Professor Dan Hyde

ARCHIVED: This Practice Note has been archived and is not maintained. It examined the data protection and personal data sharing issues arising in a cross-border investigations involving US and EU companies before the decision in the case of Facebook Ireland and Schrems and IP completion day. It included information on the types of investigators may be involved, the types of interviews conducted and what issues of legal privilege may arise. It also explained what counts as personal data and how personal data can be transferred for the purposes of an investigation from the European Economic Area (EEA) to a territory outside the EEA, the changing position on the safe harbor framework and the introduction of the EU-US Privacy Shield.

This Practice Note has been archived and is not maintained. It explains the notification offences under the Data Protection Act 1998 (DPA 1998). These offences were repealed by the Data Protection Act 2018 (DPA 2018) and cannot be committed after 25 May 2018. However prosecutions can still be brought where the offence was committed before 25 May 2018. There are no equivalent notification offences under the DPA 2018. This Practice Note includes what notification was required under the DPA 1998 together with exemptions from notification. It deals with the offence of processing without an entry on the register, including the elements of the offence of processing without an entry on the register. It covers the offence of failing to notify changes including the elements of the offence required as well as the offence of failing to make particulars available including the elements of the offence required. Finally, it covers the meaning of ‘unauthorised assessable processing’ under the DPA 1998, corporate liability under the DPA 1998 and sentencing for all of the notification offences under the DPA 1998.

This Practice Note provides an introduction to how law enforcement and intelligence agencies may process personal data in accordance with Part 3 of the Data Protection Act 2018 (DPA 2018). It explains what amounts to law enforcement processing of personal data (including processing for the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties and the safeguarding against and the prevention of threats to public security), who are competent authorities for the purpose of DPA 2018, Pt 3 as well as highlighting the data processing principles for law enforcement. The rights of data subjects, such as the right to be informed, the right of access, the right to rectification, the right to erasure or restrict processing and the right not to be subject to automated decision-making within a law enforcement context are also explained.

This Practice Note has been archived and is not maintained. It deals with the offence of unlawfully obtaining personal data under section 55 of the Data Protection Act 1998 (DPA 1998). This offence was repealed by the Data Protection Act 2018 (DPA 2018) and cannot be committed after 25 May 2018. However prosecutions can still be brought where the offence was committed before 25 May 2018. Data protection offences which occur on or after 25 May 2018 should be prosecuted under the DPA 2018 not the DPA 1998. This Practice Note explains the elements of the offence of unlawfully obtaining data under the DPA 1998 which the prosecution has to prove, including the mental elements required, corporate liability, statutory defences and sentencing if convicted of the offence. It also explains the offence under the DPA 1998, s 56 of unlawfully requiring the production of data obtained under DPA 1998 s 56, when this prohibition applies and the penalties which will apply upon conviction.

This Q&A considers the GDPR issues that arise when instructing a third party expert in criminal proceedings addressing the ability to provide the expert with personal data to allow them to advise at the investigation stage and once a prosecution has commenced.