DPA 2018: Law Enforcement Processing (Part 3)
Law Enforcement Processing (Part 3) [s.29-81]
Rule: Part 3 provides a separate data protection regime for competent authorities processing data for law enforcement purposes. It implements the EU Law Enforcement Directive (LED) in UK law.
When Part 3 Applies [s.29-30]
Part 3 applies when both conditions are met:
- Competent authority — The controller is listed in Schedule 7
- Law enforcement purpose — Processing is for:
  - Prevention, investigation, detection, prosecution of criminal offenses
  - Execution of criminal penalties
  - Safeguarding against/prevention of threats to public security
Who Are Competent Authorities? [Schedule 7]
| Category | Examples |
|---|---|
| Police forces | All UK territorial police forces |
| Law enforcement bodies | NCA, HMRC (criminal investigations), SFO |
| Prosecution | CPS, Crown Office (Scotland) |
| Courts | When exercising judicial functions |
| Other bodies | Border Force, prison service, probation |
Data Protection Principles [s.34-42]
Part 3 has its own principles (similar but not identical to UK GDPR):
| Principle | Requirement | Citation |
|---|---|---|
| Lawfulness and fairness | Processing must be lawful and fair | s.35 |
| Purpose limitation | Only for law enforcement purposes | s.36 |
| Data minimisation | Adequate, relevant, not excessive | s.37 |
| Accuracy | Accurate and kept up to date | s.38 |
| Storage limitation | No longer than necessary | s.39 |
| Security | Appropriate security measures | s.40 |
Lawful Bases [s.35]
Processing is lawful only if:
- Legal basis exists — Based on law (statutory power, consent, contract, vital interests, or legitimate interests of controller)
- Necessary — Processing is necessary for law enforcement purpose
- Conditions met — For sensitive data, additional conditions apply
Sensitive Processing [s.35(3)-(5)]
Processing of sensitive data (racial origin, political opinions, health, etc.) requires:
- Strictly necessary for law enforcement purpose, AND
- Condition in Schedule 8 is met:
  - Consent of data subject
  - Necessary for legal proceedings
  - Vital interests
  - Already public
  - Necessary for judicial acts
Data Subject Rights [s.44-54]
| Right | Description | Restrictions |
|---|---|---|
| Information | Right to be informed | Can be restricted for law enforcement |
| Access | Subject access request | Can be restricted |
| Rectification | Correct inaccurate data | Applies |
| Erasure | Delete unlawfully processed data | Limited compared to GDPR |
| Restriction | Restrict processing | Applies in specific cases |
| Not subject to automated decisions | Human involvement | Applies |
Restrictions on Rights [s.44-45]
Rights can be restricted where necessary and proportionate to:
- Avoid prejudicing law enforcement
- Protect national security
- Protect rights of others
The controller must document the restriction and the reasons for it.
International Transfers [s.73-78]
Transfers outside the UK are permitted if:
| Condition | When Applies |
|---|---|
| Adequacy regulations | Secretary of State has made regulations |
| Appropriate safeguards | Binding instrument with safeguards |
| Special circumstances | Necessary for specific law enforcement purpose |
| Consent | Data subject has consented |
Logging Requirements [s.62]
Competent authorities must log:
- Collection, alteration, consultation, disclosure
- Including time and who accessed
- Logs used for verification, self-monitoring, integrity/security
Controller Obligations [s.55-71]
| Obligation | Requirement |
|---|---|
| Data protection officer | Must appoint DPO |
| Security | Appropriate technical and organizational measures |
| Breach notification | Notify Commissioner of breaches |
| Impact assessments | For high-risk processing |
| Records | Maintain processing records |