POLICEAI NEWS

// DATA PROTECTION, GDPR & AI IN POLICING //

Two separate legal regimes — and why that matters

Most discussions of data protection in a policing context collapse two quite different legal frameworks into one. The UK General Data Protection Regulation — UK GDPR, retained from the EU original after Brexit — governs the vast majority of personal data processing by organisations in the United Kingdom. But law enforcement processing sits under a separate regime entirely: Part 3 of the Data Protection Act 2018, which implemented the EU Law Enforcement Directive into domestic law and which continues to apply regardless of Brexit.

The practical differences are significant. Under Part 3, the conditions for lawfully processing personal data are different from those under UK GDPR. The rights available to individuals whose data is processed (to access it, have it corrected, or have it erased) are narrower than under UK GDPR, and the controller, in practice the force, may restrict them further where complying would prejudice an investigation, obstruct legal proceedings, or endanger the safety of an individual. The accountability mechanisms are different. And the Information Commissioner's Office exercises its enforcement powers under a different statutory basis. Understanding which regime applies to which police activity is therefore not merely a technical question; it determines what rights members of the public actually have when their data is processed by a law enforcement body.

Broadly speaking, Part 3 applies when processing is carried out by a competent authority for a law enforcement purpose — the prevention, investigation, detection, or prosecution of criminal offences, or the execution of criminal penalties. Processing by police forces that falls outside that purpose — for example, processing related to HR, finance, or communications with the public that has no direct law enforcement character — falls under the general UK GDPR provisions in Part 2 of the DPA 2018 instead. The distinction is not always obvious in practice, and forces do not always apply it consistently.

Special category data and biometrics

Part 3 does not use the UK GDPR term "special category data". It instead defines "sensitive processing", which covers the same categories, including the processing of biometric data for the purpose of uniquely identifying a natural person. That includes the facial geometry templates generated by facial recognition systems, fingerprint data, iris scans, and gait analysis outputs. Sensitive processing is permitted only with the data subject's consent, or where it is strictly necessary for the law enforcement purpose and one of the conditions in Schedule 8 of the DPA 2018 is met; in either case the controller must also have an appropriate policy document in place. Those conditions are substantially more demanding than the general lawfulness test.

The Information Commissioner's Office has been explicit on this point in guidance aimed specifically at police forces and operators of surveillance systems. In 2019 the ICO published an opinion on live facial recognition technology in public spaces that set out detailed requirements for lawful deployment: a clear legal basis, a completed and documented Data Protection Impact Assessment, evidence that the processing is necessary and proportionate, and demonstrable compliance with the Public Sector Equality Duty. The opinion stopped short of declaring that live facial recognition was inherently unlawful, but it set a high bar for justification that the ICO has since indicated few existing deployments have comfortably cleared.

DNA profiles and the National DNA Database raise their own distinct data protection questions. The database was originally run by the Forensic Science Service, which closed in 2012, and is now held by the Home Office. Historically it retained profiles from individuals who were arrested but never convicted, a practice the European Court of Human Rights found to violate Article 8 of the Convention in S and Marper v United Kingdom (2008). The retention rules were reformed by the Protection of Freedoms Act 2012, though their precise application remains contested in practice.

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is a structured prior assessment of the privacy risks created by a proposed processing activity, and of the measures taken to mitigate them. Under section 64 of the DPA 2018, a law enforcement controller must carry out a DPIA before undertaking any type of processing that is likely to result in a high risk to the rights and freedoms of individuals. The deployment of an AI system that processes biometric data, that conducts surveillance of a significant portion of the public, or that makes or significantly influences decisions about individuals, will almost invariably meet that threshold.

In practice, the quality of DPIAs produced by police forces has been variable. The Court of Appeal's 2020 ruling in Bridges v Chief Constable of South Wales Police found that South Wales Police's DPIA for its live facial recognition deployment did not meet the requirements of section 64: because the force's deployment was not "in accordance with the law" under Article 8, the DPIA had failed to properly assess the risks to the rights and freedoms of data subjects or the measures needed to address them. On a separate ground, the court held that the force had breached the Public Sector Equality Duty by not taking reasonable steps to find out whether the software produced biased results on grounds of race or sex. The ruling has prompted forces across England and Wales to revisit their DPIA processes, though independent observers continue to question whether published DPIAs genuinely engage with the risks or merely document a decision already taken.

Part 3 also contains a prior consultation duty: under section 65 of the DPA 2018, where a DPIA indicates that the processing would result in a high risk that the controller cannot mitigate, the controller must consult the ICO before the processing begins, and the ICO may respond with written advice. This mechanism is more commonly used under the equivalent provisions on the Continent than in the UK, but the obligation exists, and the ICO has signalled growing willingness to press forces on it in the context of police AI deployments.

Automated decision-making in policing

Sections 49 and 50 of the DPA 2018, which implement Article 11 of the Law Enforcement Directive, contain specific restrictions on automated decision-making in a law enforcement context: a significant decision about an individual based solely on automated processing, without meaningful human involvement. Such decisions are prohibited unless required or authorised by law, and where they are authorised, the controller must notify the individual, who may then request that the decision be reconsidered or that a new decision be taken that is not based solely on automated processing. This is the provision that creates the most direct legal tension with risk-scoring tools like HART (Durham Constabulary's Harm Assessment Risk Tool), where a custody officer's decision (in Durham's case, whether an arrested person should be referred to the force's Checkpoint out-of-court disposal programme) is significantly influenced by the algorithm's output, raising the question of whether that influence crosses the threshold into a prohibited automated decision.

Forces and their legal advisers have generally taken the position that human review, the officer reading the score before making a decision, is sufficient to keep the decision outside the section 49 prohibition. Critics, including the former Information Commissioner Elizabeth Denham, have questioned whether review of an opaque algorithmic output by an officer with limited time and no ability to inspect the model's reasoning constitutes genuinely meaningful human involvement, or whether it is better characterised as the rubber-stamping of an automated recommendation.

The Biometrics Commissioner and the Surveillance Camera Commissioner

Alongside the ICO, two further statutory offices play a role in overseeing how biometric and surveillance data is used by law enforcement in England and Wales; since 2021 they have been held jointly by a single Biometrics and Surveillance Camera Commissioner. The Biometrics Commissioner was established under the Protection of Freedoms Act 2012, with a remit that includes oversight of the retention of DNA profiles and fingerprints taken from individuals who are not convicted of an offence, and deciding police applications to retain the biometrics of people arrested for, but not charged with, a qualifying offence. The role has been periodically criticised as having insufficient powers relative to the scale of the databases it oversees.

The Surveillance Camera Commissioner, also created by the Protection of Freedoms Act 2012, oversees compliance with the Surveillance Camera Code of Practice — a statutory code that applies to police forces and local authorities operating CCTV systems in public spaces. The code requires documented justification for each camera, data minimisation, appropriate retention periods, and clear signage. Its application to AI-enabled cameras that analyse footage in real time, rather than merely recording it, is an area of ongoing regulatory development, with the Commissioner's office having acknowledged that the code was written before the current generation of AI analytics tools existed.

Post-Brexit divergence and the EU AI Act

The United Kingdom left the European Union's data protection framework at the end of the Brexit transition period on 31 December 2020, and the UK GDPR that applied from 1 January 2021 closely mirrored the EU GDPR as it stood on that date. Since then, the two regimes have begun to diverge, and the direction of travel matters for AI in policing. The EU's Artificial Intelligence Act, which entered into force in August 2024, imposes specific requirements on AI systems used in law enforcement, including mandatory fundamental rights impact assessments by public-body deployers of high-risk AI systems, transparency obligations, and a prohibition on real-time remote biometric identification in publicly accessible spaces by law enforcement, subject to limited and narrowly drawn exceptions. The UK has no equivalent legislation, and successive UK governments have so far stated a preference for a sector-led, proportionate approach rather than horizontal AI regulation.

This divergence creates a practical complication for UK forces using AI products sold by EU-based vendors, or by multinational companies that must simultaneously comply with the EU AI Act in other markets. A facial recognition product that meets the EU AI Act's requirements will not necessarily meet the specific requirements of UK data protection law as interpreted by the ICO and the courts; equally, a deployment compliant with UK law may fall foul of the AI Act's requirements for EU-market versions of the same product. How vendors and forces navigate this divergence will be one of the more practically significant data protection questions of the next few years.

ICO enforcement against police forces

The Information Commissioner's Office has historically been reluctant to exercise its strongest enforcement powers against law enforcement bodies, in part because the operational sensitivity of policing creates genuine difficulties for independent scrutiny, and in part because the ICO's primary enforcement tool — financial penalties — raises obvious questions about whether fining a police force is an effective sanction given that the money ultimately comes from the public purse. However, the ICO has issued enforcement notices and formal reprimands to police forces in recent years, including in relation to failures to carry out adequate DPIAs for AI deployments, inadequate data retention practices, and insufficient transparency with the public about surveillance activities.

The most significant enforcement action to date in the AI context was the ICO's reprimand of the Metropolitan Police in 2023 for its use of a third-party facial recognition service without adequately establishing that the vendor's processing of Metropolitan Police data complied with the applicable legal requirements. The case highlighted a broader issue: when forces use commercial AI products, the data protection obligations do not shift onto the vendor. The vendor is ordinarily a processor with its own, narrower duties, but the force remains the controller and retains responsibility for ensuring that the processing, including the processing carried out by the vendor on its behalf, is lawful; that responsibility includes having a written contract with the processor and being able to show that the vendor's handling of the data meets Part 3's requirements.

Follow the coverage

PoliceAI News tracks data protection and privacy stories relating to policing AI continuously — ICO decisions, court rulings, parliamentary debates, and new deployments raising legal questions, as they happen.
You can also browse the full archive on this topic or explore related subjects: facial recognition, surveillance and smart cities, and AI bias and discrimination.