Policing faces ‘complex’ data privacy issues

While the European General Data Protection Regulation (GDPR), which becomes UK law from next May, will have limited impact on policing activity, Information Commissioner Elizabeth Denham has cautioned that it creates uncertainty over the “complex” issue of data protection. She told a recent National Police Chiefs’ Council information practitioner event that while the GDPR did not cover how personal data is used for law enforcement purposes, these matters would fall under a separate legal instrument known as the Law Enforcement Directive. This covers the use of data for law enforcement purposes, although in simple terms, Ms Denham said in the UK “its scope could be limited to data processed for certain European Justice and Home Affairs measures”. The Directive does not automatically become UK law and the Government must implement it. “But so far the Government has not made any public announcement in terms of detail on how and when that might happen, and what their position is around data processing for domestic law enforcement,” said Ms Denham. “We’ve spoken to the Home Office and Department for Culture, Media and Sport and expressed concern about how late in the day this is being left. I’m certainly sympathetic to forces needing time to prepare for any law changes. “Maintaining appropriate data flows is essential for law enforcement and security purposes. I know from speaking to senior figures in the sector that for anti-terrorism, for security and for justice, you need to maintain access to databases – to Europol, to Eurojust and to the Schengen Information System. This needs to be a very high priority for the Government in the exit negotiations.” Ms Denham said it was a “crucial time” for information rights in the policing sector. “I’ve been here for almost a year and getting a feel for policing in the UK – what the reality is on the ground – has been a priority for me,” she explained. “It’s clear from the initial meetings I’ve had with senior leaders like [City of London Police Commissioner] Ian Dyson and [Metropolitan Police Service Commissioner] Cressida Dick that the speed of technological change, and more integrated information systems, offer ways to have a real impact on frontline policing. “But there are pressures too. The Information Commissioner’s Office (ICO) received more than 18,000 data protection complaints from members of the public last year. One in 20 concerned policing and criminal records. A similar proportion of our self-reported data breaches concern policing.” Earlier this year, Greater Manchester Police was fined £150,000 by the ICO after three DVDs containing footage of interviews with victims of violent or sexual crimes got lost in the post. The ICO had previously fined the force £150,000 in 2012 after an unencrypted USB stick was stolen. Ms Denham stressed that public trust in policing requires respect in how it handles personal data.” She said while the GDPR builds on the previous legislation, “it is the biggest change to data protection law in a generation”, adding that it brings a 21st century approach to the processing of personal data, providing much more protection for individuals and more privacy obligations for organisations. While there is uncertainty over the GDPR, Ms Denham said there was an “opportunity” to prepare for what is coming. “While the legislation is not clear, the direction of travel is,” she explained. “A cursory look over any data protection reform around the world brings up the same key threads running through it: more requirements to log what you’re doing with data; mandatory breach reporting; and data protection officers who are accountable to senior management. “These are all central parts of the GDPR, and it’s difficult to imagine they won’t form some part of the requirements government will set out for UK police forces.” Ms Denham said perhaps the most notable change between the current Data Protection Act and the GDPR was that the new legislation creates an onus on organisations to understand the risks t