The law enforcement provisions of the Data Protection Bill
Thursday 19 October, 2pm
How does the legislation fit together?
(Slide diagram: General Data Protection Regulation (GDPR); Data Protection Bill)

The purpose of this webinar is to raise awareness of Part 3 of the Data Protection Bill (law enforcement processing) and to explore our 12 step guide in a bit more detail. But before we do, it is important to know how the legislation fits together.

So, by way of background: the EU data protection reform package, which is intended to replace the current Data Protection Act 1998 as we know it, incorporates a Regulation and a Directive. You may ask: what is the difference between a regulation and a directive? A regulation and a directive work differently, and one or the other is chosen as appropriate to the subject matter. A regulation is a legal act of the European Union that becomes immediately enforceable as law in all member states, whereas a directive needs to be transposed into national law by each member state individually, and so provides more flexibility.

Most will know of the existence of the EU Law Enforcement Directive. The text came out separately, but at the same time as the GDPR (General Data Protection Regulation), in May 2016. The directive covers the processing of personal data for the purposes of crime prevention, and the free movement of such data between member states. But being a directive, as explained, it has to be transposed into domestic UK legislation, and it now takes the form of the law enforcement provisions within Part 3 of the UK Data Protection Bill. This is expected to be implemented by May 2018 and is currently making its way through parliament, all 218 pages, seven Parts and 18 schedules of it, which we shall expand on later. So moving forward, especially for domestic use, we should no longer be referring to the ‘LED’, but to the Law Enforcement Provisions of the Bill (Part 3). It is therefore important that the GDPR and the DP Bill are read side by side, as two interlinking pieces of legislation.

As a side note, in terms of Brexit, the UK’s decision to leave the EU will not affect the commencement of the GDPR, and the government has confirmed that the UK will be implementing the EU’s GDPR standards.
Law Enforcement Processing (Part 3)
(Slide diagram, the parts of the Data Protection Bill: General Processing; Law Enforcement Processing (Part 3); Intelligence Services Processing (MI5, MI6, GCHQ); The Information Commissioner; ICO Enforcement; Preliminary, Supplementary and Final Provision, and Schedules)

By implementing the EU Directive, the DP Bill is a key element of modernising our data protection laws to ensure that they are effective in practice for the years to come. If we take a closer look at the contents of the DP Bill, you will see that it is split into various parts (list them and explain), but for the purposes of this webinar we are going to focus on Part 3, Law Enforcement Processing, and expand on some steps to assist compliance.

What are the Law Enforcement Purposes?
- Prevention, investigation, detection or prosecution of criminal offences
- Execution of criminal penalties
- Safeguarding against, and prevention of, threats to public security

The definition of the “law enforcement purposes” sets the boundaries to which Part 3 of the Bill applies. Similar to the DPA (s.29), “the law enforcement purposes” under the Bill are the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. So it is likely that those involved with civil enforcement will be referring to the GDPR, and if any information is passed on to law enforcement authorities for further criminal aspects, it is the law enforcement authorities themselves that will be using Part 3 of the DP Bill. It is also important to remember that not all processing of personal data will be for law enforcement purposes. For example, the HR department of a police force is also likely to be involved in general processing, which may be governed by the GDPR, so in practical terms organisations will have to be across both pieces of legislation.
Competent Authorities – Schedule 7
(Policing, Investigatory Functions, Offender Management)

Part 3 of the Bill only relates to ‘competent authorities’, e.g. those involved in policing, those with investigatory functions or those involved in offender management. By definition, “competent authority” means (a) a person specified in Schedule 7 (which is not a complete list as of yet), and (b) any other person that has statutory functions for any of the law enforcement purposes. Practical examples include: Police, Courts/Tribunals, HMRC, NCA and the ICO. The list may be subject to amendment via statutory instrument.
How does Part 3 differ from the GDPR?
- Principle 1: reduced ‘transparency’ requirements
- The standards for consent are not as strict
- Principle 4: requirement for categorisation of data subjects: victims, witnesses, suspects, offenders
- Requirement to distinguish whether data is fact or personal assessment/opinion
- Logging requirements to record metadata for automated processing systems

What’s different? A few observations. Part 3 of the DP Bill is similar to, but not the same as, the GDPR. For the most part the principles are the same, although Part 3 does not require the same levels of ‘transparency’ within Principle 1, nor are the consent requirements as strict as the GDPR’s; but competent authorities will still be required to identify a lawful basis for processing. The main differences include categorisation requirements: to classify/identify different categories of data subjects (such as victims, witnesses, offenders), and to classify whether the data is fact or personal opinion/assessment (e.g. witness statements vs. factual evidence). There are also logging requirements for the processing of data in automated systems: you should be able to record the collection, alteration, consultation, disclosure, combination and erasure of data, so competent authorities will need to look at the functionality of any automated systems in place.
What steps can you take now?

In terms of guidance, we are now out of the starting blocks for the law enforcement provisions and we have just published our ‘12 steps’ guidance. Over the coming months we’ll be working on bespoke guidance for the law enforcement provisions. The 12 Steps guidance is intended to support your preparations. Some of you will be familiar with a similar piece of guidance we published a while ago for the GDPR. It’s also worth taking some time to familiarise yourself with the layout of the Data Protection Bill, bearing in mind that it’s subject to change as it works its way through parliament. Part 3 is sections 27 – 79, with supporting schedules at the end of the Bill.
1. Awareness; 2. Information you hold: mapping; 3. Lawful basis for processing personal data

Awareness: A first step is to check whether your organisation is a Competent Authority under Schedule 7 of the DP Bill or has statutory functions for any of the law enforcement purposes. The intention is that this schedule will have a definitive list of bodies that fall under the law enforcement provisions. As you’d expect, it includes police forces, government bodies, and others, such as the ICO, because of our powers to investigate breaches of the laws we regulate. If you’re on the list, you should make sure that key people in your organisation are aware that the law is changing from May 2018, and how this affects responsibilities and processes.

Information you hold – mapping: The law enforcement provisions contain specific requirements about accountability and having policies and procedures in place to support this. Ideally this will build on existing good practice. You should document:
- what personal data you hold, where you hold it, where it came from, who you share it with and who is responsible for it;
- the category of personal data;
- whether it’s fact or intelligence;
- what personal data is being processed under Part 3 of the DP Bill and what is being processed under other parts of the Bill and the GDPR.
Do you work jointly with other organisations? Do you use data processors? You may need to organise an information audit and review any contracts or agreements. You may have already done this. Either way, when planning your mapping exercise, take time to work out what is required, and how the outcome can be used for other purposes, such as obligations around providing information to data subjects.

Lawful basis for processing personal data: You should identify the lawful basis for your processing activity, document it and update your privacy notices to explain it, using clear and plain language.
4. Consent; 5. Privacy Notices; 6. Individuals’ Rights

Consent: If you rely on consent you need to consider whether this is appropriate or whether you should use another lawful basis. If consent is appropriate then you should review how you seek, record and manage consent and whether you need to make any changes. You will need to refresh existing consents if they do not meet the standard required.

Privacy notices: You should review your current privacy notices and ensure that these are in an easily accessible form, updated and ready by May 2018. You will need to include more detailed information, including your lawful basis for processing personal data and retention periods, unless an exemption applies. The ICO has published a code of practice on privacy notices, transparency and control, and this is consistent with the requirements under the DP reforms.

Individuals’ rights: These are a key theme of the DP reforms. You should check your systems and procedures to ensure they cover all the rights individuals may have, including deletion and rectification, and also the changes to time periods.
7. Data Breaches; 8. Privacy by Design: DPIAs; 9. Data Protection Officers

Data breaches: You should ensure that you have the right procedures in place to identify, manage and investigate a breach. You will need to have processes in place to determine whether you need to report the breach to the ICO, based on the risks to individuals’ rights and freedoms. If you decide that it is necessary to report, you will need to do so no later than 72 hours after becoming aware of it. You should be prepared to notify affected individuals in some cases. The ICO is adapting its operations to accommodate our additional responsibilities here. Look out for more information on our website about breach reporting.

Data protection by design and DPIAs: Data Protection Impact Assessments will be mandatory where processing is likely to result in a high risk to the rights and freedoms of individuals. A new code is planned, but the existing one provides relevant guidance. Again, the ICO will be putting systems in place for formally checking DPIAs. There are also new requirements for data protection by design. In particular, if you are planning to procure a new system, you need to be aware of this.

Data Protection Officers: As we’ve seen, accountability and governance are cornerstones of the DP reforms. The role of the DPO will be a key element of delivering this. Ensure that you designate someone to take responsibility for your data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You will be required to have a Data Protection Officer, and you may already have one under the requirements of the GDPR or a specific piece of European law enforcement legislation.
10. Logging; 11. International; 12. Sensitive Processing

Logging: You should ensure that you are able to keep logs of processing operations in automated processing systems. This will include a log of any alterations to records, access to records, and erasure and disclosures of records, unless an exemption applies.

International: You should review procedures for transferring or sharing personal data across borders (either with relevant authorities or others) to ensure that they are compliant.

Sensitive processing: If you are processing sensitive personal data (which will be almost always) you will need to ensure that you are compliant with the requirements of the legislation, including having an appropriate policy in place. There are more categories than in the DPA, including genetic or biometric data. Conditions for sensitive processing are in Schedule 8.
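As an added illustration of the logging step above and of the logging and categorisation differences described under "How does Part 3 differ from the GDPR?" (this is example code written for this page, not the ICO's guidance or anything the Bill prescribes), the following Python sketch keeps an append-only, hash-chained log restricted to the six operation types the webinar lists, and attaches to each entry the data-subject category and the fact/opinion flag. The field names, the SHA-256 chaining and the constructed sample entries are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Operation types the webinar says an automated system must be able to log.
OPERATIONS = {"collection", "alteration", "consultation",
              "disclosure", "combination", "erasure"}
# Data subject categories from the Part 3 categorisation requirement.
CATEGORIES = {"victim", "witness", "suspect", "offender"}
GENESIS = "0" * 64  # assumed starting hash for the chain


def _digest(body):
    # Canonical JSON so an entry always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ProcessingLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []
        self._prev = GENESIS

    def record(self, operation, actor, record_id, subject_category,
               is_fact, justification, recipient=None):
        if operation not in OPERATIONS:
            raise ValueError(f"unknown operation: {operation}")
        if subject_category not in CATEGORIES:
            raise ValueError(f"unknown subject category: {subject_category}")
        if operation == "disclosure" and not recipient:
            raise ValueError("a disclosure must name its recipient")
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "operation": operation, "actor": actor, "record_id": record_id,
                 "subject_category": subject_category, "is_fact": is_fact,
                 "justification": justification, "recipient": recipient,
                 "prev_hash": self._prev}
        entry["hash"] = _digest(entry)  # hash computed before the key is added
        self._prev = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if no entry was altered, removed or reordered."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def disclosures_of(self, record_id):
        # Answers "who has this record been disclosed to?" for a subject request.
        return [e for e in self.entries
                if e["record_id"] == record_id and e["operation"] == "disclosure"]
```

Any alteration of a stored entry, or deletion of one, makes `verify()` return False, which is the property a competent authority would want when the log itself is evidence of how a record was handled.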
Where can you follow the Bill?

So, where can you follow the progress of the Bill? At parliament.uk. You can see that the Bill had its second reading on 10 October in the House of Lords, and you can track its progress there if you are interested, all the way up to royal assent.
GOV.UK – DCMS Factsheets

There is of course further reading to be done at GOV.UK, where you can find fact sheets by DCMS specifically in relation to law enforcement processing; these can be downloaded in PDF format.

Guidance: ICO Website

And of course, the ICO website, where we will be working on providing guidance in due course on our DP reform page, specifically for law enforcement processing, which builds on the 12 steps that Anne has just explained.
May 2018 - The finish line?

With eyes on May next year, are we nearing the finish line? Timing will no doubt be tight to get the Bill finalised, but in reality that is more like the first lap completed than the end of the race. There will be plenty of work to do after May next year, and it is the beginning of a new, comprehensive and modern framework for data protection in the UK.

Any Questions?
Helpline: 0303 123 1113
Keep in touch by subscribing to our e-newsletter at www.ico.org.uk or find us on… www.twitter.com/iconews