Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Amberhawk - Law Enforcement Parts of the Data Protection Bill
1. LAW ENFORCEMENT PARTS OF
THE DP BILL
Divergence from the Applied GDPR
chris.pounder@amberhawk.com
1
2. DP BILL FOR LAW ENFORCEMENT
• PART 3. Law Enforcement Processing (Clauses 27-79)
Implements the LED for law enforcement data processing
• Schedule 7 (List of competent authorities covered by LED)
• Schedule 8 (Conditions for sensitive processing under Part 3)
• PART 4. Intelligence Services Processing (Clauses 80-111):
adopts data protection standards for intelligence services data
processing.
• Schedules 9-11 (Conditions for processing, sensitive
processing and other exemptions under Part 4)
2
3. LAW ENFORCEMENT PURPOSES
The “law enforcement purposes” are:
• the “prevention, investigation, detection or prosecution of
criminal offences” and
• “execution of criminal penalties, including the safeguarding
against and the prevention of threats to public security”
Any processing not for a law enforcement purpose (e.g. Human
Resources) is subject to the GDPR elements of the DP Bill
CCTV – is that processing for a law enforcement purpose?
Answer “NO” if the controller is not a competent authority
3
4. WHO DOES “LAW ENFORCEMENT”?
• All organisations in Schedule 7 (i.e. the usual suspects)
And
• any other person if and to the extent that the person has
statutory functions for any of the law enforcement purposes
• (e.g. Trading standards for Local Authority)
4
5. COMMENTS ON DEFINITIONS
1. If a law requires personal data to be processed for a law
enforcement purpose, then the organisation that is required
by law to processes the personal data is the controller (like
S.1(4) DPA).
2. The grounds for the processing are limited to (a) data subject
consent or (b) necessary for the functions of a competent
authority. Processing policies needed for both (e.g. how
consent is obtained; what are the functions). Policies are
subject to FOIA/FOISA requests
3. There is no “special personal data” but there is “sensitive
processing” of personal data
5
6. COMMENTS ON PRINCIPLES
1. If the processing is necessary for a law enforcement purpose,
then the fairness provisions are negated if informing the data
subject would be likely to “undermine” the law enforcement
purpose
2. Disclosures from one law enforcement purpose for any
further law enforcement purpose by another controller is
likely to be compatible.
3. Fourth Principle requires;
– Facts separate from opinions
– Distinction between suspects, convicted, victims and
witnesses
6
7. COMMENTS ON SECURITY
• Security Principle in general applies to ALL processing of
personal data for a law enforcement purpose.
For automated processing, each controller & processor must:
• do an evaluation of the risks (e.g. DPIA)
• prevent unauthorised processing or unauthorised
interference with the systems used in connection with it,
• ensure that it is possible to establish the precise details of any
processing that takes place (logging requirements in Cl. 60)
• ensure that systems function properly and may, in the case of
interruption, be restored
• ensure that stored personal data cannot be corrupted if a
system used in connection with the processing malfunctions 7
8. COMMENTS ON TRANSFERS (Clauses 71-75)
Data transfers to “comparable” law enforcement agencies in Third
Countries for law enforcement purposes can occur when:
• an adequacy decision exists for that Third Country
• there is not an adequacy decision but there are alternative
safeguards for the transfer (e.g. binding contract or the
organisation transferring can assess adequacy; Brexit option?)
• there is neither of the above but special circumstances apply for
the transfer to the Third Country (e.g. vital or legitimate
interests of data subject; serious security threat)
In the last two cases, the transfer has to be fully documented (e.g.
date, time, justification for transfer, details of recipient etc)
8
9. COMMENTS ON RIGHTS
Several rights apply (e.g. right of access to personal data,
rectification, erasure, restriction).
Rights negated if satisfying the right:
• obstructs an official/legal inquiry, investigation or procedure
• prejudices the prevention, detection, investigation or
prosecution of criminal offences or the execution of criminal
penalties;
• jeopardises public security, national security or the rights and
freedoms of others.
Rules similar to “FOIA’s neither confirm nor deny” apply
But ICO can check whether exemption is properly applied
9
10. FINAL COMMENTS (LED LIKE GDPR)
• “Personal data” and “filing system” definitions the same
• A Data Protection Officer is definitely needed
• Data Protection Impact Assessments and prior notification of
a high risk that cannot be mitigated
• Data Loss reporting within 72hrs at the latest
• Data Protection by Design included in procurement processes
• Must have detailed records of processing activities (in
addition to the detailed logging arrangements)
• Processor arrangements and sub-contracting procedures
• Joint controllership rules identified in advance.
10