As many readers will be aware, the European Commission is in the process of finalising the General Data Protection Regulation (the GDPR). This will set out a new legal framework governing the collection, use and disclosure of personal data by organisations across Europe. When finalised, the GDPR will replace the Data Protection Act 1998 (the Act) in the UK.
Whilst these negotiations are reaching their final stages, one would expect the Act to become redundant once the GDPR is adopted. However, there is a strong possibility that the Act may be around for longer than expected.
It is important to note that, whilst the GDPR has attracted all the attention, there are other, less highly publicised but still important, pieces of sector-specific European data protection legislation scheduled to be implemented within the same timeframe as the GDPR.
The Police and Criminal Justice Data Protection Directive (2012/0010) (the Directive) seeks to regulate the use of personal data for law enforcement purposes, specifically "for the purposes of prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties or the safeguarding against and the prevention of threats to public security."
The Directive will cover the use of personal data for law enforcement purposes by not just police forces, but also public organisations tasked with tackling crime. This includes Local Authorities undertaking statutory functions that could result in criminal prosecutions, such as illegal dumping of waste and trading standards offences.
Unlike the GDPR, the Directive will need to be implemented into each country's statute book. This allows member states some degree of flexibility in respect of the application of the Directive's provisions.
This means that organisations that fulfil law enforcement functions will need to comply with two data protection regimes. For most of Europe the requirements of the Directive, as implemented by national law, will apply in relation to data used for law enforcement purposes. The GDPR will apply in relation to all other uses of personal data.
This dual regime for law enforcers may sound complicated enough but in the UK the situation is even less certain. Unlike most of the rest of Europe, the UK government has an opt-out in respect of the application of European data protection legislation in relation to domestic law enforcement. The UK has partly exercised this opt-out, so whilst the UK has agreed to be bound by the Directive, when adopted, to permit the sharing and receipt of personal data for law enforcement purposes with other member states in Europe, it has opted out of the Directive's provisions in relation to the processing of personal data for law enforcement purposes within the UK.
This leaves a gap in the UK regulation, as the GDPR does not regulate use of personal data for law enforcement purposes.
This has left the UK government with a number of options:
Public bodies using personal data for law enforcement purposes need to be prepared to implement three separate but related governance regimes for personal data:
The European deadline for finalising the new legislation is the end of 2015, although this seems likely to slip into 2016. There will then be an implementation period of 18 months to two years before the new laws come into force. However, even when the final texts of the GDPR and the Directive are agreed it is still not clear what steps the UK government will take to regulate use of personal data for law enforcement purposes.
It would be premature to undertake any substantive work in preparation for the new regime at this point, but officers should be mindful of the potential new data protection framework. Officers should identify where information is held solely for law enforcement purposes, and whether or not such data is held in systems that solely hold personal data for law enforcement purposes.
More substantive work can be undertaken to prepare for implementation of the GDPR in relation to use of personal data for non-law enforcement related purposes. Although the GDPR is still in draft form, we know that the following changes are highly likely to be implemented:
A number of these obligations are already best practice, and organisations would be well advised to start implementing privacy by design principles and privacy impact assessments if they have not done so already. We also recommend that organisations undertake a 'data mapping' exercise to ensure they have a good understanding of how, why and where personal data is being collected and shared or disclosed across the organisation. Having a good grip of data flows and the reasons why personal data needs to be used across the organisation will be an effective starting point for implementing the new legislation when it is finalised.
Contributor: Varun Shingari
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2015. Specific advice should be sought for specific cases. For more information see our terms & conditions on www.TLTsolicitors.com