Policy paper

Appropriate Policy Document Sensitive Processing for Law Enforcement Purposes

Published 9 May 2024

© Crown copyright 2024

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/rural-payments-agency-data-protection-policy/appropriate-policy-document-sensitive-processing-for-law-enforcement-purposes

1. Policy Summary

Rural Payments Agency (RPA) processes personal data for law enforcement purposes relating to individuals who have committed or are suspected of committing offences and other individuals who are involved. We act as an environmental regulator under various legal powers and statutory functions. RPA is a competent authority under Data Protection Act (DPA) 2018 Part 3 Section 30(1)(a).

This policy document has been developed for RPA to meet the requirement for an appropriate policy document (APD) under DPA 2018 Part 3 Section 42. It outlines our sensitive personal data processing for law enforcement purposes and explains:

  • our procedures for securing compliance with the law enforcement data protection principles

  • our practices regarding the retention and erasure of personal data, giving an indication of how long the personal data will be retained

  • the Appropriate Policy Document for Processing of Special Categories of Personal and Criminal Offence Data applies when our processing is not for the primary purpose of law enforcement

Additional information about our Information Governance Model can also be found in RPA’s Data Protection Policy (POL/DP&G/RPA) and our Personal Information Charter (POL/DP&G/PIC).

2. Law Enforcement Purposes

These purposes are set out in DPA 2018 Section 31 and include the:

  • prevention, investigation, detection, or prosecution of criminal offences

  • execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security

Sensitive processing is defined in DPA 2018 Part 3 Section 35(8) and is equivalent to UK GDPR Article 9 Special Category Data. This includes personal data which relates to:

  • race or ethnic origin

  • political opinions

  • religious or philosophical beliefs

  • trade union membership

  • genetic data

  • biometric data for the purpose of uniquely identifying a natural person

  • data concerning health

  • data concerning a natural person’s sex life or sexual orientation

3. Description of Data Processed

We carry out sensitive processing for law enforcement purposes in two main areas:

  • criminal investigations

  • financial recovery

We carry out sensitive processing under DPA Section 35(3) only in reliance on the consent of the data subject or where it is strictly necessary for the law enforcement purposes and it meets one of the conditions in DPA 2018 Schedule 8.

All processing is for the first listed purpose and might also be for others, depending on the context:

  • Paragraph 1 – Statutory purposes, for example if it is necessary for the exercise of the function conferred on a person by an enactment or rule of law, and for reasons of substantial public interest

  • Paragraph 2 – Administration of justice

  • Paragraph 6 – Legal claims

  • Paragraph 9 – Archiving such as for scientific, historical, or statistical purposes  

5. Law Enforcement Data Protection Principles

We comply with the law enforcement data protection principles under DPA 2018 Part 3 Chapter 2 as set out below.

5.1 Principle 1 – Section 35 – Lawfulness and Fairness

Processing for law enforcement purposes must be lawful and fair. This means that personal data processed for any of the law enforcement purposes must be either:

  • based on the consent of the data subject – section 35(2)

  • carried out by RPA where the processing is necessary for the performance of a task

In addition, if the processing involves sensitive personal data, then this is only permissible if it is either:

  • based on the consent of the data subject - section 35(4)

  • strictly necessary for the law enforcement purpose under section 35(5) and is based on a Schedule 8 condition

  • necessary for reasons of substantial public interest. Our processing of sensitive data for law enforcement purposes normally satisfies paragraph 1 Schedule 8 condition; that it is necessary for the exercise of a function conferred on RPA by the legislation for which we act as regulator

In circumstances where we seek consent, we make sure the consent is:

  • unambiguous

  • given by a positive action

  • recorded as the condition for processing

5.2 Principle 2 – Section 36 – Purpose Limitation

Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. We will:

  • only collect the minimum personal data that we need for the purpose(s) for which it is collected, for example, for prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties

  • only do this where authorised by law to carry out sensitive processing for any of these purposes and may process personal data collected for one of these purposes (whether by us or another controller), for any of our other law enforcement purposes providing the processing is necessary and proportionate to that purpose

  • ensure that the data we collect is adequate and relevant

  • only use personal data collected for a law enforcement purpose for purposes other than law enforcement where we are authorised by law to do so

If we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose.

5.3 Principle 3 – Section 37 – Data Minimisation

Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. We will:

  • not systematically collect or harvest sensitive personal data for law enforcement purposes

  • only collect the minimum personal data that we need for the purpose(s) for which it is collected ensuring that the data we collect is adequate and relevant

  • erase sensitive personal data, where we are able to. Where sensitive personal data is provided to us or obtained by us when it is not relevant to our stated purposes

5.4 Principle 4 – Section 38 – Accuracy

Personal data will be accurate and, where necessary, kept up to date. We will:

  • take particular care to do this where our use of the personal data has a significant impact on individuals

  • take every reasonable step to ensure that personal data is erased or rectified without delay if we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed

  • document our decision if we decide not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights do not apply

Where relevant, and as far as possible, we will distinguish between personal data relating to different categories of data subject, such as:

  • people suspected of committing an offence or being about to commit an offence

  • people convicted of a criminal offence

  • known or suspected victims of a criminal offence

  • witnesses or other people with information about offences

  • where the personal data is relevant to the purpose of being pursued

5.5 Principle 5 – Section 39 – Storage Limitation

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. We will:

  • only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so

  • delete or otherwise put beyond use or rendered permanently anonymous, personal data once we no longer need it

5.6 Principle 6 – Section 40 – Security

Personal data shall be processed in a manner that ensures appropriate security of that data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. We will:

  • ensure that there are appropriate organisational and technical measures in place to protect personal data

  • have strict security standards, and all our staff and other people who process personal data on our behalf get regular training about how to keep data safe

  • limit access to your personal data to those employees, or third parties who have a business or legal need to access it

6. Accountability Principle

We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:

  • the establishment of an Information Governance Model as described in the RPA Data Protection Policy (POL/DP&G/RPA). It is managed day-to-day by the Data Protection Lead who reports to both the RPA Security Risk Owner (SRO) and the Defra Data Protection Officer (DPO)

  • taking a data protection by design and default approach to our activities

  • maintaining documentation of our processing activities

  • adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors

  • implementing appropriate security measures in relation to the personal data we process

  • carrying out data protection impact assessments for our high-risk processing

  • regularly reviewing our accountability measures and update or amend them when required

7. Retention and Erasure

We take the security of our processing of sensitive personal data for law enforcement purposes very seriously. We have administrative, physical, and technical safeguards in place to protect personal data against unlawful or unauthorised processing, or accidental loss or damage.

We will ensure, where sensitive personal data is processed that the processing is recorded, and the record sets out where possible a suitable time period for the safe and permanent erasure of the different categories of data in accordance with our retention schedule.

7.1 Publication, Review and Monitoring

Publication date - April 2024

Version 1.0

Author - Data Protection and Governance (DP&G)

Review period - Every two years

This policy is scheduled to be reviewed again during April 2026 unless significant developments in either the RPA or the law necessitate that this be brought forward. It will be retained where we process personal data for law enforcement purposes and for a period of at least six months after we stop carrying out such processing.

Compliance with the policy will be monitored via the Data Protection Lead and the SRO reporting to Executive Team (ET) and the Audit and Risk Assurance Committee (ARAC) as required.

This policy should be read in conjunction with the following documents:

RPA Data Protection Policy

Appropriate Policy Document: Special Category Personal Data and Criminal Offence Data

Back to top