UK Law Enforcement and GDPR

Transcription

1 White Paper: UK Law Enforcement and GDPR The General Data Protection Regulation and its related laws in the context of the European Union Law Enforcement Directive December 2017 AUTHOR: Paul Gillingwater, MBA, CISSP, CISM

2 Contents Introduction... 3 GDPR and Data Protection for Law Enforcement Purposes... 3 Governance... 4 Data Protection Act 2018 Part Role of the ICO... 5 Issues with the Investigatory Powers Act... 6 Fundamental Principles of Data Protection for Law Enforcement... 6 Competent Authorities More Than You Might Think... 7 Key Differences Between GDPR & LED... 9 Summary and Conclusions

3 Introduction THIS WHITE PAPER CONSIDERS THE GENERAL DATA PROTECTION REGULATION ( GDPR ) AND ITS RELATED LAWS IN THE CONTEXT OF THE EUROPEAN UNION ( E.U. ) LAW ENFORCEMENT DIRECTIVE ( LED ). IN PARTICULAR, IT LOOKS AT THE EXPECTED IMPACT OF NEW DATA PROTECTION LAWS - INCLUDING THE UNITED KINGDOM ( U.K. ) DATA PROTECTION ACT ( DPA ) CURRENTLY BEING DEBATED BY PARLIAMENT - AND SPECIFICALLY HOW PART 3 ENACTS THE UK S OBLIGATIONS UNDER THE LED. THE INTENDED AUDIENCE IS PERSONS WITHIN LOCAL AUTHORITIES, POLICE FORCES AND OTHER COMPETENT AUTHORITIES 1 WITH DATA PROTECTION RESPONSIBILITIES IN THE CONTEXT OF LAW ENFORCEMENT. GDPR and Data Protection for Law Enforcement Purposes 1: Competent authorities include Police forces (including transportation Police), Border agents, financial law enforcement agents, the Gambling Commission, Her Majesty s Prison Service and any private companies to whom official authority has been delegated, such as private prisons or data processors. Most of us know by now that GDPR is a regulation that will impact nearly all businesses in the UK, as well as across the European Union ( E.U. ) and beyond. What many people don t realise, however, is that many public institutions are also directly affected, and in some ways, they have an even more challenging implementation ahead of them. As an example, U.K. Police forces across the land are tasked with managing GDPR compliance, to protect the private data of members of the public - including staff, victims, and suspects. Fortunately, this is nothing new for them, as they have collectively been implementing active data protection and privacy measures at least since 1998, when the Data Protection Act ( DPA 1998 ) was first enshrined in U.K. law. The U.K. DPA 1998 implemented the United Kingdom s obligations under the E.U. Data Protection Directive (Directive 95/46/EC) of 1995, which means that U.K. Police have already had around nine years of experience with data protection and privacy. Furthermore, unlike most businesses, as a public institution Police forces are obliged to appoint a full time Data Protection Officer ( DPO ). 3

4 Governance A robust governance structure is also important, and this is mandated through the College of Policing and its publication of an Authorised Professional Practice ( APP ) covering data protection, which was last updated in November The APP outlines the data protection responsibilities of the DPO, Asset Owners, Senior Information Risk Owners ( SIRO ), and various other senior roles with an information management focus. A typical Police DPO s office often deals with DPA Data Subject Access Requests, Freedom of Information Act requests, and other matters relating to disclosure, data retention and information sharing with other police and non-police entities. In general, most processing of personal data by Police is not based on consent, but rather on legitimate interest. One exception is in the area of referrals to Victim Support, a registered charity which helps those who have been made victims of a crime. Data Protection Act 2018 Part 3 The GDPR itself does not make any specific provisions for the needs of law enforcement or security services, and therefore each member state of the E.U. is free to decide how to arrange matters through enabling legislation. The UK government rose to the challenge, and allocated Part 3 of the draft of the Data Protection Bill ( the Bill ) to exclusively cover how data protection should be managed by law enforcement bodies. This white paper does not include Part 4, which relates to the data protection responsibilities of security services. The GDPR itself does not make any specific provisions for the needs of law enforcement or security services, and therefore each member state of the E.U. is free to decide how to arrange matters through enabling legislation. The Bill, which is likely to be passed into law and given royal assent early in 2018, also functions as enabling legislation for the EU Law Enforcement Directive 2016 ( LED ). The latter is officially known as: Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. The LED recognises that law enforcement would have different needs than businesses, and therefore they planned for specific guidelines that govern how personal data should be processed for Law Enforcement Purposes ( LEP ). According to the E.U., the LED should be transposed into local law in all 28 E.U. member states 4

5 by May 6th, 2018, placing it a few weeks ahead of the entry into enforcement of the GDPR, which takes effect from 25th May Member states are also offered a derogation allowing legacy processing systems to remain in place until 6th May , where there is a disproportionate effort required to bring them into compliance. It is not yet clear whether the UK will invoke this derogation in respect to any of its law enforcement data processing systems, such as the PNC 3. Additional clauses of the LED allow grandfathering of existing bilateral and multi-lateral information sharing arrangements, such as Interpol, Europol and Eurojust. Good practice would suggest that such existing arrangements should be reviewed through the Data Protection Impact Assessment ( DPIA ) process, in case there are risks identified and opportunities to mitigate them. 2: The first deadline is actually 6th May 2023, with the option of a three-year extension to : The Police National Computer ( PNC ) system started in 1974 as an online registry of stolen vehicles. In 2009, it was reported that the PNC had 9.2 million personal records, 52 million driver records and 55 million vehicle records. Such international information sharing requests tend to be handled centrally within the U.K. Police, meaning that individual forces can avoid this responsibility - however, they are obliged to ensure that when they share information with other forces of the Police, that appropriate agreements are in place. Role of the ICO The relationship between Police and the Information Commissioner s Office ( ICO ) is particularly important, and will be even more so under GDPR. The ICO will in future also be responsible for monitoring implementation of the LED by competent authorities. The ICO are responsible for several pieces of legislation at present 4, including: Data Protection Act 1998 ( DPA ) Freedom of Information Act 2000 ( FOIA ) 4: In future, the ICO will be responsible for enforcement of the UK DPA (GDPR), the epr and probably the Law Enforcement Directive. PECR 2003 and the DPA 1998 will both be repealed by May Environmental Information Regulations 2014 ( EIR ) Privacy and Electronic Communications Regulations 2003 ( PECR ) Electronic Information and Trust Services Regulations 2016 ( eidas ) UK Police are subject to DPA, FOIA, PECR and EIR requests, and may in future make use of eidas as societal usage of digital signatures and identities grows. The police also make use of additional capabilities under the Investigatory Powers Act 2016 ( IPA ), however at the time of writing, a major consultation is underway, which is due to end in January

6 Issues with the Investigatory Powers Act The problems with the IPA, which govern the interception of telecommunications, network and postal communications by law enforcement and other authorized competent authorities, started in December 2016 when the Court of Justice of the European Union ( CJEU ) ruled that the IPA was essentially illegal under E.U. laws. Specifically, the Court ruled that the general and indiscriminate retention of s and electronic governments is not consistent with E.U. laws, leading the U.K. government to confirm in November 2017 that it would review and revise the IPA, thus triggering the consultation....the Court of Justice of the European Union ( CJEU ) ruled that the IPA was essentially illegal under E.U. laws. According to the Home Office, the Data Retention and Investigatory Powers Act 2014 ( DRIPA ) was found to be illegal, and therefore was replaced by the IPA in December However, that wasn t enough for the CJEU, therefore the Home Office launched a new consultation in November 2017, with a view to making further changes to the IPA in In summary, U.K. Police operate in a very complex regulatory environment, with a clear understanding of their obligations to protect the private data of members of the public, and of course their own staff and officers. Fundamental Principles of Data Protection for Law Enforcement With the introduction of the GDPR, and its close relative the EU Law Enforcement Directive, the operating rules for U.K. police are being clarified and strengthened. The fundamental rules of GDPR, as adapted for the Police, are provided in the Six Data Protection Principles for Law Enforcement: 1. Processing must be lawful and fair 2. The purposes of processing must be specified, explicit and legitimate 3. Personal data must be adequate, relevant and not excessive 4. Personal data must be accurate and kept up to date 5. Personal data must be kept no longer than is necessary 6. Personal data must be processed in a secure manner 6

7 One of the effects of the new regulation (comprising GDPR and LED as implemented in the revised DPA articles 27-52) is an increased emphasis on allowing Data Subjects to make requests of the Police DPO. Previously, Data Subjects could make requests under the DPA 1998, and authorities could charge 10 for each one. The LED changes this to make access requests cost-free, although a charge may be levied if excessive or repetitive requests are received, at the discretion of the DPO. At least one Police force expects persons who are currently guests of Her Majesty s Prison Service ( HMPS ) to exercise this facility extensively, closely followed by members of Police unions, such as the Police Federation or UNISON. It s likely that a dramatic increase in such requests will place an additional burden on the DPO s office, with the possibility that requests may take longer than the recommended statutory minimum of 30 days. This is likely to incur additional costs and demand more resources to avoid complaints and fines from the ICO. Additionally, Data Controllers within the Police are required to implement stronger protections for personal data, by taking into consideration the principles of data protection by design and default, as well as more robust processes to ensure compliance, and to work more closely with the regulator, the ICO. In practical terms, this will lead to greater transparency and accountability for the Police in their handling of personal data for Law Enforcement Purposes ( LEP ). A secondary but no less important goal of the LED is to ensure that the flow of data within and outside of the E.U. should continue without interruption, and this can only occur if U.K. data protection standards are at a minimum at the same level of the rest of the E.U. countries. Furthermore, after Brexit it is likely that the U.K. will be considered as a 3rd country for the purposes of personal data transfers, making the LED even more important for continued judicial cooperation and data sharing for LEP. A secondary but no less important goal of the LED is to ensure that the flow of data within and outside of the E.U. should continue without interruption... Competent Authorities More Than You Might Think Interestingly, the Home Office has identified around 400 competent authorities who are in scope for the Law Enforcement Directive, of whom 240 are local authorities, 45 are police forces, 31 are rail 7

8 and tramway franchises and the remainder are central government departments and agencies. Within this group, 34 are private sector businesses who are still governed by the LED, such as privately-run prisons, as well as other businesses who handle private sector contracts that involve personal data (often functioning as Data Processors.) Perhaps one of the most significant challenges facing Police forces and other law enforcement or competent authorities is the obligation to implement changes to legacy IT systems. Together with the existing digital transformation initiatives - such as the Home Office Code of Practice on Management of Police Information, or ( MoPI ) - GDPR is likely to trigger necessary changes to dozens if not hundreds of existing systems, leading to significant disruptions to projects and their budgets. This is recognized by the LED, which is why a possible derogation exists to take until 6th May 2023 (with the option of an additional three years to 2026) where disproportionate effort may be required to implement the LED logging requirement. Perhaps one of the most significant challenges facing Police forces and other law enforcement or competent authorities is the obligation to implement changes to legacy IT systems. Additionally, GDPR brings into scope personal data within printed archives or written form, such as Police notebooks, all of which must be considered regarding Data Subject Access Requests ( DSARs ). 8

9 Key Differences Between GDPR & LED Another factor that will incur significant costs is the new obligation to perform extensive DPIAs when making any changes to systems, or evaluating existing data flows and their related processes. This burden will be shared by the ICO, which has new obligations to consult with competent authorities on the processing of DPIAs. The Law Enforcement Directive also makes breach notification mandatory, whereas GDPR gives private companies the leeway to determine for themselves whether they will report breaches or not. Based on current self-reporting, approximately 5% of all data breaches reported to the ICO relate to the Police and Criminal Justice sectors, according to the ICO. Additionally, competent authorities in scope of the LED have an increased requirement to demonstrate their compliance, and to consult with the ICO while adopting a risk-based approach. The Law Enforcement Directive also makes breach notification mandatory, whereas GDPR gives private companies the leeway to determine for themselves whether they will report breaches or not.. A general list of some of the key differences between GDPR and the specific requirements of the Law Enforcement Directive is provided below: 1. The LED does not contain provisions requiring processing to be transparent. Secrecy exists for a reason, and is a standard characteristic of processing for law enforcement purposes. 2. The LED contains a requirement, where possible, to categorise data subjects by group that is, for example by witness, victim, suspect. 3. Additionally, as far as possible, the LED requires data to be clearly distinguishable between what is a fact and what is a personal assessment. 4. The LED also seeks, where practical, for steps to be taken to verify the quality of data before making transfers. 5. The information that should be made available to a data subject (subject to permissible restrictions) is less onerous than under the GDPR. 6. Data subjects in the LED do not have the same rights to object to processing as contained in the GDPR. Obviously, consent is not a factor in the majority of cases. 7. The LED contains less E.U. oversight than the GDPR. This will be especially relevant after Brexit. 9

10 8. The LED contains stronger requirements than the GDPR to demonstrate compliance, notably a logging requirement (DPA 2018 Article 60). Competent authorities will need to maintain logs of processing operations in automated processing systems around the collection, alteration, consultation, disclosure including transfers, combination and erasure of personal data (this could be the metadata that an automated processing system generates to record when data was entered, accessed and deleted and by whom). 9. The LED also contains variations in the role of the Information Commissioner as the supervisory body. Much more consultation is expected for Law Enforcement than that with private companies. 10. Under the LED a Member State may adopt provisions to restrict, wholly or partly, a data subject s rights (including erasure) under certain circumstances. The Bill seeks to utilise this key derogation just as it seeks to utilise the permissible restrictions allowed in the GDPR. The Bill gives competent authorities the power to neither confirm nor deny if information is held by allowing an individual s rights to be restricted to: a. Avoid obstructing official or legal inquiries, investigations or procedures b. Avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties c. Protect public security d. Protect national security e. Protect the rights and freedoms of others Finally, it would be helpful to note that the LED is concerned with the processing of personal data once it has been collected. It does not govern the collection of such data through lawful means, such as surveillance products. This is covered instead by the Investigatory Powers Act 2016, which is currently subject to a consultation that will likely lead to changes in this area. Recall that Telecommunications and Internet Service Providers ( ISPs ) are currently obliged to maintain 12 months of meta-data on all UK Internet and Telephone service users....the LED is concerned with the processing of personal data once it has been collected. It does not govern the collection of such data through lawful means, such as surveillance products. That s not likely to change under GDPR or LED, however the retention and deletion of personal data collected under the IPA may be within scope of GDPR for deletion. 10

11 Summary and Conclusions The City of London Police Commissioner, Ian Dyson, recently said: The new Data Protection Bill will replace its 20th century predecessor with modern legislation and a package of reforms that protects both individuals and organisations, strengthens the regulator and introduces a bespoke framework for law enforcement. It is vital that policing is enabled to perform our duties by maintaining public approval of our actions. In a digital age the way we handle personal data; how we collect, store, use and dispose of it is coming under growing scrutiny. In return for willing cooperation, the public expect a proportionate balance across law enforcement of how we manage their information. It is evident that there are many challenges facing Law Enforcement and other competent authorities in managing their obligations under data protection, privacy, data retention and disclosure obligations. Such a complex compliance landscape requires high levels of investment in training, processes, procedures, policies and personnel with the goal of ensuring a higher level of capability to manage these challenges. Chaucer is a company with more than 30 years experience in assisting companies, local authorities, government departments and other entities to manage a diverse range of programmes that handle change and risk. Our in-depth knowledge of data protection and cyber security mean we are well-placed to assist organizations with their GDPR compliance journey, including an emphasis on law enforcement and governance needs. Paul Gillingwater is an Associate Partner at Chaucer, responsible for Cyber Security and Privacy advisory. He has more than 35 years experience with Internet technology, cyber security and risk management. 11

12