Consultation outcome

Addendum - correction to the code of practice

Updated 16 March 2023

Corrections to footnotes 26 and 85

This addendum updates errors in footnotes 26 and 85 found on pages 15 and 63 of the code of practice. The footnotes should be ignored.

The footnotes incorrectly suggest that the National Police Chiefs Council (NPCC) Data Processing Notice (DPN) meets the requirements of a suitable policy document as defined in section 42 of chapter 2, part 3 of the Data Protection Act 2018 (DPA) when carrying out sensitive processing.

Competent authorities are required to have an appropriate policy document in place when undertaking sensitive processing (for law enforcement purposes) as defined in the DPA.

Section 42 of chapter 2, part 3 of the DPA requires a policy document that both:

• explains the controller’s procedures for securing compliance with the data protection principles (see section 34(1)) of the DPA) in connection with sensitive processing in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question
• explains the controller’s policies as regards the retention and erasure of personal data processed in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, giving an indication of how long such personal data is likely to be retained

The NPCC’s DPN notices as of 9 March 2023 are not currently designed to meet these requirements.

Footnote changes will be made to the code of practice when the next revision is released.