SFO OPERATIONAL HANDBOOK
The SFO Operational Handbook is for internal guidance only and is published on the SFO’s website solely in the interests of transparency. It is not published for the purpose of providing legal advice and should not therefore be relied on as the basis for any legal advice or decision. Some of the content of this document may have been redacted.
The Data Protection Act 2018 (DPA 2018) superseded the DPA 1998 on 25 May 2018 and was implemented with the aim of modernising data protection laws and enhancing the rights of citizens to control their personal data.
The Act updated data protection laws and supplemented the EU General Data Protection Regulation (GDPR). It also implemented a specific Law Enforcement Directive and extended UK data protection law into areas not covered by the GDPR.
This policy is written with reference to two types of processing carried out by the SFO – general processing which is governed by the GDPR and ‘Part 2’ of the DPA 2018, and processing for law enforcement purposes which is governed by ‘Part 3’ of the Act. More detail on the distinction is set out below.
All business areas of the SFO are likely to hold personal data and in some areas, ‘special categories of personal data’, ‘criminal offence data’ or data subject to ‘sensitive processing’. The SFO determines how and why that personal data is processed, and is therefore a ‘controller’ under the DPA 2018. The SFO is also designated a ‘competent authority’ for law enforcement purposes under Schedule 7 of the Act.
This policy sets out the procedures that staff should follow when dealing with personal data, in order for the SFO to meet its legal obligations.
Further guidance is available on the Information Commissioner’s Office website.
Definition of personal data
Personal data is information relating to an identifiable living individual. An individual may be identified directly by name, identification number, location data, online identifiers including IP address, or by other means.
Information is also personal data where individuals can be indirectly identified using the information held by a controller in combination with additional information. This additional information may also be held by the controller, or be available from another source where it is reasonably likely that the SFO or a third party could use it to identify an individual.
General processing and law enforcement processing
The SFO is a data controller with regard to two types of processing: (i) general processing under the GDPR and Part 2 of the DPA 2018, and (ii) processing for law enforcement purposes under Part 3 of the Act. To distinguish between the two and ensure that the SFO is compliant with the relevant part of the law, it is necessary to determine the primary purpose of processing.
- Part 3: Processing for law enforcement purposes means processing for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security. This encompasses the processing of personal data in connection with the SFO’s core task of investigating and prosecuting serious or complex fraud, bribery and corruption. Examples include personal data used as evidence in a prosecution or intelligence collected or shared during an investigation.
- GDPR and Part 2: Any processing of personal data which is not for the primary purpose of law enforcement constitutes general processing. This captures processing in relation to the SFO’s corporate functions and includes personal data for recruitment or employment purposes, and general correspondence with members of the public.
In the rest of this policy the terms ‘general processing’, ‘Part 2 processing’ and ‘processing under Part 2’ are used interchangeably; ditto the terms ‘law enforcement processing’, ‘Part 3 processing’ and ‘processing under Part 3’.
Special categories of personal data, sensitive processing and criminal offence data
‘Special categories of personal data’ under Part 2 and ‘sensitive processing’ under Part 3 are the phrases used to describe the most sensitive types of personal data, which are afforded a greater level of protection when processed. These were referred to as ‘sensitive personal data’ under the DPA 1998.
Both phrases are now defined to capture information about an individual’s:
- racial or ethnic origin
- political opinions
- religious beliefs or other beliefs of a similar nature
- trade union membership
- physical or mental health or condition
- sex life or sexual orientation
- genetic data
- biometric data
Processing of personal data under Part 2 which relates to criminal offences is also subject to enhanced safeguards.
Data protection principles
Anyone within the organisation who holds or processes personal data must comply with the six data protection principles which are defined separately under both Part 2 (general processing) and Part 3 (law enforcement processing) of the DPA 2018.
The principles described in Parts 2 and 3 are broadly consistent and the key differences are noted below:
- Processing to be lawful, fair and transparent – under Part 3 processing must be lawful and fair
- Purposes of processing to be specified, explicit and legitimate
- Personal data processed to be adequate, relevant and limited to what is necessary – under Part 3 personal data must be adequate, relevant and not excessive in relation to the purpose for which it is processed
- Personal data to be accurate and where necessary kept up to date – under Part 3 there are additional requirements where relevant and as far as possible to categorise data subjects (such as suspects, offenders, victims and witnesses) and distinguish personal data based on fact from personal data based on personal assessment
- Personal data to be kept no longer than necessary
- Personal data to be processed in a manner that ensures appropriate security
For both general and law enforcement processing there is an additional requirement for the SFO to be responsible for, and be able to demonstrate compliance with, the principles described above. This is referred to as the ‘accountability principle’.
Lawful bases for processing personal data under Part 2
The SFO must have a lawful basis in order to process personal data under Part 2. There are six available lawful bases for general processing and most of these require that processing is ‘necessary’. ICO guidance indicates that if the same purpose can reasonably be achieved without the processing, it will not be necessary and there will not be a lawful basis.
The lawful basis must be determined and documented before processing begins. The SFO’s privacy notices set out the lawful bases for our general processing, and will be kept under review and updated before any new processing activities are undertaken.
The lawful bases for processing are listed in Article 6 of the GDPR. At least one of these must apply whenever personal data is processed under Part 2:
- Consent – the individual has given clear consent to processing for one or more specific purposes.
- Contract – the processing is necessary for the performance of a contract to which the individual is party or in order to take steps at their request before entering into a contract.
- Legal Obligation – the processing is necessary to comply with a common law or statutory obligation (not including contractual obligations).
- Vital Interests – the processing is necessary to protect someone’s life.
- Public Task – the processing is necessary to perform a task in the public interest or in the exercise of official authority (this covers public functions and powers set out in law).
- Legitimate Interests – the processing is necessary for legitimate interests pursued by the SFO or a third party unless such interests are overridden by the individual’s interests, rights and freedoms (this basis cannot be relied upon where processing is necessary to perform a public task).
If special category or criminal offence data is being processed, it is also necessary to identify an additional condition for processing in compliance with Schedule 1 to the DPA 2018.
Sensitive processing under Part 3
Sensitive processing under Part 3 is permitted only on the basis of consent or where the processing is strictly necessary and one of the conditions in Schedule 8 to the DPA 2018 is met. According to ICO guidance, strictly necessary means that the processing has to relate to a pressing social need which cannot reasonably be achieved through less intrusive means. The conditions in Schedule 8, of which at least one must be satisfied, are as follows:
- necessary for judicial and statutory purposes – for reasons of substantial public interest
- necessary for the administration of justice
- necessary to protect the vital interests of the data subject or another individual
- personal data already in the public domain (manifestly made public)
- necessary for legal claims
- necessary for when a court acts in its judicial capacity
- necessary for the purpose of preventing fraud
- necessary for archiving, research or statistical purposes
In addition, sensitive processing must be in accordance with the SFO’s Sensitive Processing Policy, referred to under DPA 2018 as our “appropriate policy document”.
Under the DPA 2018, individuals have more control over their personal data and eight basic rights which apply to general processing under Part 2 and to some degree to law enforcement processing under Part 3.
The table below provides a description of the rights and which types of processing they apply to:
| Right | Description | Part 3 (Law Enforcement Processing) |
| --- | --- | --- |
| Right to be informed | Individuals have the right to be informed how personal data is collected and processed. Information is provided through the all-staff and external privacy notices. | Restricted under Part 3 |
| Right of access | Individuals can request access to their personal data. | Restricted under Part 3 |
| Right of rectification | Individuals can request rectification of inaccurate or incomplete personal data. | Restricted under Part 3 |
| Right of erasure | Individuals can request deletion of personal data – also known as the right to be forgotten. | Restricted under Part 3 |
| Right to restrict processing | Individuals can request restriction or suppression of their personal data. | Restricted under Part 3 |
| Right to data portability | Individuals can obtain and reuse their personal data for their own purposes across different services e.g. changing gas suppliers. | Not a right under Part 3 |
| Right to object | Individuals can object to the processing of their personal data. | Not a right under Part 3 |
| Rights in relation to automated decision making and profiling | Individuals have rights with regard to solely automated decision making and profiling, including rights to challenge such a decision or request human intervention. | Restricted under Part 3 |
Should you receive a request citing any of these you must forward it to the Information Officer immediately (firstname.lastname@example.org) for logging and processing. If you are unsure about whether you have received such a request, contact the Information Management and Systems team for advice.
The DPA 2018 provides very short timescales – one calendar month – to respond to these types of requests so it is important that requests are forwarded on to the Information Officer as soon as they are received.
The most likely type of request is under the right of access (referred to as a “Subject Access Request”), where an individual can exercise the right to request a copy of their personal data. Note however the other types of request, including where individuals can object to the processing of their personal data.
The right to make a request for access to personal data held by the SFO does not necessarily mean that access will be granted and exemptions may apply. Comparable limitations also apply to other individual rights relating to personal data processed under Part 2.
In the case of personal data processed for law enforcement purposes, s.45(4) allows the SFO to restrict the rights of subject access (where necessary and proportionate) to avoid:
- obstructing an official or legal inquiry, investigation or procedure; or
- prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties
Further exemptions exist to restrict the rights of subject access to protect public security, national security, and the rights and freedoms of others.
It is also of note that individual rights to rectification, erasure and restriction of processing may be restricted under Part 3 where personal data must be maintained for evidential purposes.
Where individual rights are restricted it may also be permissible to restrict the reasons provided; for example, where giving reasons would prejudice the law enforcement functions which the restriction is intended to protect. The rationale for restricting a response must however be recorded internally and the requester must be informed of their right to complain to the Information Commissioner.
It is also possible to refuse to deal with a subject access request, or a request concerning most of the other individual rights, on the basis that the request is manifestly unfounded or excessive. Any such refusal must be justified by the SFO.
Exemptions under Part 2
There are a number of exemptions which may apply to personal data processed under Part 2 (general processing) in certain qualifying circumstances. These exemptions are listed in Schedule 2 to the DPA 2018. Different categories of exemptions release the controller from different obligations under the Act. The two most likely to be of relevance to the work of the SFO concern ‘crime and taxation’ and ‘legal proceedings’. Both release the data controller from their obligations in respect of:
- Article 13 – personal data collected from data subject: information to be provided;
- Article 14 – personal data collected other than from data subject: information to be provided;
- Article 15 – confirmation of processing, access to data and safeguards for third country transfers;
- Article 16 – right to rectification;
- Article 17 – right to erasure;
- Article 18 – restriction of processing;
- Article 19 – notification obligation regarding rectification or erasure of personal data or restriction of processing;
- Article 20 – right to data portability;
- Article 21 – objections to processing;
- Article 5 (general principles) so far as its provisions correspond to the rights and obligations mentioned above
- Article 5(1)(a) – lawful, fair and transparent processing, other than the lawfulness requirements set out in Article 6;
- Article 5(1)(b) – purpose limitation.
These exemptions do not release the controller from the need to have a lawful basis for processing as set out above, so when processing in this context you will still need to identify the correct lawful basis.
The exemptions must be applied on a case by case basis, and should be used only when it is necessary to do so.
- Crime and taxation exemption: The Act recognises that it is sometimes appropriate to disclose personal data for purposes to do with criminal justice or taxation. In such cases, individual rights may be restricted. In appropriate circumstances, this also enables other controllers to lawfully share personal data in connection with SFO investigations and prosecutions.
- Legal proceedings: This exemption allows for disclosure of personal data where necessary for the:
  - purpose of, or in connection with, legal proceedings (including prospective legal proceedings)
  - purpose of obtaining legal advice
  - purposes of establishing, exercising or defending legal rights
Data Protection governance
The SFO is responsible for all aspects of processing personal data in line with the DPA 2018, and must be able to demonstrate that measures and safeguards are in place to ensure compliance. The purposes and legal bases on which the SFO processes personal data are outlined above, and in more detail in our Privacy Notice on the SFO website.
The SFO processes personal data in all aspects of its corporate functions and operational casework. As such, all staff must ensure that they are aware of the principles outlined in this policy and that they are followed when handling and processing personal data. Staff must ensure that:
- They complete the Responsible for Information e-learning module on Civil Service Learning at least on an annual basis
- They can identify what personal data they handle and ensure that it is processed and appropriately protected in line with the data protection principles
- They know who to go to for further guidance on data protection, and how to escalate if a breach may have occurred
- Where necessary, they keep records that demonstrate how processing activities comply with the principles outlined in this policy
To support staff in this regard, the SFO will:
- Appoint a Data Protection Officer who will raise awareness, monitor, and advise on the SFO’s obligations
- Make training and guidance available to all staff on their responsibilities and the processes they should follow
- Ensure appropriate levels of technical security and access control around official SFO systems
- Maintain documentation that provides evidence of our processing activities and safeguards, including this policy
Alongside the responsibilities outlined above, there are a number of individuals and teams within the SFO which are responsible for implementing the organisational measures that ensure compliance. They include:
- A Data Protection Officer (DPO) who is tasked with monitoring compliance with the DPA, our data protection policies, awareness-raising, training, and audits. They will provide advice on the SFO’s data protection obligations – including as part of the highest level of organisational governance – and provide a point of contact for the Information Commissioner’s Office.
- The Information Management and Systems (IMS) team, who support the DPO by providing day-to-day advice and guidance to all staff. They also help to maintain appropriate records of processing activities and work with staff to ensure as far as possible that information systems and management policies are properly aligned with the DPA 2018.
- The Departmental Security Unit (DSU) who advise on all aspects of information risk and security and maintain a log of all information breaches, working with the DPO to ensure necessary reporting to the Information Commissioner’s Office. They also provide training and assurance to the Information Asset Owner (IAO) network alongside the IMS Team and maintain an IAO handbook.
- The Correspondence and FOI team who oversee the logging, allocation and response to requests concerning individual rights.
- A network of Information Asset Owners across the SFO who are accountable for understanding and addressing risks to information in their area, as well as maintaining an information asset register that records all personal data and the purpose and legal basis for processing.
Personal data breaches
A personal data breach is a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
If you become aware that a personal data breach may have occurred you must notify the Departmental Security Unit as soon as possible, and follow steps set out in the SFO’s personal data breach handling process below.
The SFO has an obligation to notify the Information Commissioner’s Office (ICO) within 72 hours of being made aware of the breach if it is to result in a risk to the rights and freedoms of individuals. The DSU will liaise with the Data Protection Officer and Senior Information Risk Owner to make that determination, and if necessary make the report to notify the ICO.
The SFO has a personal data breach handling process which identifies the actions you must follow should you become aware that a breach may have occurred.
Data Protection Impact Assessments (DPIA)
A DPIA is a process intended to help identify and minimise data protection risks. One must be conducted under Parts 2 and 3 prior to carrying out any processing which is likely to result in a high risk to the rights and freedoms of individuals. Examples of where a DPIA would be required include the use of new technologies or the processing of special categories of personal data on a large scale.
ICO guidance indicates that a DPIA under Part 3 must contain:
- at least a general description of the processing operations and the purposes
- an assessment of the risks to the rights and freedoms of individuals
- the measures envisaged to address those risks
- the safeguards, security measures and mechanisms in place to ensure personal data is protected
- a demonstration of how compliance with Part 3 would be achieved, taking into account the rights and legitimate interests of the data subjects and any other people concerned
If a DPIA identifies a high risk which cannot be reduced, the SFO needs to consult the ICO and processing must not begin until this has been done.
A template for completing DPIAs can be obtained from the Information Management and Systems team. When completing a DPIA advice should be sought from the SFO’s Data Protection Officer.
The Information Commissioner’s Office (ICO)
The Information Commissioner is the supervisory authority for the purposes of Parts 2 and 3 of the Act, and is responsible for the regulatory framework under which the SFO processes personal data.
The SFO is required to proactively demonstrate compliance with the Act, and must work with the Information Commissioner by providing access to information and relevant documentation describing our processing activities where necessary. The powers of the ICO under the DPA 2018 include:
- issuing notices requiring data controllers to provide information
- conducting data protection audits of data controllers
- issuing enforcement notices, warnings, reprimands, practice recommendations and other orders requiring specific actions by data controllers to resolve breaches of data protection legislation
- issuing monetary penalties
The Information Commissioner can issue a monetary penalty for failing to comply with Parts 2 and 3 of the Act. There are two tiers of penalty – the higher maximum and the standard maximum.
The maximum penalty that may be imposed is:
- the higher maximum amount: which is, in the case of an undertaking, the higher of 20,000,000 EUR or 4% of the undertaking’s total annual worldwide turnover in the preceding financial year, or in any other case 20,000,000 EUR; or
- the standard maximum amount: which is, in the case of an undertaking, the higher of 10,000,000 EUR or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year, or in any other case 10,000,000 EUR.
International transfers under Part 3
Pursuant to Part 3, the SFO has to document the lawful basis for transferring personal data to ‘third countries’ (meaning non-EU Member States, including Jersey, Guernsey and Isle of Man) for law enforcement purposes.
It is important to assess whether the primary purpose of the processing is law enforcement. If the transfer is not being made for one of the law enforcement purposes, it will be necessary to consider whether it can be effected under Part 2 and the online form for international transfer should not be used. In these circumstances please contact the IMS Team for further advice.
The provisions concerning international transfers under Part 3 are contained in sections 72 to 78 of the DPA 2018. Section 73 lists the general principles for transfer, while sections 74 to 77 set out the statutory criteria for the actual transfer.
Section 73: general principles – three conditions
Personal data may not be transferred to a third country unless the following three conditions are met:
- Condition 1: The transfer is necessary for any of the law enforcement purposes; and, in the case of personal data that was originally made available to the UK by another EU Member State or competent authority in another EU Member State, authorisation is given by the originator.
- Condition 2: The transfer is based on one of the following:
  - An adequacy decision for the third country or international organisation (see section 74)
    Note that there are currently no adequacy decisions for the purposes of the Law Enforcement Directive (implemented into UK law by Part 3 of the DPA 2018).
  - There being appropriate safeguards in the third country or international organisation (see section 75)
    Transfers on this basis require a binding legal instrument containing adequate safeguards (section 75(1)(a)) or an assessment by the SFO that adequate safeguards exist (section 75(1)(b)). The ICO must also be informed where the SFO makes such an assessment (section 75(2)).
  - Special circumstances (see section 76)
    Transfers on this basis may be made for five different reasons; the reason most likely to be relied upon by the SFO is where the transfer to a third country or international organisation ‘is necessary in individual cases for any of the law enforcement purposes’ (section 76(1)(d)).
    Specific consideration must be given to whether the transfer is necessary for the purpose intended before any personal data is transmitted. If the transfer is not necessary then personal data must not be sent. These considerations should be recorded in an international transfer form.
    Note also that section 76(1)(d) does not apply if the SFO determines that fundamental rights and freedoms of the data subject override the public interest in the transfer. This includes the transfer of personal data to facilitate a prosecution in another jurisdiction which could result in the death penalty.
- Condition 3: The intended recipient is a relevant authority in a third country, a relevant international organisation, or a person in a third country other than a relevant authority and the conditions in section 77 are met (see further guidance on section 77 below).
Under Condition 2, where the SFO transfers under appropriate safeguards or in special circumstances, we are required to document details of the transfer. That includes the date and time of transfer, information relating to the recipient, justification of transfer and a description of the personal data. The justification must include consideration of the necessity of the transfer, as well as whether the rights and freedoms of the data subject override the public interest in the transfer.
This documentation must be provided to the Information Commissioner on request.
Section 77: international transfers to persons other than relevant authorities
For international transfers under Part 3, a ‘relevant authority’ means any person based in a third country that has functions comparable to those of a competent authority (section 72(2)) – in essence, competent authorities are persons with statutory functions for law enforcement purposes such as the SFO (section 30(1) and Schedule 7 to the DPA 2018).
Where the SFO intends to make an international transfer to a person other than a relevant authority, four additional conditions must be met. Examples of such persons in the context of SFO investigations are US-based internet and communications service providers such as Google and Apple on whom we might wish to serve a RIPA preservation request.
The additional conditions are:
- Condition 1: The transfer is strictly necessary in a specific case for the performance of a task of the SFO as provided by law for any of the law enforcement purposes
- Condition 2: The SFO has determined that there are no fundamental rights and freedoms of the data subject concerned that override the public interest necessitating the transfer
- Condition 3: The SFO considers that the transfer of the personal data to a relevant authority in the third country would be ineffective or inappropriate (for example, where the transfer could not be made in sufficient time to enable its purpose to be fulfilled)
- Condition 4: The SFO informs the intended recipient of the specific purpose or purposes for which the personal data may, so far as necessary, be processed
Where a transfer is made in reliance on section 77, a relevant authority in the third country must be informed without undue delay unless this would be ineffective or inappropriate (section 77(6)). The transfer must also be documented and the Information Commissioner must be informed (section 77(7)). Please contact the DPO for more information.
As outlined above, transfers involving sensitive processing must be made on the basis of consent or where the processing is strictly necessary and one of the conditions in Schedule 8 to the DPA 2018 is met. In addition, sensitive processing must be in accordance with the SFO’s sensitive processing policy.
Retention and disposition
To comply with the fifth data protection principle, the SFO must not keep personal data longer than is necessary for the purposes for which it is processed.
In some cases information will be retained beyond the period of processing where personal data is required for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Decisions regarding retention and disposition of personal data will be undertaken in line with the SFO’s Review, Retention and Disposal Policy.
Version OGW 2, Published 7 July 2020 © Crown Copyright, 2020.
This information is licensed under the Open Government Licence v3.0. To view this licence, visit http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/ or write to the Information Policy Team, The National Archives, Kew, Richmond, Surrey, TW9 4DU.
Any enquiries regarding this publication should be sent to the Serious Fraud Office, 2-4 Cockspur Street SW1Y 5BS email: email@example.com