38
Investigatory Powers Commissioner’s Annual Report 2019
7.25
In relation to the third group, all local authorities have received a letter reminding them of
their obligations to safeguard data obtained under their powers. At all future inspections
we will investigate whether they are holding data properly and will discuss these
obligations with them.
Data compliance self-assessment
The self-assessment request asked the following questions in relation to each power used by
the force:
• Does your authority collect data under investigatory powers?
• Does your authority retain data collected under investigatory powers?
• Does your authority retain data collected under investigatory powers on bespoke data
handling or IT systems? If so, what are they?
• Does your authority use systems outside of the primary workflow/data handling system to
back up or analyse the data? If so, what are they?
• Does your authority retain data collected under investigatory powers which is then
processed on a system outside of the organisation’s IT estate, such as a server operated by a
commercial organisation (possibly as part of a service agreement (i.e. cloud computing))?
• Are there access, retention and destruction safeguards in place across your data handling
and IT infrastructure? If so, what are they?
• Who is responsible for ensuring that these safeguards are fully enacted?
• Are you aware of any areas of your data handling or IT infrastructure which do not apply
access, retention and destruction safeguards?
• Does your authority adhere to any additional policies in relation to access, retention and
destruction of data obtained under investigatory powers?