Over the last few years, data privacy in policing has become a topic of public interest. In an age where we generate data constantly, the ethical management and exploitation of this data, both by commercial organisations and by governments, requires a change in mindset around how data is stored, safeguarded and disposed of.
It is more critical than ever that law enforcement agencies understand their obligations to comply with the Data Protection Act (in order to abide by the General Data Protection Regulation - GDPR) as well as specific requirements around managing police information. They have a duty of care to the public to protect any data that they hold, and they must be able to demonstrate that this data is obtained and processed lawfully, held securely and not exploited inappropriately. Trust is essential for public engagement with law enforcement: if there is a sense that organisations cannot be trusted to handle information, this will begin to erode the philosophy of ‘policing by consent’ - the idea that the public approve of and are willing to cooperate with the police, which underpins law enforcement within the UK.
Whilst law enforcement is well practised at obtaining data lawfully and legitimately and storing it securely, historically there has been less focus on managing that data once it has been acquired. The 2018 Data Protection Act (the UK’s implementation of GDPR) states that data must not be held for longer than is necessary, meaning that law enforcement agencies need to know exactly what data they hold and for how long they have held it.
In addition to this they need clear data retention policies which set out how long different types of information can be retained lawfully, as well as ways of effectively implementing these policies (i.e. the ability to apply retention rules to data held in systems, and to manage reviewing and retaining or deleting it in a timely manner).
Establishing and implementing such information management policies is no simple exercise, especially when retro-fitted across multiple systems and applied across agencies that may be sharing data across investigations. Firstly, in policy terms, you need to determine the level of granularity at which to apply review, retain and delete policies. For example, do you treat a text document as a single information item which will be reviewed after five years and either entirely retained (if lawful and appropriate) or entirely deleted, or is the policy applied to every occurrence of data within it, meaning that after five years each data item would need to be reviewed and a decision made as to whether to retain or delete it? What if that information exists in other systems as well?
Secondly, the complexity and longevity of many investigations (often running across partner organisations with different remits and responsibilities) means that successful information sharing can lead to an ongoing duplication of records and increasing difficulty in understanding where data is mastered and where the responsibility for review and eventually deletion lies. With limited interoperability across disparate systems and different agencies, it can be all too easy to simply send over yet another spreadsheet. Even if managed compliantly at source, where does the responsibility for avoiding this unnecessary data proliferation lie?
Finally, policing relies on a variety of different legacy systems, some of which are only used by a single force, department or even team. It is a significant challenge to update these systems to comply with today’s data privacy requirements: retrofitting functionality to cover the review and disposal of data is costly, and diverts resources from pressing day jobs.
The concept of ‘privacy by design’ is not new and has been advocated by the Information Commissioner’s Office for many years. However, following the introduction of the 2018 Data Protection Act there is now a legal obligation to consider the entire lifecycle of personal data, from collection through to disposal.
This means shifting away from the mindset of ‘keep hold of data forever’, limiting collected data to what is needed, ensuring appropriate measures are implemented when sharing data, and ongoing review across business processes and systems.
Therefore, data privacy ‘by design and default’ should be a core consideration for any new system, and we have developed a number of tools to check and confirm data privacy compliance from the concept stage right through to delivery. We start with a Data Protection Impact Assessment to consider all aspects of the project and how data will be retained and managed. We then have a series of checklists which can be used either to kick-start a new project or to review in-flight work or legacy systems.
We are conscious of the need to support compliance with Management of Police Information (MoPI), which requires forces to be able to review and assess the retention of information across all systems. Having tackled the same problem several times now, we have begun to establish design patterns to enable information to be searched, identified and removed at a granular level with automated triggering across systems. Incorporating this into the design significantly reduces the time and manual effort required to manage information compliantly, as well as removing the need to implement this functionality further down the line when, as previously mentioned, it will undoubtedly be more complex and costly.
The cultural aspects of getting data privacy right shouldn’t be underestimated. As well as considering privacy from the outset when commissioning new systems, organisations need to keep thinking about it.
In practical terms a good starting point is ensuring that each new project’s impact on the data you hold is understood, and capturing this as part of your organisation’s Record of Processing Activities (RoPA). Building on this to continually catalogue information sharing agreements and protocols both internally and with external organisations can help ensure that you won’t later find yourself swamped in a quagmire of unmanageable data.
Privacy by design means taking the whole information lifecycle into account: ensuring that data is processed in accordance with the law, protected and stored securely, and that its ongoing management is considered right through to deletion. Not only can retro-fitting data privacy measures be challenging and costly, but as systems engineers we have an ethical obligation to our customers and the public to consider these from the outset. Privacy by design is a mindset and a culture - sometimes there will be no material impact on a project - but considering these principles from the beginning supports law enforcement in treating both the public’s data and their trust as the valuable commodities that they are.