One of the forgotten elements of the Data Protection regime in the UK is the Law Enforcement Directive (LED).
The LED (Directive (EU) 2016/680), which came out at the same time as the GDPR, sets the rules for processing Personal Data for the purposes of ‘law enforcement’ by ‘competent authorities’. (And yes, as someone who has worked in the public sector for many years, I can chuckle at the term legitimately). The UK implemented the requirements of the LED for law enforcement processing via Part 3 of the Data Protection Act 2018 (DPA 2018).
Most of the ‘noise’ around Data Protection has been about the EU GDPR and UK GDPR. And yes, the majority of entities processing Personal Data will indeed need to comply with the GDPR in its various forms (EU/UK etc). However, ‘Data Protection’ legislation in the United Kingdom is more than just the GDPR, and the LED seems to get forgotten about.
The requirements of the LED are very similar to that of the GDPR. Concepts like the principles, the Data Protection Officer (DPO), Data Protection Impact Assessments (DPIAs), the rights etc are all very similar. There are, however, some key differences.
For example, one of the requirements of the LED (carried into the DPA 2018) is the following, from Part 3, section 62(1):
A controller (or, where personal data is processed on behalf of the controller by a processor, the processor) must keep logs for at least the following processing operations in automated processing systems—
(d) disclosure (including transfers);
Usually referred to simply as ‘logging’, this means that any automated processing system must keep, in essence, a full audit trail of how Personal Data has been processed under each of the six operations listed in section 62(1) (collection, alteration, consultation, disclosure, combination and erasure). The logs themselves may only be used for a limited set of purposes, for example verifying the lawfulness of processing, internal disciplinary proceedings, ensuring the integrity and security of the data, or criminal proceedings.
Schedule 20, Part 4, paragraph 14(1) of the DPA 2018 also gives competent authorities until 6 May 2023 to meet these requirements for any automated processing system set up before 6 May 2016. Any system set up on or after 6 May 2016 should already have this logging built in.
The Information Commissioner’s Office (ICO) has produced some guidance on logging, but nothing particularly specific. There are no worked examples in it, and no clear position on whether the log can be something like ‘metadata’ or whether, for consultation and disclosure in particular, it has to be something more substantial, since for those operations it must record the ‘why’ alongside the what and the when.
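To make the ‘why, what and when’ point concrete, here is an added example (not the post’s own material, and not ICO guidance) of a minimal processing log that refuses entries missing the fields section 62 calls for and refuses reads for purposes section 62(4) does not allow. The field names (`record_id`, `actor`, `justification`, `recipients`), the purpose labels, and the sample entries are this example’s own constructed choices; the statute prescribes what must be recoverable from a log, not a schema.

```python
import json
from datetime import datetime, timezone

# The six processing operations section 62(1) DPA 2018 requires to be logged.
OPERATIONS = {"collection", "alteration", "consultation",
              "disclosure", "combination", "erasure"}

# Every entry carries the what and the when. Consultation and disclosure
# entries must also carry the why and the who (s.62(2)-(3)), and disclosure
# must name the recipients. Field names are this example's own choice.
BASE_FIELDS = {"operation", "record_id", "timestamp"}
EXTRA_FIELDS = {
    "consultation": {"justification", "actor"},
    "disclosure": {"justification", "actor", "recipients"},
}

# The only purposes the log may be read for (s.62(4)); labels are this example's own.
LOG_PURPOSES = {"verify_lawfulness", "self_monitoring",
                "integrity_security", "criminal_proceedings"}


def validate_entry(entry: dict) -> list[str]:
    """Return the problems with a log entry; an empty list means it is acceptable."""
    problems = []
    op = entry.get("operation")
    if op not in OPERATIONS:
        return [f"unknown operation {op!r}"]
    for field in sorted(BASE_FIELDS | EXTRA_FIELDS.get(op, set())):
        if not entry.get(field):
            problems.append(f"{op}: missing {field}")
    ts = entry.get("timestamp")
    if ts:
        try:
            if datetime.fromisoformat(ts).tzinfo is None:
                problems.append("timestamp has no timezone")
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    return problems


def make_entry(operation, record_id, actor=None, justification=None,
               recipients=None, when=None) -> dict:
    """Build an entry; the timestamp defaults to now in UTC. Unset fields are dropped."""
    when = when or datetime.now(timezone.utc).isoformat()
    entry = {"operation": operation, "record_id": record_id, "timestamp": when,
             "actor": actor, "justification": justification,
             "recipients": recipients}
    return {k: v for k, v in entry.items() if v is not None}


class ProcessingLog:
    """Append-only JSON lines; rejects incomplete entries and off-purpose reads."""

    def __init__(self):
        self._lines: list[str] = []

    def append(self, entry: dict) -> None:
        problems = validate_entry(entry)
        if problems:
            raise ValueError("; ".join(problems))
        self._lines.append(json.dumps(entry, sort_keys=True))

    def read(self, purpose: str, requester: str) -> list[dict]:
        """Return all entries, but only for a permitted purpose, and log the read itself."""
        if purpose not in LOG_PURPOSES:
            raise PermissionError(
                f"{requester}: {purpose!r} is not a permitted use of the log")
        snapshot = [json.loads(line) for line in self._lines]
        # Reading the log is a consultation of the personal data it contains,
        # so it is recorded with its own why/who/when.
        self.append(make_entry("consultation", record_id="processing-log",
                               actor=requester, justification=purpose))
        return snapshot

    def __len__(self) -> int:
        return len(self._lines)


if __name__ == "__main__":
    # Constructed sample usage: one disclosure to a prosecutor, then an audit read.
    log = ProcessingLog()
    log.append(make_entry("disclosure", "case-0001", actor="officer-42",
                          justification="charging decision",
                          recipients=["prosecuting authority"]))
    for row in log.read("verify_lawfulness", "dpo"):
        print(row)
    print(validate_entry(make_entry("disclosure", "case-0001", actor="officer-42")))
```

The point of the validator is that a bare access record (what and when) is accepted for collection or erasure but rejected for consultation and disclosure, which is exactly the distinction the ICO guidance leaves open; a real system would also need the log itself to be tamper-evident and retained for the required period, which this example does not attempt.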
Another little ‘nuance’ of the legislation is that, because it is purpose-driven, an authority can find that the GDPR and Part 3 DPA 2018 apply to different aspects of a single process. People assume, for example, that all the processing conducted by a Police force falls entirely under Part 3 DPA 2018 when, in fact, it is a lot more complex than that. That alone makes dealing with Subject Access Requests (SARs) a little more complex!
If you think that you are using Personal Data to support your statutory criminal law enforcement purpose, and you are a ‘competent authority’, take a look at the range of courses available from Act Now Training. The full-day course on Part 3 DPA 2018 focuses on the key requirements, and we discuss approaches and risks around each of them. Dates of courses and details of how to book (with me!) can be found on the Act Now website.
Existing GDPR compliance work and tools will help with some of this, but not all of it. Have you scoped out yet what areas and changes might be needed for your organisation to implement the requirements of the LED/Part 3 DPA 2018? If not, can I help you scope out some of this work and give you a forward plan? If so, get in touch!