Judgment Approved by the court for handing down
26.
R (Bridges) v CCSWP and SSHD
Section 35(8) of the DPA 2018 defines “sensitive processing” as means
activities including:
“…the processing of… biometric data… for the purpose of uniquely
identifying an individual.”
27.
Section 205(1) of the DPA 2018 defines “biometric data” as:
“…personal data resulting from specific technical processing relating
to the physical, physiological or behavioural characteristics of an
individual, which allows or confirms the unique identification of that
individual, such as facial images or dactyloscopic data”.
Conditions
28.
Section 35(5) prescribes conditions which must be satisfied before the
processing of biometric data for law enforcement purposes may be permitted.
These conditions are threefold: (a) the processing is strictly necessary for the
law enforcement purpose;
(b) the processing meets at least one of the conditions in Schedule 8, and (c)
the controller has an appropriate policy document in place (see section 42).
29.
The Schedule 8 conditions include:
“1. Statutory etc purposes
This condition is met if the processing(a) is necessary for the exercise of a function conferred
on a person by an enactment or rule of law, and
(b) is necessary for reasons of substantial public interest.
2. Administration of justice
This condition is met if the processing is necessary for
the administration of justice.
…
6. Legal claims
This condition is met if the processing(a) is necessary for the purpose of, or in connection
with, any legal proceedings (including prospective
legal proceedings)…”
30.
Section 42 contains requirements in respect of the “appropriate policy
document” referred to in section 35(4), that must be in place:
“42 Safeguards: sensitive processing
(1) This section applies for the purposes of section
35(4) and (5) (which require a controller to have an
appropriate policy document in place when carrying