wp56f0f848.png
Expert Witness & Digital Forensic Services










 

Site Contents: © Peter Sommer, 2018   Not to be reproduced without permission

PO Box 6447  London N4 4RX UK

wp782315a9.png

 

 

wp5e6bc680.png
wp782315a9.png
wpd913d621.png
wp4a7871db.png

The purpose of this note is to state in simple accessible language the data protection and privacy policies which, after a risk assessment, I follow.

1. A significant part of my business consists in examining the contents of computers of all kinds including personal computers, smart phones, tablets, extracts from larger systems, and a variety of data storage media. I also examine data held in the cloud, generated via social media, records created by financial institutions and communications data created by, among others, telecommunications utilities and Internet Service Providers.

2. In all instances I am instructed by others: typically lawyers, law enforcement and other investigatory agencies, and companies needing to carry out internal investigations. The purpose of the instructions will be tied to actual or prospective legal proceedings, criminal or civil or regulatory. For the purposes of GDPR I am acting as a data processor not a data controller. The data controller is the organisation or individual who instructs me. In all instances my instructions will be in writing and my activities will be limited to those instructions. It should be noted that over the course of a specific instruction there may be variations in the light of subsequent findings; however the variations will also be recorded in writing.

3. Some of the data I hold may be subject to undertakings given to law enforcement agencies and/or the courts.

4. Because of the way in which data is stored on computer-like devices and on storage media it is inevitable that in many instances I will find myself viewing personal data and that some of that data will turn out to be irrelevant to my investigations. Several points need to be made. First in order to provide integrity and authenticity to digital evidence it is often necessary to seize an entire device and create a forensic image copy which is then examined; similarly in order to give integrity and provenance to individual emails it may be necessary to acquire an entire email archive. Secondly the aim of an investigation is to find relevant material but that inevitably involves looking at material which will eventually be excluded. Standard technical measures used in the investigation of digital material concentrates on the use of searches by keywords and similar; as a result although I may have notional access to the personal data of individuals not involved in my instructions in practice the use of keywords will mean that investigations are limited and collateral intrusion is minimised.

5. Contemporaneous notes as well as final written reports are generated during investigations so that it should be possible to retrace any of my activity.

6. In most instances data including personal data held by me will fall within a number of the exemptions allowed under GDPR. These include:

· national security;

· public security;

· the prevention, investigation, detection or prosecution of criminal offences;

· other important public interests, in particular economic or financial interests, including budgetary and taxation matters, public health and security;

· the protection of judicial independence and proceedings;

· breaches of ethics in regulated professions;

· monitoring, inspection or regulatory functions connected to the exercise of official authority regarding security, defence, other important public interests or crime/ethics prevention;

· the protection of the individual, or the rights and freedoms of others; or

· the enforcement of civil law matters.

7. Some of the data may include “special category data” covering sexual orientation, health, race, ethnic origin, politics, and religion among others. This will be reflected in my instructions.

8. I do not hold personal information for marketing purposes.

9. There will always be a clear lawful basis for carrying out data processing as much of the activity will fall into the categories of “legal obligation” or “public task”. In these circumstances I aim to identify a specific legitimate interest, show that the processing is necessary to achieve it, and balance it against the individual’s interests, rights and freedoms.

10. In all instances my aim using both managerial and technical measures is to minimise intrusion into the privacy of individuals and with particular emphasis on the impact of the privacy of third parties who are not the subject of my instructions.

11. Computer related material received in the course of instructions is kept securely. Unless a data source is being actively examined data is stored on removable hard disks which are themselves kept in a locked safe. All my examination computers are password protected and kept in an office to which only I have access. Examination computers are not normally connected to the external Internet. I follow the GCHQ/NCSC Cyber Essentials technical controls.

12. Data received in the course of instructions will be retained so long as there appears to be a need in terms of future action.  This may include appeals or that the same or overlapping evidence may be needed in future potential legal activity. Retention decisions are made on the basis of information supplied by those instructing.

13. Copies of data received in the course of instructions are only released to 3rd parties as a direct need within those instructions. Any such transfer is documented. Typically copies will only be provided to instructing lawyers for the purpose of onward transmission to others also instructed,  to counter-parties and to appropriate courts and tribunals. In the vast majority of circumstances it will not be necessary, in order to fulfil my instructions, to transfer data outside the jurisdiction within which the instruction has been issued.

14. I do not employ third parties to carry out digital investigations other than with the express agreement of those instructing me. Insofar as it is necessary and appropriate where I do employ third parties I see that they are covered by the same undertakings towards personal data as I follow myself.

15. Individuals considering making a subject data access request to me should in the first instance approach the organisation or individual who is instructing me. Unless there is an overwhelming reason not to do so I am happy to disclose the identity of my instructing party.