Judgment Approved by the court for handing down.
R (Bridges) -v- CC South Wales & ors
with a person on the watchlist is automatically deleted without any human observation
at all and that this takes place almost instantaneously. We would hope that that feature
of the current scheme would not simply be set out in a policy document by way of
description but that it would be made clear that such automatic and almost instantaneous
deletion is required for there to be an adequate legal framework for the use of AFR
Locate.
94.
We would accept, and indeed it was common ground, that it is not for the Appellant or
for this Court to design a particular set of policies in order for them to comply with the
quality of law requirement. We are satisfied, however, that the current policies do not
sufficiently set out the terms on which discretionary powers can be exercised by the
police and for that reason do not have the necessary quality of law.
95.
We make it clear that we would not wish to be unduly prescriptive as to the content of
any new policies, for example the principle of “neither confirm nor deny” is wellestablished and would have to be respected.
96.
It might even be that, once the “who” question can be satisfactorily resolved, that will
give clear guidance as to the “where” question. This is because it will often, perhaps
always, be the case that the location will be determined by whether the police have
reason to believe that people on the watchlist are going to be at that location.
97.
We now turn in more detail to each of the three elements of the legal framework which
the Divisional Court found to be sufficient to have the quality of law in the present
context: the DPA 2018, the Surveillance Camera Code of Practice and SWP’s local
policies.
Data Protection Act 2018
98.
As Mr Beer pointed out at the hearing before us, the present context is governed not
simply by the general provisions in the DPA 2018 but by Part 3, which deals
specifically with the subject of law enforcement processing.
99.
Section 31 defines “the law enforcement purposes” in this context as:
“The purposes of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal
penalties, including the safeguarding against and the prevention
of threats to public security.”
100.
Chapter 2 of Part 3 sets out the governing principles. Section 34 provides an overview
and explains that the Chapter sets out the six data protection principles. The first data
protection principle, set out in section 35(1), is that processing must be lawful and fair.
101.
Amongst the requirements of the first data protection principle, set out in section 35,
are the following. The processing of personal data for any of the law enforcement
purposes is lawful only if and to the extent that it is “based on law” and either (a) the
data subject has given consent to the processing for that purpose or (b) the processing
is necessary for the performance of a task carried out for that purpose by a competent
authority: see subsection (2).