Site Contents: © Peter Sommer, 2018 Not to be reproduced without permission
PO Box 6447 London N4 4RX UK
The purpose of this note is to state in simple accessible language the data protection and privacy policies which, after a risk assessment, I follow.
1. A significant part of my business consists in examining the contents of computers of all kinds including personal computers, smart phones, tablets, extracts from larger systems, and a variety of data storage media. I also examine data held in the cloud, generated via social media, records created by financial institutions and communications data created by, among others, telecommunications utilities and Internet Service Providers.
2. In all instances I am instructed by others: typically lawyers, law enforcement and other investigatory agencies, and companies needing to carry out internal investigations. The purpose of the instructions will be tied to actual or prospective legal proceedings, whether criminal, civil or regulatory. For the purposes of GDPR I am acting as a data processor, not a data controller. The data controller is the organisation or individual who instructs me. In all instances my instructions will be in writing and my activities will be limited to those instructions. It should be noted that over the course of a specific instruction there may be variations in the light of subsequent findings; however, the variations will also be recorded in writing.
3. Some of the data I hold may be subject to undertakings given to law enforcement agencies and/or the courts.
4. Because of the way in which data is stored on computer-
5. Contemporaneous notes as well as final written reports are generated during investigations so that it should be possible to retrace any of my activity.
6. In most instances data including personal data held by me will fall within a number of the exemptions allowed under GDPR. These include:
· national security;
· public security;
· the prevention, investigation, detection or prosecution of criminal offences;
· other important public interests, in particular economic or financial interests, including budgetary and taxation matters, public health and security;
· the protection of judicial independence and proceedings;
· breaches of ethics in regulated professions;
· monitoring, inspection or regulatory functions connected to the exercise of official authority regarding security, defence, other important public interests or crime/ethics prevention;
· the protection of the individual, or the rights and freedoms of others; or
· the enforcement of civil law matters.
7. Some of the data may include “special category data” covering sexual orientation, health, race, ethnic origin, politics, and religion among others. This will be reflected in my instructions.
8. I do not hold personal information for marketing purposes.
9. There will always be a clear lawful basis for carrying out data processing as much of the activity will fall into the categories of “legal obligation” or “public task”. In these circumstances I aim to identify a specific legitimate interest, show that the processing is necessary to achieve it, and balance it against the individual’s interests, rights and freedoms.
10. In all instances my aim, using both managerial and technical measures, is to minimise intrusion into the privacy of individuals, with particular emphasis on the impact on the privacy of third parties who are not the subject of my instructions.
11. Computer-related material received in the course of instructions is kept securely. Unless a data source is being actively examined, data is stored on removable hard disks which are themselves kept in a locked safe. All my examination computers are password protected and kept in an office to which only I have access. Examination computers are not normally connected to the external Internet. I follow the GCHQ/NCSC Cyber Essentials technical controls.
12. Data received in the course of instructions will be retained so long as there appears to be a need in terms of future action. This may include appeals, or the possibility that the same or overlapping evidence may be needed in future potential legal activity. Retention decisions are made on the basis of information supplied by those instructing.
13. Copies of data received in the course of instructions are only released to 3rd parties as a direct need within those instructions. Any such transfer is documented. Typically copies will only be provided to instructing lawyers for the purpose of onward transmission to others also instructed, to counter-
14. I do not employ third parties to carry out digital investigations other than with the express agreement of those instructing me. Insofar as it is necessary and appropriate, where I do employ third parties I see that they are covered by the same undertakings towards personal data as I follow myself.
15. Individuals considering making a subject data access request to me should in the first instance approach the organisation or individual who is instructing me. Unless there is an overwhelming reason not to do so I am happy to disclose the identity of my instructing party.