In the world of Law Enforcement, Data Protection is about compliance with both the UK GDPR and the Law Enforcement Directive (LED) as implemented by Part 3 of the Data Protection Act 2018. This does not just cover the police but any ‘competent authority’ with a ‘law enforcement purpose’ e.g. local authority regulatory services.
While Part 3 is very similar to the GDPR, it is starkly different in a few key areas and can confuse those who do not deal with it regularly. A recent Scottish case shows that even the ICO can get it wrong.
As part of our growing range of practical workshops for data protection professionals, Act Now Training has launched a full day workshop on this important topic. Our expert trainer, Scott Sammons, will cover the basic requirements under the LED principles, look at practical steps, explore the LED SAR exemptions and see where you can re-use your GDPR controls for an LED purpose.
This workshop can also be customised and delivered to your organisation at your premises or virtually. Get in touch to learn more.
In October, there was a decision in the Scottish courts which will be of interest to data protection practitioners and lawyers when interpreting Part 3 of the Data Protection Act 2018 (law enforcement processing) and more generally the UK GDPR.
The General Teaching Council For Scotland v The Chief Constable of The Police Service of Scotland could fairly be described as a skirmish about expenses (known as costs in other parts of the UK) in seven Petitions to the Court of Session by the General Teaching Council for Scotland (“GTCS”) against the Chief Constable of the Police Service of Scotland (“Police Scotland”). The petitions essentially sought disclosure of information, held by Police Scotland, to the GTCS which the GTCS had asked Police Scotland for, but which the latter had refused to provide.
This case will be of interest to data protection practitioners for two reasons: (1) there is some consideration by Lord Uist as to what “authorised by law” means in the context of processing personal data under Part 3 DPA 2018 for purposes other than law enforcement purposes; and (2) it contains a salutary reminder that while advice from the Information Commissioner’s Office (ICO) can be useful, it can also be wrong; as well as the responsibilities of data controllers in relation to their decisions.
The GTCS is the statutory body responsible for the regulation of the teaching profession in Scotland. They are responsible for assessing the fitness of people applying to be added to the register of teachers in Scotland as well as the continuing fitness of those already on the register. In reliance on these functions, the GTCS had requested information from Police Scotland in order to assist it in fulfilling these duties. The information held by Police Scotland was processed by them for the law enforcement purposes; it thus fell within Part 3 of the DPA 2018. Following Police Scotland’s refusal, the GTCS petitioned the Court of Session for orders requiring Police Scotland to release the information. Police Scotland did not oppose the Petitions, but argued that it should not be found liable for the expenses of the GTCS in bringing the Petitions to the court. This was on the basis that it had not opposed them and that it could not have given the GTCS the information without a court order.
The ICO advice to Police Scotland
Police Scotland refused to supply the information without a court order on the basis that to do so would be processing the personal data for purposes other than the law enforcement purposes without that disclosure being authorised by law, in contravention of the second Data Protection Principle under section 36 of the DPA 2018, which states:
“(1) The second data protection principle is that – (a) the law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and (b) personal data so collected must not be processed in a manner that is incompatible with the purpose for which it was collected.
(2) Paragraph (b) of the second data protection principle is subject to subsections (3) and (4).
(3) Personal data collected for a law enforcement purpose may be processed for any other law enforcement purpose (whether by the controller that collected the data or by another controller) provided that –
(a) the controller is authorised by law to process that data for the other purpose, and (b) the processing is necessary and proportionate to that other purpose.
(4) Personal data collected for any of the law enforcement purposes may not be processed for a purpose that is not a law enforcement purpose unless the processing is authorised by law.”
Police Scotland was relying upon advice from the ICO. That advice was that Police Scotland “would require either an order of the court or a specific statutory obligation to provide the information”, otherwise Police Scotland would be breaching the requirements of the DPA 2018. A longer form of the advice provided by the ICO to Police Scotland may be found at paragraph 10 of Lord Uist’s decision.
The ICO’s advice to Police Scotland was in conflict with what the ICO said in its code of practice issued under section 121 of the DPA 2018. There the ICO said that “authorised by law” could be “for example, statute, common law, royal prerogative or statutory code”.
Authorised by Law
Lord Uist decided that the position adopted by Police Scotland, and the advice given to them by the ICO, was “plainly wrong”, concluding that the disclosure of the information requested by the GTCS would have been authorised by law without a court order.
The law recognises the need to balance the public interest in the free flow of information to the police for criminal proceedings, which requires that information given in confidence is not used for other purposes, against the public interest in protecting the public by disclosing confidential information to regulatory bodies charged with ensuring professionals within their scope of responsibility are fit to continue practising. In essence, when the police are dealing with requests for personal data processed for law enforcement purposes by regulatory bodies, they must have regard to the public interest in ensuring that these regulatory bodies, which exist to protect the public, are able to carry out their own statutory functions.
Perhaps more significantly, the law also recognises that a court order is not required for such disclosures to be made to regulatory bodies. This meant that there was, at common law, a lawful basis upon which Police Scotland could have released the information requested by the GTCS to them. Therefore, Police Scotland would not have been in breach of section 36(4) of the DPA 2018 had they provided the information without a court order.
In essence, a lack of a specific statutory power to require information to be provided to it, or a specific statutory requirement on the police to provide the information, does not mean a disclosure is not authorised by law. It is necessary, as the ICO’s code of practice recognises, to look beyond statute and consider whether there is a basis at common law.
Police Scotland was required by Lord Uist to meet the expenses of the GTCS in bringing the Petitions. This was because the Petitions had been necessitated by Police Scotland requiring a court order when none was required. Lord Uist was clear that Police Scotland had to take responsibility for their own decision; it was not relevant to consider that they acted on erroneous advice from the ICO.
This case serves as a clear reminder that, while useful, advice from the ICO can be wrong. The same too, of course, applies in respect of the guidance published by the ICO. It can be a good starting point, but it should never be the starting and end point. When receiving advice from the ICO it is necessary to think about that advice critically; especially where, as here, the advice contradicts other guidance published by the ICO. It is necessary to consider why there is a discrepancy and which is correct: the advice or the guidance? It may, of course, be the case that both are actually incorrect.
The finding of liability for expenses is also a reminder that controllers are ultimately responsible for the decisions that they take in relation to the processing of personal data. It is not good enough to effectively outsource that decision-making and responsibility to the ICO. Taking tricky questions to the regulator does not absolve the controller from considering the question itself, both before and after seeking the advice of the ICO.
Finally, this case may also be a useful and helpful reference point when considering whether something is “authorised by law” for the purposes of processing under Part 3 of the DPA 2018. It is, however, a first instance decision (the Outer House of the Court of Session being broadly similar in status to the High Court in England and Wales) and that ought to be kept in mind when considering it.
Alistair Sloan is a Devil (pupil) at the Scottish Bar; prior to commencing devilling he was a solicitor in Scotland and advised controllers, data protection officers and data subjects on a range of information law matters.
Could a recent Supreme Court decision on information sharing lead to “terrorists” escaping justice?
Part 3 of the Data Protection Act 2018 (DPA) regulates the processing of personal data for law enforcement purposes by Competent Authorities, which includes, amongst others, government departments and the police.
The case of Elgizouli (Appellant) v Secretary of State for the Home Department (Respondent) UKSC 10 is interesting because it examines the application of GDPR’s less well-known cousin to a complex situation involving the possible extradition of alleged terrorists to the United States. The Supreme Court ruled that the UK acted unlawfully by sharing personal data with the US that could lead to the execution of two British citizens accused of being part of an Islamic State murder squad known as “The Beatles”. Seven justices concluded that the decision in 2018 by the Home Secretary breached Part 3 of the DPA.
Shafee Elsheikh and Alexander Kotey are currently in US custody in Iraq having been linked to 27 murders in Syria carried out by “The Beatles”. In June 2015, the US made a mutual legal assistance (MLA) request to the UK in relation to an investigation into the activities of that group. The then Home Secretary, Sajid Javid, requested an assurance that any information the UK supplied would not be used by the US, directly or indirectly, in a prosecution that could lead to the imposition of the death penalty on the two men. The US refused to provide this assurance and, in June 2018, Mr Javid agreed to provide the information anyway.
Elsheikh’s mother, Maha Elgizouli, challenged (by way of judicial review) the Home Secretary’s decision to share that information with the US, not to prevent him from being prosecuted and jailed, but to protect him from the death penalty. Her claim was dismissed by the High Court, which certified two legal questions of public importance for the Supreme Court to answer:
(1) Whether it is unlawful for the Secretary of State to exercise his power to provide an MLA so as to supply evidence to a foreign state that will facilitate the imposition of the death penalty in that state on the individual in respect of whom the evidence is sought.
(2) Whether (and if so in what circumstances) it is lawful under Part 3 of the DPA, as interpreted in the light of relevant principles of EU data protection law, for law enforcement authorities in the UK to transfer personal data to law enforcement authorities abroad for use in capital criminal proceedings.
The Supreme Court allowed the appeal. Most of the Justices dismissed the challenge brought under the common law (question 1 above) to the Home Secretary’s decision, but they unanimously held that the decision failed to comply with Part 3 of the DPA (question 2). Data Protection professionals, especially those in law enforcement agencies, will be particularly interested in the court’s analysis of the rules relating to international transfers, as set out in Chapter 5 of the DPA.
Section 73 of the DPA, like Article 49 of the GDPR, prohibits transfers of personal data to a third country unless a number of conditions are met. Condition two is that the transfer:
“(a) is based on an adequacy decision (see section 74),
(b) if not based on an adequacy decision, is based on there being appropriate safeguards (see section 75), or
(c) if not based on an adequacy decision or on there being appropriate safeguards, is based on special circumstances (see section 76)”
The court noted that the transfer in question was not based on an adequacy decision; nor was it based on appropriate safeguards, which are set out in section 75(1):
“A transfer of personal data to a third country or an international organisation is based on there being appropriate safeguards where—
(a) a legal instrument containing appropriate safeguards for the protection of personal data binds the intended recipient of the data, or
(b) the controller, having assessed all the circumstances surrounding transfers of that type of personal data to the third country or international organisation, concludes that appropriate safeguards exist to protect the data.”
The lawfulness of the transfer therefore stands or falls on the “special circumstances” condition in section 73. This will only apply, according to section 76, if the transfer is necessary for any of the following five purposes:
“(a) to protect the vital interests of the data subject or another person,
(b) to safeguard the legitimate interests of the data subject,
(c) for the prevention of an immediate and serious threat to the public security of a member State or a third country,
(d) in individual cases for any of the law enforcement purposes, or
(e) in individual cases for a legal purpose.”
The court ruled that a transfer on the basis of special circumstances can only occur following an assessment of what is strictly necessary. Such an assessment was not made by the Home Secretary before sharing the information with the US. Hence the transfer was unlawful. Lord Carnwath said:
“The decision was based on political expediency, rather than consideration of strict necessity under the statutory criteria.”
Furthermore, in relation to the special circumstances gateway, section 76(2) states:
“Subsection (1)(d) and (e) do not apply if the controller determines that fundamental rights and freedoms of the data subject override the public interest in the transfer”.
Lady Hale found that these “fundamental rights and freedoms” include the rights protected by the European Convention on Human Rights, the most fundamental of which is the right to life. This points towards an interpretation of section 76(2) which, even if an assessment had been made, would not allow the transfer of personal data to facilitate a prosecution which could result in the death penalty for UK citizens.
So there you have it: a very careful analysis by the Supreme Court of the international transfer provisions under Part 3 of the DPA. There must now be a further court decision over what the UK must do to comply with the law, including potentially asking the US to return the shared information. This could lead to the two individuals in question avoiding extradition to the US, where they would, if convicted, face the death penalty. Of course, the UK government can still bring them back to the UK to face justice.
This and other developments will be discussed in our forthcoming information law webinars. We have created a policy pack containing essential document templates to help you meet the requirements of Part 3 of the DPA 2018.
Organisations with a role in preventing and detecting crime (e.g. councils, police, regulatory bodies etc.) not only have to comply with GDPR but also Part 3 of the Data Protection Act 2018 (DPA 2018) which applies to the processing of personal data for law enforcement purposes. This is a complex task requiring, amongst other things, a set of policies, procedures and notices; a daunting task especially for organisations “starting from scratch”.
Act Now has applied its 16 years of information governance experience to create a policy pack containing essential document templates to help you meet the requirements of the DPA 2018. It will save you hours of drafting and research time. The pack includes, amongst other things, template privacy notices as well as procedures for data security and data breach reporting. Security is a very hot topic after the recent ICO fine notices issued against British Airways and Marriott International.
We have also included template letters to deal with Data Subjects’ rights requests, including subject access. This is another hot topic. On 25th June 2019, Enforcement Notices (under Part 3 of the DPA) were served by the ICO on the Metropolitan Police for sustained failures to comply with individuals’ rights in respect of subject access requests.
The pack contains the following documents:
- Data Protection Policy – providing an overarching framework for compliant processing of personal data for law enforcement purposes as required under s 56 DPA 2018
- Sensitive Data Processing Policy – as required under s 42 DPA 2018
- Data breach reporting
- Data Protection Impact Assessment template
- Data Subject rights request response templates
- System requirements specification – summary of requirements to meet the audit and record keeping requirements of Part 3 of DPA 2018
- Privacy Notice templates
  - General (for publication)
  - Specific (for tailoring privacy information to particular individuals as required by s 44(2) DPA 2018)
- Records and Tracking logs
  - Information Asset Register
  - Record of Processing Activity (s 61 DPA 2018)
  - Record of Sensitive Data processing
  - Data Subject Rights request tracker
  - Information security incident log
  - Personal data breach log
  - Third country transfer logs
  - Data protection advice log
The above documents are inter-related and contain cross references, particularly across the various tracker logs.
The documents are designed to be as simple as possible while meeting the statutory requirements placed on Data Controllers. They are available as an instant download (in Word format) following payment. Sequential file names make locating each document very easy.
For only £249 plus VAT (Special Introductory Price), the policy pack gives a useful starting point for organisations of all sizes that have a law enforcement function and will save hours of drafting and research time.
This LED processing policy pack complements the Act Now GDPR Policy Pack, which covers the general processing of personal data. The GDPR policy pack has been bought by public and private organisations including local authorities, utility companies, universities and charities.