Appropriate policy document - law enforcement processing

Procedures for ensuring compliance with the law enforcement data protection principles

We will: 

Accountability

  • appoint a data protection officer who reports to our highest management level
  • take a ‘data protection by design and default’ approach to our activities
  • maintain documentation of our processing activities
  • adopt and implement data protection policies and ensure there are written contracts in place with processors
  • implement appropriate and reasonable security measures
  • carry out data protection impact assessments for high-risk processing activities

Principle (1): lawfulness and fairness

Ensure sensitive processing is only carried out where it is strictly necessary for law enforcement purposes.

Ensure sensitive processing is carried out with the consent of the data subject or based on a Schedule 8 condition. 

Principle (2): purpose limitation

Use data collected for law enforcement purposes for any purpose other than law enforcement only where authorised by law to do so.

Only share data with another controller where it can be evidenced that they are authorised by law to process the data for their purpose.

Principle (3): data minimisation

Only collect personal data that is necessary and proportionate for our law enforcement purposes and ensure that data collected is not excessive.

Ensure that where personal data is provided to us or obtained by us, but is not relevant to our stated purposes, it will be erased. 

Principle (4): accuracy

Ensure that personal data is accurate and kept up to date where necessary. 

Take particular care to ensure accuracy of personal data held. 

Where possible, distinguish between personal data based on facts and personal data based on personal assessments or opinions.

Where relevant, and as far as possible, distinguish between personal data relating to different categories of data subject, such as:

  • people suspected of committing an offence or being about to commit an offence
  • people convicted of a criminal offence
  • known or suspected victims of a criminal offence
  • witnesses or other people with information about offences

Take reasonable steps to ensure that where personal data is inaccurate, incomplete, or out of date it is not transmitted or made available for any of the law enforcement purposes. 

Document decisions to make personal data available for any of the law enforcement purposes.

Principle (5): storage limitation

Only keep personal data in identifiable form for as long as is necessary.

Determine retention periods based on our legal obligations and the necessity of the data to our business needs.

Make retention schedules publicly available.

Principle (6): integrity and confidentiality (security) 

Ensure effective technical and organisational policies and procedures are in place to support secure working practices. 

Educate and train staff to handle and process personal data securely.

Ensure specialist staff are available to provide support and guidance.

Ensure appropriate roles are in place to support information risk management.  

Ensure that the systems used to process personal data for law enforcement purposes allow for the erasure or update of personal data at any point in time. Such systems shall also be capable of logging records of the following information:

  • collection
  • alteration
  • consultation (access)
  • identity of the person who accessed
  • disclosures
  • combination of records
  • erasure