T-PD(2015)06
DRAFT PRACTICAL GUIDE REGULATING THE USE
OF PERSONAL DATA IN THE POLICE SECTOR
Report prepared by Edward Beaman, Senior Lecturer, School of Forensic &
Investigative Sciences, University of Central Lancashire, United Kingdom
The views expressed in this report are those of the author and do not necessarily reflect the official position of the Council of Europe.
Directorate General of Human Rights and Rule of Law
The Council of Europe Recommendations (87)15 of the Committee of Ministers of Member States are now 28 years old. As a result of the work carried out by Professor Joseph A. Cannataci and Dr Mireille M. Caruana in their report “Recommendation R (87)15 – 25 years down the line”, I have been asked to provide a draft on the principal problems still attached to the implementation of (87)15 throughout Europe.
The author agrees with the recommendations made by Professor Cannataci and Dr Caruana, in that the time has come to make the recommendation a binding instrument in some form. The problems with the recommendations come in finding that fine balance between the rights of the citizen and the ability of Policing Agencies to carry out the duties expected of them in the prevention and detection of crime, the maintenance of public order and the protection of life and property.
The majority of those people involved in policing do not wish to live in or operate a Police state, nor do they want to be restrained by unnecessary laws / rules that prevent them from carrying out their core functions. The European Code of Police Ethics states that ‘the police shall only interfere with individual’s right to privacy when strictly necessary and only to obtain a legitimate objective’.[1]
There is little difference between those that believe the citizen should have more human rights and freedoms and the beliefs of those that are responsible for policing society. Both want good governance and a just society; the difficulty often lies in the meaning of the written law and the effect it will have on policing.
It is hoped that this report may help to address the balance between the two groups in the debate and assist in showing that each can move forward to achieve the outcomes that are needed in a modern democratic society.
The author has not included in this report instances that may relate to the workings of the Security and Intelligence Agencies, as he believes he is no longer qualified to do so, having not worked in that area for a considerable time. He does however believe that in relation to the United Kingdom they would strongly argue to remain excluded under Article 4 Section 2 of the European Union Treaty.
This report has been submitted as a recommendation for a practical guide on the use of personal data by the Police based on the Principles of the recommendations in 87(15) of the Committee of Ministers.
The recommendations have been submitted in regards to policing, which includes the workings of such agencies that the general public would consider themselves policed by: Police, Customs and Revenue, Border Guards and financial investigators amongst others.
It should be made clear at the outset that the writer believes that the majority of Policing Agencies do conform to the Law and agree with open governance as well as allowing the citizen as much freedom as is possible within an open democratic society.
It is intended that the recommendations follow the Principles set out in (87)15.
Principle 1 Control and Notification
1.1 There can be no practical problem with any State having an Independent Supervisory Authority (ISA) to oversee the Police sector. The heads of any such authority should not be retired or ex Senior Police or Security Service and Intelligence Agency Officers (SS & IA). It is often the case that the headship of this type of Independent Authority is bestowed upon ex Senior Police or Intelligence Officers. When this occurs it may lead the public to believe the ISA is not entirely independent.
1.2 Officers should engage with the ISA if they wish to introduce any new technical data processing measure to ensure it complies with legislation.
1.3 This Principle should not cause problems for the Police and in many respects it is already the norm and complied with. The use of HOLMES and other automated systems has made the use of ad hoc files obsolete throughout Europe.[2]
Recommendation
A mandatory ISA should oversee the recommendations that follow in this document. The ISA is to authorise all new technical means of processing data prior to their implementation as well as overseeing permanently automated files.
Principle 2 Collection of Data
2.1 In regards to this Principle, an investigator must be allowed to obtain personal data concerning either the prevention of a real danger or the investigation of a specific type of offence, not a specific criminal offence as stated in the Principle. This would allow the investigator to work towards, for example, the arrest of an individual for drugs offences in general, rather than a particular drugs offence under an Act or section of a State’s penal code. It is not always possible until much later in the enquiry for a particular offence to be given a particular name under a penal code. The Police work both reactively in response to a crime that has been committed but also proactively against criminals who are believed to be committing or about to commit a crime. The exact nature of that crime may not be known for some time.
2.2 There should be no problem with the recommendation of 2.2 in the majority of cases. It would need a legislative change in the United Kingdom (UK). At the present time intelligence obtained by the use of “wiretapping” or the interception of mail cannot be admitted into evidence, nor can it be referred to in a Court. It is excluded under Public Interest Immunity rules (PII)[3] and s17 of the Regulation of Investigatory Powers Act 2000. Evidence is presented to the defence prior to trial and it is obvious in many cases that the information has come from a “wiretap”. Most citizens know interception takes place and instead of surrounding the practice in some form of mystique, which often prolongs trials and mystifies jurors, it should be admitted for what it is. The methods and technical detail of how this was undertaken should be protected to assist future investigations but informing the subject that they had been subject to surveillance would not present the investigator with any insurmountable problems.
2.3 There should be no problems in relation to Principle 2.3 and in most jurisdictions it is already being complied with. In the UK it is largely covered by the Regulation of Investigatory Powers Act 2000 (RIPA) and in accordance with Article 5 of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.
It would benefit the investigator and future investigations if the technical details of the surveillance were kept secure whilst admitting to the intelligence gained. However the ability of a State to undertake technical surveillance is well recorded in relevant literature.[4]
2.4 Whilst the majority of Principle 2.4 is agreed, reference to particular movements or organisations which are not proscribed may cause problems. Police often need to investigate an organisation in some depth to consider if it should be proscribed or whether an organisation is committing offences.
In the UK, the National Front (NF) and more recently the English Defence League (EDL) are organisations which are not proscribed but need to be investigated by the Police Service if for no other reason than to prevent serious public disorder. The investigation of similar organisations needs to be undertaken to see if any criminality is taking place or if the organisation may have an effect on the State in the future. The recommendation as it is currently written in relation to movements and organisations is too narrow and could prevent lawful investigation from taking place of organisations that may be involved in undemocratic activity. Care does however need to be taken in this type of investigation so as not to include in Police files those people who are also investigating the group, such as investigative journalists.
Recommendations
The Police should be allowed to collect data in relation to a type of criminal offence, not a specific offence. Once a case has been brought to Court, a subject should be allowed to see his criminal record and a redacted version of his intelligence record.
All technical collection of data should be specifically authorised according to law. The Police should be able to investigate movements and organisations providing they can justify the reasons before a Court or the ISA.
Principle 3 Storage of Data
3.1 In my opinion there should be no problems with this Principle. Data can fall into two categories: information based on facts, even though mistakes can be made in relation to those facts; and intelligence, which may be based upon facts or other hearsay information from a number of sources and which may need to be far more carefully assessed as it is likely to be more damaging to the subject.
3.2 This Principle should not cause problems for policing. All intelligence should be classified under the 5x5x5 system or something similar. The 5x5x5 system classifies intelligence in relation to: [5]
Source Evaluation, is it?
a. Always reliable
b. Mostly reliable
c. Sometimes reliable
d. Unreliable
e. An untested source
Intelligence Evaluation, is it?
1. Known to be true without reservation
2. Known personally to the source but not the Officer
3. Not personally known to the source but corroborated
4. Cannot be judged
5. Suspected to be false or malicious
Handling Code,
1. May be disseminated to other law enforcement and prosecuting agencies, (including law enforcement agencies within the European Economic Area (EEA), and European Union (EU) compatible (no special conditions))
2. May be disseminated to UK non-prosecuting parties (authorisation records needed)
3. May be disseminated to non-EEA law enforcement agencies (Special conditions apply)
4. May be disseminated within the originating agency only
5. No dissemination without reference to the originator or the requirement for special handling imposed by the Officer who authorised its collection
The handling codes can cause problems between jurisdictions. If a Covert Human Intelligence Source (CHIS) passed on information to a UK Police Officer and this was later forwarded to a European investigator / prosecutor who wishes to put the intelligence in the evidence chain and asks the UK for the CHIS’s details, the UK Police are likely to refuse and this would cause discord. In a similar manner, a UK Police Officer giving evidence in a European Court following an international criminal investigation would state they were acting upon information received. This may have come from a CHIS. The European Court may ask whether a CHIS was involved in the case and if so, ask for the CHIS’s identity. In the UK, it is likely that the CHIS’s details would be protected under the Public Interest Immunity rule (PII)[6]. In a European Country this may be seen as contempt of Court. It is often thought that providing information to agencies outside the EU can be extremely dangerous to the safety of the source, even if the information is provided through INTERPOL. Article 9.2 b of Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data does allow for exceptions to protect the rights and freedoms of others. Many other Countries do not have the same checks and balances that are seen as normal within the EU.
The 5x5x5 system is used to grade intelligence related to:
1. In the interest of National Security
2. Preventing or detecting crime and disorder
3. Maintaining community safety
4. Assessing or collecting any Tax or Duty imposed
5. Serving a significant public interest
It will be seen that maintaining community safety and serving a significant public interest are very wide definitions and they need to be more fully defined and addressed.
Factual information should be kept separate from intelligence. This may be an opportunity to define the meaning of intelligence and information across the EU. In the UK, facts (a criminal record) are kept on the Police National Computer (PNC)[7] whilst intelligence is kept on the Police National Database (PND). Information on the PND ought to be classified via the 5x5x5 system. Certain other computerised intelligence systems with many more restrictions on access may be in use by the anti-terrorist hubs and other units which investigate serious criminals. They should still adopt the 5x5x5 system but with more restricted access to the files by fewer people.
The PND type of information should be reviewed more frequently to check on its accuracy and reliability. It is this type of information that is more likely to be either incorrect or more harmful in itself if it is disclosed. The sharing of information (see later under Principle 5) will assist in keeping records up to date.
It is in this area that genuine mistakes are sometimes made. As an example, a file containing information, correct at the time of its input, states that person X lives at Y address. The Police execute a warrant on the address at Y to find that X has recently vacated the address permanently (see Principle 5 later). Intelligence is needed for the Police to perform their core duties for public protection, the prevention and detection of crimes, but it should be balanced against the rights of the individual.
3.3 Principle 3.3 states that administrative data should NOT be subject to rules applicable to Police data. This is confusing. Administrative data should be better defined, as it is currently unclear whether PNC or similar information is classified as “administrative data”. The very knowledge of a person’s criminal record alone can be very damaging; this recommendation should be more rigorously defined and explained (see later Principle 7).
Recommendations
As far as possible, stored data should be accurate as there is no value in storing incorrect data. Data storage should be limited to that class of information allowed by National law.
Intelligence data should be assessed by a 5x5x5 system or similar and intelligence systems should remain separate from criminal record files.
Principle 4 Use of Data by the Police
Personal data collected and stored by the Police for Police purposes should be used exclusively for that purpose. Providing the definition as explained on page 2 of R 87(15) is kept to, this should not cause any problems.
The Police often obtain personal data information that only they have access to and yet it is needed by other people, even outside the organisation. As an example, if person A is involved in a road traffic collision (RTC) with person B and A is taken to hospital it is likely that the personal details of B will be taken and stored by the Police. A will be unable to obtain those details for his insurance company if the Police cannot release them. This may be covered by Principle 5.2ib below.
In major incidents the Police often collate details of persons involved. This must be shared with other agencies which are not Policing Agencies; at times it may even include the press. For this reason this regulation needs greater clarification and needs to conform to the European Code of Police Ethics.[8]
Recommendations
The Police should only share data kept by them with legitimate agencies and for legitimate reasons. This could include other agencies, the public and the press. Any misuse of Police data under National law should carry sufficient sanctions to deter any improper use.[9]
Principle 5 Communication of Data
5.1 This should not cause too much of a problem although it might need some minor legislative change in certain areas. The Police currently exchange data within their own sector although there may not be any legislation that specifically authorises the practice.
5.2ia This should not cause problems to Policing Agencies. At the present time, the Police Service in the UK provides information to the Disclosure Barring Services (DBS)[10] to allow that service to carry out its lawful duties. The PNC can currently be accessed by 56 non-police bodies.[11]
5.2ib This may cover part of the concerns addressed in Principle 4 above but only in so far as it relates to public bodies; insurance companies etc. would not be covered by this section. The term “indispensable” may need defining so it has the same interpretation across the EU.
5.2iia This Principle could cover some of the concerns in Principle 4 above but it still relates to public bodies and not those outside the public sector.
5.3i Whilst the object of this regulation is clear and understood, it is considered that the wording is too strong for the intent.
There are many instances where the Police have personal data related to one person. They then pass that information to another person to assist them. This practice would not currently be covered by law and it would be far too onerous to legislate for in all instances. A simple case would be when person A loses an item. It is found by person B who hands it in to the Police. The Police contact person A, who comes to collect the item and who requests the details of person B in order to thank or reward them. Principle 5.3i would preclude the Police from giving the information and yet it is on the face of it an innocent request and most people in a regularly organised society would agree to it.
This could be covered by person B being asked if they consent to their details being passed to A, but this type of incident happens many times a day in all sorts of Police encounters and Principle 5.3i as written would prevent this. It might be argued that this is too trite an example and it may be said that the regulations are not meant to deal with this type of interaction. This must be made clear if that is the case as many people are now concerned not to infringe EU Law. This has caused policing to become stymied by becoming overly bureaucratic as everything has to be recorded in case it is needed later.
5.3ii This would assist in the instance referred to in Principle 4 above where the Police have information that could be provided to an insurance company. This would be of benefit to their client; the worrying words in this Principle are “exceptional circumstances”. This is an almost daily event and could hardly be seen as exceptional.
This Principle does however engage many of the concerns addressed at Principle 4 above. The Police could share information gathered with other emergency services under this Principle.
5.4 This should present few problems, although in some States it may need a minor legislative change. It should be made clear however that although it may be allowed by law it is not mandatory for one State to share information with another State. As has been explained above under Principle 3 on page 5, State A may not wish to disclose the source of its intelligence to State B even though they are willing to share the information within the intelligence.[12] The European Code on Police Ethics states that “Police organisations shall be ready to give objective information on their activities to the public, without disclosing confidential information”. Once again there may be a good case for defining the meaning of information and intelligence.
Police bodies, on this occasion, should be read in its widest sense to include all those involved in policing, which may on this occasion include SS & IA.
5.5i This Principle should not cause any problems; however, it should be made clear to the agency being supplied the information whom else the information may be shared with. The agency being supplied with the information should comply with any caveats that the supplying organisation insists upon. This would prevent a CHIS having protection in his home State but then being exposed in another State by the disclosure of the intelligence. It would also prevent information being relayed from State A to a third State via State B when State A would not normally share information with the third State.
5.5ii This Principle would be greatly assisted by the use of a 5x5x5 grading system mentioned above at Principle 3.2 at page 5.
There is an obvious need for this Principle to be introduced into the recommendation but it should be understood it will considerably add to the time it will take to pass information from one agency to another.
Data can be checked at the time of its original submission by use of the 5x5x5 system or similar.
At the time of its communication to another party, unless it is so close to the time of submission, it would need to be re-checked for its validity. This is obviously an important and valid check to maintain the rights of a citizen; however it will take time because:
a. The original informant of the data needs to be traced and questioned.
b. Individual transfers within the criminal justice system take place often and their movements are not always easy to trace.
c. The original informants retire.
d. The original informants die.
This relates mainly to the source of intelligence data as normal criminal record type data can more easily be checked for its veracity by reference to other official data.
There should be a system in this Principle so that data still believed to be correct can be passed, even though it has not been checked for accuracy, so long as this fact is communicated to the requesting agency. This would only occur in exceptional circumstances and it should also be made clear that information passed from party A to C via B does not need to be re-checked by B as this again would be excessively bureaucratic. Party A will of course verify that the data is correct and current to the best of their knowledge and belief.
5.5iii This Principle should be acceptable to all, although it may need to be made explicit here that the data should not be passed to a third party via the recipient without the permission of the sender. This should be the case even if the receiving agency is permitted to do so under its national legislation in accord with recommendation 5.2 and 5.4 above.
5.6 This Principle should be accepted with a proviso that in exceptionally urgent cases permission can be sought either by electronic means or in retrospect.
Exceptional urgency would need to be fully justified to the ISA and if the ISA did not agree the data would need to be destroyed by the recipient and on no account used for prosecution. This would prevent an overzealous Officer attempting to circumvent the Principle but also allow for out of hours contacts when the authorising ISA Officer may not be available.
It should also be made absolutely clear in the Principle that this exception is NOT an excuse to circumvent the Principle.
It might need legislative changes in some States.
Recommendations
The interchange of data from the Police to any other agency must be justifiable, necessary and proportionate. There may not always be legislation that specifically allows such interchange, but it needs to be justified so as to stand scrutiny by the ISA or a Court if necessary.
The supplier of the data must be allowed to place caveats on the further dissemination to the agency supplied with the information. The supplied information must be checked and given an assessment as to its reliability prior to despatch using the 5x5x5 system or similar.
Principle 6 Publicity, Right of Access to Police Files, Right of Rectification and Right of Appeal
6.1 There is little doubt that the public should be aware about the types of files that the Police maintain. The public should have the right of access to their personal data kept on their own files (see below).[13]
Criminal record files should contain correct current information and there can be no objection to the public having access to their own file to see that the data it contains is correct. Data on this type of file will in the main be a matter of public record having been updated from open public Court records or the information on this type of file will have been provided by the individual person themselves, such things as name and address, DOB, personal description etc. The public should be allowed to check the veracity of such files.[14] There should be some form of caveat however that people can only check on one occasion after each change to their personal file. This will prevent people making daily applications for nuisance value, with which the system could not cope. A reasonable charge may also need to be included as this will be a costly process.[15]
There will however be difficulties over intelligence files kept on known career level criminals or known / suspected terrorist subjects.
It is axiomatic that access to this type of file cannot be allowed during an investigation. It should be noted that this type of investigation may be current for a number of years. Article 9 of Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data does allow exceptions in this area for the suppression of crime.
There should be little problem in allowing access to this type of file after conviction or acquittal, the file having been suitably anonymised to ensure that nothing can lead to the identification of a CHIS or other covert Policing method. No doubt this recommendation would receive criticism from serving Police Officers particularly in the UK, but it can be undertaken once current attitudes are challenged and changed.
The problem will come as to what point, if ever, access is given to a personal file when no charge has ever been brought.
Career criminals may be investigated for many years without a charge having been brought against them. If such people were allowed to have access to their own intelligence files every two years, for example, it would create bureaucratic problems for Policing Agencies in having to regularly redact files. The same can of course be said for people involved in terrorist offences; it would not be sensible to give wanted terrorists access to their intelligence files until they have been caught.
The findings in the RESPECT draft law The Right to Information, Article 10 (2) at page 28 need to be challenged in this respect if it is to be accepted by the European Parliament.
This will be the most contentious area of this Principle. Those who believe in absolute openness and freedom of access will argue that open unfettered access should take place. Those who deal with career criminals and terrorists will argue it should not or at least not until after a successful prosecution.[16]
6.2 As stated above in relation to access to an individual’s criminal record, this Principle will cause few problems as it is data that in the main is already a matter of public record albeit compiled from disparate sources. The problem will come in regards to intelligence file data mentioned above. If a fixed time scale is given under the proposed regulations it will seriously hamper ongoing Police enquiries and will also be a source of much debate which may seriously delay the introduction of much of the uncontested legislation contained in the Principle.
6.3 This section should cause few problems and indeed this is the reason for the subject having access to their own file. This will relate more to a criminal record file than an intelligence file for the reasons stated above.
Even in relation to intelligence files there should be a system of regular in house checking and any errors should be corrected as soon as possible. This not only benefits the data subject but also the Police themselves as they do not wish to act upon false information. This checking system should be made mandatory even if it means that the Police only have to check a percentage of intelligence files each year. It may prove impossible to check details of all files, however, if a great number of errors are found in the percentage checked it would encourage the Police to continue with the practice. As stated above, incorrect data in files is of no use to the Police.
6.4 This section will again cause much debate. There should be no problem with the subject’s right of access to his own criminal record file.[17] The problem will arise over the issue of access to his intelligence file for the reasons stated above. The argument is not about the facts contained in the intelligence file but it will be in regard to the disclosure of CHIS’s and other technical Police surveillance techniques which will be exposed by giving subjects access to their own intelligence file. It would be a substantial and worrying task for the police to redact information from the file. Section 6.4 does allow for this type of file not to be disclosed if it is indispensable for the performance of a legal task or for the protection of the legal rights of others. This would almost certainly be used as a blanket ban on release and this would be the cause of many individual actions which would no doubt slow down the criminal justice appeals system. See the five Constables case.[18]
6.5 This Principle has been dealt with in 6.4 above and it would be the cause of considerable resourcing problems for the legal departments of each Police Service to have to justify each file so that it is not disclosable. There will be many cases where a file can be disclosed, for example when person A was thought to be involved with person B but it was quickly discovered this was not the case. The file was closed and it was stated quite clearly on the file that A had committed no illegality and was not involved with B. It is not thought that this type of file will be the subject of a request for information; most citizens have no interest in asking about their file as they know they will either not have a file or it will say nothing to their detriment.
It is the career criminal and suspected terrorist who will wish to make constant checks on their personal intelligence file. In the case of L v Commissioner of Police for the Metropolis[19] it was stated that the weight of the information which ought to be disclosed must be balanced against the right of the individual. See also T v Chief Constable of Greater Manchester Police.[20] However, public attitude, knowledge and the implementation of the Human Rights Act 1998 may have raised citizens’ awareness and many more applications might now be expected.
In the recent Supreme Court case involving John Catt [21] the Court held that overt surveillance on Catt who attended a number of demonstrations was necessary and proportionate and complied with Human Rights Law. The Court held that the Police needed operational discretion when looking at groups even though individuals might have minor intrusions into their Human Rights. This case is likely to proceed to the European Court of Human Rights.
On the introduction of the Freedom of Information Act 1998 into the UK, it was thought that many thousands if not millions of requests would be made from people wishing to have access to their file. In Greater Manchester in the UK, one of the largest conurbations in the Country, only four requests were received in the first year after the Act came into force.
6.6 The right of appeal should cause no problems in a democratic society.[22] The Police should be able to prove that any refusal to inspect a personal file is justified to an independent ISA. If they cannot justify the refusal then the subject should be enabled to gain access despite the comments above. This may require the ISA staff to have particularly high security clearance to be able to view the disputed files. This may warrant additional staff at the ISA and the subject should be made to pay a reasonable fee to prevent frivolous and vexatious applications without preventing genuine enquiries.
Recommendations
The public should be aware of the type of criminal record files kept by the Police. They should also be made aware of what type of intelligence files are kept but not the specific content.
Subjects ought to be able to access their criminal record files to check for errors and if found, they should be immediately rectified.
Intelligence files should be subject to more stringent access rules: they should not be available during an ongoing investigation and they should be redacted prior to the subject being able to read them. Intelligence files should not be subject to a time element for their disclosure. Suggesting a date for disclosure would be arbitrary and, as has been explained above, enquiries may take many years to conclude. To impose an arbitrary time limit would subject Police investigations to unnecessary stress as they would be forced to disclose evidence prior to the completion of enquiries, which makes little sense.
Principle 7 Length of Storage and Updating of Data
7.1 If data is required for certain operations or if it is taken under administration / legal rules at the time of arrest, it should be destroyed if the subject is acquitted at Court or if the data is no longer required for the enquiry.[23]
DNA is often taken and kept after acquittal or after being given voluntarily in the course of a serious enquiry. This practice should stop.[24] Technically it should be far easier to remove records as most are stored in a digital format. It should be a relatively easy task to place a marker on a criminal record file to have it removed when the conviction is spent. In the UK there are ten million criminal records on the PNC and they are currently kept until the 100th year from the subject’s date of birth.[25] It was held in L v Commissioner of Police for the Metropolis that there is no problem or objection to keeping data for extended periods. The argument comes with whom and when it should be shared.
The length of time a State keeps criminal record data is different across the European Union. The UK, the Czech Republic and Slovakia appear to be retaining data for the longest periods, all until the subject’s 100th birthday.
Few people, even the best in society, are the same people they were in the past and subjects should have the right to move on from errors made previously. This would be subject to exceptions, regarding certain serious offences and subject to individual assessments made regarding the subject’s records when applying for certain occupations.
In the UK, subjects requiring access to certain occupations, such as those dealing with access to children, vulnerable adults, general practitioners, dentists, prison or police officials, to name a few, have to obtain a certificate to assure their employer that they either do not have a criminal record or declare in full the detail of every relevant matter held on central records.[26] This should be made standard practice throughout the EU to allow for the free transfer of labour throughout all EU States.
These records are held by the DBS in the UK who are given access to criminal records from the Police under regulations made under Section 122 of Part V of the Police Act 1997.
7.2 Subject to the conditions above this Principle should be agreeable, although it may require an increase in administration staff at the Police, DBS and ISA level but this should not prevent it from being implemented. The fact that a 20 year old used drugs and has never committed an offence for a further 20 years should not mean that his records are kept for a further 60 years, even though he may not need to disclose this criminal record as it is spent. It is somewhat arbitrary to keep this type of record until the subject is 100 years old, although the Supreme Court in the UK would disagree.[27] [28]
Recommendations
There should be a European Union standard time laid down for the storage of data.
Data should only be stored for the purposes it was collected.
Principle 8 Data Security
It is in everyone’s interest that this Principle is complied with; the Police in particular do not want files stolen, hacked, released or deleted without their knowledge.[29]
The highest physical and technical security, subject to financial constraint, should be adopted for all data with even higher access restrictions for certain types of intelligence material.
In the UK, all Police Officers have access to the PNC criminal record files in the course of their duty. There are of course access and physical checks on obtaining this information. Far fewer Officers would be able to access the intelligence files of career criminals and even fewer would have access to the security files of suspected terrorists. There is an even smaller percentage of Police Officers who are able to gain access to the intelligence files of the Security and Intelligence Services and even then only via those agencies and not with direct access.
This appears rational as it enables Police Officers to get necessary access to criminal records, which in the main only contain factual matter. However, those files could contain errors such as incorrect dates or addresses. The intelligence files of career criminals and suspected terrorists are only obtainable on a need to know basis and access is rigorously controlled. It can be appreciated that errors in this type of intelligence file can be far more damaging to the individual as they will contain far more opinion and subjective comments rather than fact.
It has already been stated above that there must be a balance kept on what is needed for the Police to perform their core duty and the rights of an individual.
Recommendations
Agencies should maintain both physical security of the data as well as password protection and they should prevent cyber-attacks on the data as far as possible.
If data is being physically moved from one place to another it should be encrypted or escorted by two people. There are far too many occasions involving the in-transit loss of a compact disc or other portable storage device containing personal information of subjects.[30]
Conclusion
There is now a need for a legally binding instrument across Europe as detailed by the findings of Professor Cannataci and Dr Caruna.
The difficulties presented in gaining agreement for this could be overcome with detailed discussions on the meaning and perceived outcomes of some of the terms used in (87)15. The time may now have come for Human Rights groups and the small group of Senior Policing Officers from across Europe to come to an agreed decision on what outcomes are required and to have those decisions placed into a binding document based on the proposals of (87)15.
[1] The European Code of Police Ethics R (2001) 10 of the Committee of Ministers of Member States
[2] Home Office Large Major Enquiry System
[3] The Criminal Procedure Rules 2005 (S.I.2005 No.384)
[4] Peter Jenkins, Surveillance Tradecraft – The Professional’s Guide to Covert Surveillance Training (3rd edn Intel publishing 2010)
[5] ACPO Guidance on the National Intelligence Model (NCPE 2005)
[6] ibid 2
[7] Section 27(4) of the Police and Criminal Evidence Act 1984
[8] Article 42 of The European Code of Police Ethics R (2001) 10 of the Committee of Ministers of Member States
[9] Article 10 of Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.
[10] Section 122 of Part V of the Police Act 1997
[11] S and Marper v UK [2008] 1581.p 87 Lord Styn
[12] Recommendation 19 of The European Code of Policing Ethics R (2001) 10 of the Committee of Ministers of Member States
[13] Article 8 of Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.
[14] Article 5 of Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.
[15] Section 7 of the Data Protection Act 1998
[16] Section 29 Data Protection Act 1998
[17] Article 8 of Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.
[18] (2009) EWCA Civ109
[19] (2009) UKSC3
[20] R on the Application of T, JB and AW and the Chief Constable of Greater Manchester Police, the Secretary of State for the Home Department, Secretary of State for Justice [2013] EWCA Civ25
[21] R (on the application of Catt) (Respondent) v Commissioner of Police of the Metropolis and another (Appellants) [2015] UKSC 9
[22] Section 117 Part V The Police Act 1997
[23] Article 5 of Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.
[24] Protection of Freedoms Act 2012
[25] Ibid 7
[26] The Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (Amendments) (England and Wales) Order 2013 and the Police Act 1997 (Criminal Record Certificate; relevant matters) (Amendments) (England and Wales) Order 2013.
[27] Ibid 7
[28] S and Marper v UK [2008] ECHR 1581
[29] Article 5 of Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.
[30] David Harrison “Government record year of data loss” The Telegraph (London 6 Jan 2009) 1