Sensitive processing for law enforcement purposes: COVID-19 loan schemes (Appropriate Policy Document)
Updated 3 July 2023
As part of Department for Business and Trade (DBT) statutory and corporate functions, we can investigate and prosecute individuals and organisations for criminal offences.
DBT is a competent authority for the purpose of Part 3 of the Data Protection Act 2018 (DPA 2018, section 30 and Schedule 7(1)) which applies to the processing of personal data by such authorities for law enforcement purposes.
These purposes are set out at section 31 DPA 2018 and include the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security.
Sensitive processing
Part 3 of the DPA 2018 outlines the requirement for an Appropriate Policy Document (APD) to be in place when processing sensitive personal data for law enforcement purposes.
Sensitive processing is defined in Part 3 section 35(8) and is equivalent to UK GDPR special category data. This includes:
- the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership
- the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual
- the processing of data concerning health
- the processing of data concerning an individual’s sex life or sexual orientation
Appropriate Policy Document
This policy document outlines our sensitive processing for law enforcement purposes and explains:
i. Our procedures for securing compliance with the law enforcement data protection principles
ii. Our policies as regards the retention and erasure of personal data, giving an indication of how long the personal data is likely to be retained
Our Appropriate Policy Document: Processing of special categories of personal data and criminal offence data – explains our general processing of special category data when our processing is not for the primary purpose of law enforcement. Additional information about our more general processing can also be found in our privacy notice.
Description of data processed
We carry out sensitive processing for law enforcement purposes in 3 key areas:
i. criminal investigations
ii. intelligence
iii. financial recovery
We carry out sensitive processing of all of the categories of data defined in Part 3 section 35(8).
Consent or Schedule 8 conditions for processing
We carry out sensitive processing under section 35(3) DPA 2018 only in reliance on the consent of the data subject or where it is strictly necessary for the law enforcement purposes and it meets one of the conditions in schedule 8 of the DPA 2018.
The relevant schedule 8 condition for our processing is Schedule 8 paragraph 1 – statutory purposes.
The relevant conditions in schedule 8 of the Data Protection Act 2018 are:
i. For statutory purposes where DBT is processing data through exercising powers under the Police and Criminal Evidence Act 1984 and Proceeds of Crime Act 2002 (to conduct cases that involve the proceeds of crime) or any other relevant law, and where case teams ensure processing is necessary for reasons of substantial public interest.
ii. For the Administration of Justice
iii. For the Safeguarding of children and of individuals at risk where DBT is processing data of victims, witnesses or other individuals connected to investigations and prosecutions who are under 18 or are considered vulnerable or at risk. DBT case teams will ensure that processing is necessary for DBT to effectively conduct prosecutions and fulfil our statutory function and handle consent in line with the Victims’ Code of Practice.
iv. Personal data already in the public domain - this condition is met if the processing relates to personal data which is manifestly made public by the data subject.
v. Preventing fraud – where it is necessary to prevent fraud, and consists of—
a. the disclosure of personal data by a competent authority as a member of an anti-fraud organisation,
b. the disclosure of personal data by a competent authority in accordance with arrangements made by an anti-fraud organisation, or
c. the processing of personal data disclosed as described in sub-paragraph (i) or (ii).
An ‘anti-fraud organisation’ has the same meaning as in section 68 of the Serious Crime Act 2007.
vi. Legal claims – where it is necessary for or in connection with legal proceedings or to obtain legal advice or to establish, exercise or defend legal rights.
vii. For Archiving purposes where data is contained within files that meet the criteria to be transferred to The National Archives (TNA) under the Public Records Act 1958. Where personal data is to be transferred to The National Archives, that the processing is necessary for archiving purposes in the public interest.
Procedures for ensuring compliance with the principles
Accountability principle
We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:
- the appointment of a data protection officer who reports directly to our highest management level
- taking a ‘data protection by design and default’ approach to our activities
- maintaining documentation of our processing activities
- adopting and implementing data protection policies and ensuring we have written contracts or memorandums of understanding in place with our data processors
- implementing appropriate security measures in relation to the personal data we process
- carrying out data protection impact assessments for our high-risk processing
We regularly review our accountability measures and update or amend them when required.
Principle (1): lawfulness and fairness
Processing for law enforcement must be lawful and fair. Sensitive processing is only permissible if it is:
- based on the consent of the data subject - section 35(4)
or
- is strictly necessary for the law enforcement purpose and is based on a schedule 8 condition - section 35(5)
DBT works to ensure the lawful processing of information is of substantial public interest. Our processing of sensitive data for law enforcement purposes satisfies the first schedule 8 condition that it is necessary for the exercise of a function conferred on DBT as a government department and is necessary for reasons of substantial public interest. We are a competent authority and have responsibility to seek to prevent, detect, investigate and prosecute possible offences committed in relation to the COVID-19 loan scheme.
In circumstances where we seek consent, we make sure:
- the consent is unambiguous
- the consent is given by an affirmative action
- the consent is recorded as the condition for processing
Principle (2): purpose limitation
We process personal data for all of the law enforcement purposes listed at section 31 DPA 2018. These include the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. The offences include financial offences under the Fraud Act 2006 and associated money laundering and corporate offences.
We are authorised by law to carry out sensitive processing for any of these purposes. We may process personal data collected for one of these purposes (whether by us or another controller), for any of our other law enforcement purposes providing the processing is necessary and proportionate to that purpose.
We will only use data collected for a law enforcement purpose for purposes other than law enforcement where we are authorised by law to do so.
If we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose.
Principle (3): data minimisation
We do not systematically collect or harvest sensitive personal data for law enforcement purposes. The information we process is necessary for and proportionate to our purposes. It is processed in the context of us carrying out processes which enable us to meet our stated purposes for processing.
Where sensitive personal data is provided to us or obtained by us but is not relevant to our stated purposes, we will erase it.
Principle (4): accuracy
Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, we will document our decision.
We, as far as possible, distinguish between personal data based on facts and personal data based on personal assessments or opinions and mark the file to reflect the distinction. There are circumstances where this is not possible.
We, where relevant, and as far as possible, distinguish between personal data relating to different categories of data subject, such as:
- people suspected of committing an offence or being about to commit an offence
- people convicted of a criminal offence
- known or suspected victims of a criminal offence
- witnesses or other people with information about offences
We only do this where the personal data is relevant to the purpose being pursued.
We do this by marking the file in our records. Should the status of a data subject change our systems allow us to note the reason and amend the file.
We take reasonable steps to ensure that personal data which is inaccurate, incomplete or out of date is not transmitted or made available for any of the law enforcement purposes. We do this by verifying any data before sending it externally. We also provide the recipient with the necessary information we hold to assess the accuracy, completeness and reliability of the data.
If we discover, after transmission that the data was incorrect or should not have been transmitted, we will tell the recipient as soon as possible.
We document our decision to make personal data available for any of the law enforcement purposes.
Principle (5): storage limitation
We retain information processed for the purposes of law enforcement for 7 years from closure of the matter unless there is a legitimate reason to retain it for longer.
Principle (6): security
Electronic information is processed within our secure network. Hard copy information is processed within our secure premises. Where it is necessary for us to share information with third parties, we consider the technical or organisational security measures they have in place before allowing access or transmitting data.
Electronic and hard copy information processed for the law enforcement purposes is only available to staff who carry out the processing for these purposes. Our electronic systems and physical storage have appropriate access controls applied.
The systems we use to process personal data for law enforcement purposes allow us to erase or update personal data at any point in time. They also allow us to log the following information:
- collection
- alteration
- consultation (access)
- identity of person accessing
- disclosures
- combination of records
- erasure
Retention and erasure policies
We have a retention policy which includes personal information processed for law enforcement purposes. Our usual procedures ensure we retain personal information processed for this purpose for 7 years from the closure of the case unless there is a legitimate reason to retain it for longer.
Our retention and erasure practices are set out in our retention schedule.
APD review date
This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.
This policy will be reviewed annually or revised more frequently if necessary.