Law enforcement processing
The organisation’s conditions for processing sensitive data under the law enforcement provisions of Data Protection Act 2018.
Under the law enforcement processing provisions of the Data Protection Act (DPA) 2018, where a controller, the NHS Counter Fraud Authority (NHSCFA) carries out sensitive processing based on one or more of the specified conditions in Schedule 8 of the Act , it must have an appropriate policy document in place.
The policy must explain the procedures for complying with the data protection principles when relying upon one or more of the conditions set out in Schedule 8 and the organisation’s policy for the retention and erasure of personal data for this specific processing. The policy must be retained from the commencement of the sensitive data processing, until at least six months after it has ended and must be made available to the Information Commissioner upon request, without charge.
This policy explains the special requirements the NHSCFA must meet when processing personal data relating to criminal offences (including the suspected and alleged commission of an offence) and how staff can comply with those requirements while carrying out their work. The policy also satisfies the DPA’s requirement for NHSCFA to have in place an ‘appropriate policy document’ governing such processing.
Specified anti-fraud organisation - any unincorporated association, body corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has any of these functions as its purpose or one of its purposes.
The NHSCFA does not fall within the definition of a specified ‘anti-fraud organisation’ under Serious Crime Act 2007
Data Protection Legislation - the General Data Protection Regulation (GDPR) 2016, the Law Enforcement Directive (LED), the Data Protection Act 2018 and any accompanying regulations that may apply to the legislation detailed above.
Processing - an operation or set of operations which is performed on person identifiable data or sets of personal data, such as the:
Competent authority - either a person specified in Schedule 7 or any other person if and to the extent that the person has statutory functions for any of the law enforcement purposes.
Law enforcement purpose - the prevention, investigation, detection or prosecution of criminal offences (including alleged commission of a criminal offence) or the execution of criminal penalties, including the safeguarding against the prevention of threats to public security.
Sensitive data - in addition to criminal offence data, it also includes the processing of any of the data below, by a competent authority for a law enforcement purpose:
There are potentially three scenarios where NHSCFA may be involved in the processing of personal information for the purpose of preventing and detecting the commission of criminal offences namely:
where NHSCFA as a competent authority is performing its statutory function
where the NHSCFA is involved with, but is not performing its statutory function; and
where the processing relates to disciplinary actions, regulatory breaches or civil liabilities
This policy applies to the first two scenarios. Information processed in relation to the final scenario must be processed in accordance with the NHSCFA’s Data Protection (GDPR) Policy.
This policy therefore, should inform the activities of ALL NHSCFA staff engaged in law enforcement processing.
The NHSCFA is competent authority, falling under both of the requisite criteria under section 30 of the DPA 2018, namely:
|Processing Activity||Legislative Provisions||NHSCFA Policy|
|Where NHSCFA is exercising its statutory function as a competent authority||Part 3 of the DPA 2018||Section 5 of this policy|
|Where NHSCFA is not exercising its statutory function but processing criminal offence data||Parts 1,2 & 3 of Schedule 1 of the DPA 2018 (by virtue of section 10(4)&(5) and Article 10 GDPR)||Data Protection (GDPR) Policy|
|Where information relates to disciplinary actions, civil offences or regulatory breaches||GDPR & Part 2 DPA 2018||Dealing with DPA (Excluding SAR) Request Policy|
The aims of this policy are to:
The GDPR expressly states that its provisions do not apply to the processing of personal information by a competent authority for law enforcement purposes . EU Directive 2016/680 - the Law Enforcement Directive sets out the standards Member States’ own legislation must meet for this type of processing. In the UK this is set out in Part 3 of the DPA 2018.
Specifically, ‘law enforcement processing’ captures the processing by a competent authority of criminal offence and criminal penalty data, whether wholly or partly by automated means or where the data forms or is intended to form part of a filing system.
Where NHSCFA as a competent authority, processes personal information for a law enforcement purpose, the processing must satisfy the principles below:
More on the principles is provided below:
Data subjects must be told that their data is being collected, who is collecting it and what we intend to do with it. NHSCFA makes this information available through its privacy notice on its website. A privacy notice must be in place and made available to the subject before any information is obtained from them. Where personal information is not obtained from the subject directly a notice must be provided in each of the scenarios below at the earliest:
However, where a law enforcement purpose would be prejudiced by notifying the data subject of the processing of their data, then an exemption from the above obligations may be applied.
In addition to being fair and lawful, one of the following conditions in all cases must also be met:
Processing of sensitive data for a law enforcement purpose will only be lawful if:
In both cases NHSCFA must have in place an appropriate policy document as required by sections 35(4) & (5) of the DPA Act 2018.
Personal data collected for a law enforcement purpose must be specific, explicit and legitimate.
Personal data can be processed for a further purpose, but only where that ‘further’ processing is not incompatible with the initial processing purpose. To be compliant with this principle the NHSCFA must be authorised by law to process for the further purpose and the processing must be necessary and proportionate to that purpose.
Information collected for the purpose of an investigation must not be used for the incompatible purpose of sending marketing materials.
However, lessons learned from an investigation and/or subsequent successful prosecution could be further used by the organisation to inform prevention initiatives (although the need to use person identifiable information would be the exception) without falling foul of the processing principle.
The information collected and processed for a law enforcement purpose must be adequate, relevant and not excessive for the purpose it is collected. Only the minimum amount of information necessary to achieve the purpose in question must be processed (i.e. requested, collected or shared).
The personal data must be accurate and kept up to date. Where compatible with the processing purpose inaccurate data must be erased or rectified as soon as it is found to be incorrect.
It is also a requirement of the law, that insofar as possible, personal data based on personal assessment and opinion (including intelligence) be distinguished from that which is based on fact.
Inaccurate, incomplete or out of date information must not be shared for any law enforcement purpose. To that end:
Personal data must be kept for no longer than is necessary to achieve the law enforcement purpose. A suitable retention period must therefore be established to guide periodic reviews of the personal data held.
Once the retention period has been exceeded the information must be deleted unless further retention is justified in accordance with the ‘Archiving’ condition (see Appendix A). Information must not be retained beyond the defined organisational retention period without the reasons being specified and recorded.
Information processed for a law enforcement purpose must be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. The organisation’s Information Security Policy sets out these security requirements.
Data subjects have the following rights:
A data subjects rights may be restricted in whole or in part where they would conflict with a law enforcement purpose.
Where possible a distinction between data relating to the categories of individuals must be made, such as:
It should be borne in mind that some individuals could fall within more than one category, such as a ‘victim’ could also be a ‘witness’. We will only categorise the information under Part 3 of the Act where relevant to an investigation; any unused data will fall under the general provisions of GDPR (Part 2 of the 2018 Act). Any unused personal data will also be subject to the organisation’s retention periods.
Article 10 of the GDPR requires that Member States provide safeguards for the rights and freedoms of data subjects in any national law they may enact to authorise the processing of personal data relating to criminal convictions and offences.
For this reason, sub-sections 35(4)((b) & 35(5)(c) of the DPA 2018 requires controllers when processing criminal data to have an appropriate guidance document in place. Section 42 further defines the content of such a policy, in that it should:
This policy will be reviewed at least biennially; however, where there are changes to the legislative provisions it will be reviewed immediately.
Was this page helpful?
Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.