Appropriate policy document - law enforcement processing

Introduction

We are responsible for investigating and prosecuting criminal offences, and we comply with Data Protection Act 2018 (DPA 2018) when processing personal data for law enforcement purposes. This policy outlines how we handle sensitive personal data, ensuring compliance with the law and explaining our retention and erasure procedures.

This document fulfils the requirements of Part 3 of the DPA 2018 and should be read alongside our data protection policy.

Scope

This policy applies to:

  • all personal data processed for law enforcement purposes
  • anyone processing personal data held by the council for law enforcement purposes

Definitions

Law enforcement purposes:

  • preventing, investigating, detecting, or prosecuting of criminal offences
  • execution of criminal penalties
  • ensuring public safety

Sensitive processing: The processing of personal data for law enforcement purposes that reveals an individual’s:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership

Sensitive processing also includes:

  • the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual
  • the processing of data concerning health; and
  • the processing of data concerning an individual's sex life or sexual orientation

Sensitive processing and legal conditions

We will only carry out sensitive processing with the consent of the data subject or where it is strictly necessary for the law enforcement purposes and meets one of the conditions set out in Schedule 8 of the DPA 2018.

We carry out sensitive processing, for which an APD is required, under the following Schedule 8 conditions:

  • statutory purposes: we have a legal obligation or a substantial public interest to investigate and prosecute criminal offences
  • administration on justice: to ensure proper enforcement of the laws and regulations we are responsible for
  • legal claims: for legal proceedings, obtaining legal advice, or exercising and defending legal rights
  • preventing fraud: sharing personal data with anti-fraud organisations, for example the National Fraud Initiative

Compliance procedures

To maintain accountability we will:

  • appoint a data protection officer who reports to our highest management level
  • take a 'data protection by design and default' approach to our activities
  • keep records of our processing activities
  • ensure contracts are in place with third parties processing personal data for law enforcement purposes on our behalf
  • ensure robust security measures are in place
  • conduct data protection impact assessments for high-risk processing activities

To ensure sensitive processing is undertaken lawfully and fairly, we will:

  • only carry out sensitive processing when it is strictly necessary for law enforcement purposes
  • ensure sensitive processing is carried out with consent or under a Schedule 8 condition

To limit the processing personal data collected for law enforcement purposes we will:

  • only use personal data for non-law enforcement purposes where permitted by law
  • only share personal data with other organisations if they are legally permitted to use it

To minimise the personal data we process for law enforcement purposes we will:

  • collect only the personal data necessary for the relevant law enforcement purpose
  • erase data that is irrelevant to our purposes

To ensure that we process accurate personal data, we will:

  • ensure personal data is accurate and up to date where needed
  • be careful to maintain accuracy of personal data
  • differentiate data based upon facts from data based on opinions
  • where possible, separate data by categories that identify individuals as suspects, convicted offenders, victims and witnesses
  • take steps to prevent inaccurate or outdated data from being used
  • keep records of decisions to share personal data for law enforcement purposes

To ensure that we don’t hold personal data for longer than we need to, we will:

  • keep personal data only as long as necessary
  • set retention periods based on legal requirements and business needs
  • make our retention schedules available to the public

To maintain the confidentiality and integrity of personal data process for law enforcement purposes, we will:

  • implement robust policies and procedures to ensure secure handling of data
  • train staff to manage personal data securely
  • have experts available to offer support and guidance
  • assign specific roles and responsibilities to manage information risks
  • ensure systems allow data to be easily updated or erased and that logging records are maintained detailing the following:
    • collection
    • alteration
    • consultation (access)
    • identify of the person who accessed
    • disclosures
    • combination of records
    • erasure

Retention and erasure

Our retention and erasure practices are set out in our records management policy.

Further information

We have published a suite of related policies and privacy information on our website.

For further information please contact the DPO at  dpo@lincolnshire.gov.uk.

Policy review

We will review this policy on an annual basis.