(1) The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair.
(2) The processing of personal data for any of the law enforcement purposes is lawful only if and to the extent that it is based on law and either -
(a) the data subject has given consent to the processing for that purpose, or
(b) the processing is necessary for the performance of a task carried out for that purpose by a competent authority.
(3) In addition, where the processing for any of the law enforcement purposes is sensitive processing, the processing is permitted only in the two cases set out in subsections (4) and (5).
(4) The first case is where -
(a) the data subject has given consent to the processing for the law enforcement purpose as mentioned in subsection (2)(a), and
(b) at the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).
(5) The second case is where -
…