TLT Solicitors

New data protection regime for the Police


Updated May 2012

New European Directive set to bring in major changes to data protection requirements

A draft European Directive which is currently before the European Parliament is set to change the way in which police forces across Europe use and process personal data. The Directive is part of a package of reforms which strengthen individuals' rights and which will require police forces to put in place additional safeguards and procedures to protect personal data.

What is happening?

The European Commission has published two new pieces of draft legislation: a Data Protection Directive which will govern the use of personal data for criminal investigations and prosecutions (the DP Crime Directive) and a Data Protection Regulation, which will govern all other uses of personal data (the General DP Regulation). Both pieces of legislation are currently in draft form and need to be approved by the European Parliament and the European Council before they come into force.

The General DP Regulation will be directly applicable in all EU Member States without any need for national legislation. The DP Crime Directive, on the other hand, will need to be implemented by the UK Government in the form of national legislation.

It is expected that both the General DP Regulation and the UK legislation implementing the DP Crime Directive will come into force in late 2014 at the earliest. However, police forces need to be aware of the upcoming changes now so that they can prepare to adapt policies and procedures in time for compliance. They will also need to ensure that any new systems being procured in the next two years are capable of complying with the technical security requirements imposed by the new regime.

What impact will the new laws have on police forces?

Dual regime

The new rules will mean that police forces are subject to a dual regime in relation to data protection requirements. The DP Crime Directive will apply only in relation to personal data that is processed for the purposes of preventing, investigating, detecting or prosecuting crimes. A separate (although similar) regime will apply to any data processing carried out by a police force which relates to non-crime related matters, such as the handling of police officer and employee data.

At present the draft legislation contains stricter requirements under the General DP Regulation than under the DP Crime Directive. It may be that the UK Government will adopt national legislation which aligns the two regimes as far as possible; however, police forces will need to be prepared to have in place different procedures and policies, depending on whether personal data is being processed for crime prevention/investigation purposes or for non-crime related purposes.

Key changes

A number of important changes will be brought in by the new legislation. A summary of the key changes is set out below.

  • Data categorisation - Crime-related data will have to be categorised to indicate the individual to whom it relates (for example, convicted persons, victims, witnesses, sources of information) and to indicate the accuracy and reliability of the data.
  • Restricted processing conditions - The circumstances in which crime-related data may be processed will be restricted to four key areas: (i) for the purposes of preventing, investigating or detecting crime; (ii) for compliance with a legal obligation; (iii) to protect the vital interests of an individual; or (iv) for the prevention of an immediate and serious threat to public security.
  • Restrictions on use of sensitive personal data - Processing of sensitive personal data for crime-related purposes (which will include DNA data) will only be permitted as expressly set out in the national implementing law, in order to protect the vital interests of an individual or if made public by the relevant individual.
  • Mandatory data protection officers - It will be mandatory to have a data protection officer, whose role will include advising the force on data protection requirements and monitoring compliance. The data protection officer must be capable of exercising their function 'effectively and independently'.
  • Breach notification - Police forces will have to notify the regulator of data security breaches and, if the privacy of the individual is compromised, the individual will also have to be notified.
  • Expanded privacy notices - More information will need to be given to individuals at the point of data collection. For crime-related data, privacy notices will have to include: the identity of the data controller (i.e. the relevant police force); details of the data protection officer; the purposes for which data will be used; the length of time for which data will be retained; the rights of the individual to access data, to have incorrect data rectified or erased, to restrict data processing in certain circumstances and the right to complain to the regulator; the recipients of personal data, including third countries or international organisations; whether the provision of information is voluntary and the possible consequences of failing to provide the data.
  • Consultation obligations - Police forces will have to consult with the regulator prior to processing any sensitive personal data which forms part of a new system or in relation to certain 'risky' processing activities (although it is not entirely clear when processing will be considered to be 'risky').
  • Electronic security requirements - Electronic systems used to process crime-related data will have to comply with a list of security measures, including measures designed to prevent unauthorised access, copying or removal of data; measures to enable audit trails to see who has input data into the system and to whom it has been disclosed; and measures to ensure that systems are capable of being restored in the case of interruption, reporting faults and protecting against data corruption.
  • Privacy by design and by default - Systems and procedures will need to be designed from the outset to ensure compliance with data protection requirements and to minimise data collection to the extent necessary for the relevant purposes.
  • Increased penalties - The General DP Regulation provides for increased financial penalties for breaches, as well as mandatory audit rights for regulators. The DP Crime Directive allows the UK Government to decide on the penalties that will apply in the cases of breaches involving crime-related data; however, penalties will have to be 'effective, disproportionate and dissuasive'.

What should police forces be doing now?

At present the legislation is still in draft form. The finalised version of the new laws will undoubtedly change from the current draft text. However, the key proposals highlighted above are likely to remain in some form or another. Police forces should bear in mind the upcoming changes when procuring new systems and, when the legislation is finalised, take steps to adapt policies and procedures to enable compliance.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2012. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.



Contact

  • Alison Deighton
    Partner
    Tel: +44 (0)117 917 8016


© 2013 TLT