Judgment Approved by the court for handing down
37.
R (Bridges) v CCSWP and SSHD
Unlike the SC Code, there is no requirement for SWP to have regard to the
AFR Guidance. This guidance was first published in October 2018 and republished without changes in March 2019 (i.e. after the two deployments of
AFR about which the Claimant complains).
The Information Commissioner
38.
The Information Commissioner published high level guidance on the
safeguards for law enforcement processing under Part 3 of the DPA 2018, and
in particular as the appropriate policy to be issued:
“What safeguards are required for sensitive processing?
If you are carrying out sensitive processing based on the consent
of a data subject, or based on another specific condition in
Schedule 8 of the Act, you must have an appropriate policy
document in place.
The appropriate policy must explain:
-
your procedures for complying with the data protection principles
when relying on a condition from Schedule 8; and
-
your policy for the retention and erasure of personal data for this
specific processing.
You must retain this policy from the time you begin sensitive
processing until six months after it has ended. You must review
and update it where appropriate and make it available to the
Information Commissioner upon request without charge.”
39.
The Information Commissioner states that, whilst further clarification and
detail is required (particularly in relation to the specific Schedule 8 condition
relied on for AFR, and on lawfulness and fairness), she is of the view that the
SWP’s current document does meet the requirements to constitute an
overarching “appropriate policy document” within s.42 of the DPA 2018. We
agree.
SWP Documents
SWP Policy Document
40.
SWP have issued a policy document entitled “Policy on Sensitive Processing
of Law Enforcement Purposes, under Part 3 Data Protection Act 2018”
(Version 2.0, November 2018) (“the Policy Document”).
The Policy
Document sets out SWP’s policy as regards compliance with the six Data
Protection Principles in Part 3 of the PDA 2018:
“3. Compliance with Data Protection Principles