Policy paper

Appropriate policy document: sensitive processing for law enforcement purposes

Updated 29 January 2026

Applies to England

Scope

This appropriate policy document covers the following organisations: 

We process personal data for law enforcement purposes about:

  • individuals who have committed offences
  • individuals suspected of committing offences
  • other individuals who are involved

We act as environmental regulators under various legal powers and statutory functions. We are competent authorities under Data Protection Act (DPA) 2018 Part 3 Section 30(1)(a).

This policy document has been developed for the above organisations to meet the requirement for an appropriate policy document (APD) under DPA 2018 Part 3 Section 42.

This APD sets out our sensitive personal data processing for law enforcement purposes and explains:

  • our procedures for securing compliance with the law enforcement data protection principles
  • our policies as regards the retention and erasure of personal data

The appropriate policy document for processing of special categories of personal and criminal offence data applies when our processing is not for the primary purpose of law enforcement.

You can find more information about our data protection policies and procedures, including the kind of personal data we hold and what it’s used for in the following: 

Law enforcement purposes

These purposes are set out at DPA 2018 Section 31 and include the:

  • prevention, investigation, detection or prosecution of criminal offences
  • imposing criminal penalties, which might include the safeguarding against and preventing threats to public security

Sensitive processing is defined in DPA 2018 Part 3 Section 35(8) and is equivalent to UK GDPR Article 9 special category data. This includes personal data which relates to:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric identification
  • health
  • sexual life, sexual orientation or both

Description of data processed

We carry out sensitive personal data processing for law enforcement purposes in 3 key areas:

  • criminal investigations
  • intelligence
  • financial recovery

We carry out sensitive processing under DPA 2018 Section 35(3) only with the consent of the data subject or where it is strictly necessary for law enforcement purposes and it meets one of the conditions in DPA 2018 Schedule 8.

All processing is for the first listed purpose and might also be for others, depending on the context:

  • paragraph 1 – statutory purposes, for example, processing personal data when it’s necessary for a legally assigned task, and is in the substantial public interest
  • paragraph 2 – administration of justice
  • paragraph 6 – legal claims
  • paragraph 9 – archiving etc, such as scientific, historical or statistical purposes

Law enforcement data protection principles

We comply with the law enforcement data protection principles under DPA 2018 Part 3 Chapter 2 as set out below:

Principle 1 – Section 35 – lawfulness and fairness

Processing for law enforcement purposes must be lawful and fair. This means that the processing of personal data must be either:

  • based on the consent of the data subject – section 35(2)
  • carried out by us where it’s necessary for performing a task

If the processing involves personal data, then this is only allowed if it is:

  • based on the consent of the data subject – section 35(4)
  • strictly necessary for a law enforcement purpose under section 35(5) and is based on a Schedule 8 condition
  • necessary for reasons of substantial public interest

Our processing of data for law enforcement purposes normally meets the paragraph 1 Schedule 8 condition.

In circumstances where we need consent, we make sure the consent is:

  • unambiguous
  • given by a positive action
  • recorded as the condition for processing

Principle 2 – Section 36 – purpose limitation

We will only collect personal data for specified, explicit and legitimate purposes and we will not process it in a way that is incompatible with the purposes for which it was collected. We will:

  • collect the minimum personal data, for example, for preventing, investigating, detecting or prosecuting criminal offences or imposing criminal penalties
  • process personal data for law enforcement purposes where we are authorised by law to do so 
  • process personal data that is necessary and proportionate to that purpose
  • process personal data collected for purposes other than law enforcement where we are authorised by law to do so

If we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose.

Principle 3 – Section 37 – data minimisation

Personal data shall be adequate, relevant and limited to what is necessary for the law enforcement purpose it is needed for. We will:

  • not use automated systems for collecting and processing personal data
  • only collect the minimum personal data
  • delete personal data where we can and when data provided to us or obtained by us is not relevant to our purposes

Principle 4 – Section 38 – accuracy

Personal data shall be accurate and, where necessary, kept up to date. We will:

  • ensure that personal data is accurate and kept up to date where necessary
  • take particular care where our use of personal data has a significant impact on individuals 
  • make sure that personal data is deleted or corrected without delay if we become aware that it is inaccurate or out of date 
  • document our decision if we do not delete or correct inaccurate information, for example, when processing the data in line with regulations means these rights do not apply

Where relevant, and as far as possible, we will distinguish between personal data relating to different categories of data subject, such as:

  • people suspected of committing an offence or being about to commit an offence
  • people convicted of a criminal offence
  • known or suspected victims of a criminal offence
  • witnesses or other people with information about offences
  • where the personal data is relevant to the purpose being pursued

Principle 5 – Section 39 – storage limitation

We will not keep personal data which identifies data subjects for longer than is necessary. We will:

  • only keep personal data in identifiable form as long as is necessary for the purposes it was collected for, or where we have a legal duty to do so
  • delete, put beyond use or permanently anonymise personal data once we no longer need it

Principle 6 – Section 40 – security

We will process and store personal data securely, protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage. We will:

  • ensure that there are appropriate organisational and technical measures in place to protect personal data
  • adhere to our strict security standards and procedures
  • regularly train staff and third parties, who process personal data on our behalf, on how to keep personal data safe
  • limit access to personal data to those staff or third parties who have a business or legal need to access it

Accountability principle

We have put in place appropriate technical and organisational measures to meet the accountability principle. These include:

  • the appointment of a Data Protection Officer who reports directly to our Permanent Secretary
  • taking a ‘data protection by design and default’ approach to our activities
  • maintaining documentation of our processing activities
  • adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors
  • implementing appropriate security measures in relation to the personal data we process
  • carrying out data protection impact assessments for our high risk processing
  • regularly reviewing our accountability measures and updating or amending them when required

Retention and erasure policies

We have administrative, physical and technical safeguards in place to protect personal data against: 

  • unlawful processing 
  • unauthorised processing 
  • accidental loss or damage 

We will ensure that, when personal data is processed, the processing is recorded and the record sets out, where possible, a suitable timeframe for the safe and permanent deletion of the different data categories in accordance with our retention schedule.

Review

This policy will be kept under review with an additional formal review undertaken in 2 years. It will be retained where we process special category data and criminal offence data and for a period of at least 6 months after we stop carrying out such processing.