Processing personal data for law enforcement purposes: what do harbour authorities need to remember?

read time: 6 mins
16.09.24

Prosecuting authorities are entrusted with a wealth of sensitive data. With an increasing reliance on technology to gather, store and analyse this data, it’s essential that they’re not only aware of data protection laws, but have the necessary training, policies and protocols to ensure compliance. 

The Information Commissioner’s Office (ICO) is cracking down on prosecuting authorities that do not have appropriate safeguards in place. Whilst fines are reserved for the most serious of offences, if authorities are falling short of data protection standards, the ICO will issue a reprimand which is published publicly.

This article sets out the requirements of part 3 of the Data Protection Act 2018 and points out what harbour authorities need to consider when collecting personal data for law enforcement purposes. The article also advises harbour authorities on the steps to take to ensure they comply with data protection laws.

What does the law say?

Any processing of personal data by a competent authority for law enforcement purposes, will be subject to part 3 of the Data Protection Act 2018.

Amongst other things, it sets out various principles which competent authorities must comply with, including that:

  • Personal data processing must be lawful and fair.
  • The law enforcement purpose must be specified, explicit and legitimate.
  • The personal data processed must be adequate, relevant and not excessive, as well as accurate.
  • The personal data must not be kept for longer than is necessary for the law enforcement purpose for which it is processed.
  • The personal data must be processed in a manner that ensures appropriate security.

Harbour authorities are a competent authority for the purposes of part 3 of the Data Protection Act 2018 and therefore when processing personal data for the purpose of law enforcement, must comply with the above principles. 

What practical considerations are there when collecting personal data for law enforcement purposes?

Collecting and storing personal data in a dynamic environment like a harbour, is almost wholly reliant on good technology for communication. Harbour staff are often forced to think quickly when gathering evidence and this involves the regular use of phones and other recording devices to take photographs and videos, record details of incidents and communicate this information to others within the harbour.  

Whilst from an enforcement perspective, the ability to record evidence quickly and easily is essential. Enforcement authorities need to be aware that any information which they capture relating to an identified or identifiable person (rather than a corporate identity), amounts to ‘personal data’ and as such, is caught by data protection laws. 

Using technology, such as WhatsApp, to process this data is a helpful tool but recent ICO reprimands show that authorities will be penalised if employees are using personal devices to share personal data and do not have appropriate safeguards in place. 

The ICO specifically confirmed that ‘using social media messaging apps on personal devices avoids the necessary oversight supervisors and managers should have. There are official channels for law enforcement agencies to lawfully share information which should be used by staff.

Ultimately, the ICO concluded that the use of social media apps on personal devices to share personal data meant that the processing did not comply with the law enforcement data processing principles. This is because it was not lawful and fair, and it was not processed in a manner that ensured appropriate security. 

Mishandling of personal data can not only breach data protection laws, but also risks undermining the credibility of evidence. Poor security measures can lead to risks and accusations of tampering or manipulation of data. It is therefore imperative that prosecuting authorities implement robust security measures and maintain a clear chain of custody from the collection of data, through to investigation and, if relevant, prosecution. 

What about the right to be informed?

Another requirement under part 3 of the Data Protection Act 2018 is that individuals are informed about the collection and use of their personal data.  

It’s important that generic website privacy notices are up-to-date and describe to the public how the harbour authority may process personal data for law enforcement purposes. It’s also essential that harbour authorities provide contact information and information about how individuals can exercise their legal rights and lodge complaints. 

In specific cases for the purpose of enabling an individual to exercise their legal rights, the harbour authority must provide additional supporting information including the legal basis for processing, the period for which the personal data will be retained and who it will be shared with. An example of when this additional supporting information would need to be provided, is when first interviewing someone regarding a suspected or alleged offence. 

There are exemptions to the requirement to provide the additional supporting processing information to individuals though. For example, where it’s necessary and proportionate not to provide the information, because doing so could obstruct an official or legal inquiry, investigation or procedure, or prejudice the investigation or prosecution of criminal offences. 

However, competent authorities will still need to inform the individual that they are relying on this exemption, unless doing so would have the same effect of obstructing or prejudicing an investigation, and must always keep a record of why the exemption applies in the circumstances. 

What action should harbour authorities take?

Harbour authorities are often required to collect and process personal data quickly and in difficult circumstances, but this should not compromise the protection of that personal data. Harbour authorities need to ensure that they have compliant systems and processes in place so that staff collecting personal data aren’t placed in a position where they either cannot collect personal data, or to do so would mean breaching data protection laws. 

Steps that harbour authorities should take include:

  • Providing comprehensive and tailored training to staff on data protection requirements, ensuring that the training is specific to operational policing and investigations.
  • Carrying out risk assessments when setting up channels for the sharing of personal data.
  • Carrying out due diligence on third party apps before they are used for personal data sharing purposes, including reviewing the security measures in place and locations where personal data may be exported. 
  • Ensuring that staff are only using centrally approved apps, for which due diligence has been completed and the findings were satisfactory.
  • Implementing permitted usage policies for data sharing channels, to ensure that all staff understand the rules and requirements when using them.
  • Ensuring that there is sufficient oversight, by appointing administrators that are clear about their role and responsibilities, which should include removing members of the group who no longer require access to the personal data.   
  • Considering whether it’s appropriate to issue work devices in order to manage the security measures in place on them, or where necessary for staff to use personal devices, issuing clear rules on how they can be used.
  • Ensuring that individuals are properly informed about the collection and processing of their personal data.
  • Implementing encryption and access controls across the organisation, for all stages of processing.
  • Investing in secure data storage systems.
  • Conducting regular internal data processing and security audits to monitor compliance with these requirements, and remedy any non-compliance. 

Compliance with data protection laws is mandatory and failure to comply could lead to severe penalties and reputational risks, as well as risking undermining any investigation or prosecution. 

Ashfords will be running a webinar on data protection compliance for harbour authorities this Autumn. If you have any questions concerning data protection, please contact Hannah Pettit or Zoe Hunt.

Sign up for legal insights

We produce a range of insights and publications to help keep our clients up-to-date with legal and sector developments.  

Sign up