Appropriate Policy Document: Sensitive Processing for Law Enforcement Purposes under Part 3 Data Protection Act 2018
This is the appropriate policy document that sets out how Warwickshire Police will protect special category and criminal conviction data in compliance with the Data Protection Act 2018 (DPA 2018)
The purpose of this document is to explain:
Warwickshire Police procedures which are in place to secure compliance with the six data protection principles set out in Part 3 of the DPA 2018 when the processing is carried out by each force (in its capacity as controller) in reliance of one of the conditions set out in Schedule 8; and
Warwickshire Police policies regarding the retention and erasure of such personal data processed in reliance on a condition specified in Schedule 8 to the DPA 2018.
This ‘appropriate document’ reflects the requirements to have safeguards in place for sensitive processing carried out for a law enforcement purpose set out in section 42 and Schedule 1 (Part 4) of the DPA 2018.
The policy will be reviewed on an annual basis (or more regularly if circumstances require it) and updated as necessary at these reviews.
What is sensitive processing?
Sensitive processing is defined in Section 35(8) of the Act and includes the processing of:
personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership · genetic data, or biometric data · data concerning health · data concerning an individual’s sex life or sexual orientation
Law enforcement purposes
“Law enforcement purposes” is defined as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
As a police service it is necessary to carry out sensitive processing to fulfil the functions of the Chief Constable as both a competent authority and responsible for the policing of Warwickshire.
Section 35(4) and (5) of the Act states that sensitive processing for law enforcement purposes is permitted in only two cases:
a) the data subject has given consent to the processing for the specific purpose
at the time the processing is carried out, the controller has an appropriate policy document (APD) in place
b) the processing is strictly necessary for a law enforcement purpose, the processing meets at least one condition in Schedule 8 of the Act and at the time the processing is carried out, the controller has an APD in place.
If either of these two conditions are met, the sensitive processing will be lawful.
Compliance with Data Protection Principles
Section 34 DPA 2018 sets out the data protection principles which apply to the processing of personal data by a competent authority for a law enforcement purpose.
The procedures that Warwickshire Police has in place to ensure compliance with these when carrying out sensitive processing are set out below.
Warwickshire Police has put in place appropriate technical and organisational measures to meet the requirements of accountability (as required by Section 34(3) DPA 2018). These include:
the appointment of a Data Protection Officer (DPO) who has a key assurance, compliance and advisory role on data protection matters within the force;
a direct reporting line from the DPO to our highest management level;
the development and regular review of data protection policies and guidance for officers and staff setting how Warwickshire Police meets its data protection obligations – such as when and how a Data Protection Impact Assessment (DPIA) should be completed; and how to ensure new projects, applications or systems meet the legislative, technical and organisational requirements set out within UK data protection legislation;
the appointment and training of Information Asset Owners (IAOs) to be responsible for the management of assigned information assets, including the identification and mitigation of risks arising from the processing of personal data, and ensuring the appropriate documentation is maintained for each of our processing activities;
implementing appropriate security measures in relation to the personal data we process by using guidance, and processes (such as the DPIA) to ensure officers and staff access to personal data and/or to systems containing such are limited and monitored;
regularly reviewing of our accountability measures, and updating or amending them when required, and ensuring we take a ‘data protection by design and default’ approach to our activities, including the design of force systems.
Lawful and fair
Warwickshire Police will only undertake sensitive processing for law enforcement purposes where it has a lawful basis to do so and where the information is required for a specific reason.
The Schedule 8 DPA 2018 conditions for sensitive processing that Warwickshire Police is most likely to apply are:
Administration of justice
Protecting individual’s vital interests
Safeguarding of children and of individuals at risk
8. Preventing fraud
9. Archiving, research and statistics in the public interest
We will communicate fair processing information to individuals through the Warwickshire Police website and will also make the same information available on other formats to individuals on request.
Where consent is requested from an individual to allow sensitive processing, the individual will be provided with full details of what will happen to their data and the length of time it will be retained. They will also be advised of the right to withdraw consent at any time before the information is processed. Where consent is requested, this information will be documented and available on request.
Specified, explicit and legitimate purposes
Sensitive processing will be restricted to only that which is necessary for the relevant law enforcement purpose and it will not be used for a matter which is not a law enforcement purpose unless that use is authorised by law.
It may however, be used for another law enforcement purpose by Warwickshire Police or another organisation that is authorised to carry out law enforcement processing, providing the processing is necessary and proportionate to that purpose.
Adequate, relevant and not excessive
Any personal data collected for law enforcement purposes will be restricted to that which is necessary for the purposes of processing to meet our stated law enforcement purposes
Accurate and where necessary kept up to data
Where sensitive data is provided directly by individuals, its accuracy is checked where the expediency of the required police response does not prevent it. Data is kept uptodate where new information is provided or obtained however it is also necessary to retain historic data for delivery of the law enforcement function.
Warwickshire Police will take reasonable steps to ensure that sensitive data which is complete, inaccurate, incomplete or out-of-date is not transmitted. If inaccurate personal data is discovered to have been transmitted, the recipient will be advised of this as soon as possible. If an individual contacts Warwickshire Police to question the accuracy of their data we will respond to the request in accordance with section 46 of the DPA 2018. Where we decide not to erase or rectify the data we will document our decision.
Personal data that is presented as opinion and does not claim to be fact cannot be challenged on the grounds of inaccuracy.
Kept for no longer than is necessary
Warwickshire Police manages the review, retention and disposal of personal data in accordance with national guidance on minimum standards for the Retention and Disposal of Police Records and the College of Policing Authorised Professional Practice on Information Management and the force Records Retention Schedule.
All personal data processed by Warwickshire Police is retained for the periods set out in the records retention schedule, unless retained longer for archiving purposes.
Warwickshire Police applies the information assurance and security standards set for the National Policing Community by the Cabinet Office and the Home Office, and complies with relevant legislation relating to security.
Policy, training, technical and procedural measures are implemented to secure information, This include, but are not limited to, ensuring force buildings are secure and access restricted to those with a legitimate reason for entry.
All staff are subject to pre-employment vetting checks and periodic checks when in post. All staff are required to undertake mandatory data protection and information security training.
All security incidents involving sensitive data are recorded, investigated and assessed to determine if they meet the criteria for data breach reporting to the Information Commissioners Office under the DPA 2018.
For further information about our compliance with Data Protection law, or if you wish to contact the Data Protection Officer please contact: