Public Services > Police

Data commissioner calls for government action on police data handling laws

Neil Merrett Published 08 June 2017

Elizabeth Denham says that as GDPR comes into effect, the lack of legislative certainty on the justice-focused Law Enforcement Directive creates significant technology issues for forces to address


While the European General Data Protection Regulation (GDPR) becoming UK law from next May will have limited impact on law enforcement, information commissioner Elizabeth Denham has said there remains significant uncertainty regarding data protection in the sector.

Speaking this week at the National Police Chiefs' Council (NPCC) Information Practitioner event, the UK data regulator said GDPR did not cover how personal data is used for law enforcement purposes, with these matters falling under the separate legal instrument known as the Law Enforcement Directive.

The Law Enforcement Directive, which covers how data is processed for certain European justice and home affairs measures, is still required to be implemented into UK law by the government. 

Denham said there had not been any public announcement from government with details of how and when this will happen, or a broader position on data processing in domestic law enforcement.

“We’ve spoken to the Home Office and DCMS and expressed our concern about how late in the day this is being left. I’m certainly sympathetic to forces needing time to prepare for any law changes,” she said.

“And there’s a bigger picture here too. Maintaining appropriate data flows is essential for law enforcement and security purposes. I know from speaking to senior figures in the sector that, for anti-terrorism, for security and for justice, you need to maintain access to databases – to Europol, to Eurojust, and to the Schengen Information System. This needs to be a very high priority for the next government in the exit negotiations.”

Hope and opportunity

Amidst uncertainty and a lack of definitive understanding about the Law Enforcement Directive, Denham said that there must now be trust that a future government would resolve these requirements by May 2018, while noting that there was opportunity for law enforcement organisations, not least in embracing broader requirements of GDPR.

“Firstly, there is an opportunity to prepare for what is coming. While the legislation is not clear, the direction of travel is. A cursory look over any data protection reform around the world brings up the same key threads running through: more requirements to log what you’re doing with data,” she said. “Mandatory breach reporting. And data protection officers who are accountable to senior management.  These are all central parts of the GDPR, and it’s difficult to imagine they won’t form some part of the requirements government will set out for UK police forces.”

Denham argued that as opposed to the Data Protection Act, GDPR was devised to encourage organisations to better understand risks to the personal information of others and how breaches could be mitigated.

“It’s a demand that senior leadership move away from seeing the law as a compliance exercise and instead build a culture reflecting the value of properly caring for data,” she said.

The data commissioner argued that police forces would not be exempt from having to respond to this culture shift, especially with regard to accountability in domestic legislation.

The next 12 months

During her speech, Denham said that with a year until GDPR becomes UK law, police forces were still struggling to answer a number of questions in regard to their work on data protection, as well as the reasons for retention of records for a prolonged period of time.

“It’s a full year since my predecessor Christopher Graham was asking in a foreword to this event how it could be proportionate for an arrest record to be held on PNC until an individual reaches 100 years of age,” she said.

“My view is no different. The law requires proportionality. That gives plenty of room for police forces to hold some data longer than, say Tesco hold your Clubcard info. But that does not mean that you can ignore data retention principles.”

Denham also raised concerns about the use of emerging technologies such as body worn video and Automated Number Plate Recognition (ANPR) and how this may impact data privacy rights.

“Data protection law should not unduly prevent the police from detecting, investigating and deterring crime, but it does demand proportionality,” she said.

“There are similar questions to ask around techniques that collect large and indiscriminate amounts of personal data. I’ve spoken to police officers and security specialists. I understand the benefits that come from new and better use of ANPR, from drone technology and body worn cameras. But detecting crime does not mean a free pass.”

Despite a shifting narrative in the UK regarding how citizens understand information rights, Denham said there was also a sense that people were concerned or felt they have lost control of their data.

“That sense of loss of control impacts their trust in organisations. A police force isn’t like a business – it’s not as simple as to say people will take their custom elsewhere. But failing to recognise that having access to people’s personal information means you have to act with great responsibility will have consequences,” she said.

“As I spoke about earlier, the government will need to step in to set out data protection law for law enforcement. Any government doing that would surely take on board the views of the electorate.”

Data breach challenge

The information commissioner noted that there were challenges with police handling of data, noting that one in 20 of the 18,000 public data protection complaints in 2016 were related to policing and criminal records.

A notable example of these concerns was reflected in a fine of £150,000 issued by the ICO earlier this year for Greater Manchester Police following the loss of three DVDs containing interview footage with victims of violent or sexual crimes.

“But I am not here to examine where our office has had to investigate or enforce the law in this sector,” said Denham.  “I am here to underline public safety and individual rights are not in competition  - public trust in policing requires respect in how you handle personal data.”

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.