Tag Archives: Law Enforcement Purposes

The Law Enforcement Directive: Data Subjects’ Rights (Part 1)

Earlier this month I wrote a blog post providing an introduction to the Law Enforcement Directive (“LED”); in that post I indicated that I would look separately at the rights of data subjects under the LED.  I had anticipated that I would do this earlier on in the month, but then came Cambridge Analytica and the Information Commissioner’s power to obtain a search warrant.  This is part 1 of my look at the rights of data subjects under the LED and will focus on the rights in Artciles 13-16 of the LED.

Part 3 of the Data Protection Bill will implement the provisions of the LED in the UK.  Clauses 43 to 54 of the Bill (as the Bill presently stands) make provisions in respect of the rights of data subjects under Part 3.   The rights within the Data Protection Bill are derived from the LED itself, which is very much based upon the rights contained within the General Data Protection Regulation.  Chapter III of the LED sets out the rights which Member States must make available to data subjects where personal data is being processed for the law enforcement purposes.

Information to be made available, or given, to the data subject
Article 13 of the LED makes certain provisions in relation to the information that controllers, who are processing personal data for the law enforcement purposes, should normally make available to data subjects.  The provisions of Article 13 are contained within clause 44 of the Data Protection Bill (although, I make reference to the LED Articles it should be kpet in mind that the LED is a Directive rather than a Regulation and therefore does not have direct effect.  It will be the domestic provisions upon which data subjects will rely upon in their dealings with the competent authorities, Information Commissioner and domestic courts rather than the LED’s Articles).

Controllers who are processing personal data for the law enforcement purposes are to make the following information available:

  • The identity and contact details of the controller;
  • The contact details of the data protection officer (where there is one);
  • The purposes for which the controller processes personal data;
  • The existence of the data subject’s rights to (i) subject access; (ii) rectification;  (iii) erasure of personal data or the restriction of its use; and (iv) to make a complaint to the Information Commissioner;
  • information about the period for which the personal data will be stored or, where that is not possible, about the criteria used to determine that period;
  • where applicable, information about the categories of recipients of the personal data (including recipients in third countries or international organisations)
  • where necessary, further information to enable the exercise of the data subject’s rights under Part 3, in particular where the personal data are collected without the knowledge of the data subject

Controllers can restrict the level of information that is provided to the data subject in order to: (a) avoid obstructing official or legal inquiries, investigations or procedures; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; (c) protect public security (d) protect national security; or (e) protect the rights and freedoms of others.

This right to information will not be unfamiliar to anyone who is familiar with the provisions of the GDPR; however, it’s not surprising that the right is limited to a degree to take account of the nature of the personal data that falls to be dealt with under the LED and Part 3 of the Data Protection Bill.

Subject Access
The right of subject access remains a fundamental aspect of data protection law emanating from the European Union.  I have previously looked at the right of subject access within the General Data Protection Regulation on this blog.  The right of such fundamental importance that it appears within LED; Articles 14 and 15 of the LED covers the right of subject access and this aspect of the LED is to be given effect to by clause 45 of the Data Protection Bill (as it currently stands)

If you are familiar with the right of subject access under the current Data Protection Act 1998 and/or the General Data Protection Regulation, then nothing much will surprise you vwithin Articles 14 and 15 and clause 45.  The right of subject access within the LED and Part 3 of the Data Protection Bill provides the data subject the same rights as they have under the GDPR.  It must be complied within one month and no fee can generally be charged for dealing with a Subject Access Request (SAR).

The controller can restrict the data subject’s right to subject access and these provisions are presently found within clause 45(4) of the Data Protection Bill.  The controller can restrict the data subject’s right to the extent and for so long as it is a necessary and proportionate measure to: (a) avoid obstructing an official or legal inquiry, investigation or procedure; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;(c) protect public security; (d) protect national security; or (e) protect the rights and freedoms of others.  In determining whether the restriction is a necessary and proportionate measure the controller must have regard to the fundamental rights and legitimate interests of the data subject.

Where a data subject’s right to subject access under Part 3 of the Data Protection Bill is to be restricted, the Bill (in its current form) requires the data subject to be given information relating to the restriction except to the extent that to provide such information it would undermine the purpose of the restriction.  For example, if an individual who was being investigated by the Police for fraud made a Subject Access Request the police would be entitled to restrict the data subject’s rights insofar as it related to that investigation and that police would be able to do so without telling them that they have restricted their subject access rights.

The next part will look at the right to restriction of processing; the right to erasure and the data subject’s rights in relation to automated processing in the context of the LED and Part 3 of the Data Protection Bill.  Remember, the LED is due to be implemented by 6th May 2018, which is almost 3 weeks before the date upon which the GDPR becomes applicable.

Alistair Sloan

If you require any advice and assistance with matters relating to the Law Enforcement Directive or any other Privacy/Data Protection legal matter then contact Alistair Sloan on 0141 229 0880 or send him an E-mail.  You can follow Inksters’ dedicated Information Law Twitter account:  @UKInfoLaw

An introduction to the Law Enforcement Directive

Among all of the hype surrounding the General Data Protection Regulation (GDPR) some other aspects of information law are being overlooked; I have already written about the Privacy and Electronic Communications (EC Directive) Regulations 2003 and how they are forgotten about. The GDPR is not the only new piece of EU law which is due to take effect in May and which will impact data protection and privacy law in the United Kingdom. The processing of personal data by data controllers for the purpose of law enforcement falls outside of the scope of the GDPR; instead this is dealt with by the Law Enforcement Directive (LED). As the LED a Directive rather than a Regulation, the LED does not have direct effect and therefore requires to be transposed into Member States’ domestic law. This is being achieved in the UK through Part 3 the Data Protection Bill.

The LED is perhaps not as visible as the GDPR because of its much more limited scope. However, this blog aims to cover all information law bases and it would be remiss of me not to write something on it at least. The LED, and therefore the provisions of Part 3 of the Data Protection Bill, applies to what have been termed as “competent authorities” for the purposes of “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”; these purposes are collectively known as the “law enforcement purposes”.

So, who needs to bother about the LED? Obviously, competent authorities have to bother about it because it governs how they process personal data for the law enforcement purposes; however, they are not the only ones. Data Subjects should also be concerned about the LED as it governs how their personal data is processed by these competent authorities and sets out what rights they have in relation to personal data processed by them for law enforcement purposes. The competent authorities are mostly set out in Schedule 7 to the Data Protection Bill; however, clause 30(1)(b) of the Data Protection Bill provides that “any other person if and to the extent that the person has statutory functions for any of the law enforcement purposes” is also a competent authority. The most obvious competent authority is the police; however, there are quite a few others listed within Schedule 7 including Revenue Scotland, the Department for Work and Pensions, the Police Investigations and Review Commissioner and HMRC. Of course, both the Information Commissioner and Scottish Information Commissioner process personal data for the law enforcement purposes and therefore Part 3 of the Data Protection Bill would apply to them when they’re processing personal data in the capacity.  In terms of 30(1)(b) competent authorities, the most obvious example would be local authorities who are responsible for things such as Trading Standards provision and also the investigation of fraud concerning benefits administered by them.

One thing that should be noted is that the security and intelligence services (The Security Service, Secret Intelligence Service and GCHQ) are not covered by the LED. National Security falls outside of the scope of EU law and therefore the European Union has no competence to regulate these areas. Therefore, although the Security Services process personal data for law enforcement purposes, the LED does not apply to them. The Data Protection Bill does make provision for the processing of personal data by the security and intelligence agencies; this can be found in Part 4 of the Data Protection Bill (and falls outside of the scope of this blog post).

Chapter 1 of Part 3 of the Data Protection Bill provides the key definitions which require to be used when applying Part 3. The definitions are broadly the same as those to be found in the GDPR with relevant modifications being made. Therefore if you are familiar with data protection law then these definitions will not be too alien to you.

Chapter 2 of Part 3 of the Data Protection Bill sets out the six principles to be complied with when processing personal data under Part 3. Meanwhile, Chapter 3 sets out data subjects’ rights; including the right to subject access, the right to rectification and the right to erasure or restriction of processing.

The rights of data subjects under part 3 of the Data Protection Bill will be the subject of a separate blog post later in the month; however, it is suffice to say that they have a more limited scope than under the GDPR because of the nature of the processing being dealt with.

There is one final part of the Data Protection Bill to make mention of in this blog post and that is Schedule 8 to the Data Protection Bill. This Schedule sets out the conditions which must be met before a competent authority can carry out sensitive processing of personal data under Part 3. 

The LED is supposed to be transposed into Member States’ domestic law by 6th May 2018; it remains to be seen whether the Data Protection Bill will complete its passage through Parliament and receive Royal Assent in time to allow Part 3 to be commenced by then.

Alistair Sloan

If you require any advice or assistance in connection with the provisions of the Law Enforcement Directive or any other information law concern, please contact Alistair Sloan on 0345 450 0123 or send him an E-mail.