SRMS data may be passed to a competent authority under Part 3 of the Data Protection Act 2018 (DPA 2018) for law enforcement purposes which includes the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. A ‘competent authority’ is defined under Part 3 (30) and Schedule 7 of the DPA 2018, and includes UK police forces and the UK National Wildlife Crime Unit (NWCU).
SRMS data may be passed to a competent authority under Part 3 of the Data Protection Act 2018 (DPA 2018) for law enforcement purposes which includes the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. A ‘competent authority’ is defined under Part 3 (30) and Schedule 7 of the DPA 2018, and includes UK police forces and the UK National Wildlife Crime Unit (NWCU).
The NWCU is a national police unit that provides support to all police forces and law enforcement agencies across the UK and internationally. The unit comprises an intelligence and analytical function whilst also providing direct operational support via an investigative support function. It is fully compliant to working police protocols and conventions regarding intelligence. The unit’s role is to support investigations, providing a start to finish support service for Police Wildlife Crime Officers based in all UK forces.
Personal information collected at NWCU is managed in accordance with the following legislation and policy:
- The Data Protection Act 2018
- The Human Rights Act 1998
- Freedom of Information Act 2000
- Computer Misuse Act 1990
- Government Security Classification Policy
- Statutory Code of Practice for the Management of Police Information.
Reference will also be made to relevant case law and to legal guidance and codes of practice issued by the Office of the Information Commissioner.
Any data used for a law enforcement purpose by a competent authority under Part 3 of the DPA 2018 will comply with the six data protection principles as set out in Part 3, Chapter 2 (35(1) – 40) of the DPA 2018 as follows:
- The processing of personal data for any of the law enforcement purposes must be lawful and fair.
- Personal data collected on any occasion must be specified, explicit and legitimate, and must not be processed in a manner that is incompatible with the purpose for which it was collected.
- Personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.
- Personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date, and every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay.
- Any personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed.
- Personal data processed for any of the law enforcement purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).
Any SRMS data passed to the NWCU may be shared with other law enforcement agencies for the purposes as described in Part 3 of the DPA 2018, complying with data protection principles as presented above using information management guidance set out in the National Intelligence Model (NIM) and the Management of Police Information (MoPI) policy documents.
Any processing carried out by police or a competent authority which is not for the primary purpose of law enforcement will be covered by the general processing regime under Part 2 of the DPA 2018.
Next section:
9. Policy review