Judgment Approved by the court for handing down
R (Bridges) v CCSWP and SSHD
Policy Document”).20 Although this document provides some explanation of
SWP’s policies for securing compliance (as required by section 42(2)), the
narrative is brief and lacking in detail. We note that there is no systematic
identification of the relevant policies and no systematic statement of what
those policies provide. In particular, the document does not appear to address
the position of members of the public. For these reasons, we think it is open to
question whether this document, as currently drafted, fully meets the standard
required by section 42(2).
140.
It is right to observe that the description of the appropriate document in section
42(2) DPA 2018 is itself generic. We note that, when referring to the section
42 “appropriate policy”, the Information Commissioner’s website does no
more than set out what the Act says. It would be desirable to see specific
guidance from the Information Commissioner, in exercise of her powers under
Schedule 13 to the DPA 2018, on what is required to meet the section 42
obligation. In her Skeleton Argument for this hearing, the Information
Commissioner suggested that “ideally” the SWP document should be more
detailed. We agree.
141.
For the moment, we confine ourselves to the above observations. Given the
role of the Information Commissioner and the prospect of further guidance, we
do not think it is necessary or desirable for this Court to interfere at the present
juncture and decide whether the SWP’s current November 2018 Policy
Document meets the requirements of section 42(2) of the DPA 2018. In our
view, the development and specific content of that document is, for now, better
left for reconsideration by the SWP in the light of further guidance from the
Information Commissioner.
(3)
Claim under section 64 of the DPA 2018
142.
Section 64 of the DPA 2018 sets out an obligation to undertake impact
assessments.
“64 Data protection impact assessment
(1) Where a type of processing is likely to result in a high risk
to the rights and freedoms of individuals, the controller must,
prior to the processing, carry out a data protection impact
assessment.
(2) A data protection impact assessment is an assessment of the
impact of the envisaged processing operations on the protection of
personal data.
20
The full title is “Policy on Sensitive Processing for Law Enforcement Purposes under
Part 3 Data Protection Act 2018. South Wales Police (SWP) Automated Facial
Recognition (AFR). Processing biometric data to uniquely identify a person” dated
November 2018 (“the November 2018 Policy Document”).