Earlier this month I wrote a blog post providing an introduction to the Law Enforcement Directive (“LED”); in that post I indicated that I would look separately at the rights of data subjects under the LED. I had anticipated that I would do this earlier on in the month, but then came Cambridge Analytica and the Information Commissioner’s power to obtain a search warrant. This is part 1 of my look at the rights of data subjects under the LED and will focus on the rights in Artciles 13-16 of the LED.
Part 3 of the Data Protection Bill will implement the provisions of the LED in the UK. Clauses 43 to 54 of the Bill (as the Bill presently stands) make provisions in respect of the rights of data subjects under Part 3. The rights within the Data Protection Bill are derived from the LED itself, which is very much based upon the rights contained within the General Data Protection Regulation. Chapter III of the LED sets out the rights which Member States must make available to data subjects where personal data is being processed for the law enforcement purposes.
Information to be made available, or given, to the data subject
Article 13 of the LED makes certain provisions in relation to the information that controllers, who are processing personal data for the law enforcement purposes, should normally make available to data subjects. The provisions of Article 13 are contained within clause 44 of the Data Protection Bill (although, I make reference to the LED Articles it should be kpet in mind that the LED is a Directive rather than a Regulation and therefore does not have direct effect. It will be the domestic provisions upon which data subjects will rely upon in their dealings with the competent authorities, Information Commissioner and domestic courts rather than the LED’s Articles).
Controllers who are processing personal data for the law enforcement purposes are to make the following information available:
- The identity and contact details of the controller;
- The contact details of the data protection officer (where there is one);
- The purposes for which the controller processes personal data;
- The existence of the data subject’s rights to (i) subject access; (ii) rectification; (iii) erasure of personal data or the restriction of its use; and (iv) to make a complaint to the Information Commissioner;
- information about the period for which the personal data will be stored or, where that is not possible, about the criteria used to determine that period;
- where applicable, information about the categories of recipients of the personal data (including recipients in third countries or international organisations)
- where necessary, further information to enable the exercise of the data subject’s rights under Part 3, in particular where the personal data are collected without the knowledge of the data subject
Controllers can restrict the level of information that is provided to the data subject in order to: (a) avoid obstructing official or legal inquiries, investigations or procedures; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; (c) protect public security (d) protect national security; or (e) protect the rights and freedoms of others.
This right to information will not be unfamiliar to anyone who is familiar with the provisions of the GDPR; however, it’s not surprising that the right is limited to a degree to take account of the nature of the personal data that falls to be dealt with under the LED and Part 3 of the Data Protection Bill.
Subject Access
The right of subject access remains a fundamental aspect of data protection law emanating from the European Union. I have previously looked at the right of subject access within the General Data Protection Regulation on this blog. The right of such fundamental importance that it appears within LED; Articles 14 and 15 of the LED covers the right of subject access and this aspect of the LED is to be given effect to by clause 45 of the Data Protection Bill (as it currently stands)
If you are familiar with the right of subject access under the current Data Protection Act 1998 and/or the General Data Protection Regulation, then nothing much will surprise you vwithin Articles 14 and 15 and clause 45. The right of subject access within the LED and Part 3 of the Data Protection Bill provides the data subject the same rights as they have under the GDPR. It must be complied within one month and no fee can generally be charged for dealing with a Subject Access Request (SAR).
The controller can restrict the data subject’s right to subject access and these provisions are presently found within clause 45(4) of the Data Protection Bill. The controller can restrict the data subject’s right to the extent and for so long as it is a necessary and proportionate measure to: (a) avoid obstructing an official or legal inquiry, investigation or procedure; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;(c) protect public security; (d) protect national security; or (e) protect the rights and freedoms of others. In determining whether the restriction is a necessary and proportionate measure the controller must have regard to the fundamental rights and legitimate interests of the data subject.
Where a data subject’s right to subject access under Part 3 of the Data Protection Bill is to be restricted, the Bill (in its current form) requires the data subject to be given information relating to the restriction except to the extent that to provide such information it would undermine the purpose of the restriction. For example, if an individual who was being investigated by the Police for fraud made a Subject Access Request the police would be entitled to restrict the data subject’s rights insofar as it related to that investigation and that police would be able to do so without telling them that they have restricted their subject access rights.
The next part will look at the right to restriction of processing; the right to erasure and the data subject’s rights in relation to automated processing in the context of the LED and Part 3 of the Data Protection Bill. Remember, the LED is due to be implemented by 6th May 2018, which is almost 3 weeks before the date upon which the GDPR becomes applicable.
If you require any advice and assistance with matters relating to the Law Enforcement Directive or any other Privacy/Data Protection legal matter then contact Alistair Sloan on 0141 229 0880 or send him an E-mail. You can follow Inksters’ dedicated Information Law Twitter account: @UKInfoLaw