The purpose of this note is to state in simple accessible language the data protection
and privacy policies which, after a risk assessment, I follow.
1. A significant part of my business consists in examining the contents of computers
of all kinds including personal computers, smart phones, tablets, extracts from larger
systems, and a variety of data storage media. I also examine data held in the cloud,
generated via social media, records created by financial institutions and communications
data created by, among others, telecommunications utilities and Internet Service
2. In all instances I am instructed by others: typically lawyers, law enforcement
and other investigatory agencies, and companies needing to carry out internal investigations.
The purpose of the instructions will be tied to actual or prospective legal proceedings,
criminal or civil or regulatory. For the purposes of GDPR I am acting as a data processor,
not a data controller. The data controller is the organisation or individual who
instructs me. In all instances my instructions will be in writing and my activities
will be limited to those instructions. It should be noted that over the course of
a specific instruction there may be variations in the light of subsequent findings;
however, the variations will also be recorded in writing.
3. Some of the data I hold may be subject to undertakings given to law enforcement
agencies and/or the courts.
4. Because of the way in which data is stored on computer-like devices and on storage
media it is inevitable that in many instances I will find myself viewing personal
data and that some of that data will turn out to be irrelevant to my investigations.
Several points need to be made. First, in order to provide integrity and authenticity
to digital evidence it is often necessary to seize an entire device and create a
forensic image copy which is then examined; similarly, in order to give integrity
and provenance to individual emails it may be necessary to acquire an entire email
archive. Secondly, the aim of an investigation is to find relevant material, but that
inevitably involves looking at material which will eventually be excluded. Standard
technical measures used in the investigation of digital material concentrate on
the use of searches by keywords and similar; as a result, although I may have notional
access to the personal data of individuals not involved in my instructions, in practice
the use of keywords will mean that investigations are limited and collateral intrusion
5. Contemporaneous notes as well as final written reports are generated during investigations
so that it should be possible to retrace any of my activity.
6. In most instances data including personal data held by me will fall within a number
of the exemptions allowed under GDPR. These include:
· national security;
· public security;
· the prevention, investigation, detection or prosecution of criminal offences;
· other important public interests, in particular economic or financial interests,
including budgetary and taxation matters, public health and security;
· the protection of judicial independence and proceedings;
· breaches of ethics in regulated professions;
· monitoring, inspection or regulatory functions connected to the exercise of official
authority regarding security, defence, other important public interests or crime/ethics
· the protection of the individual, or the rights and freedoms of others; or
· the enforcement of civil law matters.
7. Some of the data may include “special category data” covering sexual orientation,
health, race, ethnic origin, politics, and religion among others. This will be reflected
in my instructions.
8. I do not hold personal information for marketing purposes.
9. There will always be a clear lawful basis for carrying out data processing as
much of the activity will fall into the categories of “legal obligation” or “public
task”. In these circumstances I aim to identify a specific legitimate interest, show
that the processing is necessary to achieve it, and balance it against the individual’s
interests, rights and freedoms.
10. In all instances my aim, using both managerial and technical measures, is to minimise
intrusion into the privacy of individuals, with particular emphasis on the impact
on the privacy of third parties who are not the subject of my instructions.
11. Computer related material received in the course of instructions is kept securely.
Unless a data source is being actively examined data is stored on removable hard
disks which are themselves kept in a locked safe. All my examination computers are
password protected and kept in an office to which only I have access. Examination
computers are not normally connected to the external Internet. I follow the GCHQ/NCSC
Cyber Essentials technical controls.
12. Data received in the course of instructions will be retained so long as there
appears to be a need in terms of future action. This may include appeals, or the possibility
that the same or overlapping evidence may be needed in future potential legal activity.
Retention decisions are made on the basis of information supplied by those instructing.
13. Copies of data received in the course of instructions are only released to third
parties as a direct need within those instructions. Any such transfer is documented.
Typically copies will only be provided to instructing lawyers for the purpose of
onward transmission to others also instructed, to counter-parties and to appropriate
courts and tribunals. In the vast majority of circumstances it will not be necessary,
in order to fulfil my instructions, to transfer data outside the jurisdiction within
which the instruction has been issued.
14. I do not employ third parties to carry out digital investigations other than
with the express agreement of those instructing me. Insofar as it is necessary and
appropriate where I do employ third parties I see that they are covered by the same
undertakings towards personal data as I follow myself.
15. Individuals considering making a subject data access request to me should in
the first instance approach the organisation or individual who is instructing me.
Unless there is an overwhelming reason not to do so I am happy to disclose the identity
of my instructing party.