The Information Commissioner has issued an investigation report into the use of mobile phone extraction (MPE) by police forces when conducting criminal investigations in England and Wales.
The aim of the investigation was to develop a detailed understanding of the legislative frameworks, governance arrangements, operating practices and challenges faced by those undertaking or affected by MPE. It also aimed to provide further clarity about data protection law for those responsible for processing personal data in this context.
Concerns about MPE included that:
- forces were inconsistent in their approach
- there were poor practices in information handling, including an overly wide approach to extracting data; and
- a reliance on consent as the basis for undertaking this task in circumstances where it was not appropriate.
Although the investigation observed practice in only a limited number of police forces, it gathered sufficient evidence to conclude that there are inconsistent approaches and standards of compliance by forces. This raises concerns that there is no systematic approach to justifying privacy intrusion and demonstrating that it is balanced against legitimate law enforcement purposes.
Given the sensitive data processing involved, the observed police practices increase the risk of arbitrary intrusion and affect standards of compliance when processing personal data extracted from mobile devices. This increases the risk that public confidence could be undermined.
The investigation also found that the ways the different laws governing data protection, police investigation and evidence gathering intersect in MPE operations provide additional challenges to police forces in achieving consistent and compliant practice.
The ICO’s investigation report examines the relevant data protection rules in some detail. It explains the significant requirements that an organisation must meet to rely on the legal basis of consent for data extraction. The report also describes the alternative condition for processing: where it is necessary for the performance of a task carried out for a law enforcement purpose by a competent authority.
The ICO’s report recommends that a number of measures are implemented across law enforcement to improve compliance with data protection law and regain some public confidence that may have been lost. The police and the wider criminal justice community must take action to apply these recommendations to their practice to provide the public with appropriate levels of reassurance
Recommendations
Recommendation 1: Given the complexity of this area, the ICO calls for the introduction of better rules, ideally set out in a statutory code of practice, that will provide greater clarity and foreseeability about when, why and how the police and other law enforcement agencies use mobile phone extraction.
Recommendation 2: Police should revisit and clarify the lawful basis they rely upon to process data extracted from mobile phones. This should include whether or not the Investigatory Powers Act 2016 is engaged by any aspects of the MPE they are conducting.
Recommendation 3: The police, the CPS and the Attorney General’s Office should collaborate to improve the consistency of authorising data extracts.
Recommendation 4: Police should ensure that they are conforming to the standards underpinning the integrity of MPE, as required by the Forensic Science Regulator.
Recommendation 5: Police forces should put in place more robust policies and procedures to ensure the appropriate handling and deletion of data that has been extracted but that is not relevant to a particular investigation.
Recommendation 6: Early engagement between the police and the CPS should be improved to allow the extraction, further processing and disclosure of mobile phone data to be more targeted such that privacy intrusion is minimised.
Recommendation 7: Police forces should implement measures to ensure that mobile phone data is managed in accordance with data protection legislation and retained no longer than necessary.
Recommendation 8: To meet the standards required for fair processing, police forces should make improvements to their engagement with individuals whose phones are to be examined, to ensure they fully inform those individuals about what is being proposed and what their rights are.
Recommendation 9: A national training standard should be introduced to ensure all those involved in mobile phone extraction are aware of their legal obligations.
Recommendation 10: The technology used by police forces in extracting data should be updated and future procurements should take account of privacy by design principles to ensure it supports the forces in complying with their legal obligations.
Recommendation 11: Chief officers should ensure that data protection officers are involved in and consulted on any new projects involving the use of new technologies for processing personal data.
Recommendation 12: Police forces should undertake data protection impact assessments (DPIAs) before the procurement or roll-out of new hardware or software for mobile phone extraction and processing to ensure compliance with data protection requirements. They should also ensure that up-to-date DPIAs exist for all relevant current processing.
Recommendation 13: Wider work being undertaken across criminal justice, including revisions to the Victims’ Code, the Attorney General’s Guidelines on Disclosure and the Criminal Procedure and Investigations Act 1996 Code of Practice, should incorporate measures that address data protection and privacy concerns.
