Part 3 applies to competent authorities’ processing of personal data for law enforcement purposes:
- Wholly or partly by automated means; and
- Other than by automated means where it forms or is intended to form part of a filing system.
It is important to be aware that Part 3 applies only to processing for law enforcement purposes, that is, the “prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.
Other processing by competent authorities will fall under the scope of the EU GDPR. On some occasions, processing will fall under both regimes.
What is a competent authority?
A competent authority under Part 3 is akin to a data controller under the EU GDPR.
Competent authorities are defined in Schedule 7 and include, but are not limited to, government departments, police commissioners and chief constables, the director general of the NCA (National Crime Agency), the director of the SFO (Serious Fraud Office), the FCA (Financial Conduct Authority), the HSE (Health and Safety Executive), the FSA (Food Standards Agency), HM Land Registry, the DPP (Director of Public Prosecutions), the Information Commissioner, and courts or tribunals.
Data protection principles
The six data protection principles set out in Part 3, Chapter 2 differ from the six data processing principles in Article 5 of the EU GDPR in only one significant way: there is no requirement for personal data to be processed transparently, because of the risk of prejudicing criminal investigations.
Personal data must be:
- Processed lawfully and fairly;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and not excessive in relation to the purpose for which it is processed;
- Accurate and, where necessary, kept up to date;
- Kept for no longer than is necessary;
- Processed in a secure manner, using appropriate technical or organisational measures.
Personal data based on facts must be distinguished from personal data based on personal assessments.
Competent authorities or their processors must be able to distinguish between different categories of data subjects, such as suspects, convicts, victims and witnesses.
Where sensitive data is processed, additional safeguards must be implemented.
Data subjects’ rights
Data subjects have some of the same rights that they do under the EU GDPR, namely the right:
- To be informed;
- Of access;
- To rectification;
- To erasure or to restrict processing; and
- Not to be subject to automated decision-making.
However, there are exemptions and restrictions that can prevent data subjects from exercising some of these rights.
The rights to rectification, erasure and to restrict processing do not apply to “the processing of relevant personal data in the course of a criminal investigation or criminal proceedings”.
(‘Relevant personal data’ means “personal data collected in a judicial decision or in other documents relating to the investigation or proceedings which are created by or on behalf of a court or other judicial authority” – for example judges’ notes.)
Moreover, certain rights under the EU GDPR – such as the right to object and the right to data portability – do not exist under Part 3.
As with the EU GDPR, there is an accountability principle that requires competent authorities and processors acting on their behalf to implement appropriate technical and organisational measures to ensure the security of the personal data they process.
Relevant documentation must be kept, data protection measures must be implemented by design and default, data protection officers must be appointed where appropriate, and there is a duty to report certain types of data breaches to the Information Commissioner within 72 hours of becoming aware of them, where feasible.
As under the EU GDPR, data subjects must be informed of personal data breaches without undue delay if there is likely to be a high risk to their rights and freedoms.