Challenging Police records management: our response to the public consultation on the way Police in England and Wales record and store information

PI together with Open Rights Group (ORG) submitted a joint response to the the College of Policing public consultation on how the Police in England and Wales will be managing, recording and archiving information. Our response was also supported by Defend Digital Me, Coram Children's Legal Centre and Refugee and Asylum Participation Action Research (RAPAR)

Key points
  • The way the Police record, store, manage and delete information can pose serious threats to privacy and other fundamental rights.
  • The way police records and other information is managed needs to be subject to strong oversight and transparency measures, which are clear and implementable.
  • The proposed Code of Practice does not explain in sufficient detail how people will be safeguarded against misuse of their data.
News & Analysis
Photo by Ehimetalor Akhere Unuabona on Unsplash

The College of Policing public consultation concerned the new Code of Practice in relation to the way information is managed and recorded in the Police National Computer (PNC), Police National Database (PND) and the forthcoming Law Enforcement Data Service (LEDS).

PI and Open Rights Group (ORG) believe that the way police records and information are managed, stored and disposed of can pose serious threats to privacy and other fundamental rights. Therefore they must not only be subject to strong oversight, safeguards, and transparency measures, but these measures must also be clear and implementable, with direct lines of responsibility. Further, the obligation of transparency imposed by the General Data Protection Regulation and Data Protection Act 2018 should extend to all organisations and relevant third parties that the Police share this data with.

At the moment, the Code of Practice does not provide for this, and instead largely refers to broad principles rather than concrete measures. The Code does not explain in any real detail how the relevant principles and obligations will be achieved or implemented. Transparency is key and there is a need to address the reality of policing in the 21st Century and the ongoing real-time use of massive databases in the modern age. Policing in the UK and around the world has turned into a sophisticated data operation. We believe that the Code should be expanded to provide clarity and instruction.

Further, the Code fails to make clear what specific safeguards will be put in place in relation to the management of data and how long the data will be kept. Concrete information is needed in the final Code around the safeguards that will be implemented, how access will be allocated and reviewed in the future, who will oversee this process and the extent to which records and police information will be shared with other organisations and third parties.

Additionally, the Code of Practice does not provide what safeguards will be adopted in order to ensure that the systematic failures that have been previously highlighted in the ICO report dealing with the use of mobile phone extraction are avoided. The ICO report demonstrated numerous risks and failures by the police regarding data protection and privacy rights. The police and the CPS were not giving enough consideration to necessity, proportionality and collateral intrusion.

We are concerned that the Code of Practice does not specify what safeguards will exist to ensure that information is not revealed to unauthorised individuals. It is unclear how the information containing personal data will be safeguarded against deliberate misuse, such as so-called LOVEINT - the use of massive and intrusive databases to spy on partners, or from incorrect or invalid data.

Numerous reports recently highlighted serious problems surrounding the way Police are managing their records, from accidental deletion of records to failures to inform relevant EU countries that their citizens have been convicted of murder in the UK. Considering these issues, it is imperative that the Code of Practice provides concrete safeguards to ensure these practices do not take place. It must also outline details about redress or disciplinary measures as a result of misuse and significant failures. It is also unclear whether, as we have seen in various disciplinary proceedings before Professional Standards in the Met, disciplinary proceedings may be bypassed altogether by officers under investigation leaving their roles.

At the moment, the Code does not explain in sufficient detail how the Police will be safeguarding people, promoting accountability and understanding in relation to managing their records.

As a result of these issues, our response to consultation makes the following recommendations:

  • There should be clearer rules, providing clarity and foreseeability about when, why and how the police and other third parties are able to manage, record, store and dispose of police information and records.
  • Robust policies and procedures must be put in place to ensure the appropriate handling and deletion of data. These policies should include oversight procedures and what safeguards will be adopted to ensure that the handling and deletion of data is compliant with data protection legislation.
  • More transparency surrounding the way access controls and relevant authorisation will be assigned, controlled, monitored, and publicly notified
  • To meet the standards required for fair processing, there should be further guidance on how police forces should engage with individuals whose data has been stored on various databases (PNC/PND/LEDS) and to inform them about what their rights are.
  • Details of how the APP is to be enforced should be made clear, including details regarding the redress or disciplinary procedures as a result of misuse of records or police information.
  • More information should be provided to police officers, oversight agencies and the courts regarding the legal status of the APP and whether its provisions are binding or if they can be used as evidence within disciplinary procedures.
  • Individuals need to be clearly informed about how they can exercise their data rights, and how to seek redress, including via an easily accessible online portal.

You can read PI's and ORG's response to consultation in full by downloading the attachments below.