligations and tighter rules surrounding consent, the EU GDPR seeks to update the current legislative framework to strengthen the rights of data subjects and create unity across data protection laws within all member states. While the sanctions associated with GDPR are certainly not forgiving, most would argue that the regulation itself is a step forward (despite the mass hysteria it has caused across the country).
But the dilemma posed by digital data extends beyond businesses to public authorities, where access to personal data can play a vital role in bringing a criminal to justice – and, in some cases, saving a life. While the discussion has so far been dominated by the commercial implications of GDPR, extensions of the law published in September of last year called into question the rights of law enforcement bodies and investigatory agencies with regard to the acquisition of civilian data.
Should law enforcement be granted access to personal data?
Police handling of data has been a hot topic for quite some time, with certain notable cases drawing controversy to the methods used to obtain information. In fact, in 2016 alone, one in 20 of the 18,000 public data protection complaints related to policing and criminal records.
However, with society’s ever-increasing dependence on electronic communication, access to data such as the location of a device, the last call made by an individual or content stored on the device itself can often prove paramount in resolving crimes and even preventing threats to national security.
Which laws regulate police use of personal data?
Ahead of our exit from the EU, a new Data Protection Bill has been published by the Government to provide further guidance to UK citizens, organisations and law enforcement bodies with regards to the handling of personal data. Divided into 7 parts, the Data Protection Bill seeks to replicate existing laws of the Data Protection Act 1998 as far as possible within the context of modern technology.
Part 2 of the Bill implements certain derogations and exemptions from the GDPR: in particular, this section reduces the age of consent for children using information society services to thirteen years old, introduces a system to authorize certification providers and establishes safeguards for processing, archiving and statistical purposes.
Part 3 of the Data Protection Bill transposes the EU Law Enforcement Directive (LED) into UK law. This applies to a defined (but non-extensive) list of “competent authorities”, an umbrella term that includes any person who has statutory functions for law enforcement purposes: the police, the Courts and Tribunal service, HMRC and the National Crime Agency, to name but a few.
Similar to section 29 of the Data Protection Act, the aim of the Law Enforcement Directive is to govern “the processing of personal data by the police and other criminal justice agencies for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data”.
Under Part 3 of the Bill, the Government sets out six data protection principles which apply to personal data processed by a law enforcement agency. These are the requirements that:
- Processing be lawful and fair
- The purposes of processing be specified, explicit and legitimate
- Personal data be adequate, relevant and not excessive
- Personal data be accurate and kept up to date
- Personal data be kept no longer than is necessary; and
- Personal data be processed in a secure manner.
Further to this, Part 3 of the Data Protection Bill introduces the requirement for the categorization of data subjects (witnesses, victims, suspects and offenders) and the requirement to distinguish whether data is fact or personal opinion.
How will part 3 of the Data Protection Bill affect law enforcement?
Two decades of digitisation have called for drastic reform to data protection laws to safeguard citizens’ sensitive information, but what impact could this have on law enforcement? According to the UK Information Commissioner Elizabeth Denham, the answer is still uncertain. Speaking at the National Police Chiefs Council, Denham expressed concern at the lack of clarity provided by the Government with regard to Part 3 of the DP Bill and the GDPR:
“We’ve spoken to the Home Office and DCMS and expressed our concern about how late in the day this is being left. I’m certainly sympathetic to forces needing time to prepare for any law changes,” she said.
“And there’s a bigger picture here too. Maintaining appropriate data flows is essential for law enforcement and security purposes. I know from speaking to senior figures in the sector that, for anti-terrorism, for security and for justice, you need to maintain access to databases – to Europol, to Eurojust, and to the Schengen Information System. This needs to be a very high priority for the next government in the exit negotiations.”
The General Data Protection Regulation will come into force from the 25th of May, and it is assumed that the principles set out in this regulation will apply to civil cases, while the Law Enforcement Directive will continue to govern police handling of data in criminal cases. Therefore, both the GDPR and the Data Protection Bill should be read alongside each other with cases assessed independently against these two interlinking pieces of legislation.
The Data Protection Bill is currently making its way round parliament for review, where all 218 pages will be scrutinized and evaluated ahead of its implementation in May of this year. If you are uncertain of the preparations you need to make ahead of GDPR and the Data Protection Bill or require advice or assistance in implementing a compliance framework in your organisation, get in touch with our team today on 0333 772 7736.