DPA 2018 Part 3: Law enforcement processing
Part 3 of the DPA (Data Protection Act) 2018 applies to competent authorities’ processing of personal data for law enforcement purposes.
This is permitted as long as it occurs:
- Wholly or partly by automated means; and
- Not by automated means where it forms, or is intended to form, part of a filing system.
Note that Part 3 applies only to processing for law enforcement purposes.
This is defined as: “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.
Other processing by competent authorities will fall under the scope of the UK GDPR (General Data Protection Regulation). On some occasions, processing will fall under both regimes.
UK data protection law is currently being revised. We are following the progress of the Data Protection and Digital Information Bill through parliament and will keep you updated on how it might affect your data processing obligations.
What is a competent authority?
A competent authority under Part 3 plays the same role as a data controller under the GDPR.
Competent authorities are defined in Schedule 7 of the DPA 2018 and include, but are not limited to:
- Government departments
- Police commissioners and chief constables
- The director general of the NCA (National Crime Agency)
- The director of the SFO (Serious Fraud Office)
- The FCA (Financial Conduct Authority)
- The HSE (Health and Safety Executive)
- The FSA (Food Standards Agency)
- HM Land Registry
- The DPP (Director of Public Prosecutions)
- The Information Commissioner
- Courts or tribunals
Data protection principles
The six data protection principles set out in Part 3 differ from the six data processing principles in Article 5 of the GDPR in only one significant way: there is no requirement for personal data to be processed transparently, because of the risk of prejudicing criminal investigations.
Under Part 3 of the DPA 2018, personal data must be:
- Processed lawfully and fairly;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and not excessive in relation to the purpose for which it is processed;
- Accurate and, where necessary, kept up to date;
- Kept for no longer than is necessary; and
- Processed in a secure manner, using appropriate technical or organisational measures.
Personal data based on facts must be distinguished from personal data based on personal assessments.
Competent authorities or their processors must be able to distinguish between different categories of data subjects, such as suspects, convicts, victims and witnesses.
Where sensitive data is processed, additional safeguards must be implemented.
Data subjects’ rights
Data subjects have some of the same rights that they do under the GDPR, namely the right:
- To be informed;
- Of access;
- To rectification;
- To erasure or to restrict processing; and
- Not to be subject to automated decision-making.
However, there are exemptions and restrictions that can prevent data subjects from exercising some of them.
The rights to rectification, erasure and restriction of processing do not apply to “the processing of relevant personal data in the course of a criminal investigation or criminal proceedings”.
(“Relevant personal data” here means “personal data collected in a judicial decision or in other documents relating to the investigation or proceedings which are created by or on behalf of a court or other judicial authority” – for example, judges’ notes.)
Moreover, certain rights under the GDPR – such as the right to object and the right to data portability – do not exist under Part 3.
As with the GDPR, there is an accountability principle that requires competent authorities and processors acting on their behalf to implement appropriate technical and organisational measures to ensure the security of the personal data they process.
Relevant documentation must be kept, data protection measures must be implemented by design and by default, DPOs (data protection officers) must be appointed where appropriate, and there is a duty to report certain types of data breaches to the Information Commissioner within 72 hours of becoming aware of them, where feasible.
As under the GDPR, data subjects must be informed of personal data breaches without undue delay if there is likely to be a high risk to their rights and freedoms.
Part 3 of the DPA 2018 is functionally unaffected by the changes introduced by the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 on 1 January 2021.