APPENDIX 2: REPORT FROM THE INFORMATION
The Serious Organised Crime Agency's operation and
use of the ELMER database.
Information Commissioner's Report to the House of
Lords European Union Committee
3. Legal Framework
Annex 1: The Data Protection Principles
Annex 2: Relevant Legislation
1.1 The Information Commissioner (the Commissioner)
has responsibility for promoting and enforcing the Data Protection
Act 1998 (DPA) and the Freedom of Information Act 2000 (FOIA).
He is independent from government and upholds information rights
in the public interest, promoting openness by public bodies and
data privacy for individuals. The Commissioner does this by providing
guidance to individuals and organisations, solving problems where
he can and taking appropriate action where the law is broken.
1.2 The House of Lords European Union Committee ('the
Committee') published the findings from its Inquiry into Money
Laundering and the Financing of Terrorism in July 2009. The Committee
made a number of recommendations which included recommending that
the Commissioner should review and report on the operation and
use of the ELMER database. It also recommended that the Commissioner
should consider in particular whether the rules for the retention
of data are compatible with the jurisprudence of the European
Court of Human Rights.
1.3 The Commissioner welcomed the opportunity to
undertake the review of the ELMER database. As part of the Commissioner's
review a team ('the review team') from the Commissioner's Office
visited the Serious Organised Crime Agency ('SOCA') to observe
the ELMER database in operation. This enabled the review team
to understand the type of information that is recorded and retained
on ELMER and the purposes for which it is used.
1.4 The review team received the fullest co-operation
from SOCA and were able to have access to staff and to see the
operation of the database in practice. The Commissioner thanks
SOCA and its staff for their assistance.
2.1 There is a legal obligation for the regulated
sector and any entity (individual or corporate, regulated or unregulated)
that might otherwise be accused of committing one of the principal
money laundering offences under Sections 327 to 329 of the Proceeds
of Crime Act to submit Suspicious Activity Reports (SARs) to SOCA.
The 'regulated sector' includes banks and financial institutions
and more recently has included solicitors, accountants and others.
It is estimated that between 125,000 and 175,000 businesses could
be subject to reporting requirements although we understand that
only approximately 5,000 actually report. The ELMER database holds
the SARs information and currently holds approximately 1.5 million
2.2 A SAR must be made as soon as practicable once
an organisation (or an individual) has formed a suspicion or knows
of terrorist financing or money laundering. It is a criminal offence
not to make a disclosure when a suspicion has been formed although
the legislation does not define 'suspicion' and this has been
left to the Courts. In the Court of Appeal case R v Da Silva 
All ER (D) 131 (Jul) the Judge stated that there should be 'more
than a fanciful possibility' that a person is handling criminal
property or money-laundering activity is taking place. Guidance
issued by SOCA states 'As soon as you know or suspect that a person
is engaged in money laundering or dealing in criminal property
you must submit a SAR'. SOCA also provides a document containing
case studies for training purposes and highlights those situations
where a SAR may be required such as where there is sudden activity
on a dormant account.
2.3 The SARs regime was introduced in 1986/87. However
ELMER only became functional in 2000. SARs submitted prior to
ELMER becoming functional were transferred to the ELMER database.
This means that as at 2010 data has been held on ELMER for ten
years but is actually older in some cases.
2.4 Latest figures indicate that from October 2008
to the end of September 2009 228,834 SARs and 13,618 Consent SARs
were received by SOCA.
In 2009 an average of 19,264 were being received monthly.
2.5 During the Committee's Inquiry the Commissioner
stressed that it was important that the SAR process should be
operated in a proportionate manner. The database should focus
on assisting with the investigation and prevention of serious
criminal behaviour and the thresholds for reporting, recording
and granting access should reflect this. It should be noted that
the rationale for the ELMER database and the range, content and
reason for submission stem from the reporting provisions in the
Proceeds of Crime Act 2002 and the Terrorism Act 2000 rather than
a requirement of SOCA.
2.6 It was also the Commissioner's view that there
should be established retention periods for the information held
on the database. If there are SARs based on financial transactions
meeting a particular threshold level rather than on hard evidence
of criminal activity the prolonged retention of those records
would be inappropriate and disproportionate and there should not
be a blanket policy to keep all SARs indefinitely. SOCA clarified
in evidence that each SAR is assigned a deletion date of ten years
after receipt and is automatically deleted unless it has been
amended or updated in which case the deletion date is reset to
six years following that event. SOCA also confirmed that there
is also a procedure for earlier deletion of individual SARs where
all necessary activity relating to that SAR has been undertaken
and SOCA estimated that 20,880 SARs have been permanently deleted
from the database.
2.7 The Committee were concerned that SARs are routinely
retained for ten years on a database to which there is wide access
especially in those cases where it could be shown that the initial
suspicion was unfounded. The Committee referred particularly to
the ruling of the European Court of Human Rights that the retention
on the DNA database of the DNA of persons not convicted of a criminal
offence could amount to a breach of their right to respect for
private life under Article 8 of the European Convention on Human
2.8 The Committee hoped that adoption of their recommendations
on a de minimis provision, improved guidance and the improved
provision of feedback to reporters would lead over time to an
improvement in the quality of the ELMER database so that entries
on it are focused on serious organised crime including money laundering.
The Committee's recommendation in this respect was in relation
to removing the requirement to report a suspicious transaction
based on a minor offence. This would lead to the raising of the
threshold for making SARs leading to a more proportionate approach.
3. Legal framework
3.1 There is an established legal framework governing
the requirements to notify SOCA of a SAR. These have grown over
time and relate to a number of legal instruments (see Annex 2).
3.2 The legislation which directly relates to the
way in which the ELMER database operates is the Proceeds of Crime
Act 2002 and the Terrorism Act 2000, which require banks and other
businesses in the 'regulated sector' together with any entity
(individual or corporate, regulated or unregulated) that might
otherwise be accused of committing one of the principal money
laundering offences ('the principal money laundering offences')
to report. These offences are outlined in Sections 327 to 329
of the Proceeds of Crime Act and include concealing criminal property,
disguising criminal property, converting criminal property, transferring
criminal property and removing criminal property from England
3.3 These organisations/individuals are required
to report to the UK Financial Intelligence Unit (SOCA) any suspicions
that arise concerning criminal property, money laundering or terrorist
financing. Persons and businesses can avail themselves of a defence
against money laundering charges by seeking the consent of SOCA
to proceed with a transaction or undertake an activity (a prohibited
act) about which they have concerns. The decision to grant or
refuse consent is taken by SOCA after consultation with other
Law Enforcement Agencies (LEAs).
The Data Protection Act 1998
3.4 The DPA establishes a framework of rights and
duties which are designed to safeguard personal data. This framework
balances the legitimate needs of organisations to collect and
use personal data for business and other purposes against the
right of individuals to respect for the privacy of their personal
3.5 Central to the DPA are eight legally enforceable
principles which include that organisations must ensure that everything
they do with personal information is fair and lawful, and that
the information is used only for specified purposes. Personal
information must also be adequate, relevant and not excessive
in relation to the purpose or purposes for which it is processed.
Personal information should not be kept for longer than is necessary
and appropriate technical and organisational measures need to
be taken against unauthorised or unlawful processing or loss.
3.6 The Commissioner is responsible for enforcing
the DPA and has enforcement powers to ensure compliance.
The Human Rights Act 1998
3.7 The Human Rights Act 1998 (HRA) gives legal effect
in the UK to the fundamental rights and freedoms contained in
the European Convention on Human Rights (ECHR). SOCA is a public
authority for the purposes of the HRA.
3.8 Article 8 of the ECHR gives every person the
right to "respect for his private and family life, his home
and his correspondence." Article 8(2) states that there "shall
be no interference by a public authority with the exercise of
this right except such as is in accordance with the law and is
necessary in a democratic society in the interests of national
security, public safety or the economic well-being of the country,
for the prevention of disorder or crime, for the protection of
health or morals, or for the protection of the rights and freedoms
S and Marper v UK
3.9 In S and Marper v The United Kingdom (Application
Nos 30562/04 and 30566/04, 2008) the European Court of Human Rights
(ECtHR) found that "the blanket and indiscriminate nature
of the powers of retention of the fingerprints, cellular samples
and DNA profiles of persons suspected but not convicted of offences,
as applied in the case of the
applicants, fail[ed] to strike
a fair balance between the competing public and private interests
The Court established that the retention constituted "a disproportionate
interference with the applicants' right to respect for private
life and [could not] be regarded as necessary in a democratic
society". Accordingly, it found the UK to be acting in violation
of Article 8 of the European Convention on Human Rights (ECHR).
4.1 There is no single prescribed way to submit SARs.
They can be submitted several ways such as online using SOCA SAR
Online via the SOCA website, by fax, by post or telephone. SAR
Online allows SARs to be submitted securely. SAR Online is for
small to medium volume reporters who register, log on and then
submit their reports. High volume reporters such as banks make
multiple submissions of SARs via an encrypted email process which
allows for secure bulk data exchange. SARs received electronically
receive an automatic Unique Reference Number and confirmation
of receipt. However, approximately 3% of reports are received
by fax or post and these SARs do not receive an acknowledgement
of receipt unless the reporter requests consent to carry out a
4.2 In order to submit a SAR via SAR Online a new
user is required to register and, to do this, they must enter
the details of the reporting organisation they represent. The
user will then need to activate the account before it can be used
and then will be prompted to create a password. Once that is created
the user will be able to utilise the site functionality which
is essentially completing the form and submitting it. Registered
users can also nominate other users.
4.3 SOCA guidance states that the following information
should be contained in a SAR if available to the reporter: subject's
full name, date of birth and addresses, subject details such as
national insurance numbers, vehicle registration, driving licence,
passport, phone numbers, website addresses, details of occupation/employer,
details of any associates of the subject, company details including
full legal name, designation, country of incorporation and contact
details, subject's account number if appropriate and transaction
details and subject type such as subject, victim etc. A full reason
for any suspicion should also be provided.
4.4 Bulk transfers (via SAR Online) can include 300
to 400 SARs in one email (which is encrypted). The review team
were advised that ELMER would be unlikely to include duplicates
as this would only happen if the organisation submitted the information
4.5 SARs which are received via SAR Online are automatically
added to the ELMER database. An automatic keyword search identifies
those SARs which may require further investigation. Manual searches
can also be undertaken on the database as and when required.
4.6 The Proceeds of Crime Act requires that the regulated
sector and any entity (individual or corporate, regulated or unregulated)
that might otherwise be accused of committing one of the principal
money laundering offences not only report but also seek consent
from the designated authority (SOCA) to carry out a transaction.
This would be when there is a suspicion that they may be dealing
with the proceeds of crime and that to complete the transaction
could mean that a money laundering offence is committed.
4.7 Individuals and organisations can therefore avail
themselves of a defence against money laundering charges by seeking
the consent of SOCA to conduct a transaction or undertake an activity
about which they have concerns. The legislation gives SOCA seven
working days to respond. Although a transaction must not be carried
out until specific consent is received, in practice the assumption
is that if the reporter (or consent requestor) has not heard back
from SOCA within seven days consent can be assumed.
4.8 If consent is refused the transaction or activity
must not proceed for a further 31 calendar days ('moratorium'
period) with the intention that action will be taken by investigators
within that time. If consent is granted following the moratorium
period the transaction can progress and the reporter will have
a defence to any potential money laundering offences. Also, the
reporter will have a defence if the moratorium period expires
and no action has been taken and the reporter proceeds with the
transaction. SOCA advised that approximately 13,000 consent SARs
are received annually.
4.9 Access to ELMER by external agencies is through
the Moneyweb portal. The review team were shown how this works
in practice. Most records are accessible through the Moneyweb
portal although those which are considered to be particularly
sensitive are not available to view (such as terrorist financing
and those involving corrupt officials). Records only become accessible
after they have been on ELMER for seven days.
4.10 Currently 2,200 individual users have access
via Moneyweb. This is monitored and where, for example, an account
is not being used this would be reviewed. A Security Certificate
is issued when a user registers and this is renewed annually.
The Security Certificate is attached to the unique email address
which is registered to the account and therefore users are not
able to log in from their home address or indeed another organisation
or police force if they re-locate or change jobs. In these cases
they would need to re-register.
4.11 All organisations registering to use Moneyweb
sign a Partnership Agreement. This stipulates who will be eligible
to access the system, the type of training required, SOCA's responsibilities
and the responsibilities of the end user including confidentiality.
Partnership Agreements are signed at senior level.
4.12 Each organisation registering will have a SPOC
(Single Point of Contact) for the purposes of this work and they
report on the use of the system. SOCA also undertakes visits and
is in regular contact with the SPOCs. SOCA provides six monthly
feedback to users by way of the Feedback Questionnaire and also
monitors the activity of new users. SARs were reviewed by end
users through Moneyweb 362,229 times during the period January
to October 2010.
4.13 The Committee's report states that access to
ELMER is available to 'every police force in England and Wales,
Scotland, Northern Ireland, all of the national agencies that
have prosecution powers - HMRC, DWP, the Serious Fraud Office - together
with other agencies such as trading standards, and some county
every day there are over 1,500 trained and authorised
users across the country who as their core business are examining
SARs that relate to their own public duty. It is also used for
purposes unrelated to serious organised crime, such as ensuring
compliance with tax obligations. Nottinghamshire County Council
uses ELMER to investigate housing benefit fraud.'
4.14 The review team's findings suggest that access
is not in fact as wide as suggested in the report. The review
team were advised that no Local Authorities or Trading Standards
bodies have direct access to ELMER as yet although agencies that
have investigative and enforcement powers such as the Financial
Services Authority, Trading Standards Investigation Units and
local authorities' Fraud Investigation Units may request SAR derived
information from SOCA. These requests are risk assessed before
information is disclosed.
4.15 There is an electronic 'footprint' left on ELMER
when anyone has accessed a record. This applies both to internal
access and those accessing ELMER via Moneyweb. The 'audit' button
identifies who has accessed the record, when they have accessed
the record and what they have done with the record (such as printing
4.16 There is also a confidential hotline for the
reporting sectors to raise concerns about the inappropriate use
of SARs or breaches of SAR confidentiality. These are investigated
with the end user.
4.17 SARs are routinely shared with relevant police
forces based on location information. The SARs report is sent
as an intelligence package. A record is kept on ELMER of who the
SAR has been sent to. It is then left to the police force to decide
what action to take, if any. In any event users with direct access
are permitted to search, access and action SARs across the database
without relying on SOCA to share the information.
4.18 Information from ELMER can also be disclosed
internationally. Requests for SAR derived information from overseas
Financial Intelligence Units (FIUs) are managed through the Egmont
network which is a secure system. The Egmont Group is a forum
for national FIUs which aims to improve international cooperation
in the fight against money laundering and terrorist financing.
Membership of this group means that SOCA exchanges financial intelligence
with other members. Individual requests are generated through
the Egmont system and consideration is given to the request and
whether in fact any information can be disclosed. Information
will not be shared if the country is considered to be high risk.
International FIUs do not have direct access to ELMER. FIU.NET
is a restricted system for sharing information between FIUs but
is limited to EU members. SOCA has yet to fully exploit FIU.net.
The review team were advised that concerns about whether FIU.Net
meets UK standards for secure data exchange have now been resolved.
4.19 The Committee's report reflects the evidence
provided to it by SOCA that each SAR is assigned a deletion date
of ten years after receipt and is automatically deleted unless
it has been amended or updated in which case the deletion date
is reset to six years following that event. SOCA's evidence stated
that there is a procedure for earlier deletion of individual SARs
where all necessary activity relating to that SAR has been undertaken.
The report indicated that SOCA estimates that 20,880 SARs have
been permanently deleted from the database.
4.20 The review team queried the ten year retention
period and what the reasoning was for this. SOCA referred to previous
discussions in 1999 between the ICO (then the Data Protection
Registrar) ('the Registrar') and the National Criminal Intelligence
Service (NCIS) wherein the Registrar had reached an understanding
with NCIS on retaining records for up to six years. The data would
then be 'locked down' for a further four years. However, as mentioned
below, it seems that NCIS decided that, in practice, it was
not necessary to retain data beyond six years.
4.21 An internal NCIS memorandum dated 19 October
1999 entitled 'Procedures for deleting ELMER records' refers to
discussions with the Registrar and sets out a number of recommendations
in relation to when records should be deleted. It does state that
the deletion procedures for ELMER have yet to be formally documented
and agreed within NCIS but it is recognised that the rules for
deleting ELMER records needed to be formalised although it is
not clear whether this was ever done.
4.22 The recommendations were that two procedures
should be adopted. Firstly, if an LEA chooses the option 'funds
not linked to criminality' on the feedback form then the record
should be deleted immediately 'rather than stored for 6 years'.
This would be for those records where an investigation has been
undertaken and found that the funds are legitimate. Secondly,
it was recommended that all other records should be retained for
a period of six years. The six year period would be amended if
a record was updated or linked, from which point the six year
period would start again. There was also a recommendation made
to create an 'archiving' database which would allow for records
(stripped of their underlying data) to be stored for a further
four years after the six year period had expired. The 'archiving
database' seems to have been decided against as it was stated
that there appeared to be no benefit to having this functionality
if the purpose was only for statistical analysis. Lastly, there
was reference to printing out a daily report which would list
all records which had one month to run before the six year period
expired. This referred to reports being reviewed to determine
which records should be deleted or retained for longer. This option
was seen to be time consuming and burdensome but it was also acknowledged
in this memorandum that the DPA could be breached if records are
kept for longer than necessary.
4.23 It appears that SOCA's thinking on retention
periods developed still further over time. The policy in place
at the time of the review was that SARs would be deleted ten years
after receipt unless there was evidence of continuing law enforcement
interest in an individual SAR or more recent SARs could be linked
to it and in these cases the SAR would be retained for a further
six years. However, the capability to achieve this systematically
has not kept pace with the increase in numbers of SARs received
from 14,500 in 1999 to an estimated 250,000 in 2010. The review
team found that there was no mechanism built into the system to
allow 'blanket' deletion although individual cases can be deleted
in some circumstances such as when there are duplicates on the
system. The review team were advised that in 2011 ELMER is to
undergo a rebuild to improve the processing of SARs. A project
is underway to determine the requirements for the rebuild and
it is intended that the final design will include a more effective
automated deletion process that will enable SOCA to implement
deletion rules in a more proactive and flexible way. SOCA have
said that any deletion policy would need to take into account
the value of older SARs and the recognition that SARs provide
a defence in law to the reporter and may be subject to disclosure
in Court years after they were submitted.
4.24 The review team queried whether there was any
evidence of the value of data over time such as SARs being accessed
which had been on the system for, say, longer than five years.
It was explained by several SOCA staff that it was useful to retain
the data just in case a third party needed to prove that they
had submitted the SAR. There were two cases cited where it had
been useful to provide evidence to show that the organisation
had submitted the SAR. SOCA also provided evidence (below) to
show how many times SARs received in 2004 or earlier were accessed
by end users during each month in 2009 -
It should be noted that the table shows that the
records were 'hit' but does not provide any further detail than
that. It is possible that some of the aged hits may have occurred
when searching on similar names and not because of concerns about
unlawful activity by that person. It is notable that the number
of checks drops substantially when records are over seven years
4.25 The SARs Regime Committee was set up to supervise
SOCA's discharge of its responsibilities with regards to the SARs
Regime. The Regime Committee is a committee of the SOCA Board
and has terms of reference in place. The Regime Committee comprises
members from the reporting sectors, regulators, professional bodies
and from end users as well as the SOCA FIU management.
4.26 There is a comprehensive set of policies and
procedures governing the SARs regime which the review team has
had sight of.
4.27 The governance arrangements also include a substantial
number of documents which include the SARs Annual Report, Home
Office Guidance on the Handling and Confidentiality of SARs (HO
Circular 53/2005) and the twice yearly Feedback Questionnaire.
This provides a mechanism for the regular exchange of information
with end users/reporters.
5.1 The level of co-operation from staff at SOCA
was exemplary. All the staff the review team met were clearly
committed to the work that they do.
5.2 The review team found that there were many examples
of good practice. The automatic keyword search which is undertaken
when a SAR is received means that those SARs which could be of
concern are flagged up automatically. This helps alleviate concerns
about SARs going straight onto ELMER without consideration.
5.3 The review team also found that the proactive
sharing of SARs with relevant police forces was helpful to ensure
effective scrutiny of the records.
5.4 The security, policy and procedures in relation
to SAR Online appear sufficiently robust. Access to ELMER is tightly
controlled and unused accounts are reviewed and deleted if necessary.
Direct access to ELMER is also not as widespread as had first
5.5 The audit trail on ELMER was also reassuring.
Not only did the 'audit' facility indicate who had accessed a
particular record (both internally and externally) but it could
be seen what had happened to the record for example if it was
5.6 However, whilst those SARs of concern are flagged
and considered (either within SOCA or externally when divulged
to the relevant LEA) those that raise no concerns are in effect
retained indefinitely. This raises compliance concerns and the
review team were not satisfied that there was currently sufficient
evidence to support the long retention of SARs of no concern.
It was also clear that the current system does not support the
existing retention policy in practice.
5.7 There are several aspects of the operation of
ELMER which raise concerns about compliance with the Data Protection
Act. The first data protection principle states that personal
data shall be processed fairly and lawfully. Central to this is
the requirement that individuals have an understanding of how
their personal information will be processed by those who hold
it. The Commissioner is concerned whether these fair processing
requirements are being met in those cases of no concern retained
on a system indefinitely without the knowledge of those individuals
to whom those reports relate. The third principle requires that
personal data shall be adequate, relevant and not excessive. The
fifth principle requires that personal data should not be kept
for longer than is necessary. The Commissioner takes the view
that the current arrangements governing the retention of
records, particularly those records that raise no concerns, may
not comply with these requirements.
5.8 The first principle also requires that personal
data are processed fairly and lawfully. This lawful processing
element requires consideration of whether the processing of SARs
is compliant with other legal duties. SOCA is required to comply
with the provisions of the Human Rights Act 1998 which gives effect
in the UK to the European Convention on Human Rights. Article
8 of that Convention is engaged by the processing of SARs and
its provisions together with the jurisprudence of the European
Court of Human Rights (ECtHR). The retention of data on the ELMER
database engages concerns about whether this is an unjustified
interference with an individual's right to respect for their private
and family life, particularly taking into account the judgment of
the ECtHR in the 'S and Marper'
5.9 The retention of SARs which raise no ongoing
law enforcement concerns and the retention of these for an indefinite
period engage concerns about whether such retention is justified,
necessary and proportionate. It is difficult to conclude that
this is the case.
5.10 Given that compliance with ECHR obligations
is in question, this also calls into question whether such personal
data are lawfully processed in accordance with the requirements
of the first principle.
5.11 Further, apart from the Committee's Inquiry
there has been little in the way of post-legislative scrutiny
of the relevant legislation which introduced the requirement to
report suspicions to SOCA. The current law focuses on reporting
but there are no additional safeguards on the face of the legislation
to prevent the disproportionate retention or to prevent reporting
of cases likely to be of little or no interest. The Commissioner's
view is that any legislation which engages significant privacy
concerns should include on the face of it a requirement on the
Government to report to Parliament on how the measures have been
deployed including evidence of the extent to which the expected
benefits and possible risks have been realised in practice and
the continued need for the measures in question.
6. Recommendations on future action
6.1 The Commissioner makes a number of recommendations
to help ensure that the processing of personal data on the ELMER
database complies with the requirements of the Data Protection
Act and on the legislative approach to the reporting of suspicious
financial activity. These are set out below:
6.1.1 That SOCA continues to maintain its current
robust policies and procedures in respect of access to ELMER,
the automatic keyword search, the proactive sharing of SARs with
LEAs and the security of SAR Online. This will be particularly
important in the context of the proposed changes affecting SOCA
outlined in the Government's recent 'Policing in the 21st
6.1.2 That SOCA develops, implements and actively
manages a record retention and deletion policy which addresses
the requirements of the DPA and HRA on necessity and proportionality.
This policy should be developed in consultation with the Commissioner.
6.1.3 That SOCA develops a plan for the development
and implementation of a DPA and HRA compliant retention policy
within three months of the presentation of this report.
6.1.4 That SOCA ensures that the planned upgrade
of ELMER includes the functionality to support the new record
retention policy and that this is introduced during 2011.
6.1.5 That the Government considers whether, in the
light of experience, the current arrangements for reporting of
SARs continue to be justified, whether they are both effective
and proportionate and whether they could be improved. Consideration
should be given to whether there is a pressing social need to
justify the requirement to report any transaction which is based
on a very low threshold of suspicion that handling criminal property
or money laundering is taking place.
Annex 1: The Data Protection Principles
1. Personal data shall be processed fairly and lawfully
and, in particular, shall not be processed unless
(a) at least one of the conditions in Schedule
2 is met, and
(b) in the case of sensitive personal data, at
least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or
more specified and lawful purposes, and shall not be further processed
in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and
not excessive in relation to the purpose or purposes for which
they are processed.
4. Personal data shall be accurate and, where necessary,
kept up to date.
5. Personal data processed for any purpose or purposes
shall not be kept for longer than is necessary for that purpose
or those purposes.
6. Personal data shall be processed in accordance
with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures
shall be taken against unauthorised or unlawful processing of
personal data and against accidental loss or destruction of, or
damage to, personal data.
8. Personal data shall not be transferred to a country
or territory outside the European Economic Area unless that country
or territory ensures an adequate level of protection for the rights
and freedoms of data subjects in relation to the processing of
Annex 2: Relevant legislation
1. European Directives
(i) 91/308/EEC: Incorporated into UK law
via the Criminal Justice Act 1991, the Drug Trafficking Act 1994
and the Money Laundering Regulations 1993.
(ii) 2001/97/EC: Incorporated into UK law
via the Proceeds of Crime Act 2002 and the Money Laundering Regulations
(iii) 2005/60/EC: Incorporated into UK law
by the Money Laundering Regulations 2007, the Terrorism Act 2000
(Amendment) Regulations 2007 (TACT Regulations 2007), Proceeds
of Crime Act 2002 (Amendment) Regulations 2007 (POCA Regulations
2. Serious Organised Crime and Police Act 2005 (SOCPA): enacted
SOCA assuming responsibility for the national FIU.
3. Serious Crime Act 2007
4. Anti-Terrorism Crime & Security Act 2001
5. Counter Terrorism Act 2008
6. EU Regulation on Counter Proliferation Finance
16 SOCA Annual Report 2009
S and Marper v United Kingdom, judgment of 4 December 2008,
S and Marper v United Kingdom  ECHR 30562/04 [Grand Chamber]
(4 December 2008)