Law enforcement processing safeguards policy

Norfolk County Council has statutory functions for law enforcement purposes. These purposes are for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. 

General areas of law enforcement are listed in appendix A below.  

Most of our processing of personal data is, however, for purposes other than law enforcement e.g. education, highways, transport planning, passenger transport, social care (children and adults), libraries, waste disposal and strategic planning. This general processing is not for the primary purpose of law enforcement and is covered by the General Data Protection Regulation and Part 2, Chapter 2 Data Protection Act 2018 (DPA 2018). See our Privacy Notices and Special Category Data and Criminal Offences Data Policy for more information about this processing

Sensitive processing

Section 35 DPA 2018 states that, in order to comply with the first data protection principle (processing must be lawful and fair), where the processing for the law enforcement purposes includes sensitive processing, the processing will be permitted if the requirements of section 35(4) are complied with. 

Sensitive processing is defined at section 35(8) DPA 2018 as the processing of:

  • Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership
  • Genetic data, or of biometric data, for the purpose of uniquely identifying an individual
  • Data concerning health
  • Concerning an individual’s sex life or sexual orientation

Section 35(4) and (5) states that sensitive processing for law enforcement purposes can only be undertaken 

  • Where the data subject has given consent to the processing or
  • The processing is strictly necessary for law enforcement purposes and
  • In respect of both bullet points above, we have an appropriate policy document under section 42 DPA 2018 in place

This document satisfies the requirements of section 42 and is therefore an appropriate policy document in support of our compliance with the first data protection principle.

Procedures for securing compliance with the DPA 2018 data protection principles 

Part 3, Chapter 2 of the DPA 2018 sets out six data protection principles for law enforcement purposes: - 

First principle

Processing for law enforcement purposes must be lawful and fair. 

It is only lawful if and to the extent it is based on law and either the data subject has given their consent for the processing, or the processing is necessary for the law enforcement purpose, or the processing meets at least one of the conditions in Schedule 8.

Our processing for law enforcement purposes satisfies Schedule 8 in that it is necessary for the exercise of a function conferred on Norfolk County Council by the legislation and is necessary for reasons of substantial public interest. 

Where personal data is retained as a public record to be transferred to the National Archives, the processing is necessary for archiving purposes in the public interest. 

There may also be limited circumstances where we seek consent and in these circumstances, we make sure the consent is:

  • Unambiguous
  • Given by an affirmative action
  • Recorded as the condition for processing

Second principle

Personal data collected for law enforcement purposes must be specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
We process personal data for all the law enforcement purposes listed above. 

We may process personal data collected for one of these purposes providing the processing is necessary and proportionate to that purpose.

We will only use data collected for a law enforcement purpose for purposes other than law enforcement, where we are authorised by law to do so. 

If we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose. 

Third principle

Personal data collected for any of the law enforcement purposes must be ‘adequate, relevant and not excessive’.

We do not systematically collect sensitive personal data for law enforcement purposes. The information we process is necessary for and proportionate to our purposes. It is processed in the context of us carrying out processes which enable us to meet our stated purposes for processing. 

Where sensitive personal data is provided to us or obtained by us but is not strictly relevant to our law enforcement functions, we will erase or return it if it is practicable to do so and if it would not compromise or undermine our law enforcement functions.

Fourth principle

Personal data must be accurate and where necessary kept up to date.

Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, we will document our decision. 

We, as far as possible, distinguish between personal data based on facts and personal data based on personal assessments or opinions and mark the file to reflect the distinction. There are circumstances where this is not possible. 

We, where relevant, and as far as possible, distinguish between personal data relating to different categories of data subject, such as 

  • People suspected of committing an offence or being about to commit and offence 
  • People convicted of a criminal offence
  • Known or suspected victims of a criminal offence 
  • Witnesses or other people with information about offences 

We only do this where the personal data is relevant to the purpose being pursued. We do this by marking the file. 

We take reasonable steps to ensure that personal data which is inaccurate, incomplete or out of date is not transmitted or made available for any of the law enforcement purposes. We do this by verifying any data before sending it externally. We also provide the recipient with the necessary information we hold to assess the accuracy, completeness and reliability of the data. 

If we discover, after transmission that the data was incorrect or should not have been transmitted, we will tell the recipient as soon as possible. 

We document our decision to make personal data available for any of the law enforcement purposes. 

Fifth principle

Personal data must be kept for no longer than necessary.

We have a corporate retention schedule and retain information processed for the purposes of law enforcement in accordance with the retention schedule unless there is a legitimate reason to retain it for longer. 

Sixth principle

Personal data must be processed for law enforcement processes in a manner that ensures appropriate security of the personal data using appropriate technical or organisational measures.

Electronic information is processed within our secure network and shared via secure email and SharePoint. Hard copy information is processed within our secure premises and outside our premises (for example, at court) in a secure manner.

Electronic and hard copy information processed for the law enforcement purposes is only available to staff who carry out the processing for these purposes. Our electronic systems and physical storage have appropriate access controls applied. 

The systems we use to process personal data for law enforcement purposes allow us to erase or update personal data at any point in time. They also allow us to log the following information: 

  • Collection
  • Alteration
  • Access
  • Identity of person who accessed
  • Disclosures
  • Combination of records
  • Erasure

Further information

For further information about the County Council’s compliance with data protection law, please contact us by: 

  • Emailing the Information Compliance Team at information.management@norfolk.gov.uk
  • Writing to the Information Compliance Team, Norfolk County Council, County Hall, Martineau Lane, Norwich NR1 2DH 

Alternatively, if you wish to contact our Data Protection Officer, you may do so by:

  • Emailing the DPO at: dpo@norfolk.gov.uk.
  • Writing to the DPO, Norfolk County Council, County Hall, Martineau Lane, Norwich NR1 2DH

Appendix A 

Statutory Law Enforcement Functions 

Trading Standards Service

  • Fair Trading
  • Food Standards and Safety 
  • Animal Health & Welfare 
  • Weights and Measures
  • Non-Automatic Weighing Instruments 
  • Product Safety

YOT 

  • Youth court order breaches. 

Children’s Services 

  • Non attendance at school 
  • Child employment 
  • Child performance 

Planning

Highways 

Health and Safety

Was this webpage helpful?