BEIS is a competent authority within the meaning of Part 3 of the Data Protection Act 2018 (DPA 2018, article 30 and annex 7 (1)) which applies to the processing of personal data by these authorities for law enforcement purposes.
These purposes are set out in Article 31 DPA 2018 and include the prevention, investigation, detection or prosecution of criminal offenses or the enforcement of criminal sanctions, which could include the protection and prevention of threats to public security.
Special Category Data
Part 3 of the DPA 2018 describes the requirement for an appropriate policy document (APD) to be implemented when processing sensitive personal data for law enforcement purposes.
Sensitive processing is defined in Part 3, Section 35 (8) and is equivalent to UK GDPR special category data. This includes:
- the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical convictions or trade union membership
- the processing of genetic data, or biometric data, for the purpose of uniquely identifying an individual
- processing of health-related data
- the processing of data concerning the sex life or sexual orientation of an individual
Relevant policy document
This policy document describes our sensitive processing for law enforcement purposes and explains:
i. Our procedures to ensure compliance with the law enforcement data protection principles
ii. Our policies regarding the retention and erasure of personal data, giving an indication of the length of time for which personal data may be kept
Description of the processed data
As part of our responsibilities under the INS Act, BEIS will carry out sensitive processing for law enforcement purposes in an area:
From time to time we may need to share information, for the purposes of a criminal investigation, with law enforcement or anti-fraud agencies, which also have responsibilities under data protection law. BEIS will no longer be responsible for the processing of data once it has been transferred in a secure and appropriate manner to the organization.
We carry out sensitive processing of all categories of data defined in part 3 article 35 (8).
Consent or Annex 8 conditions for processing:
We carry out sensitive processing under section 35 (3) DPA 2018 only on the basis of the consent of the data subject or when this is strictly necessary for the purposes of law enforcement and fulfills one of the conditions of Annex 8 of the DPA 2018.
The relevant conditions of Annex 8 of the DPA 2018 are:
i. Statutory objectives
ii. Administration of justice
iii. Personal data already in the public domain
iv. Legal complaints
v. Judicial acts
vi. Fraud prevention
Procedures to ensure compliance with the principles
Principle of responsibility
BEIS has put in place appropriate technical and organizational measures to meet accountability requirements. These include:
- appointing a data protection officer who reports directly to our highest level of management
- adopting a ‘data protection by design and by default’ approach to our operations
- keeping and maintaining documentation of our processing activities
- adopting and implementing data protection policies and ensuring that we have agreements in place with all data processors, independent or joint data controllers
- implementing appropriate security measures regarding the personal data that we process
- carrying out a data protection impact assessment
- regularly reviewing our accountability measures and updating or modifying them as needed
Data protection principles
The principles set out in part 3 of the DPA require personal data to be:
1. Processed lawfully and fairly (lawfulness and fairness).
2. Collected for specified, explicit and legitimate law enforcement purposes, and not further processed in a manner incompatible with those purposes (purpose limitation).
3. Adequate, relevant and not excessive in relation to the purposes for which they are processed (data minimization).
4. Accurate and, if necessary, up-to-date (accuracy).
5. Kept no longer than necessary for the purposes for which it is processed (storage limitation).
6. Processed in such a way as to guarantee appropriate security, using appropriate technical and organizational measures to protect against unauthorized or illegal processing and against accidental loss, destruction or damage (integrity and confidentiality).
Principle (1): Lawfulness and fairness
Processing for law enforcement must be lawful and fair. Sensitive processing is only permitted if:
- it is carried out on the basis of the consent of the data subject – Article 35 (4)
- it is strictly necessary for law enforcement purposes, it meets at least one of the conditions of Annex 8, and there is a policy in place at the time sensitive data is processed (this policy) – section 35 (5) DPA 2018
BEIS strives to ensure that the lawful processing of information is in a substantial public interest. Our processing of sensitive data for law enforcement purposes meets the first condition of Annex 8 that it is necessary for the exercise of a function conferred on BEIS as a government service and is necessary for reasons of substantial public interest. We are a competent authority and have the responsibility to seek to prevent, detect, investigate and prosecute any infringements committed in connection with the INS Law 2021.
In the circumstances where we ask for consent, we make sure:
- consent is unambiguous
- consent is given by positive action
- consent is recorded as a condition of processing
Principle (2): Purpose limitation
BEIS processes personal data for all the law enforcement purposes listed in article 31 DPA 2018. These include the prevention, investigation, detection or prosecution of criminal offenses or the enforcement of criminal sanctions. These include, in particular, criminal and civil offenses under the INS Law of 2021 and Law of 2006 on Fraud and Related Crimes Associated with Money Laundering and Businesses.
BEIS is authorized by law to carry out sensitive processing for any of these purposes. BEIS may process personal data collected for one of those purposes (whether by us or another controller), for one of our other law enforcement purposes, provided that the processing is necessary and proportionate to this end.
BEIS will only use data collected for law enforcement purposes for purposes other than law enforcement where we are permitted by law to do so.
If BEIS shares data with another processor or controller, an agreement will be in place to document that they are authorized by law to process the data for their purposes.
Principle (3): Data minimization
BEIS collects the personal data necessary for the relevant purposes and ensures that they are not excessive. The information we process is necessary and proportionate to our purposes. When personal data is provided to or obtained by us, but is not relevant to our stated purposes, we will erase it.
Principle (4): Accuracy
Where BEIS becomes aware that personal data are inaccurate or out of date, having regard to the purpose for which they are processed, BEIS will take all reasonable steps to ensure that the data is erased or rectified without delay. If BEIS decides not to erase or rectify them, for example because the legal basis on which we rely to process the data means that these rights do not apply, we will document our decision.
Principle (5): Storage limitation
BEIS will retain the processed information for law enforcement purposes for 10 years from the closing of the case, unless there is a legitimate reason for keeping it longer.
Principle (6): Security
Electronic information is processed within our secure network. Information on paper is handled in accordance with our security procedures.
Our electronic systems and physical storage have appropriate access controls applied.
The systems we use to process personal data allow us to erase or update personal data at any time, as appropriate.
Retention and erasure policies
There may be instances where personal data collected during an investigation is further processed in future investigations related to national security risks. BEIS intends to retain personal information for a maximum period of ten years, in order to ensure the ISU may use this personal information lawfully and in accordance with applicable data protection legislation in order to fulfill its public mission obligations.
The data would be stored on secure government systems. Processes will be implemented to ensure that the data retention policy is followed and that data is purged or archived as needed. All right to be forgotten / right to erasure requests will be processed in accordance with BEIS's legal obligations under the UK GDPR and DPA 2018.
APD revision date
This policy will be retained for the duration of our processing and for at least 6 months after the processing ends.
This policy will be reviewed annually or revised more frequently if necessary.