Guidance

Privacy notice for personal data processed for law enforcement purposes

Updated 31 March 2026

© Crown copyright 2026

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/intellectual-property-office-privacy-notices/privacy-notice-for-personal-data-processed-for-law-enforcement-purposes

This privacy notice covers the personal data processing that takes place as part of The Intellectual Property Office’s (IPO) statutory functions: to prevent, detect, or disrupt intellectual property crime and assist relevant law enforcement agencies with their law enforcement duties in respect of intellectual property crime.

The IPO is a data controller for the purposes of Article 4 of the UK General Data Protection Regulation (UK GDPR) and a competent authority for the purpose of Part 3 of the Data Protection Act (DPA) 2018 which applies to the processing of personal data by such authorities for law enforcement purposes.

This privacy notice will help you to understand what personal data the Intellectual Property Office (IPO) collects about you, how the IPO uses this personal data, and what rights you have regarding your personal data.  Data processing includes the collection, use, and storage of data.

It is important that you read this notice and the Personal Information Charter, together with any other privacy notice that is provided to you on specific occasions when we are collecting or processing your personal data, so that you are aware of how and why we are using it.

1. The personal data we collect

The IPO collects personal data for the purposes of law enforcement purposes. Personal data is any information that can be used to identify a living individual, either on its own, or in combination with other pieces of data. Examples of personal data collected may include from individuals themselves, third party individuals reporting information to us, or from third parties such as other public bodies, other law enforcement agencies and local authorities.

Our processing can also include sensitive processing which means processing special category data for law enforcement purposes.

When the IPO processes your personal data for law enforcement purposes it does so in its role in preventing, detecting, and disrupting intellectual property crime and assisting law enforcement agencies in their roles in tacking intellectual property crime.

2. Our lawful basis for processing your data

The IPO processes personal data as a Competent Authority under Part 3 of the Data Protection Act, where it is necessary or strictly necessary:

  • for the performance of a task carried out for that purpose by a competent authority

Our processing can also include sensitive processing which means processing special category data for law enforcement purposes.  Where this is the case, providing the processing is strictly necessary for law enforcement purposes, we rely on a condition set out in Schedule 8 of the Data Protection Act 2018.   

Where the IPO processes personal data for non-law enforcement purposes, the processing will fall under the UK GDPR and Part 2 of the Data Protection Act 2018 (DPA 2018) and is necessary for:

  • compliance with a legal obligation to which the controller is subject;
  • the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • the legitimate interests pursued by the controller

Where Special Category Data is processed, it is necessary for:

  • the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
  • where processing is necessary for reasons of substantial public interest

3. How we process your data

We use your personal information for the purposes outlined by our statutory functions and we may share personal data with other enforcement agencies for prosecution purposes if appropriate. 

In some circumstances we may share your personal information with law enforcement and other agencies during an investigation.  

4. Why we process your data

We process personal data for the purposes set out at Section 31 Data Protection Act 2018 and for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security. Our processing is done because it is necessary for the performance of a task relating to one of these purposes.

5. Your rights

You have a right to access your personal data held by or for us. You also have a right to get inaccurate data rectified and incomplete data completed, and for your personal data to be erased in certain circumstances. 

We will provide further information directly to data subjects in specific cases to enable them to exercise their rights. This might be in cases where we are processing your personal data that was collected without your knowledge. 

We will not do this where doing so would be prejudicial to our investigation or for other reasons set out in Section 44 (4) Data Protection Act 2018. 

6. Data transfers

Your personal data may be shared with other government departments, agencies or bodies and law enforcement to reach a wider audience for the stated purpose.

Any transfers are made in line with our data protection obligations. 

7. Do we use any data processors?

We do use external service providers in the UK for the case management system we use to develop and analysing intelligence for law enforcement purposes.

8. How long we keep your personal data

Your personal data will be retained in accordance with the IPO’s data retention and disposal policies. A copy of the data retention and disposal policy can be obtained from kim@ipo.gov.uk.

9. The use of automated decision making

Your personal data is not used in any automated decision making (a decision made solely by automated means without any human involvement) or profiling (automated processing of personal data to evaluate certain conditions about an individual).

10. Change of purpose

We will process your personal data for the purpose for which we collected it. We may also process your personal data for another purpose that we reasonably consider to be compatible with the original purpose.

Please note that we might process your personal data without your knowledge or consent, in compliance with the above rules where this is required or permitted by law.

11. Contact us or make a complaint

You can contact the IPO’s Data Protection Officer if you:

  • have a question about anything in this privacy notice
  • think that your personal data has been misused or mishandled

Email: dpo@ipo.gov.uk

FAO:  Data Protection Officer

Intellectual Property Office
Concept House
Cardiff Road
Newport
South Wales
NP10 8QQ

The DPO provides independent advice and monitoring of our use of personal information.

You can also make a complaint to the Information Commissioner, who is an independent regulator:

Information Commissioner
icocasework@ico.org.uk
Telephone: 0303 123 1113
Textphone: 01625 545860
Monday to Friday, 9am to 4:30pm
Find out about call charges

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Back to top