Policy paper

Appropriate Policy Document: Sensitive Processing for Law Enforcement Purposes

Updated 27 March 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/rural-payments-agency-data-protection-policy/appropriate-policy-document-sensitive-processing-for-law-enforcement-purposes

1. Policy summary

The Rural Payments Agency (RPA) processes personal data for law enforcement purposes about:

  • individuals who have committed offences
  • individuals suspected of committing offences
  • other individuals involved in offences

RPA acts as an environmental regulator under various legal powers and statutory functions. RPA is a competent authority under Data Protection Act (DPA) 2018 (Part 3 Section 30(1)(a)).

This Appropriate Policy Document (APD) outlines our sensitive personal data processing for law enforcement purposes. It has been developed so we meet the requirement for an APD under DPA 2018 (Part 3 Section 42).

This document explains:

  • the law enforcement data protection principles and how we comply with them

  • our personal data retention and erasure practices

The APD for processing special categories of personal and criminal offence data applies when our processing is not for the primary purpose of law enforcement.

You can find further information about our Information Governance Model in RPA’s Data Protection Policy and Personal Information Charter.

2. Law enforcement purposes

Law enforcement purposes are set out in DPA 2018 (Section 31) and include:

  • preventing, investigating, detecting, or prosecuting criminal offences

  • imposing criminal penalties, which might include safeguarding against and preventing threats to public security

Sensitive processing is defined in DPA 2018 (Part 3 Section 35(8)) and is equivalent to UK General Data Protection Regulation (UK GDPR) (Article 9) Special Category Data. This includes personal data relating to:

  • race or ethnic origin

  • political opinions

  • religious or philosophical beliefs

  • trade union membership

  • genetic data

  • biometric identification

  • health

  • sexual life, sexual orientation, or both

3. Description of data processed

We carry out sensitive processing for law enforcement purposes in 2 main areas:

  • criminal investigations

  • financial recovery

4. Conditions for processing

We carry out sensitive processing under DPA (Section 35(3)) only with the consent of the data subject or where it is strictly necessary for law enforcement purposes and it meets one of the conditions in DPA 2018 (Schedule 8).

All processing is for the first listed purpose and might also be for others, depending on the context:

  • paragraph 1 – statutory purposes, for example processing data when it’s necessary for a legally assigned task and is in the substantial public interest

  • paragraph 2 – administration of justice

  • paragraph 6 – legal claims

  • paragraph 9 – archiving such as for scientific, historical, or statistical purposes  

5. Law enforcement data protection principles

We comply with the law enforcement data protection principles under DPA 2018 (Part 3 Chapter 2). The principles are set out below.

5.1 Principle 1 – Section 35 – lawfulness and fairness

Processing for law enforcement purposes must be lawful and fair. This means that the processing of personal data must be either:

  • based on the data subject’s consent (Section 35(2))

  • carried out by us where it’s necessary for performing a task

If the processing involves sensitive personal data, then this is only allowed if it is:

  • based on the data subject’s consent (Section 35(4))

  • strictly necessary for law enforcement under Section 35(5) and is based on a Schedule 8 condition

  • necessary for reasons of substantial public interest

Our sensitive data processing for law enforcement purposes normally meets with the Paragraph 1 Schedule 8 condition.

In circumstances where we need consent, we make sure the consent is:

  • unambiguous

  • given by a positive action

  • recorded as the condition for processing

5.2 Principle 2 – Section 36 – purpose limitation

Personal data shall be adequate, relevant, and limited to what is necessary for the law enforcement purposes it is needed for. We will only:

  • collect the minimum personal data, for example, for preventing, investigating, detecting, or prosecuting criminal offences or imposing criminal penalties

  • process sensitive data for law enforcement purposes where we are authorised by law to do so

  • process personal data that is necessary and proportionate to that purpose

  • use personal data for purposes other than law enforcement where we are authorised by law to do so

If we are sharing data with another data controller, we will document that they are authorised by law to process the data for their purpose.

5.3 Principle 3 – Section 37 – data minimisation

Personal data shall be adequate, relevant, and limited to what is necessary for the law enforcement purposes it is needed for. We will:

  • not use automated systems for collecting and processing sensitive personal data

  • only collect the minimum personal data

  • delete sensitive personal data, where we can, when data provided to us or obtained by us is not relevant to our stated purposes

5.4 Principle 4 – Section 38 – accuracy

Personal data will be accurate and, where necessary, kept up to date. We will:

  • take particular care where our use of personal data has a significant impact on individuals

  • make sure that personal data is deleted or corrected without delay if we become aware that it is inaccurate or out of date

  • document our decision if we do not delete or correct inaccurate information, for example, when processing the data in line with regulations means these rights do not apply

Where relevant, and as far as possible, we will distinguish between personal data about different categories of data subject, such as:

  • people suspected of committing an offence or being about to commit an offence

  • people convicted of a criminal offence

  • known or suspected victims of a criminal offence

  • witnesses or other people with information about offences

  • where the personal data is relevant to the purpose of being pursued

5.5 Principle 5 – Section 39 – storage limitation

We will not keep personal data which identifies data subjects for longer than is necessary. We will:

  • only keep personal data for the purposes it was collected for, or where we have a legal duty to do so

  • delete, put beyond use, or otherwise permanently anonymise personal data once we no longer need it

5.6 Principle 6 – Section 40 – security

We will process and store personal data securely, protecting it against unauthorised or unlawful processing, and against accidental loss, destruction, or damage. We will:

  • ensure there are appropriate organisational and technical measures in place to protect personal data

  • adhere to our strict security standards

  • regularly train employees, and third parties who process personal data on our behalf, on how to keep data safe

  • limit access to personal data to those employees or third parties who have a business or legal need to access it

6. Accountability principle

We have put in place technical and organisational measures to meet the accountability principle. These include:

  • establishing an Information Governance Model which is managed by the Data Protection Practitioner, who reports to both the RPA Security Risk Owner (SRO) and the Defra Data Protection Officer (DPO)

  • taking a ‘data protection by design and by default’ approach to our data protection activities

  • maintaining documents of our processing activities

  • adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors

  • implementing appropriate security measures relating to the personal data we process

  • carrying out data protection impact assessments for our high-risk processing

  • regularly reviewing our accountability measures and updating or amending them when required

7. Retention and erasure

We have strict security safeguards in place to protect sensitive personal data. Administrative, physical, and technical safeguards protect personal data against:

  • unlawful processing
  • unauthorised processing
  • accidental loss or damage

We will make sure that processing of sensitive personal data is recorded. The record will set out, where possible, a suitable timeframe to safely and permanently delete the different data categories in line with our retention schedule.

7.1 Publishing, reviewing and monitoring

Publication date - April 2024

Version 2.0

Author - Data Protection and Governance (DP&G)

Review period - Every 2 years

This APD is scheduled to be reviewed during April 2026 unless significant developments in either RPA or the law necessitate that this review be brought forward. This APD will be stored where we process personal data for law enforcement purposes and kept for a period of at least 6 months after such processing stops.

Compliance with the policy will be monitored by the Data Protection Practitioner and the SRO reporting to Executive Team and the Audit and Risk Assurance Committee, as required.

Read this policy together with the following documents:

  • RPA Data Protection Policy

  • Appropriate Policy Document: Special Category Personal Data and Criminal Offence Data

You can find these documents on the Data Protection Policy page. You may also be interested in RPA’s Personal Information Charter.

Back to top