Data Protection Act 2018 & UK GDPR: A Detective's Guide
Overview of the Regulation
The Data Protection Act 2018 (DPA 2018), along with the UK GDPR, provides the legal framework for processing personal data in the UK. The DPA 2018 integrates the GDPR into UK law while also including provisions specific to UK interests, such as national security and law enforcement. For detectives, the DPA 2018 is vital in ensuring that personal data collected during investigations is handled lawfully, fairly, and transparently, with safeguards to protect individuals' privacy.
Key Sections for Detectives
Detectives primarily use the following sections of the DPA:
Part 3, Chapter 2: Data Protection Principles for Law Enforcement
This chapter outlines the six data protection principles that law enforcement bodies must follow when processing personal data for criminal law enforcement purposes.
What a detective can do:
Detectives must follow these principles rigorously when handling data during investigations, ensuring that they don't process excessive or irrelevant data and that they delete it when no longer needed for the case.
Example:
If a detective accesses a suspect’s call logs, they must ensure that the data is only kept for the duration of the investigation and is deleted when no longer needed.
How to request:
- Prepare a detailed application justifying the need for interception. You must include the necessity and proportionality.
- Submit the application to a senior officer (usually Assistant Chief Constable or above). The application must include the specific communications you want to intercept, the target individual or group, the rationale, and the timeframe the interception should last.
- The senior officer reviews and, if approved, submits for judicial review if the data is sensitive.
- If granted, the warrant is then sent to the data controller.
Example Warrant:
WARRANT FOR LAW ENFORCEMENT DATA PROCESSING
Issued under Part 3, Chapter 2 of the Data Protection Act 2018
[Target individual(s)]: Jane Doe
[Data requested]: Location tracking data and call logs from [start date] to [end date].
[Reason for the warrant]: To track movements in connection with a missing persons investigation.
Issued by: [Authorizing Officer]
Approved by: [Judicial Commissioner]
Part 4: Intelligence Services Processing
Part 4 governs the processing of personal data by intelligence agencies, which includes bodies like MI5 and GCHQ, but detectives working closely with these agencies may also encounter cases where these provisions apply.
What a detective can do:
When collaborating with intelligence services, detectives must ensure that the data shared or processed under this section complies with the data protection principles for intelligence work. This often involves handling bulk datasets or sensitive information gathered for national security purposes.
Example:
In counter-terrorism cases, detectives may need to collaborate with intelligence agencies to process large datasets that involve both criminal suspects and innocent individuals.
How to request:
- Prepare a detailed application justifying the need for interception. Ensure the data relates to national security and involves intelligence agencies like MI5 or GCHQ.
- Submit the application to a senior officer (usually Assistant Chief Constable or above) or intelligence personnel. The application must include the specific communications you want to intercept, the target individual or group, the rationale, and the timeframe the interception should last.
- The senior officer or intelligence personnel reviews and, if approved, submits to the Judicial Commissioner for review.
- The Judicial Commissioner must review and approve the request. The Judicial Commissioner must be satisfied that it is necessary and proportionate.
- If granted, the warrant is then sent to the data controller.
Example Warrant:
WARRANT FOR INTELLIGENCE SERVICES DATA ACCESS
Issued under Part 4 of the Data Protection Act 2018
[Target individual(s)]: Suspected Terrorist Group X
[Data requested]: Bulk communication data and social media interactions for all identified members.
[Reason for the warrant]: To prevent potential terrorist attacks.
Issued by: [Senior Intelligence Officer]
Approved by: [Judicial Commissioner]
Important Considerations
- Process personal data lawfully, fairly, and transparently.
- Collect data for specified, explicit, and legitimate purposes.
- Ensure data is adequate, relevant, and limited to what's necessary.
- Keep personal data accurate and up to date.
- Store data securely and protect against unauthorized processing.
- Be aware of data subjects' rights, even with law enforcement exemptions.
Data Controllers
Data controllers must comply with the warrant immediately on receiving it.
When the Warrant Is Received:
Upon receiving a warrant, the data controller must first verify its legitimacy, ensuring it is properly authorized by the relevant legal authority, such as a Judicial Commissioner or court. The warrant should clearly specify the data requested, the individuals involved, and the relevant time frame. Once verified, the controller should assess the scope of the warrant to ensure the request is proportionate and justified under data protection laws. If the warrant is valid, the controller must securely transmit the requested data and maintain confidentiality throughout the process, ensuring no unauthorized parties are informed or involved.
What to Do If They Suspect Fraud (Doubt the Warrant’s Legitimacy):
The data controller can do one of three things. These steps cannot, however, delay compliance with the warrant without a legal basis:
Internal Review: If there are doubts about the authenticity or legality of the warrant, the data controller should conduct an internal legal review. They can request additional proof or clarification from law enforcement if needed.
Request for Verification: Contact the issuing authority to confirm the legitimacy of the warrant. This may involve speaking with the law enforcement agency or judicial body that issued it.
Consult Legal Counsel: If further doubts persist, consult legal advisors to determine whether the warrant complies with data protection laws and whether it can be legally challenged.
Fighting the Warrant (If They Believe It Is Overly Broad or Unlawful):
The data controller can, in exceptional circumstances (e.g., when a warrant is overly broad or appears to violate legal standards), fight the warrant. There are three ways this is done:
Insufficient Legal Basis: If the warrant is not properly authorized or lacks legal grounds.
Overly Broad Scope: If the warrant requests excessive or irrelevant data, the controller can ask for a narrower request.
Privacy Violations: If fulfilling the warrant would violate fundamental data protection principles or rights, the controller can challenge it through legal channels.
Penalties for Non-Compliance:
Fines: Non-compliance with a valid warrant can result in significant financial penalties under the DPA 2018. For serious data breaches, fines can reach up to 4% of annual global turnover or £17.5 million, whichever is higher.
Legal Consequences: Failure to comply with a lawful warrant can also lead to additional sanctions, including legal actions from the Information Commissioner’s Office (ICO). Conversely, if a company unlawfully discloses or mishandles data, they may face penalties as well.