Sensitive processing for law enforcement purposes - Appropriate policy document

First published

20 Sep 2024

Last updated

20 Sep 2024

Who are we?

The Crown Office and Procurator Fiscal Service (COPFS) is Scotland’s prosecution service and death investigation authority. We receive reports about crimes from the police and other reporting agencies and then decide what action to take, including whether to prosecute someone.

We also look into deaths that need further explanation and investigate allegations of criminal conduct against police officers.

We play an important part in the justice system, working with others to make Scotland safe from crime, disorder and danger.

We make our decisions independently and in the public interest. We follow the process set out in the Prosecution Code to make decisions.

Our headquarters are located at Crown Office, 25 Chambers Street, Edinburgh, EH1 1LA.

The purpose of this policy

This policy explains COPFS’ procedures for ensuring compliance with the data protection principles relating to sensitive processing for law enforcement purposes, as well as relevant erasure and retention policies.

This policy is a requirement under Section 42 of the Data Protection Act 2018.

What is sensitive processing?

Section 35(8) of the Data Protection Act 2018 defines “sensitive processing” as:

  • The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership.
  • The processing of genetic or biometric data, to uniquely identify an individual.
  • The processing of data concerning health.
  • The processing of data concerning an individual’s sex life or sexual orientation.

Law enforcement purposes

“Law enforcement purposes” are the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

It is necessary for COPFS to carry out sensitive processing to fulfil our prosecutorial and death investigation obligations. COPFS is therefore listed under Schedule 7 of the Data Protection Act 2018 as a competent authority by way of the Lord Advocate, Crown Agent and Procurator Fiscal.

Section 35 of the Data Protection Act 2018 states that sensitive processing for law enforcement purposes is only permissible if:

a. The data subject has given consent to the processing for a specific purpose

Or

b. The processing is necessary for a law enforcement purpose and meets at least one condition within Schedule 8 of the Data Protection Act 2018.

Regardless of which condition is met, the controller must also have an Appropriate Policy Document (APD) in place. If either of these conditions is met and the controller has an appropriate APD, sensitive processing will be . Due to our responsibilities, COPFS relies primarily on (b) and does not rely on consent except in certain circumstances.

Law enforcement Data Protection Principles

Part 3 of the Data Protection Act 2018 requires personal data to be:

1. Lawfulness, fairness and transparency

COPFS’ privacy notices detail why and how we process personal data and our lawful basis for doing so.

As the prosecution and death investigation service for Scotland, our processing is necessary for a purpose of significant public interest.

2. Collected for specific, explicit and legitimate law enforcement purposes, and not processed in a way that is incompatible with the purpose for which it was collected

COPFS will ensure that sensitive processing will be restricted to that which is necessary to allow us to fulfil our obligations as a criminal prosecution and death investigation service and will not be used for a matter which is not a law enforcement purpose unless authorised by law to do so.

Sensitive processing may however be used for another law enforcement purpose by COPFS or another appropriate organisation that is authorised by law to carry out law enforcement 

3. Adequate, relevant and not excessive in relation to the purpose for which it is processed.

Personal data held by COPFS is restricted to that which is necessary only for the purposes of processing.

4. Accurate, and where necessary, kept up to date. The controller must also ensure reasonable steps are taken to rectify any inaccuracies once known.

COPFS recognises the importance of accurate data. Staff are made aware of the need for accuracy and any inaccuracy identified will be rectified where appropriate.

Where this is not possible, an addendum will be added to that data advising and any reasons for not amending the data will also be recorded.

5. Kept no longer than is necessary for the purpose for which it is processed.

The COPFS Records Management Manual dictates the length of time material, including personal data, should be kept in certain circumstances. This includes when sensitive processing is carried out in accordance with Schedule 8.

Where consent for sensitive processing has previously been provided and subsequently withdrawn, the data will be destroyed in line with legislative.  

6. Processed in a manner that, by using appropriate technical or organisational measures, ensures appropriate security of the personal data.

COPFS employs stringent measures, both technical and organisational, to ensure the security of the data we hold.

Technical

COPFS maintains an IT Security Management System to ensure the security of data, information, IT systems and services. 

Security controls, policies, and procedures are compliant with UK and Scottish Government cybersecurity strategies and standards.

COPFS security controls and configurations are subject to annual independent audit, health check and accreditation under the UK Home Office and UK Cabinet Office PSN, PSN-P and Cyber Essentials Plus schemes.

COPFS deploys security industry best practices and tools, including the Microsoft E5 security suite incorporating MS Purview, Data, Data Classification, Data Loss Prevention, and e-Discovery. 

COPFS operates an organisation-wide SOC and MDR Service, actively monitoring, identifying, and responding to vulnerabilities and threats to its IT and information assets.

Organisational

All entrants to COPFS are required to undergo an Enhanced Disclosure Scotland check prior to appointment and, once employed, are required to undertake mandatory data protection learning.

All COPFS staff are provided with training on relevant systems and are subject to relevant policies such as our Clear Desk policy (including handling of materials in line with the Government Protective Marking Scheme) and our Acceptable Computer Use policy.

All COPFS sites are secured and accessible only to those with relevant permissions.

CCTV is also used across the COPFS estate.

Erasure of personal data

Requests for the erasure of personal data will be dealt with in accordance with Section 47 and Section 48 of the Data Protection Act 2018.

Any decisions made by COPFS relating to such requests will be recorded.

Retention and review of this document

This policy will be reviewed on an annual basis and updated as necessary.

This document was last reviewed on 19 September 2024.
