Executive summary

Mobile phone extraction in policing

The Information Commissioner has investigated the process known as Mobile Phone Extraction (MPE), used by police forces when conducting criminal investigations in England and Wales. This followed concerns that:

       forces were inconsistent in their approach;

       there were poor practices in information handling, including an overly wide approach to extracting data; and

       there was a reliance on consent as the basis for undertaking this task in circumstances where it was not appropriate.

The aim of the investigation was to develop a detailed understanding of the legislative frameworks, governance arrangements, operating practices and challenges faced by those undertaking or affected by MPE. It also aimed to provide further clarity about data protection law for those responsible for processing personal data in this context.

The investigation and its findings call into question the appropriateness of some of the current police practices in MPE. This report recommends that a number of measures are implemented across law enforcement in order to improve compliance with data protection law and regain some public confidence that may have been lost.

The original policing principles¹ set out in 1829 by Sir Robert Peel were intended to define an ethical police force; they are still relevant and continue to underpin policing today. One of these principles is:

to recognise always that to secure and maintain the respect and approval of the public means also the securing of the willing cooperation of the public in the task of securing observance of laws.

The way that people use their phones today could not have been envisaged at the time that key criminal justice legislation was formulated. Today, people see mobile phones as extensions of themselves; they have become unique repositories of our personal information, generating huge amounts of data and often holding the most intimate and private details of our everyday lives. Mobile phone usage continues to grow exponentially, with all generations routinely interacting through phones and applications. Mobile phones are used in such a range of activities that even a cursory analysis of their contents can reveal detailed insights into thoughts, movements and personal preferences.

Such is the richness of information contained on, and accessed by, mobile phones that they are increasingly a key source of evidence in criminal investigations. Recognising this, and the Peel principles, means that MPE in the policing context needs to take proper account of data protection and privacy quite apart from what the law strictly requires. Without doing so, the confidence of complainants² and witnesses could be undermined to the detriment of the police's ability to do their important work.

Whilst the investigation observed practice in only a limited number of police forces, it gathered sufficient evidence to conclude that there are inconsistent approaches and standards of compliance by forces. This raises concerns that there is no systematic approach to justifying privacy intrusion and demonstrating that it is balanced against legitimate law enforcement purposes.

Given the sensitive data processing involved, the observed police practices increase the risk of arbitrary intrusion and impact standards of compliance when processing personal data extracted from mobile devices. This increases the risk that public confidence could be undermined.

The investigation also found that the ways the different laws governing data protection, police investigation and evidence gathering intersect in MPE operations provide additional challenges to police forces in achieving consistent and compliant practice.

The Commissioner recognises the absolute right to a fair trial and the important part that relevant mobile phone data might play in criminal investigations and fair proceedings. The Commissioner recommends, however, that further improvements are introduced to demonstrate that the processing involved is in accordance with the law and to ensure that there are sufficient safeguards in place and routinely applied to guard against arbitrary interference with individuals' rights.

It is acknowledged that this is a complex area, engaging not just data protection law but also criminal justice and human rights legislation. Whilst the primary focus of the investigation was data protection, it would have been remiss not to consider the end-to-end process from identification of a requirement for the data, through its extraction and use, to its ultimate deletion. The investigation therefore examined the key parts of relevant law in order to explain how different legislation intersects and how these laws need to be applied to MPE.

The Commissioner's findings also address the nature of the engagement with owners of phones and provide clear direction about the sensitive nature of data processed through mobile phone extraction and the higher thresholds that must be met for this to be lawful and justifiable. In particular, a default position of, in some cases, extracting as much data as is available (as opposed to seeking specific data) is challenged.

 

Recommendations

Recommendation 1: Given the complexity of this area, the Commissioner is calling for the introduction of better rules, ideally set out in a statutory code of practice, that will provide greater clarity and foreseeability about when, why and how the police and other law enforcement agencies use mobile phone extraction.

Recommendation 2: Police should revisit and clarify the lawful basis they rely upon to process data extracted from mobile phones. This should include whether or not the Investigatory Powers Act 2016 is engaged by any aspects of the MPE they are conducting. The report focuses on two conditions for law enforcement processing that data protection legislation provides: the Consent³ of the data subject or, where Consent is not appropriate, the processing is strictly necessary to carry out the law enforcement task. From the perspective of the data protection regulator, the report makes clear that in the context of law enforcement processing, including MPE, achieving the standards of Consent (in data protection terms) is deliberately challenging. This is to ensure that the individual has meaningful choice and control over how their data is used. The investigation found that the practices being adopted presently did not always demonstrate the conditions needed for Consent to be valid. If opting to rely on Consent, the police must ensure that they are meeting these high standards.

The investigation concludes that this alternative condition for processing (strictly necessary for a law enforcement purpose) is more appropriate and the police should carry it out with clear communication with the owner of the phone and, wherever possible, their co-operation. In other words, this alternative should not be regarded as simply a coercive option invariably imposed upon complainants and witnesses. With either condition, there are clear obligations on the police to meet the requirements for sensitive processing and uphold the safeguards that the law requires for this type of processing. Given the number of different agencies and organisations involved in making such an arrangement work, an overarching code of practice covering the relevant parts of the criminal justice system may also provide the opportunity to clarify the role consent has in MPE.

Recommendation 3: The police, the Crown Prosecution Service and the Attorney General's Office should collaborate to improve the consistency of authorising data extracts. This should be implemented across England and Wales, to increase public confidence in the accountability of the police and the criminal justice process when undertaking these intrusive actions.

Recommendation 4: Police should complete their work to ensure that they are conforming to the standards underpinning the integrity of MPE, as required by the Forensic Science Regulator.

Recommendation 5: Police forces should put in place more robust policies and procedures to ensure the appropriate handling and deletion of data that has been extracted but that is not relevant to a particular investigation.

Recommendation 6: Early engagement between the police and the Crown Prosecution Service should be improved as envisaged in the Attorney General's report⁴ in order to allow the extraction, further processing and disclosure of mobile phone data to be more targeted such that privacy intrusion is minimised.

Recommendation 7: Police forces should implement measures to ensure that mobile phone data is managed in accordance with data protection legislation and retained no longer than necessary.

Recommendation 8: To meet the standards required for fair processing, police forces should make improvements to their engagement with individuals whose phones are to be examined, to ensure they fully inform those individuals about what is being proposed and what their rights are. This will involve providing detailed privacy information and working to improve the current notices given to those whose phones are to be examined.

Recommendation 9: A national training standard should be introduced to ensure all those involved in mobile phone extraction are aware of their legal obligations.

Recommendation 10: The technology used by police forces in extracting data should be updated and future procurements should take account of privacy by design principles to ensure it supports the forces in complying with their legal obligations.

Recommendation 11: Chief officers should ensure that data protection officers are involved in and consulted on any new projects involving the use of new technologies for processing personal data.

Recommendation 12: Police forces should undertake data protection impact assessments (DPIAs) prior to the procurement or roll-out of new hardware or software for mobile phone extraction and processing to ensure compliance with data protection requirements. They should also ensure that up-to-date DPIAs exist for all relevant current processing.

Recommendation 13: Wider work being undertaken across criminal justice, including revisions to the Victims' Code, the Attorney General's Guidelines on Disclosure and the Criminal Procedure and Investigations Act 1996 Code of Practice, should incorporate measures that address data protection and privacy concerns.

 

Next steps

The police and the wider criminal justice community must take action to apply these recommendations to their practice in order to provide the public with appropriate levels of reassurance. The Commissioner offers support to the National Police Chiefs' Council and College of Policing to assist with taking forward these recommendations.

This can by no means be the end of the story. Data protection and privacy is one aspect of a much broader set of issues in this space, and there are significant steps across the whole system that need to be taken to increase the public's confidence in how their personal data is used in a criminal justice context. The Commissioner therefore calls for a national consortium of relevant organisations to work together to improve the system as a whole in order to ensure public confidence in the wider process.

The Commissioner will be writing to Chief Constables and Police and Crime Commissioners, to assist in the consideration and implementation of her recommendations.

The Commissioner recognises the shared ambition across agencies and organisations to improve practice, including the National Disclosure Improvement Plan and the Attorney General's review and the Victims' Code revision already under way, and her recommendations should be seen as complementary to that work. These combined efforts will provide a catalyst for improvements in data protection and privacy issues that will in turn provide the public with greater reassurance.

 

1 https://www.gov.uk/government/publications/policing-by-consent

2 For convenience and brevity, we use the term "complainant", without prejudice or disrespect, to refer generically to a person who has made a report of being the victim of a criminal offence, recognising that such a person may be referred to as a "victim" or "survivor".

3 Consent in data protection law has a specific meaning and is represented throughout this report as "Consent" (with upper case "C") to distinguish it from the general definition of consent.

4 https://www.gov.uk/government/publications/review-of-the-efficiency-and-effectiveness-of-disclosure-in-the-criminal-justice-system