UK: Law changes will make it harder to hold police to account for illegal data access


An office for West Yorkshire Police, based in Leeds, has been convicted of breaches of the Computer Misuse Act 1990, after using police databases to search for information on people she knew with no legitimate reason. The case highlights the risks posed by forthcoming changes to UK data protection law.

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

Image: Duane Storey, CC BY-NC-ND 2.0

According to the Yorkshire Evening Post, Sanya Shahid "carried out unauthorised searches on the police computer system to access records in October 2020 when she had no legitimate policing purpose for doing so."

A nine-month investigation into her conduct led to her arrest in May 2021. While press reports do not make all the details of the case clear, it is likely that it was possible to determine the officer at fault through the use of database system logs. These indicate which user has accessed a system, when they have done so, and for what reason.

However, changes to UK data protection law currently approaching their final stages in the House of Lords would eliminate the need for police forces to record the reason an officer has accessed a particular database.

The Data Protection and Digital Information Bill amends the 2018 Data Protection Act so that logs on consultation and disclosure of information held in law enforcement databases would no longer have to record the justification for consultation or disclosure.

The amendments would strike out the following text from the law:

(1) A controller (or, where personal data is processed on behalf of the controller by a processor, the processor) must keep logs for at least the following processing operations in automated processing systems—

(a) collection;

(b) alteration;

(c) consultation;

(d) disclosure (including transfers);

(e) combination;

(f) erasure.

(2) The logs of consultation must make it possible to establish—

(a) the justification for, and date and time of, the consultation, and

(b) so far as possible, the identity of the person who consulted the data.

(3) The logs of disclosure must make it possible to establish—

(a) the justification for, and date and time of, the disclosure, and

(b) so far as possible—

(i) the identity of the person who disclosed the data, and

(ii) the identity of the recipients of the data.

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.

Further reading

31 October 2023

UK participation in “unnecessary” police facial recognition system needs “open, thorough, democratic debate”

MPs must ensure thorough scrutiny and a meaningful democratic debate on potential UK participation in a pan-European police facial recognition system that is unnecessary, disproportionate and undesirable, says a statement coordinated by Statewatch and signed by 13 other civil society organisations.

30 January 2023

UK: Police and intelligence agencies to increase joint work, with reduced privacy safeguards

The Data Protection and Digital Information Bill will degrade privacy and data protection safeguards in policing. Under certain conditions, law enforcement agencies (LEAs) will be able to circumvent rights protections by acting with the same powers as intelligence agencies. Laws safeguarding personal data during transfers will be diluted and the means for oversight will be significantly reduced.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error