PSNI Blues
Adding to its recent data protection woes, on 26 October 2023, the Information Commissioner published details of a reprimand issued against the Police Service of Northern Ireland (PSNI) in respect of its failure “to have appropriate measures in place to prevent unlawful sharing of personal data including criminal data with the United States Department of Homeland Security (DHS)”.
The processing of personal data by competent authorities, such as police forces, for law enforcement purposes, i.e. the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (see s.31 Data Protection Act 2018 (DPA 2018)), is governed by Part 3 Data Protection Act 2018 rather than the UK GDPR, and different and additional obligations apply to transfers of personal data outside the UK.
PSNI’s Extradition Unit was found to have unlawfully shared personal data processed for the law enforcement purposes, including criminal defence data and biometric data, with the DHS between 2016 (when the Data Protection Act 1998 was in force) and 15 October 2020, affecting 174 data subjects.
The Information Commissioner found that:
Staff accessed systems and shared data in breach of applicable policies and procedures without realising this, breaching the obligation under s.34(3) DPA 2018 that the controller be responsible for and able to demonstrate compliance;
Staff were sharing personal data pro-actively with DHS to alert them to the travel arrangements of individual data subjects outside of the process for sharing personal data with foreign law enforcement, leading to individuals being refused entry to the US, breaching the obligation under s.35(1) DPA 2018 that processing of personal data for the law enforcement purposes be fair and lawful;
Staff shared the personal data with the DHS by email without encryption or password protection, in breach of the obligation under s.40 DPA 2018 to ensure appropriate security;
The pro-active sharing of biometric data, which comprises sensitive processing for the purposes of s.35(8) DPA 2018, with DHS to disrupt or enable the disruption of travel was not for the prevention or detection of crime and, in the absence of consent, was therefore neither lawful nor fair; nor did PSNI have an appropriate policy document in place, in breach of the obligation under s.42(1) to have such a document in place when carrying out sensitive processing; and,
The pro-active transfer of personal data to enable travel disruption was not for the law enforcement purposes and was therefore contrary to s.73(1) DPA 2018, which prohibits transfers of personal data processed for the law enforcement purposes unless specific conditions are met.
Consistent with the Information Commissioner’s revised approach to public sector enforcement and having regard to the remedial action stated to have been taken by PSNI, including a review by PSNI’s Professional Standards Unit and the Police Ombudsman of Northern Ireland and the introduction of stricter controls on data sharing, notwithstanding the harm and financial cost invariably caused to affected data subjects, the Information Commissioner issued PSNI with a reprimand.
The decision highlights the importance of:
regular training and awareness-raising for staff of their legal obligations;
ongoing governance and monitoring of data processing activities, including through auditing and dip sampling of processing activities and annual data protection check-ups with business areas to understand how their activities might have evolved;
documenting policies and procedures and ensuring that they are understood and applied;
implementing technical safeguards, such as restricting access to data and/or the ability to extract it, and flagging when emails that contain personal data are proposed to be sent outside the organisation; and,
understanding the lawful routes for transferring personal data processed for the law enforcement purposes overseas and the requirements of each of these routes (and bearing in mind that additional obligations may apply in connection with certain types of personal data).
In relation to the latter, Handley Gill has produced a flowchart demonstrating the lawful bases for transferring personal data processed for the law enforcement purposes under Part 3 Data Protection Act 2018 from the UK to overseas.
While one of those lawful bases is that the Secretary of State has made adequacy regulations, it is important to note that the recently introduced Data Protection (Adequacy) (United States of America) Regulations 2023 (SI 2023/1028) (‘US Adequacy Regulations’), which came into force on 12 October 2023, enabling transfers of personal data from the UK to US entities self-certified to the EU-US Data Privacy Framework (DPF) and the UK extension, do not apply to personal data processed for the law enforcement purposes under Part 3 DPA 2018.
That is not to say that the US Adequacy Regulations are irrelevant to law enforcement transfers to America. If a transfer was proposed to take place to an entity other than a relevant authority in the third country or a relevant international organisation, and that entity was self-certified to the EU-US Data Privacy Framework and the UK extension, and the transfer would be based on either the competent authority determining that there would be appropriate safeguards in place having conducted a risk assessment under s.73(3)(b) & s.75(1)(b) DPA or the competent authority determining that special circumstances apply and the public interest in the transfer is not overridden by the fundamental rights and freedoms of the data subject under s.73(3)(c) & s.76(1)(d)-(e) DPA, and the entity were to commit to treating the transferred personal data in accordance with the Principles, then the fact of the Regulations and self-certification could be a relevant factor to take into account. The Principles include an obligation to “take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data”.
Should your organisation require support in identifying lawful grounds for transfers of personal data outside the UK, under the UK GDPR or the Data Protection Act 2018, or in the design and delivery of role-appropriate data protection training, or should it benefit from a review of its approach to data protection compliance and recommendations for remediation, whether or not after a breach or finding of unlawful processing, contact us.