Prosecuting authorities are entrusted with a wealth of sensitive data. With an increasing reliance on technology to gather, store and analyse this data, it’s essential that they’re not only aware of data protection laws, but have the necessary training, policies and protocols to ensure compliance.
The Information Commissioner’s Office (ICO) is cracking down on prosecuting authorities that do not have appropriate safeguards in place. Whilst fines are reserved for the most serious of offences, if authorities are falling short of data protection standards, the ICO will issue a reprimand which is published publicly.
This article sets out the requirements of part 3 of the Data Protection Act 2018 and points out what harbour authorities need to consider when collecting personal data for law enforcement purposes. The article also advises harbour authorities on the steps to take to ensure they comply with data protection laws.
Any processing of personal data by a competent authority for law enforcement purposes, will be subject to part 3 of the Data Protection Act 2018.
Amongst other things, it sets out various principles which competent authorities must comply with, including that:
Harbour authorities are a competent authority for the purposes of part 3 of the Data Protection Act 2018 and therefore when processing personal data for the purpose of law enforcement, must comply with the above principles.
Collecting and storing personal data in a dynamic environment like a harbour, is almost wholly reliant on good technology for communication. Harbour staff are often forced to think quickly when gathering evidence and this involves the regular use of phones and other recording devices to take photographs and videos, record details of incidents and communicate this information to others within the harbour.
Whilst from an enforcement perspective, the ability to record evidence quickly and easily is essential. Enforcement authorities need to be aware that any information which they capture relating to an identified or identifiable person (rather than a corporate identity), amounts to ‘personal data’ and as such, is caught by data protection laws.
Using technology, such as WhatsApp, to process this data is a helpful tool but recent ICO reprimands show that authorities will be penalised if employees are using personal devices to share personal data and do not have appropriate safeguards in place.
The ICO specifically confirmed that ‘using social media messaging apps on personal devices avoids the necessary oversight supervisors and managers should have. There are official channels for law enforcement agencies to lawfully share information which should be used by staff.’
Ultimately, the ICO concluded that the use of social media apps on personal devices to share personal data meant that the processing did not comply with the law enforcement data processing principles. This is because it was not lawful and fair, and it was not processed in a manner that ensured appropriate security.
Mishandling of personal data can not only breach data protection laws, but also risks undermining the credibility of evidence. Poor security measures can lead to risks and accusations of tampering or manipulation of data. It is therefore imperative that prosecuting authorities implement robust security measures and maintain a clear chain of custody from the collection of data, through to investigation and, if relevant, prosecution.
Another requirement under part 3 of the Data Protection Act 2018 is that individuals are informed about the collection and use of their personal data.
It’s important that generic website privacy notices are up-to-date and describe to the public how the harbour authority may process personal data for law enforcement purposes. It’s also essential that harbour authorities provide contact information and information about how individuals can exercise their legal rights and lodge complaints.
In specific cases for the purpose of enabling an individual to exercise their legal rights, the harbour authority must provide additional supporting information including the legal basis for processing, the period for which the personal data will be retained and who it will be shared with. An example of when this additional supporting information would need to be provided, is when first interviewing someone regarding a suspected or alleged offence.
There are exemptions to the requirement to provide the additional supporting processing information to individuals though. For example, where it’s necessary and proportionate not to provide the information, because doing so could obstruct an official or legal inquiry, investigation or procedure, or prejudice the investigation or prosecution of criminal offences.
However, competent authorities will still need to inform the individual that they are relying on this exemption, unless doing so would have the same effect of obstructing or prejudicing an investigation, and must always keep a record of why the exemption applies in the circumstances.
Harbour authorities are often required to collect and process personal data quickly and in difficult circumstances, but this should not compromise the protection of that personal data. Harbour authorities need to ensure that they have compliant systems and processes in place so that staff collecting personal data aren’t placed in a position where they either cannot collect personal data, or to do so would mean breaching data protection laws.
Steps that harbour authorities should take include:
Compliance with data protection laws is mandatory and failure to comply could lead to severe penalties and reputational risks, as well as risking undermining any investigation or prosecution.
Ashfords will be running a webinar on data protection compliance for harbour authorities this Autumn. If you have any questions concerning data protection, please contact Hannah Pettit or Zoe Hunt.
