Mobile Phone Extraction by Police Forces – ICO’s Latest Findings

On 18 June the Information Commissioner’s Office (ICO) released its investigation report into mobile phone data extraction by police forces in England and Wales. The investigation, which began in August 2018, was carried out by the ICO following concerns about the potential for excessive processing of personal data that could arise as a result of mobile phone data extraction.

Today our smart phones hold a considerable amount of data about us that can give an insight into how we live our daily lives. This can be through our messages, call history, emails, photos, location tracking, browsing activities and data we do not even realise is being stored on our phones.

The ICO report looks at the legal background and the appropriate conditions for processing such data. The ICO calls for a code to be put in place that reflects the modern world and the extent of personal data that is held on mobile phones. The ICO report considers that the risk of not having a consistent approach across police forces, and data extraction not being in line with data protection and privacy requirements, is that it could undermine public confidence in the criminal justice system.

In addition to recommending that a code of practice is introduced, the ICO makes a number of other recommendations including recommendations regarding the procurement of new technology used in extracting data by police forces. The ICO recommends that:

  • Technology should be updated and procurements for new technology should take account of privacy by design principles. This means ensuring you build privacy by design principles into your requirements and procurement strategy before you even go to market.
  • Data protection officers should be involved in projects for new technology. Again, they should be consulted at the outset of any new project.
  • Data protection impact assessments (DPIAs) should be carried out prior to the procurement or roll-out of new technology used in mobile data extraction. The ICO also recommends that it would be beneficial for DPIAs to be carried out for existing processing.

The ICO report recognises the importance of ensuring personal data is processed in accordance with a legal framework, much of which was in place before the iPhone was launched, as well as processing it in a way that maintains public confidence in the criminal justice sector. We wait to see how the ICO’s recommendations are put into place and how a potential code of practice could look for mobile data extraction.

Sharpe Pritchard’s technology and data team regularly advice police forces on the procurement of new technology. If you have any questions, please contact Charlotte Smith or Gemma Townley.

This article is for general awareness only and does not constitute legal or professional advice. The law may have changed since this page was first published. If you would like further advice and assistance in relation to any of the issues raised in this article, please contact us today by telephone or email

Posted in ICO, Latest news and blog, Technology.