Policy paper

Law enforcement processing: part 3 appropriate policy document

Updated 25 January 2024

Background

Part 3 of the Data Protection Act 2018 (DPA 2018) puts certain obligations upon ‘competent authorities’ - those permitted to process personal data for law enforcement purposes.

For example, when sensitive processing is undertaken for law enforcement purposes, Part 3, section 42 of DPA18 requires an Appropriate Policy Document (APD) to be in place.

This policy meets this requirement by explaining how the Ministry of Defence (MOD) complies with DPA18 when it undertakes such processing.

1. What is sensitive processing?

Sensitive processing is defined in Part 3 section 35(8) of the DPA 2018.

This includes:

• the processing of personal data revealing racial or ethnic origin
• political opinions, religious or philosophical beliefs or trade union membership
• the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual
• the processing of data concerning health
• the processing of data concerning an individual’s sex life or sexual orientation.

2. Is the Ministry of Defence a competent authority?

Yes. Section 30 of DPA 2018 defines “competent authority” as:

• “a person specified or described in Schedule 7, and
• any other person if and to what extent that the person has statutory functions for any of the law enforcement purposes.”

Schedule 7 of DPA 2018 classes: ‘any United Kingdom government department other than a non-ministerial government department’ as a competent authority.

Moreover, it names the following areas as competent authorities:

• the chief constable of the Ministry of Defence Police
• the Provost Marshal of the Royal Navy Police
• the Provost Marshal of the Royal Military Police
• the Provost Marshal of the Royal Air Force Police.

3. Law enforcement purposes

“Law enforcement purposes” are defined as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

4. Sensitive processing for law enforcement purposes

Section 35(4) and (5) of the DPA 2018 states that sensitive processing for law enforcement purposes is only permitted when:

• the data subject has given consent to the processing for the specific purpose

and

at the time the processing is carried out, the controller has an APD in place.

or

• the processing is strictly necessary for a law enforcement purpose, the processing meets at least one condition in Schedule 8 of the Act

and

at the time the processing is carried out, the controller has an APD in place.

If either of these two conditions are met, the sensitive processing will be lawful.

5. What are the conditions for processing under schedule 8 of the DPA 2018?

The conditions for sensitive processing in Schedule 8 of the Act are:

• necessary for judicial and statutory purposes – for reasons of substantial public interest
• necessary for the administration of justice
• necessary to protect the vital interests of the data subject or another individual
• necessary for the safeguarding of children and of individuals at risk
• personal data already in the public domain (manifestly made public)
• necessary for legal claims
• necessary for when a court acts in its judicial capacity
• necessary for the purpose of preventing fraud; and
• necessary for archiving, research or statistical purposes.

6. The Data Protection Principles

The principles set out in Part 3 of the Data Protection Act 2018 require personal data to be:

• processed lawfully and fairly (lawfulness and fairness)
• collected for specified, explicit and legitimate law enforcement purposes, and not further processed in a way that is incompatible with those purposes (purpose limitation)
• adequate, relevant and not excessive in relation to the purposes for which it is processed (data minimisation)
• accurate and where necessary kept up to date (accuracy)
• kept for no longer than is necessary for the purposes for which it is processed (storage limitation)
• processed in a way that ensures appropriate security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality).

7. How we will meet these principles for sensitive processing?

7.1

• as per section 35 of the DPA 2018, the areas that undertake law enforcement sensitive processing will only do so when it is necessary to fulfil our function as a public body, or with the consent of the individual
• the MOD will only undertake sensitive processing for law enforcement purposes where it has a lawful basis to do so and when the information is required for a specific reason
• this means the processing will be authorised by:

either statutes, common law or royal prerogative or any other rule of law

and

meets one of the conditions for processing under the DPA 2018.

• we will communicate fair processing information to individuals through gov.uk and make the same information available in other formats on request
• when we need your consent, you will be given full details of what will happen to your data and the length of time it will be retained. Before your information is processed, you will also be advised of your right to withdraw consent at any time. When we ask for your consent, this will be documented and made available on request
• if the processing involves taking physical data or taking of samples (as defined under section 65 of the Police and Criminal Evidence Act 1984, or The Police and Criminal Evidence Act 1984 (Armed Forces) Order 2009) this will be done in accordance with the law
• the most common Schedule 8 condition that applies to law enforcement processing is condition 1 – ‘Statutory purposes’. Other commonly used conditions are 3 – ‘Protecting individual’s vital interests’ and 4 – ‘Safeguarding of children and of individuals at risk’.

7.2 Specified, explicit and legitimate purposes

• sensitive processing will only be undertaken when it is necessary for the law enforcement purposes, unless authorised by law
• MOD - or other organisations that are permitted to do law enforcement processing - may undertake sensitive processing for other law enforcement purposes.

7.3 Adequate, relevant and not excessive

• MOD collects personal data for law enforcement purposes only when it is necessary and proportionate to do so. This is made clear during data protection training. Officers and staff are advised not to record their opinions unless required.

7.4 Accurate and where necessary kept up to date

• we will ensure (as far as possible) the data we hold is accurate and kept up to date. However, in some circumstances, we may need to keep factually inaccurate information e.g. in a statement from a victim, witness or alleged perpetrator
• when new information is provided or obtained our records are updated. However, it may also be necessary to retain historic data for effective delivery of the law enforcement function
• all officers and staff are made aware of their responsibilities regarding the accuracy of the data they process. The accuracy of personal data is checked during audits
• if personal data is found to be inaccurate it will be rectified or erased where possible. Where this is not possible, there will be an addendum to that personal data advising of its inaccuracy. When necessary, the processing will be restricted in accordance with Sections 46 to 48 of the DPA 2018. This will ensure that data will not be transmitted or made available for any of the law enforcement purposes. If inaccurate personal data has been disclosed, the recipient will be advised of this as soon as practicable.

7.5 Kept for no longer than is necessary

• we will only keep your personal data for as long as we need it to achieve the purposes we collected it for, and to satisfy any legal, accounting, or reporting requirements
• our records management policy and procedures JSP 441 is available online
• information processed by the competent authorities within MOD will also be handled in accordance with the College of Policing Authorised Professional Practice (APP) guidance on Management of Police Information (MoPI), which set out the principles of good information handling practice. The Service police agencies also have their own policy that is similar to the MoPI, but includes additional Service factors, such as the inclusion of military offences
• if MOD is conducting sensitive processing about you because it has your consent, and you decide to withdraw your consent, your data will be destroyed in line with legislative requirements
• when sensitive processing is carried out in accordance with a Schedule 8 condition, information will be retained or destroyed in accordance with the relevant section of JSP 441 and / or APP guidance on MoPI, or Service equivalent
• should consent-based sensitive processing involve taking physical data or samples (as defined in Police and Criminal Evidence Act 1984, or The Police and Criminal Evidence Act 1984 (Armed Forces) Order 2009) this will be done in accordance with the law.

7.6 Appropriate security

• the MOD has appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Technical measures

• the MOD has set internal policy to protect personal data. Our IT systems comply with government security guidance, including information security standards for the National Policing Community set by the Cabinet Office and Home Office
• MOD has access controls to protect those subject to sensitive processing for law enforcement activities. We ensure that only appropriate staff have access to the key systems as per policy and Security Operating Procedures.

Organisational measures

• all officers and staff are required to complete data protection training. All new staff, officers and contractors are vetted prior to appointment and must undergo training from Information Assurance and the Anti-Corruption Unit
• buildings are kept physically secure and access is granted only when required
• any security incidents involving personal data must be recorded, reported and comprehensively investigated
• personal data breaches will also be assessed by the MOD Data Protection Officer’s Team, to determine if they should be reported to the Information Commissioner.

7.7 Erasure of personal data

• erasure of personal data will be undertaken in accordance with Section 47 and (when necessary) Section 48 of the DPA 2018, APP guidance on MoPI and Service equivalents.

7.8 Retention and review of this policy

• this policy document will be retained in accordance with Section 42 of the DPA 2018. It will be made available to the ICO on request
• this policy will be reviewed on an annual basis (or more regularly if appropriate) and updated as required. As such, we reserve the right to update this APD at any time.

7.9 Further information

For further information about the MOD’s compliance with data protection law, please contact us at:

MOD Data Protection Officer
Ground Floor, Zone D
Main Building
Whitehall
London
SW1A 2HB

Email: cio-dpa@mod.gov.uk

We will acknowledge your enquiry within 5 working days and send you a full response within 20 working days. If we cannot respond fully in this time, we will write and let you know why and tell you when you should get a full response.