The Protection of Freedoms Act 2012

As usual, what sounds like a good measure rapidly fades away when you start to look at the detail. Lawyers insert so many caveats that the legislation becomes almost meaningless. George Orwell just got the date wrong. It wasn’t 1984. The Ministry of Truth just told lies, for example. A glance at the Government’s take on this reveals that wheel clamping is to be outlawed which sounds great but it fails to tell you that instead you will have to provide the name of the driver to private parking companies if you overstay at one of their car parks  - and pay their ‘fine’ if you don’t and on average this is now over £100. The main areas covered by this misnamed legislation are listed below. For details, the Act may be found on


The PoF Act sets out new laws governing the retention and destruction of DNA, footwear impressions and fingerprint profiles of suspected and convicted criminals. Last year the UK's Supreme Court ruled that police guidelines that allowed DNA samples taken during criminal investigations to be retained indefinitely were unlawful because it violated individuals' rights to privacy as guaranteed by human rights laws.

DNA and fingerprint samples can be retained "indefinitely" under the PoF Act in select circumstances, including where arrested suspects have been guilty of a serious crime previously. If those arrested suspects have no such previous conviction, their data must be destroyed after a three year period. Police can ask a district judge to issue an order enabling them to retain the information for a further two years, although this request can be appealed against.

The PoF Act requires that DNA or fingerprint samples must be destroyed if, "it appears to the responsible chief officer of police that, "it has been gathered unlawfully or from a third-party person in connection with a suspected criminal's arrest where the arrest was unlawful or based on mistaken identity”.

However, DNA or fingerprint profile details can be retained beyond the expiry of retention periods for national security purposes unless a Biometrics Commissioner decides that it is "not necessary" for those purposes that the information is retained. The Human Rights Joint Committee had criticised this clause in its scrutiny of the draft PoF proposals.

The Committee had said the clause would, "create a broad, 'catch all' discretion for the police to authorise the retention of material indefinitely for reasons of national security." There had, at that point, been no, "justification" why the power was, "necessary and proportionate", it had said.

There will also be a, ‘National DNA Database Strategy Board’.

So what at first glance appears to be a genuine attempt to protect our freedoms has so many ‘get out’ clauses that little will change.


Schools and further education bodies will not always need parents' consent in order to legitimately process 'biometric data' about children under the new laws.

Schools and further education bodies will be able to process, "physical or behavioural characteristics or features" about a child and store the information in a system that can be used to match automatically those traits to verify individuals' identity. The precise data processed and collected may relate to individuals' skin patterns, features of their eyes or about their voice and handwriting techniques, according to the Act.

So the Act legitimises many of the things which people have been complaining about. The ultimate aim, of course, is to gather as much information as possible on everyone because the more information the Government has, the more it can control you. And what better place to start than in schools?

Although the Act requires that parents generally be notified about the schools or bodies' intentions to process biometric data about their children and obtain consent from at least one parent to conduct the activity, there are exceptions where processing can go ahead without parental consent.

Those exceptions include if a parent cannot be found, if they lack mental capacity to consent or if parents cannot be contacted for child welfare reasons, but also if, "it is otherwise not reasonably practicable to notify the parent or (as the case may be) obtain the consent of the parent." As usual, we find the weasel words which effective mean that schools can do whatever they like.

In scrutinising a draft of the PoF laws last autumn a Parliamentary Committee recommended that the 'reasonably practicable' clause be removed from the final version because they deemed it, "unnecessarily weakened" the requirement to obtain parent consent. That is precisely why it was left in, of course.

The Human Rights Joint Committee had recommended that children of, "sufficient maturity" be able to decide for themselves whether their biometric information should be processed. Under the PoF Act schools and education bodies must not process a child's biometric data if that child objects to the activity, even if parental consent has been obtained.


Part 2 of the Act obliges the Secretary of State to establish a code of practice for surveillance camera systems. That code is to be enforced by a newly created Surveillance Camera Commissioner. CCTV and automatic number plate recognition systems are already commonplace in business parks and shopping centres but the Act does not currently apply to privately owned cameras.

During the drafting of the Act however, there was discussion that Part 2 could be extended to include progressively more cameras. In this context it is interesting to note that section 33(5)(k) allows the Secretary of State to expand the reach of the provisions by widening the definition of relevant authority to include, "any person specified or described by the Secretary of State" by statutory instrument.

So, once again we see that the Secretary of State is granted wide powers to do as he pleases.

Wheel clamping and parking

Whilst outlawing wheel clamping (though not completely), the Act gives unprecedented power to private parking companies (PPCs). The registered keeper of a vehicle (as recorded at DVLA) is required to pay any charge demanded by the parking company or to name the driver if the registered keeper was not the driver. However, in order to pursue the charge, the parking companies must comply with numerous conditions.

If you do not wish to provide the name and address of the driver (and there is no legal obligation to do so), the PPC must have complied with all of the following procedural steps in order to be able to recover the parking charge from you. If you know that the PPC has failed to follow the steps below, then you can choose to decline to give the driver’s details with impunity; the choice is yours. If you do choose to decline you should advise the PPC just where it has failed to comply with PoFA, but after the end of the period for service of the notice to keeper. If you were to advise the PPC too early then the PPC can re-serve the notice to keeper which is compliant with the Act.

1. The vehicle must not have been stolen at the time that the parking charges were incurred. You must provide the PPC with evidence that it had been stolen – if it has.

2. From the date you receive a, ‘Notice to Keeper’, no action may be taken against you until at least 28 days have elapsed. (During that time you can either pay the charge, appeal or provide the name and address of the driver).

3. No more may be recovered from you than is specified in the, ‘Notice to Keeper’ (less any payments made towards the unpaid Parking Charges).

4. The creditor (person entitled to recover the parking charge – the PPC) must have a contractual right to recover the parking charge from the driver and must be unaware of the name and current address of that driver.

5. Either

a. The driver received what the Protection of Freedoms Act 2012 calls a, ‘Notice to Driver’ (parking ticket) , at the time the vehicle was stationary in the car park, followed by the, ‘Notice to Keeper’, both of which must comply with the requirements of the Protection of Freedoms Act 2012 (see below); or

b. Where a ‘Notice to Driver’ was not served because of the use of automatic number plate recognition (ANPR), then just a, ‘Notice to Keeper’ has been served on you.


6. The Creditor (PPC) or its agent must have made application to the DVLA for your name and address either:


a. NOT EARLIER than 28 days after the vehicle was parked (where a, ‘Notice to Driver’ was issued); or


b. NOT LATER than 14 days after the vehicle was parked (where a, ‘Notice to Driver’ was not issued)


7. Any requirements of any Regulations made under paragraph 12 of Schedule 4 of the Protection of Freedoms Act 2012 have been met (as to display of notices in the car park). No such Regulations have been made as at February 2013.

8. Subject to Schedule 4 of the Protection of Freedoms Act 2012 where the vehicle was hired and the hire agreement includes an obligation on the hirer to pay all parking charges, if the hire company provides evidence of that liability to the Creditor within 28 days of the service of the Notice to Keeper, together with the name and address of the driver, then the hire company shall not be liable for the parking charges.

Regulation of Investigatory Powers Act (RIPA)

The Government stated that it, "will ban the use of powers in the Regulation of Investigatory Powers Act (RIPA) by councils, unless they are signed off by a magistrate and required for stopping serious crime".

RIPA was designed to regulate the use of investigatory powers and to satisfy the requirements of the ECHR on its incorporation into UK law by the Human Rights Act 1998. RIPA regulates the use of a number of covert investigatory techniques, not all of which are available to local authorities. The three types of technique available to local authorities are: the acquisition and disclosure of communications data (such as telephone billing information or subscriber details); directed surveillance (covert surveillance of individuals in public places); and covert human intelligence sources ("CHIS") (such as the deployment of undercover officers). Local authorities sometimes need to use covert techniques in support of their statutory functions. They, not the police, are responsible for enforcing the law in areas such as: environmental crime; consumer scams; loan sharks; taxi cab regulation; underage sales of knives, alcohol, solvents and tobacco; and the employment of minors. The communications data powers are primarily used by local authorities to target rogue traders (where a mobile phone number can be the only intelligence lead). Directed surveillance powers are used in benefit fraud cases and to tackle anti-social behaviour (in partnership with the police), while CHIS and directed surveillance techniques are used in test purchase operations to investigate the sale of tobacco, alcohol and other age-restricted products.

RIPA sets out the specified grounds for authorising the acquisition and disclosure of communications data and specifies the grounds for which authorisations can be granted for carrying out directed surveillance and for the use of CHIS. At present, authorisations for the use of these techniques are granted internally by a member of staff in a local authority (who must be of at least Director, Head of Service, Service Manager or equivalent grade), and are not subject to any independent approval mechanism. The use of these covert techniques under RIPA is subject to codes of practice made by the Home Secretary. The Chief Surveillance Commissioner is responsible for overseeing local authorities’ use of directed surveillance and CHIS, whilst the Interception of Communications Commissioner has similar responsibilities in respect of local authorities’ use of their powers in respect of the acquisition and disclosure of communications data. The Investigatory Powers Tribunal, established under section 65 of RIPA, investigates complaints about anything that a complainant believes has taken place against them, their property or communications which would fall to be regulated under RIPA.

The review of counter-terrorism and security powers considered the use of RIPA powers by local authorities following concerns that they have been using directed surveillance techniques in less serious investigations, for example, to tackle dog fouling or checking an individual resides in a school catchment area. The review concluded that the use of directed surveillance powers by local authorities should be subject to a seriousness threshold and that the use of all three techniques by local authorities should be subject to a Magistrate’s approval mechanism. The seriousness threshold will restrict local authority use of directed surveillance to the investigation of offences which attract a maximum custodial sentence of six months or more or which involve underage sales of alcohol and tobacco. The threshold will be introduced through an order made under section 30(3)(b) of RIPA; the Magistrate’s approval mechanism will be enacted (in Scotland approval will be granted by a sheriff’s court).

Powers of entry - protection of property from disproportionate enforcement action

This section was introduced because of the aggressive actions of bailiffs.

A power of entry is a right for a person (usually a state official of a specified description, for example, police officers, local authority trading standards officers, or the enforcement staff of a regulatory body) to enter into a private dwelling, business premises, land or vehicles (or a combination of these) for defined purposes (for example, to search for and seize evidence as part of an investigation, or to inspect the premises to ascertain whether regulatory requirements have been complied with). There are around 1200 separate powers of entry contained in both primary and secondary legislation.

The Disclosure and Barring Service (DBS)

This Service combines the Criminal Records Bureau which destroyed the lives of only a thousand or so people each year by its incompetence; a thousand that we know about. Many people may have lost jobs or not obtained new jobs because of mistakes by the CRB. Now it has been combined with the Independent Safeguarding Authority which kept changing the rules so they hadn’t much of an idea what they were supposed to be doing either.

This is what the Service itself has to say:

The DBS searches police records and, in relevant cases, barred list information, and then issues a DBS certificate to the applicant and employer to help them make an informed recruitment decision.

DBS checks are only available where an employer is entitled to ask exempted questions under the Exceptions Order to the Rehabilitation of Offenders Act (ROA) 1974 (Opens in a new window). The Exceptions Order acts as the gateway for access to the DBS checking service and lists those occupations, professions and positions considered to be exempt from the ROA.

The checking service currently offers two levels of DBS check; standard and enhanced. The order allows for applications to be submitted to a standard level. To qualify for the higher level of DBS check, the position must also meet one of the criteria set out in The Police Act 1997 (Opens in a new window) (Criminal Records) Regulations.

The DBS recognises that information released on DBS certificates can be extremely sensitive and personal. Therefore a code of practice for recipients of DBS certificates has been developed to ensure that any information they contain is handled fairly and used properly.

The legislative changes that amend the Safeguarding Vulnerable Groups Act 2006 (Opens in a new window) (SVGA) and the Police Act 1997 regulations, which the DBS checking service is based on, were introduced through the Protection of Freedoms Act 2012 (POFA).


Part of the role of the DBS is to help prevent unsuitable people from working with vulnerable groups including children. Referrals are made to the DBS when an employer or an organisation, for example, a regulatory body, has concerns that a person has caused harm or poses a future risk of harm to vulnerable groups including children. In these circumstances the employer legally must or regulatory body may, make a referral to the DBS. The range of groups that are required or empowered under the SVGA to make referrals are:

  • regulated activity providers (employers and volunteer managers)
  • personnel suppliers
  • local authorities
  • education and library boards (NI)
  • health and social care (HSC) trusts (NI)
  • keepers of registers e.g. General Medical Council, Nursing and Midwifery Council supervisory authorities e.g. Care Quality Commission, Ofsted


The DBS is committed to ensuring that we make fair, consistent and thorough barring decisions that are an appropriate response to the harm that has occurred and to the risk of harm posed. We are keenly aware of the impact barring or not barring a person can have both to the person referred and also those with whom they have or could have come into contact with. Often very difficult and finely balanced decisions have to be made.

There are two main ways cases come to us:

1) Autobars - there are two types of automatic barring cases where a person has been cautioned or convicted for a 'relevant offence': automatic barring without representations offences will result in the person being placed in a barred list(s) by the DBS irrespective of whether they work in regulated activity; while automatic barring with representations offences may, subject to the consideration of representations and whether the person has a link to regulated activity, result in the person being placed in a barred list(s) by the DBS


2) referrals from an organisation that has a legal duty or power to make referrals to DBS: typically there is a duty, in certain circumstances, on employers to make a referral to the DBS when they have dismissed or removed an employee from working in regulated activity, following harm to a child or vulnerable adult or where there is a risk of harm

A new test for regulated activity has been introduced which means the DBS can only bar a person from working within regulated activity with children or adults if we believe the person is or has been, or might in the future be, engaged in regulated activity. The only exception to this is where a person is cautioned or convicted for a relevant (automatic barring) offence and is not eligible to submit representations against their inclusion in a barred list.

Additionally, where a person is cautioned or convicted of a relevant (automatic barring) offence with the right to make representations, the DBS will ask the person to submit their representations and consider them before making a final barring decision.

Making barring decisions

The DBS makes its decisions using barring decision-making processes specifically developed for this use and approved by the DBS Board. The DBS Board is ultimately responsible for all the decisions made by the DBS.

Our barring decision-making processes for considering discretionary (non-automatic barring) cases have been developed to ensure all DBS decisions are fair, consistent and thorough. The typical process has five decision-making stages. At each stage a decision is required for the case to progress to the next stage. If the criteria for the case to progress to the next stage are not met, the case is closed and no further action taken. However, where appropriate the DBS retains the information, subject to its Data Retention Policy.

Isn’t it amazing how complicated the civil servants can make it? Of course, the more complicated it is, the more work there is for them and the bigger they can build their empires.

Data Protection

There is a small change to the Data Protection Act which allows ‘data sets’ to be disclosed. These would be databases or spreadsheets capable of manipulation.

Other Provisions

There are over 200 areas covered by the Act including deregulating the times people can get married and anti-terrorism legislation – too much to cover here and not particularly relevant to data protection. The Act may be seen in all its glory at:

The Protection of Freedoms Act could hardly be less aptly named. It really means freedom for the State to interfere in our lives even more.