The Data Protection Act
Updated 11/08/08
- Introduction
- The Data Protection Act 1998
- Requirements of the Data Protection Act 1998
- The Principles
- Compliance policy
- Rights of Individuals under the Act
- Responsibilities of Managers
- Procedures for Handling Subject Access Requests
- Criminal Offences
Introduction
The Data Protection Act 1998 (DPA) came into full force on 1st March 2000, although the transitional date for the CPS was 24th October 2001. The aim of the Act is to protect personal privacy. Any person or organisation that processes personal data must do so in compliance with the eight principles stated under the Act (see point 4 in this booklet).
The Data Protection Act 1998
The Data Protection Act 1998 confers a right of access on individuals: they have a right to be told whether their personal data is being processed, to be given a description of that data, and to be told why it is being processed and to whom it might be disclosed. This classification of information can be found on the public register of Data Controllers, on the Information Commissioner's website <www.ico.gov.uk>. The Service is registered under the name of 'Director of Public Prosecutions'. Please also refer to the Legal Guidance, Disclosure and Covert Law Enforcement section and view both the Disclosure Manual and the Disclosure to Third Parties chapters.
The 1998 Act applies to personal data held in all formats, whether electronic, paper, audio, visual or digital records. Processing, under the terms of the DPA, covers all conceivable manipulations of personal data including collection, use, storage, disclosure and amendment. Mere possession of such data amounts to processing.
Personal data is any recorded information about a living individual who can be identified from that data and other information in the possession of the Data Controller, as defined in the judgement in Durant v Financial Services Authority [2003] EWCA Civ 1746, Court of Appeal (Civil Division). A summary of this judgement is available on the Information Commissioner's website.
Requirements of the Data Protection Act 1998
There is nothing overly complicated or labour intensive about what the Act requires us to do. Provided we follow good practice in records and security management, we should meet our responsibilities. The only additional task that needs to be performed is to respond to subject access requests. This matter is dealt with in point 12 of this booklet.
The Principles
The Data Protection Act 1998 is underpinned by eight Data Protection principles; they state that:
- Personal data shall be processed fairly and lawfully, and shall not be processed unless the relevant conditions are met.
- Personal data shall be obtained and processed only for specified and lawful purposes and not further processed in a manner incompatible with those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed.
- Personal data must be accurate and, where necessary, kept up to date.
- Personal data must not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection.
Compliance policy
All staff should already be complying with much of what is defined in the eight principles. However, it is worth highlighting some issues that need addressing:
- Informal filing systems or collections of personal data regarding staff or members of the public are to be discouraged. Material held by the CPS is subject to disclosure and needs to be readily available; therefore, for example, use shared drives rather than personal filing systems wherever possible.
- Keep personal data for no longer than necessary; follow the CPS Retention Schedules, which can be found in the Records Management Manual on the intranet. This policy applies to both paper and electronic data.
- Before entering into a data sharing agreement, send a copy of the draft protocol to the Head of Information Management for advice.
Rights of Individuals under the Act
Individuals have seven basic rights under the Act:
- Access to personal data
- Prevention of processing likely to cause damage or distress
- Prevention of processing for direct marketing
- Prevention of automated decision-taking
- Rectification, blocking, erasure, destruction
- Compensation
- Request for assessment
Whilst a case is live, the CPS will usually claim complete exemption from the above provisions, although the HQ Information Officer has to assess this on a case-by-case basis. It is important to remember that personal data should always be objective and accurate. An individual is entitled to serve a written notice upon a data controller requiring them to cease processing personal data if it is causing, or is likely to cause, unwarranted substantial damage or distress to them or to another. A person who suffers damage or distress as the result of any contravention of the Act is entitled to claim compensation against individual members of staff and against the CPS as an organisation.
An individual can apply to a court for an order requiring the data controller to rectify, block, erase or destroy data relating to them that is inaccurate or contains an expression of opinion based upon that inaccurate data.
Responsibilities of Managers
Managers must within their areas of responsibility:
- Establish DPA compliant records and security systems. Guidance can be found on the Records Management Manual and the Security Manual on the intranet.
- Ensure that all staff are aware of the Data Protection Act 1998 Principles.
- Recognise a Data Protection subject access request and refer it to the HQ Information Officer immediately. A request under the Freedom of Information Act 2000 for personal data must also be referred to the HQ Unit.
- Ensure that new proposals for processing personal data are referred to the Head of Information Management for advice and inclusion on the Data Protection Notification Publication.
Procedures for Handling Subject Access Requests
The HQ Information Officer processes all subject access requests under the Act on behalf of the CPS. All requests must therefore be referred to the HQ Information Officer at HQ Ludgate Hill, to ensure a consistent response is given and relevant exemptions applied.
Subject access request forms can be obtained from either the intranet or the internet site. The application form is designed to ensure that the data needed to start a search is obtained; all requests must be in writing and must state that they are made under the Act. The CPS charges a fee of £10 for responding to subject access requests and asks for proof of identity.
If a defendant in a case wishes to obtain a copy of the papers that were served on them as part of criminal proceedings, the CPS office concerned should provide these outside the Data Protection Act remit, free of charge. Similarly, a witness or victim in a case can receive a copy of their statement, free of charge, once the case is finalised. Please contact the HQ Information Officer for advice and guidance.
Criminal Offences
The DPA sets out what may or may not be done with personal data (personal data is any information that relates to or identifies a living individual). The Act creates a number of criminal offences, proceedings for which can only be instituted by the Commissioner or with the consent of the Director of Public Prosecutions (DPP).
The most relevant DPA offences to consider are:
Section 55(1) DPA - unlawful obtaining etc. of personal data.
It is an offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information without the consent of the data controller. There are some exceptions to this; for example, where such obtaining or disclosure was necessary for crime prevention/detection. If a person has obtained personal information illegally, it is also an offence to offer or to sell that information.
There are a number of notification offences; these arise where processing is being undertaken by a data controller who has not notified the Commissioner either of the processing being undertaken or of any changes that have been made to that processing. See section 21(1) (processing without a register entry).
When prosecuting DPA cases, prosecutors should remember, as per R v Julian Connor (Southwark Crown Court, 19 May 2003), to adduce evidence that the individuals named in each charge were alive at the time their data was obtained. As per R v Buckley, England, Wallace and Moore (Winchester Crown Court, September 2003), the prosecution also has to prove that the information was data within the meaning of section 2(1) of the Act.
There are no custodial sentences in respect of DPA offences and no powers of arrest; all offences are punishable only by a fine. Search warrants are available to the Information Commissioner by virtue of section 50 and the powers outlined in Schedule 9 of the DPA.
