iPolice: helping the Belgian Integrated Police to comply with data protection rules

The EU Law Enforcement Directive (LED) sets out the data protection rules that pertain to law enforcement. As part of Belgium’s iPolice project, Sopra Steria is helping to design a new solution that will enhance the work of the Belgian Police while also ensuring that personal data is kept secure.

The Belgian Integrated Police operates on two levels: the Federal Police, which operates at the national level, and the Local Police forces, each of which covers a district called a police zone.

The force is also divided into the Administrative Police and the Judicial Police. While the latter is involved in investigations and judicial proceedings, the Administrative Police performs various functions, from road traffic enforcement to maintaining public order. These functions are defined by the 1992 law on the functioning of the Police.

This law established a complex system of databases, where all information – including personal data – collected by the Police must be stored. These databases, depending on whether they are local or federal, administrative or judicial, are accessed by officers and administrative staff through multiple applications.

Building a data protection-compliant solution

The iPolice project aims to address the fragmentation of these databases and the proliferation of platforms by bringing them together in a single solution. This one-stop-shop platform will significantly help the Belgian Integrated Police carry out its work by providing it with more and better organised information more quickly. The solution also includes intelligence led analysis features that will allow the Police to better analyse their data while also respecting data protection rules.

Considering the vast amount of personal data that the Police collect and process daily, great attention has been paid to Title II of the 2018 Belgian Law on Personal Data Protection (LPD), which transposes the European Law Enforcement Directive (LED). Following the principles of data protection by design and by default, Sopra Steria is helping to build a data protection-compliant solution, from design to development and implementation.

Main rules to consider

The EU Law Enforcement Directive and the Belgian LPD share a number of data protection principles with the GDPR, such as lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, security of personal data, and accountability. However, considering the specific nature of the tasks and functions carried out by law enforcement authorities, these principles are at times defined in a different way from the GDPR. For instance, the lawfulness of a processing activity is ensured only if that activity is provided by law and necessary for the performance of a task for the purposes listed by the directive. Examples are the prevention, investigation, detection, or prosecution of criminal offences, or the prevention of threats to public security.

The LED also requires that a distinction is made, as far as possible, between the personal data of different data subjects, making clear that the personal data of a witness or a victim should not be processed in the same way as the personal data of a convicted criminal. In this regard, the Belgian LFP provides for different retention periods of personal data, according to the category of the subject. In this way, the law also implements the storage limitation principle, which requires EU member states to provide specific data retention periods and to set up specific procedural measures to ensure the time limits are respected.

At the same time, it is essential to ensure the quality of personal data (data accuracy), in particular providing a distinction between personal data based on facts and those based on assessments, an issue that may arise during investigations and legal proceedings.

Another important element is the logging system. The EU’s LED mandates that business logs are maintained to record who has accessed and processed personal data, at what time, and for what reason. Not all police officers have the same access rights, and a robust access management system, paired with a proper logging system, is crucial to verify the lawfulness of the processing and ensure the integrity and security of personal data, which is often of a sensitive nature.

These provisions are part of the design and development of Belgium’s iPolice, which adheres to the highest standards of security. Sopra Steria is a key contributor to this initiative. If you’d like to know more about the role of data protection in the iPolice initiative, don’t hesitate to contact us.