Part 3 of the Data Protection Act 2018 transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law and sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’ (LEP).
Law enforcement purposes include processing for the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Any processing which is carried out for a primary purpose, other than a law enforcement purpose, will be covered by Part 2 of the DPA 2018 under the general processing regime. For example, this may include internal HR processes and procedures.
In the context of law enforcement, the personal data we are processing will often be sensitive. When it is, we must be able to demonstrate that the processing is strictly necessary and satisfies one of the conditions in Schedule 8 of the DPA 2018 or is based on consent.
Whose personal data we process for law enforcement purposes
In order to carry out the purposes described above, Northamptonshire Police may obtain, use and disclose personal information relating to a wide variety of individuals including but not limited to:
offenders and suspected offenders
witnesses or reporting persons
individuals passing information to Northamptonshire Police
victims, whether current, past or potential.
Types of personal information we process for law enforcement purposes
In order to carry out our statutory responsibility we will process varying types of personal data. This includes:
your name and address
racial or ethnic origin
religious or other beliefs of a similar nature
physical or mental health
offences and alleged offences
outcomes and sentences
physical identifiers including DNA, fingerprints, and other genetic samples
photograph, sound and visual images
information relating to safety
incidents, and accident details.
We will use only the minimum amount of personal information necessary to fulfil a particular purpose or purposes. Personal information can be held on a computer or in a paper record such as a file or images, but it can also include genetic and biometric data as well as other types of electronically held information such as body worn or CCTV images.
Where we get personal information from
The data we process for law enforcement purposes come from a wide variety of sources, including:
other law enforcement agencies
HM Revenue and Customs
international law enforcement agencies and bodies
Prisons and Young Offender Institutions
partner agencies involved in crime and disorder strategies
private sector organisations working with the police in anti-crime strategies
voluntary sector organisations
approved organisations and people working with the police
Independent Office for Police Conduct
Her Majesty’s Inspectorate of Constabulary
government agencies and departments
emergency services such as the Fire Brigade, National Health Service or Ambulance
relatives, guardians or other persons associated with the individual
individuals passing information
Northamptonshire Police and local authority CCTV systems
body worn video
correspondence sent to us.
There may be times where we obtain personal information from sources such as other police services and our own police systems such as our local information system.
How we handle personal information
We handle personal information according to the requirements of Part 3 of the new Data Protection Act 2018. Your personal information held on our systems and in our files is secure and is accessed on a need-to-know basis by our staff, police officers, or data processors working on our behalf.
We will ensure that your personal information is handled fairly and lawfully with appropriate justification. We will only use your information for lawful purposes and in connection with our requirement to uphold the law, prevent crime, bring offenders to justice, and protect the public.
We will strive to ensure that any personal information used by us or on our behalf is compliant in terms of accuracy, relevance, and adequacy and will not be excessive. We will attempt to keep it as up to date as possible and will protect your data from unauthorised access or loss.
We will review your data to ensure it is still required and we have a lawful purpose to continue to retain it. If there is no lawful purpose then your data will be securely destroyed.
Who we share personal information with
To enable Northamptonshire Police to meet their statutory duty, we may be required to share your data with other organisations that process data for a law enforcement purpose, in the UK and/or overseas, or in order to keep people safe. These organisations include:
other law enforcement agencies (including international agencies)
partner agencies working on crime reduction initiatives
partners in the criminal justice arena
authorities involved in offender management
international agencies concerned with the safeguarding of international and domestic national security
third parties involved with investigations relating to the safeguarding of national security
other bodies or individuals where it is necessary to prevent harm to individuals.
We are also required to share law enforcement data for another purpose where an exemption applies or the organisation demonstrates there is a lawful basis for doing so. These organisations include, but are not limited to:
family courts and individuals party to proceedings
solicitors or individuals in connection with legal advice or proceedings
central and local government departments/agencies
other emergency services
court ordered disclosures.
Disclosure of personal information will be considered on a case-by-case basis, to ensure that only personal information appropriate for the identified purpose and circumstances is disclosed, with necessary controls in place.
Some of the bodies or individuals to which we may disclose personal information are situated outside of the European Union, some of which do not have laws that protect data protection rights as extensively as in the United Kingdom. If we do transfer personal data to such territories, we undertake to ensure that there are appropriate safeguards in place to certify that it is adequately protected as required by the legislation.