- Data Strategy,
- Data Protection Services,
- Public Sector
– 05 Jan, 2018
UK Policing And GDPR
The General Data Protection Regulation (GDPR) takes effect across the EU, including the UK, on 25th May 2018. The UK government has confirmed that the UK’s decision to leave the EU will have no impact on the application of the GDPR within the UK.
What Is GDPR?
The GDPR replaces the Data Protection Directive 95/46/EC and, in the UK, the Data Protection Act 1998. It is designed to safeguard the personal data privacy rights of individuals in the European Union (EU). It applies to all UK and European organisations, and to any organisation outside the EU that offers goods or services to, or monitors the behaviour of, individuals in the EU.
The GDPR gives individuals far greater control and rights over their personal data in several ways, including consent, the right to access their personal data, the right to rectify or erase information held about them, the right to be informed and the right to be forgotten, that is, the complete erasure of their personal data.
The changes brought about by the GDPR will undoubtedly have a significant impact on all law enforcement organisations. Any law enforcement organisation that operates within the EU, or that processes the personal data of individuals in the EU, will be subject to the GDPR, regardless of where that information is stored.
However, where law enforcement is concerned there is one exception which will be discussed in greater detail later in this article.
GDPR And Law Enforcement
GDPR applies equally to the technology tools used to manage information within law enforcement: whoever acts as data controller or data processor for those systems is required to comply with it. Law enforcement organisations must be able to demonstrate that their systems, technology and processes are fully GDPR compliant.
With non-compliance penalties of up to EUR 20 million or 4% of annual worldwide turnover, whichever is the higher, GDPR will make organisations fully accountable for their approach to data protection compliance.
Whilst there are significant financial penalties for failing to comply with GDPR, the regulation also provides an important opportunity to improve the quality of stored data.
The Police And Criminal Justice Data Protection Directive
The Police and Criminal Justice Data Protection Directive (Directive (EU) 2016/680, also known as the Law Enforcement Directive, and referred to here as the Directive) entered into force in May 2016. It regulates the use of personal data for law enforcement purposes, specifically “for the purposes of prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties or the safeguarding against and the prevention of threats to public security.”
The Directive covers the use of personal data for law enforcement purposes not just by police forces, but also by other public bodies engaged in tackling crime.
Unlike the GDPR, which is a Regulation and therefore applies directly in the UK without the need for national legislation, the Directive must be transposed into UK legislation. This gives the UK a degree of flexibility in how the Directive’s provisions are applied.
This means that organisations that fulfil law enforcement functions will need to comply with two data protection regimes. The requirements of the Directive, as implemented by UK legislation will apply in relation to data used for law enforcement purposes. The GDPR will apply in relation to all other uses of personal data.
How will this work in the UK?
The UK government negotiated an opt-out in respect of the application of European data protection legislation to UK domestic law enforcement, and has exercised that opt-out in part.
Therefore, while the UK has agreed to be bound by the Directive once transposed (transposition must be completed by 6th May 2018), which will permit the sharing and receipt of personal data for law enforcement purposes with other EU Member States, the UK has opted out of the Directive’s provisions in relation to the processing of personal data for law enforcement purposes within the UK.
This leaves a gap in UK regulation, because the GDPR expressly excludes the use of personal data for law enforcement purposes from its scope. How that gap should be filled remains a topic of conversation within the UK government.
What will this mean for organisations carrying out law enforcement activities in the UK?
UK Public bodies using personal data for law enforcement purposes will need to implement three separate but related governance procedures for personal data:
- a domestic procedure for law enforcement data processed within the UK;
- the Directive, for law enforcement data sent to or received from other Member States; and
- the GDPR, for the processing of all other personal data.
Despite the GDPR taking effect in May 2018, it is still not clear what course of action the UK government will take to control the use of personal data for domestic law enforcement purposes in place of the Directive. This is also a major concern for the Information Commissioner’s Office (ICO).
What can be done to prepare?
Law enforcement agencies need to identify where information is held solely for law enforcement purposes, and whether that data sits in systems that also hold personal data used for non-law enforcement purposes. The two groups of data will need to be separated and held independently of each other, so that data collected under one regime is not used, or retained, under the rules of the other.
More substantive work should now be undertaken to prepare for implementation of the GDPR in relation to the use of personal data for non-law enforcement purposes.
Policing and the use of personal data for non-law enforcement related purposes and GDPR
In the realms of policing within the UK there have been several documented incidents where police forces throughout the UK have found themselves under scrutiny from the ICO and the courts.
In Brown v Commissioner of Police of the Metropolis (2016) the Metropolitan Police were successfully sued by one of their own officers, a detective constable, for breaching the current Data Protection Act 1998 (DPA). The force had obtained personal information about its own colleague, without her consent, by citing non-existent legislation (a “Police Act 2007”) and by relying on powers intended for the investigation of crime.
The DPA sets out eight data protection principles, the third of which requires that personal data be adequate and relevant to the purpose for which it is processed and, more importantly, not excessive in relation to that purpose. In Brown this principle was breached on both counts.
Such incidents are not few and far between: they occur across the UK, fines have been imposed by the ICO, and officers have resigned or been dismissed for serious breaches of data protection.
The impact of the GDPR needs to be at the forefront of policing where the future protection of personal data used for non-law enforcement purposes is concerned. Unlike the current DPA, the GDPR introduces several mandatory requirements covering how personal data is accessed, used, processed and removed within the UK.
The new requirement to keep mandatory records of processing activities, backed by a complete and comprehensive audit trail, will increase the administrative burden on the Data Protection Officer as well as on data controllers and data processors.
What does GDPR mean for individuals?
The GDPR creates new rights for individuals while reinforcing the individual’s rights that presently exist under the DPA.
GDPR provides the following rights for individuals:
- The right to be informed
The right to be informed encompasses the obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for complete transparency about how an organisation will use personal data.
- The right of access
Under the GDPR, individuals have the right to obtain confirmation that their data is being processed, together with access to that personal data and certain supplementary information (Article 15). The supplementary information largely corresponds to what must be provided in a privacy notice. These rights are similar to the subject access rights under the current Data Protection Act.
- The right to rectification
Individuals have the right to have personal data corrected if it is inaccurate or incomplete. If an organisation has disclosed the personal data to third parties, it must inform those third parties of the rectification where possible. It must also, if the individual asks, tell the individual which third parties have received their data.
- The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. It allows an individual to request the deletion of their personal data where one of the grounds in Article 17 applies, for example where the data is no longer necessary for the purpose for which it was collected, or where the individual withdraws the consent on which the processing was based. It is not an absolute right.
- The right to restrict processing
Under the DPA, individuals have a right to ‘block’ or suppress the processing of personal data. The restriction of processing under the GDPR works in a similar way. When processing is restricted, an organisation may store the personal data but may not otherwise process it. It may, however, retain just enough information about the individual to ensure that the restriction is respected in future.
- The right to data portability
This permits the individual to obtain and reuse their personal data for their own purposes across different services. It allows individuals to copy, transfer or move personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. It applies to data the individual has provided to the organisation, where the processing is based on consent or a contract and is carried out by automated means.
- The right to object
Individuals have the right to object to specific types of processing, namely:
- direct marketing (only the right to object to direct marketing is absolute: there is no need to demonstrate grounds for objecting, and there are no exemptions that allow the processing to continue);
- processing based on legitimate interests or on the performance of a task in the public interest or the exercise of official authority; and
- processing for research or statistical purposes.
Organisations are obliged to notify individuals of these rights at an early stage, clearly and separately from other information, and online services must offer an automated method of objecting.
- Rights in relation to automated decision making and profiling
The GDPR provides key safeguards for individuals against the risk that a damaging decision is taken without any form of human intervention. These rights work in a similar way to existing rights under the DPA.
Will Brexit have an impact on GDPR?
In a statement made in January 2017 the UK government confirmed that the UK’s decision to leave the EU will have no impact on the application of the GDPR.
In conclusion, law enforcement in the UK faces two distinct data protection regimes. The Police and Criminal Justice Data Protection Directive governs the use of personal data for law enforcement purposes, including the safeguarding against and prevention of threats to public security.
The GDPR is designed to harmonise data privacy laws across Europe, to protect and empower the data privacy of all individuals in the EU, and to reshape the way organisations across the region approach data privacy. There therefore remains a duty on all UK law enforcement agencies to protect non-law enforcement data and to comply fully with the Regulation.
That said, a gap remains between the Police and Criminal Justice Data Protection Directive and the GDPR: the GDPR does not regulate the use of personal data for law enforcement purposes, and the UK has chosen to opt out of the part of the Directive that covers domestic law enforcement processing.
As stated earlier, how that gap should be filled currently remains a topic of conversation within the UK government.
Paul Gillingwater MBA, CISSP, CISM, RHCE
Paul Gillingwater GDPR, ISO27001, PCI/DSS, GRC, DPA18
Paul is a Managing Principal Consultant and registered DPO at Chaucer who has worked for more than 30 years as a cyber security and risk specialist and advisor to businesses, government and non-profits with their governance, regulatory and compliance requirements. Over the past five years he has focused on UK & EU data protection and is a passionate advocate of online privacy rights education.