Part 3.1 – Law Enforcement Processing
Well, based on my extensive experience with two bits of legislation, I can definitively say that UK legislation is not as bite-size as European legislation. So to accommodate, I’m going to break down this part into multiple installments. Here is installment 1, looking at chapters 1 – 3 of Part 3; I’ll call it 3.1.
Prepare to be amazed as we learn what law enforcement gets to do with all of our data! I let a few personal feelings slip into this one. So if you are a big fan of law enforcement controlling an unfathomable amount of data on citizens and not a fan of snarky comments this might not be the blog article for you.
Chapter 1 – Scope and Definitions
Section 29 – Processing to which this Part applies
I’m getting a little fatigued reading some of these. I believe (and I’ll let real live solicitors tell me why we can’t roll up this language into one place) that we have heard this before. But not to deprive you of the experience here is a quote:
“Any reference in this Part to the processing of personal data is to processing to which this Part applies.” That is the complete Section 29 (subsection 2).
Section 30 – Meaning of “competent authority”
I’m sure we need everything here, but they are essentially saying, “police and investigatory services (think food standards agency) but not intelligence services.” There actually really is a nice line here:
“But an intelligence service is not a competent authority within the meaning of this Part.”
I like an abridged version of this quote:
“…an intelligence service is not a competent authority…”
Section 31 – “The law enforcement purposes”
Defining this as for police work, prevention, detection and prosecution of crime.
Section 32 – Meaning of “controller” and “processor”
I’m not sure, but it feels like this is redundant. The law enforcement agency is the controller and a processor is anyone who processes data for the law enforcement agency.
Section 33 – Other definitions
There seem to be a few gotchas in here, but we’ll wait and see what we get when these are discussed in the rest of the part. But I did notice that there is a reference to a ‘member state’; this isn’t defined, just referenced. Later in the legislation, we find out that ‘member state’ is in regard to the United Kingdom.
I assume that this means the 4 countries (England, Scotland, Wales and Northern Ireland) and then possibly a handful of other territories. But why not just list them out with reference to what defines them so new ones created in the future are included as well? I understand you don’t really teach writing or composition in schools these days, but this is just poor. Come on, lawmakers, take an Open University course or something.
Chapter 2 – Principles
Section 34 – Overview and general duty of controller
The controller must be able to demonstrate compliance with this chapter.
Section 35 – The first data protection principle
We’re going to be able to process personal data for any reason we want because the rules are so vague competent authorities can make up any reason.
Section 36 – The second data protection principle
Now we have to be specific, explicit and legitimate when collecting data and only process that data according to those specific reasons. However, if we are also a law enforcement agency we can then use that data for anything we want as long as it’s lawful. Seems counter-intuitive to me.
You’re arrested on suspicion of driving while intoxicated. You are brought back to the station and test negative for blood alcohol level. They now have all the details associated with an arrest, as well as a blood sample and I could probably make an argument to keep DNA as well. There is nothing to say they need to get rid of that information.
Now another agency can come along and use that data for any reason they see fit as long as it’s lawful. It would be hard to argue this if you trusted law enforcement agencies to only ever do things lawfully. But would it not be tempting to start building a DNA database? Would it not be tempting to start profiling based on DNA? What if we caught a criminal based on DNA that was a familial match to your DNA in our system? It’s like you ratted on your family without giving consent.
I’m probably going a bit overboard here, but something feels off.
Section 37 – The third data protection principle
Processing should be adequate, relevant and not excessive.
I’m glad these three well-defined adjectives are not open to interpretation in any way allowing for a blanket use of any and all data to do whatever law enforcement wants. (Read sarcastically)
Section 38 – The fourth data protection principle
This section holds a neat idea of breaking down data so that it separates out data that is factual and data that is based on a personal assessment.
It also goes on to say that data has to be broken out by data subject type, such as suspects, convicted, victims and witnesses.
Section 39 – The fifth data protection principle
Data will not be kept for longer than is necessary for the purpose for which it was processed. Hmmm, do you think that would get you out of a murder if they happened to keep your DNA for longer than was reasonably expected and it was tested again?
Section 40 – The sixth data protection principle
All processing must be done securely.
Section 41 – Safeguards: archiving
They can archive your data unless it causes you significant distress. Can’t wait to see that one contested in court.
Section 42 – Safeguards: sensitive processing
This is a little beefier, which makes sense when you know that DNA (which movies tell us is the key to all court trials…that and on stand confessions that were badgered out of a witness – “You can’t handle the truth!”)
Chapter 3 – Rights of the Data Subject
Section 43 – Overview and scope
We’re going to give some rights to data subjects.
Section 44 – Information: controller’s general duties
What is a controller responsible for? This starts with what they have to tell a data subject. This includes the purpose for which the controller is processing personal data. There doesn’t appear to be much that can be done if they came back with a reason:
You can report the incident to the Information Commissioner’s Office, but without precedent, we just won’t know the detail required.
There is the ability for a controller to restrict the rights of access, correction or erasure, but they have to tell the data subject why and the data subject can appeal to the Commissioner. The reasons for this are like not obstructing justice and national security or public security.
I’d have all my requests denied for national security, because, I’m the bomb…and now I’m on a list somewhere.
Section 45 – Right of access by the data subject
This makes sense: a data subject can request details about what is held and why by a controller. What I haven’t figured out, and maybe it will come up later, is how do you find out what company to ask this question of? I hear (unconfirmed, but very plausible) that insurance companies have millions of people’s personal data. Now, this isn’t like insurance companies I have taken insurance out with. This is smaller companies that focus on data and data analysis behind the scenes. How would I ever know to contact this random company to ask specific questions about them holding my data?
Section 46 – Right to rectification
If something is wrong the data controller needs to fix that. Unless it would impede an investigation or the like.
Section 47 – Right to erasure or restriction of processing
Same as above, but not fixing data, this time it’s deleting data. Now, this gets a bit wild. You know that you call in digital forensic analysts when someone has been keeping some naughty photos on their computer (like Donald Duck with Minnie Mouse…we don’t condone interspecies relationships here at Wittin). And these analysts can revive data on hard drives because of a whole host of reasons stemming from the physical processes of storing data. Well, if Brenda in accounting says she deleted your data, did she actually delete it or did she just hit the delete button? Is it actually still there?
Section 48 – Rights under section 46 or 47: supplementary
Here are a few UK specifics about right to rectification or right to erasure or restriction which are generally about notifications. But this is like the third or fourth time that they go through the entire spiel about a controller being able to restrict wholly or partly the provision of info to a data subject. Can this really not be condensed?
Section 49 – Right not to be subject to automated decision-making
“A controller may not take a significant decision based solely on automated processing unless that decision is required or authorised by law.”
Is this the end of “Computer Says No”, or will the computer say no and then a person looks at the screen with that answer, turns to the data subject and says, “With all the data I have here, unfortunately, you are not going to be able to get a loan today”?
Section 50 – Automated decision-making authorised by law: safeguards
You can contest automated decisions. And the Secretary of State can change rules if they see fit. I still don’t think they’ve defined this role. Maybe nobody told them they have more than one Secretary of State.
Section 51 – Exercise of rights through the Commissioner
If you ever appeal to the Commissioner then this is the process. It’s fun because as subsection 3 points out:
“The Commissioner must take steps as appear to the Commissioner to be appropriate to respond to a request…”
If I was the Commissioner then drinking chocolate milk would appear to me as the most appropriate course of action on most matters. However, I’d also have to tell a data subject that they can appeal above my head to a court. Details to come in subsection 167. I can’t wait.
Section 52 – Form of provision of information etc
I’m just going to quote this right here:
“The controller must take reasonable steps to ensure that any information that is required by this Chapter to be provided to the data subject is provided in a concise, intelligible and easily accessible form, using clear plain language.”
I am going out on a limb that this legislation will never be able to be provided to a data subject.
Section 53 – Manifestly unfounded or excessive requests by the data subject
They don’t want nuisance requests so here’s a vague section describing that you can’t.
Section 54 – Meaning of “applicable time period”
Spoiler alert, this is generally 1 month and not really to exceed 3 months.
Seeing sections that are long-winded, or references to other legislation and/or other parts of the document itself, as well as just plain redundant or overwritten addition, seems a bit sketchy to me. GDPR is starting to feel like a Haiku compared to this Nathaniel Hawthorne.
No, Mrs. Horn, I will not believe the five-page essay in The Scarlet Letter about the shrubbery outside the prison is an allegory for the community and social stigmatism!
Apologies, I obviously had to get that off my chest after 20 years.
Law enforcement is a touchy subject. The UK, in general, has never had a large aversion to intelligence gathering organisations such as GCHQ. Northern Ireland might deviate from that stereotype though. On a scale of 1 to German, I am a little more Bavarian in my privacy outlook.
We have rules that state that data can be collected under vague rules, then another organisation can process data as well and it doesn’t appear the second organisation has to abide by the reason for collection. So a central body just collects and stores data as it is collected by all listed competent authorities. Now you have a national law enforcement database. Probably just a copy of the GCHQ database as well as the NSA and all other acronym organisations out there, but hey why not.