Police mobile phone data extraction practices could be unlawful, ICO report finds
Police forces around the country are routinely extracting “excessive” amounts of personal data from the mobile phones of suspects, victims and witnesses without adequate legal justification and in potential breach of data protection laws, the Information Commissioner has warned.
In a report published today (June 18) Elizabeth Denham has warned the unnecessary extraction of such data risks undermining public confidence in the criminal justice system and could even deter people from reporting crimes.
The report follows last year’s introduction of digital consent forms introduced by the National Police Chiefs’ Council (NPCC) and Crown Prosecution Service (CPS). Victims of rape and other sexual offences were told that if they failed to hand over their phones for inspection, charges against their alleged attackers might be dropped.
The proposals were introduced in a bid to reduce the number of sexual offence cases that collapsed because crucial evidence had emerged at the last minute.
The Information Commissioner’s Office (ICO) report found that data extraction procedures were inconsistent across forces in England and Wales with many officers having a limited understanding of the relevant laws. The ICO called for a new statutory code of practice to provide “greater clarity”.
Some forces were found to be retaining large volumes of data, including intimate details of the private lives of device owners as well as their family, friends and colleagues. In many cases the photographs, messages, emails and social media posts were being stored in unencrypted format presenting “considerable risks to privacy”.
Ms Denham said the current consent forms should be withdrawn they fail to adequately explain the legal basis for the police’s digital intrusion into their private lives.
“Many of our laws were enacted before the phone technology that we use today was even thought about. The existing laws that apply in this area are a combination of common law, statute law and statutory codes of practice. I found that the picture is complex and cannot be viewed solely through the lens of data protection. As this report makes clear, a whole-of-system approach is needed to improve privacy protection whilst achieving legitimate criminal justice objectives,” she said.
“People expect to understand how their personal data is being used, regardless of the legal basis for processing. My concern is that an approach that does not seek this engagement risks dissuading citizens from reporting crime, and victims may be deterred from assisting police.”
The report recommends that a number of measures are implemented across law enforcement to improve compliance with data protection law and regain some public confidence that may have been lost. The ICO is also recommending the introduction of a new code of practice to improve mobile phone extraction practices and better support police and prosecutors in their work.
Ms Denham said: “While the work needed to implement my recommendations must not fall by the wayside, I am acutely aware that this report is issued at a time of unprecedented challenges flowing from the Covid-19 pandemic. I therefore acknowledge that the timeline for change will be longer than usual, but I am keen that we begin to make progress as soon as practicable, and I am committed to supporting that work at all stages.”
In a joint response to the report, the NPCC, CPS and the College of Policing said: “Police investigators must balance the need to follow all reasonable lines of inquiry, guaranteeing a fair trial, with the need to respect privacy. We thank the Information Commissioner for this detailed and thoughtful report, which acknowledges the complexity of this issue, and the growing volumes of data which exist in criminal cases. We will now carefully consider the recommendations of the report.
“We note that the Commissioner recognises the need for consistency in how digital evidence is processed for use in criminal investigations. We have all committed to working with stakeholders to get this right and will be continuing this work in light of the recommendations in this report.”
The NPCC and CPS added: “The principles underpinning all work to date were to seek to provide that clarity and consistency, both to victims and to forces. We accept that more work is needed to make sure that the information provided to victims and witnesses about how their data is used is clear and easily understood.”
Responding to the report, Silkie Carlo, director of civil liberties campaign group Big Brother Watch, said: “The ICO’s report confirms our long-held view that the police’s default approach to demanding digital strip searches of victims of crime is unlawful, damaging and needs to end.
“Hundreds of people, mainly women victims and survivors of rape and sexual assaults, have been denied justice simply for trying to protect their legal rights when faced with unjustified requests for years of irrelevant data. The police and CPS’s failure to observe basic privacy rights has done irrevocable damage within our justice system and no doubt has allowed dangerous criminals to walk free.
“The onus is now on the Government, the CPS and police to engage with us and victims’ groups to bring about urgent reforms that afford victims’ legal rights to privacy, consent and above all justice.”