Two months ago, the introduction of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”) significantly changed our data protection landscape (see our related blogs). Reference to “GDPR” became a daily occurrence in shops and offices, and received daily attention on social media and in the press.
What received little attention, however, were the changes to how police and criminal justice agencies process personal data - provisions that were introduced by the Law Enforcement Directive (“LED”) or, as it is formally known, “Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA”.
This is the first in a series of blogs looking at this overlooked element of the Data Protection Act 2018 relating to law enforcement and criminal justice.
The LED dovetails with the GDPR, which does not deal with data processing for law enforcement purposes. As it is not directly effective legislation, the LED was implemented within Part 3 of the DPA 2018. Parts 5 to 7 of the DPA, which relate to the Information Commissioner’s Office (“ICO”), enforcement of the DPA and supplementary provisions, apply to all elements of the DPA, including Part 3. Schedule 7 of the Act sets out a long list of agencies (including, for example, the FCA and HMRC) to which the provisions apply.
Whilst the LED only applies in relation to cross-border processing of personal data for law enforcement, Part 3 of the DPA also applies to the domestic processing of personal data for such purposes, the aim being to “ensure a coherent regime” across the whole of the law enforcement sector both trans-national and domestic.
The Home Office Fact Sheet provides a helpful summary of the key provisions.
Chapter 1 deals with scope and definitions and then Chapter 2 sets out the six data protection principles that must be complied with. These are similar though not identical to those under the GDPR. For example, there is no requirement under the first principle that processing must be “transparent” given the possibility of prejudice to on-going investigations.
The requirements are that:
Chapter 3 sets out the rights of the “data subject” and provides individuals with a series of rights they can exercise. These include:
However, restrictions are placed on those rights, where necessary and proportionate, in order to:
Chapter 4 imposes a range of obligations upon controllers and processors, including the requirement to appoint a data protection officer, and deals with reporting of data breaches.
Chapter 5 establishes how and when personal data can be transferred to a third country or an international organisation.
Chapter 6 provides supplementary provisions such as those relating to national security certificates and how infringements of Part 3 should be reported.
The blanket coverage given to the introduction of the GDPR means that the public in general is now more alive to the use of its data, certainly in terms of internet shopping and membership databases for example.
However, less light has been shed on how our personal data is processed by police and law enforcement. Ironically, this is where the mishandling of data has the greatest potential for causing prejudice to the individual, and it is an activity which has long been a concern for practitioners.