Appropriate policy document: sensitive processing for law enforcement purposes
Published 14 June 2023
Applies to England
Scope
Defra processes personal data for law enforcement purposes relating to individuals who have committed or are suspected of committing offences and other individuals who are involved. We act as an environmental regulator under various legal powers and statutory functions. Defra is a competent authority under Data Protection Act (DPA) 2018 Part 3 Section 30(1)(a).
This policy document has been developed for Defra to meet the requirement for an appropriate policy document (APD) under DPA 2018 Part 3 Section 42.
This policy document outlines our sensitive personal data processing for law enforcement purposes and explains:
- our procedures for securing compliance with the law enforcement data protection principles
- our policies as regards the retention and erasure of personal data, giving an indication of how long the personal data is likely to be retained
The appropriate policy document for processing of special categories of personal and criminal offence data applies when our processing is not for the primary purpose of law enforcement. Additional information about our more general processing can also be found in Defra’s personal information charter.
Law enforcement purposes
These purposes are set out at DPA 2018 Section 31 and include the:
- prevention, investigation, detection or prosecution of criminal offences
- execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security
Sensitive processing is defined in DPA 2018 Part 3 Section 35(8) and is equivalent to UK GDPR Article 9 special category data. This includes personal data which relates to:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying an individual
- data concerning health
- data concerning an individual’s sex life or sexual orientation
Description of data processed
We carry out sensitive processing for law enforcement purposes in 3 key areas:
- criminal investigations
- intelligence
- financial recovery
Consent or Schedule 8 condition for processing
We carry out sensitive processing under DPA Section 35(3) only in reliance on the consent of the data subject or where it is strictly necessary for the law enforcement purposes and it meets one of the conditions in DPA 2018 Schedule 8.
All processing is for the first listed purpose and might also be for others, depending on the context:
- paragraph 1 – statutory etc purposes ie necessary for the exercise of the function conferred on a person by an enactment or rule of law, and for reasons of substantial public interest
- paragraph 2 – administration of justice
- paragraph 6 – legal claims
- paragraph 9 – archiving etc, such as scientific, historical or statistical purposes
Law enforcement data protection principles
We comply with the law enforcement data protection principles under DPA 2018 Part 3 Chapter 2 as set out below:
Principle 1 – Section 35 – lawfulness and fairness
Processing for law enforcement purposes must be lawful and fair. This means that personal data processed for any of the law enforcement purposes must be either:
- based on the consent of the data subject – section 35(2)
- where the processing is necessary for the performance of a task carried out for that purpose by Defra
In addition, if the processing involves sensitive personal data, then this is only permissible if it is either:
- based on the consent of the data subject – section 35(4)
- strictly necessary for the law enforcement purpose under section 35(5) and based on a Schedule 8 condition
Our processing of sensitive data for law enforcement purposes normally satisfies the condition in paragraph 1 of Schedule 8: that it is necessary for the exercise of a function conferred on Defra by the legislation for which we act as a regulator and is necessary for reasons of substantial public interest.
In circumstances where we seek consent, we make sure the consent is:
- unambiguous
- given by a positive action
- recorded as the condition for processing
Principle 2 – Section 36 – purpose limitation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We will:
- only collect the minimum personal data that we need for the purpose(s) for which it is collected, ie for prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties
- only do this where authorised by law to carry out sensitive processing for any of these purposes
- may process personal data collected for one of these purposes (whether by us or another controller), for any of our other law enforcement purposes providing the processing is necessary and proportionate to that purpose
- ensure that the data we collect is adequate and relevant
We will only use personal data collected for a law enforcement purpose for purposes other than law enforcement where we are authorised by law to do so.
If we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose.
Principle 3 – Section 37 – data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We will:
- not systematically collect or harvest sensitive personal data for law enforcement purposes
- only collect the minimum personal data that we need for the purpose(s) for which it is collected
- ensure that the data we collect is adequate and relevant
Where sensitive personal data is provided to us or obtained by us but is not relevant to our stated purposes and we are able to, we will erase it.
Principle 4 – Section 38 – accuracy
Personal data shall be accurate and, where necessary, kept up to date. We will:
- ensure that personal data is accurate and kept up to date where necessary
- take particular care to do this where our use of the personal data has a significant impact on individuals
- take every reasonable step to ensure that personal data is erased or rectified without delay if we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed
If we decide not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights don’t apply, we will document our decision.
Where relevant, and as far as possible, we will distinguish between personal data relating to different categories of data subject, such as:
- people suspected of committing an offence or being about to commit an offence
- people convicted of a criminal offence
- known or suspected victims of a criminal offence
- witnesses or other people with information about offences
We will only do this where the personal data is relevant to the purpose being pursued.
Principle 5 – Section 39 – storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. We will:
- only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so
- delete, put beyond use or render permanently anonymous personal data once we no longer need it
Principle 6 – Section 40 – security
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. We will:
- ensure that there are appropriate organisational and technical measures in place to protect personal data
- have strict security standards, and all our staff and other people who process personal data on our behalf get regular training about how to keep data safe
- limit access to your personal data to those employees or third parties who have a business or legal need to access it
Accountability principle
We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:
- the appointment of a Data Protection Officer who reports directly to our Permanent Secretary
- taking a ‘data protection by design and default’ approach to our activities
- maintaining documentation of our processing activities
- adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors
- implementing appropriate security measures in relation to the personal data we process
- carrying out data protection impact assessments for our high risk processing
- regularly reviewing our accountability measures and updating or amending them when required
Retention and erasure policies
We take the security of our processing of sensitive personal data for law enforcement purposes very seriously. We have administrative, physical and technical safeguards in place to protect personal data against unlawful or unauthorised processing, or accidental loss or damage.
We will ensure, where sensitive personal data is processed, that the processing is recorded, and that the record sets out, where possible, a suitable time period for the safe and permanent erasure of the different categories of data in accordance with our retention schedule.
Review
This policy will be reviewed in 2 years. However, an immediate review of this policy will be triggered by legislative or organisational change. It will be retained where we process personal data for law enforcement purposes and for a period of at least 6 months after we stop carrying out such processing.