National Police Board INSTRUCTION 1 (10)

Transcription

1 National Police Board INSTRUCTION 1 (10) Date No 23 January /2012/66 Period of validity 1 February January 2017 Legal basis Section 4, Police Administration Act (110/1992) Sections 44 and 48, Act on the Processing of Personal Data by the Police (761/2003) Repeals Target groups The police IMPLEMENTATION OF A DATA SUBJECT S RIGHTS BY THE POLICE: RIGHT OF ACCESS, RECTIFICATION OF DATA AND PROVISION OF INFORMATION 1 Purpose and scope of application This instruction specifies the procedures for implementing the data subject s right of access to those data systems of the police on which provisions are laid down in the Act on the Processing of Personal Data by the Police (761/2003). Regarding the implementation of right of access to other personal data registers of the police administration, the procedure described in section 28 of the Personal Data Act (523/1999) should be followed. The instruction also specifies the procedure for rectifying erroneous data and the duty to provide information on the processing of data. This instruction complements the Order on file-keeping by the police (2020/2011/1423). 2 Descriptions of files and keeping them available Under section 10 of the Personal Data Act, the controller shall draw up a description of the personal data file, indicating: the name and the address of the controller and, where necessary, those of the representative of the controller the purpose of the processing of the personal data a description of the group or groups of data subjects and the data or data groups relating to them the regular destinations of disclosed data and whether data are transferred to countries outside the European Union or the European Economic Area a description of the principles in accordance to which the data file has been secured. The controller shall keep the description of the file available to anyone. This obligation may be derogated from, if necessary for the protection of national security, defence or public order and security, for the prevention or National Police Board Vuorikatu 20 A, P.O. Box 302, HELSINKI kirjaamo.poliisihallitus@poliisi.fi, Tel , Fax

2 National Police Board 2 (10) investigation of crime, or for a supervision task relating to taxation or public finances. Under section 18 of the Act on the Openness of Government Activities (621/1999), in order to create and realise good practice on information management, the authorities shall see to the appropriate availability, usability, protection, integrity and other matters of quality pertaining to documents and information management systems and, for this purpose, especially: 2) draw up and make available specifications on their information management systems and the public information contained therein, unless granting access to such information would be contrary to the provisions in section 24 or in some other Act (description of information system). Under section 24 of the Personal Data Act, when collecting personal data, the controller shall see to that the data subject can have information on the controller and, where necessary, the representative of the controller, on the purpose of the processing of the personal data, on the regular destinations of disclosed data, as well as on how to proceed in order to make use of the rights of the data subject in respect to the processing operation in question. This information shall be provided at the time of collection and recording of the data or, if the data are obtained from elsewhere than the data subject and intended for disclosure, at the latest at the time of first disclosure of data. Under section 43 of the Act on the Processing of Personal Data by the Police, when collecting personal data for the purpose of performing duties as referred to in section 1(3) of the Police Act, the police shall be mindful of their obligation to provide information under section 24(1) of the Personal Data Act. This obligation does not apply when the police are collecting, recording or supplying personal data necessary for the performance of duties as referred to in section 1(1) of the Police Act. As regards national personal data files of the police, the information provided under section 18 of the Act on the Openness of Government Activities and section 24 of the Personal Data Act are contained in the descriptions of files. In its letters (SM /Si-2, 1 December 1999; SM /Si-2, 23 March 2001 and SM /Si-2, 26 August 2002), the Ministry of the Interior Police Department issued police administration units instructions on keeping a Police Personal Data Registers folder available in order to ensure that each person exercising the right of access laid down in sections of the Personal Data Act and sections of the Act on the Processing of Personal Data by the Police will, in addition to fulfilling the obligations referred to in the legislation, be provided information on personal registers kept by the police as flexibly as possible. The police units have the duty to ensure that a Police Personal Data Registers folder is available at each customer service point of the police. The folder should contain up-to-date versions of the following: the Personal Data Act (523/1999) the Act on the Processing of Personal Data by the Police (761/2003)

3 National Police Board 3 (10) Order on file-keeping by the police instruction on implementing the data subject s rights by the police descriptions of files for national personal data files kept by the police descriptions of files for registers used by individual police units referred to in section 6(2) of the Act on the Processing of Personal Data by the Police, unless availability of the description of file has been restricted by law forms provided for using the right of access. The information security descriptions of national personal data files kept by the police can also be accessed at the national website of the police ( 3 Responsibilities The tasks and responsibilities, and persons to whom these responsibilities are assigned, associated with the keeping and maintaining the police administration s data systems are specified in the Order on file-keeping by the police (2020/2011/1423). This order obliges each police unit to appoint a person in charge of implementing the data subjects rights and an adequate number of deputies for him/her. The names, positions and telephone numbers of these persons should be recorded in the above-mentioned Police Personal Data Registers folder in the section reserved for it. 4 Procedures and restrictions of using the right of access Under section 26 of the Personal Data Act, regardless of secrecy provisions, everyone shall have the right of access, after having supplied sufficient search criteria, to the data on him/her or a child in his/her care in a personal data file, if such data is recorded in the personal data register and they concern the person having requested this information or a child in his/her care. A minor, or a person under 18 years of age, also has the right of access to personal data on him/herself, in the event that he or she, in consideration of his/her age, level of development and the nature of the matter, understands the significance of the issue. The right of self-determination of a minor and the fulfilment of the above criteria are assessed case by case. Basically, the right of access applies to minors aged 15 or over. The ultimate decision is made by a court of law. A guardian also has a right of access on behalf of his or her client in the event that using the right of access is included in the power of attorney given to the guardian. In addition to the right of access laid down in the Personal Data Act, it is also possible to request and obtain data under the right of access provisions in other legislation and on the conditions provided in these. These other provisions may give entitlement to more extensive rights of access than what can be obtained under the right of access provisions contained in the Personal Data Act. For example, it is also possible to

4 National Police Board 4 (10) 4.1 Submitting and receiving a request obtain data on other persons under the interested party s right of access laid down in the Act on the Openness of Government Activities, if these data may have a bearing on the interested party s interests, rights or duties. The authorities have the duty to provide advice and additional information on whether it is more appropriate to exercise the right of access under the Personal Data Act, or the right of access of an interested party under the Act on the Openness of Government Activities. Under section 44(2) of the Act on the Processing of Personal Data by the Police, when applying their right of access, data subjects shall present a request to this effect in person to the police and prove their identity. The data subject may bring an assistant with him/her. Specific forms have been designed to facilitate the implementation of the right of access. However, using the forms is not an absolute requirement for implementing the right of access. The request may also be made through some other document. The person receiving this form or other document at the police unit should ascertain the identity of the customer making the request and make an entry to that effect in the document. The request document must indicate the police data system or other personal data file kept by the police to which the data subject wishes to apply his/her right of access. If necessary, the data subject must be assisted in completing the document. Should he or she wish, the data subject applying the right of access must be provided information on descriptions of files, data groups recorded in the files and the logic of data processing. As regards other personal data files, the data subject should be directed to the relevant controller. A request concerning right of access should always be addressed to the relevant controller (company, authority, employer, organisation etc). The request for right of access is primarily received by the person in charge of register matters appointed to this task at the police unit. As the request document is received, if the right of access cannot be implemented immediately, the data subject must be informed of when and how he/she can have access to the data on him/her. The person responsible for registers should, without undue delay, give the data subject access to his/her data. If the data subject has not, within three months of making the request, received a written reply, this will be considered tantamount to refusing the right of access. The time limit referred to in this provision means the time during which the data subject having made the request must be replied. Providing the actual information may take longer than this. The giving of access may not take more than three months without particularly weighty reasons, as the data subject must be reserved the right of access to the data without undue delay. A copy of the document requesting the right of access will be kept by the police, and the original document will be handed over to the data subject after the right of access procedure has been completed. The police unit having implemented the right of access should keep the copies of request

5 National Police Board 5 (10) 4.2 Implementing the right of access 4.3 Restrictions to the right of access documents on file for two years from the date on which the right of access was implemented. Similarly, information on what register data the data subject was given access to must be kept. The right of access can be implemented at the controller s premises or at each district police department as regards the following registers: Data System for Police Matters Data System for Administrative Matters National Schengen Information System temporary or manually maintained personal data files for national use kept by the police Emergency Response Centre data system as regards police data Register of Aliens as regards police data When a request for right of access concerns the National Schengen Information System, the appointed person at the police department should contact in writing the persons in the National Bureau of Investigation listed in the information security description to ensure that the right of access is also implemented regarding the SIRENE office information system that is part of the National Schengen Information System. Under section 46 of the Act on the Processing of Personal Data by the Police, the European Police Office provides the data to be accessed from the Europol information system. A request to this effect shall be presented to a police department, which forwards the matter without delay for processing by the European Police Office. The police department shall notify the person submitting the request that the European Police Office will reply to him or her directly. Everyone also has the right to ask the Europol Joint Supervisory Body to verify that the collection, recording, processing and utilization by the European Police Office of personal data on themselves occur in a lawful and correct manner. A request to this effect shall be presented to a police department or the Data Protection Ombudsman, which shall forward the matter without delay for processing by the European Joint Supervisory Body. Everyone has the right to ask the Data Protection Ombudsman to verify that the recording and utilization of personal data on them in the Europol information system by the Europol national unit and its transmission to the European Police Office occur in a lawful manner and without violating the rights of the individual. For this purpose, the Data Protection Ombudsman has the right to have access to the Europol Information System at the premises of the Europol national unit and to the information recorded by the Europol national unit on transmission of data. Under section 45 of the Act on Processing of Personal Data by the Police, the data subjects themselves do not have a personal right of access to the data in the Suspect Data system, the Operational Data System of the

6 National Police Board 6 (10) Security Police, the Europol Data System nor in the National Schengen Information System in cases as referred to in Article 109(2) of the Schengen Convention, nor to classification, surveillance, modus operandi or information source data concerning persons or acts included in other police personal data files. At the request of the data subject, however, the Data Protection Ombudsman may examine the lawfulness of the data referred to above that is held on the data subject (=indirect / restricted right of access). A request to the Data Protection Ombudsman may be received at a district police department or at the controller s premises. When verifying the lawfulness of the file-keeping, the Data Protection Ombudsman will focus particular attention on the manner in which the data is processed, the necessity and correctness of the processed data, the recording date of the data and the possibility of implementing the data subject s rights. A response given to the data subject will not, however, disclose any data obtained during the verification process, in other words, not even whether or not the register contains data on the person having submitted the request. Classification, surveillance, modus operandi and information source data concerning persons or acts referred to in section 45(1) 5 of the Act on the Processing of Personal Data by the Police, to which the data subject him/herself has no right of access, are recorded in the Data System for Police Matters as follows: all personal data affecting the person s own safety or the occupational safety of the police data recorded in an apprehension warrant in order to conduct surveillance on a person information on persons under surveillance travelling in motor vehicles recorded in searched motor vehicles data data relevant to the safety in custody of the target person recorded in arrested person data modus operandi data of personal description data keywords, special characteristics, photographs, fingerprints and palm prints, DNA samples and their classification data as well as footprints data on information sources. Under section 27 of the Personal Data Act, there is no right of access if providing access to the data could compromise national security, defence or public order or security, or hinder the prevention or investigation of crime. The right of access also does not apply if providing access to the data would cause serious danger to the health or treatment of the data subject or to the rights of someone else. Data in a file are used solely for historical or scientific research or statistical purposes are also excluded from the right of access, similarly to cases where the personal data in the file are used in the carrying out of monitoring or inspection functions and not providing access to the information in indispensable in order to safeguard an important economic interest or financing position of Finland or the European Union.

7 National Police Board 7 (10) 4.4 Extent of access and personal scope The right of access of the data subject may only be restricted under section 27 of the Personal Data Act when it is necessary in individual cases to ensure that the conditions listed above are met. If the request for right of access concerns register data in cases where the investigation of the relevant case remains unfinished or the matter is otherwise open, the right of access is granted by permission of the head of investigation or his/her superior. As knowledge of a report having been recorded alone may obstruct the investigation of an offence, even this piece of information should not be disclosed without permission to a person exercising his/her right of access on a case that is under investigation. If, when the right of access is applied, it turns out that only part of the data in the register are excluded from right of access, the data subject however has the right of access to any other data recorded on him/her. Based on the right of access, everyone has the right to verify all data on him/herself recorded in a personal data file. The personal data file consists of all data collected for the same purpose, and data that are part of the same file may thus exist, for example, in an electronic format, in a physical folder or in an index system. The data may also be on a sound or video recording, and they may be in possession of different persons or otherwise at different locations. Despite of this, the right of access applies to all the data listed above, regardless of their format or location. If the data subject wishes to exercise his/her right of access to sound and video recordings, he/she must indicate the location and as exact a time as possible for when the recording was made, for example by means of a CCTV system, in order to find the data. Sometimes it may be necessary for the person submitting the request to attach his/her photograph. The right of access only concerns those images on the recording that show the person having requested for the information. Regarding investigation and executive assistance data in the Data System for Police Matters in particular, drawing a line between data that concern the person exercising the right of access and others may be difficult because, in addition to a conventional personal data file centred around persons, the system also is a register of cases. Several case categories and the data of several persons may be recorded under one report. As the right of access of the data subject is restricted to his/her own data and part (position and role) in the case, the personal data of all other persons recorded in the report must be removed from the information provided, for example by blanking it out. When assessing the scope, obligations related to processing personal identity codes, the significance of secrecy of addresses, telephone numbers and other details under section 24(1) paragraph 31 of the Act on the Openness of Government Activities, and the duties imposed by section 25 (4) of the Population Information Act (507/1993) on processing data subject to security restrictions should be taken into consideration.

8 National Police Board 8 (10) 4.5 Providing access for verification Data provided based on the right of access should be given to the data subject in an understandable format. Providing information means letting the data subject peruse the data (documents or printouts). On request, the data will be provided in writing. On request, the data can also be sent by post against acknowledgement of receipt, provided that the request has been submitted to the police in person. When providing information, it should also be noted that printouts from police personnel data files may contain abbreviations which must be explained to the data subject to avoid confusion. These abbreviations include the case status indications in the Data System for Police Matters; AV, TP, JP, SJÄ etc. For reasons of data security, any information that may identify the person having provided access to the data and the computer used must be removed from the documents. The data may not be shown to the data subject directly on a computer screen. If a data subject is refused access to the data, he or she must be issued a written certificate to this effect, also stating the reason for the refusal. After receiving a certificate of refusal, or if the data subject does not receive a written reply from the controller within three months of making a request, he or she may take the matter to the Data Security Ombudsman in writing. As a certificate of refusal, a police form designed for requesting for right of access may be used, or it may be drawn up as a separate document. A copy of the certificate must be kept on file similarly to the copy of the request document, for reasons of legal protection among others. Under section 40(2) of the Personal Data Act, the Data Protection Ombudsman shall decide matters relevant to the right of access brought to his/her attention by the data subject. Only a decision made by the Data Protection Ombudsman may be appealed under the provisions of the Administrative Judicial Procedure Act (586/1996). 4.6 Costs and payment accrual basis of right of access A fee may only be collected by the police for applying the right of access if less than one year has elapsed since the date of which the data subject most recently exercised his/her right of access. In observance of good governance, the data subject should be informed of any costs before exercising the right of access. Reasonable costs must be determined for the right of access, and they may not be in excess of the immediate costs incurred while providing the information. 5 Correcting, removing and complementing personal data recorded in a file Under section 9 of the Personal Data Act, the personal data processed must be necessary for the declared purpose, and they may not be

9 National Police Board 9 (10) erroneous, incomplete or obsolete. When collecting and otherwise processing personal data, the controller must ensure that the data is correct and, if necessary, correct the data on its own initiative. Each data subject has the right to demand that data on him/herself recorded in a personal file be corrected, if the data subject has found errors in them when accessing the data or otherwise. Under section 29(1) of the Personal Data Act, the controller shall, on its own initiative or at the request of the data subject, without undue delay rectify, erase or supplement personal data contained in its personal data file and erroneous, unnecessary, incomplete or obsolete data as regards the purpose of the processing, The controller shall also prevent the dissemination of such data, if this could compromise the protection of the privacy of the data subject or his/her rights. Under section 27 of the Act on the Processing of Personal Data by the Police, information found to be incorrect may be retained if this is necessary for safeguarding the rights of the data subject, another party involved or police personnel, however not in the National Schengen Information System. Such information may only be used for the stated purpose of safeguarding rights. The controller does not have a duty to correct data in the personal data file if, in the controller s opinion, this data are not erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing. The correctness and necessity of the data are evaluated based on the date on which they were recorded. In that case, the controller should issue the data subject a written certificate of refusal, which also shows the reasons for which the request was rejected. If the controller does not approve of the request to correct data, the data subject may request that the Data Protection Ombudsman issue an order to the controller to correct the data. A demand to this effect concerning the national personal data files of the police submitted by a data subject must be received at any police unit. The demand, details of the person submitting it and any documents at hand that may be needed for resolving the issue must be forwarded without delay to the controller at the supreme police command (National Police Board, Technology Unit, P.O. Box 302, Helsinki). At the time of submission, the data subject submitting the demand should be explained that the police supreme command as the controller will reply to him/her directly. A demand based on a file kept by an individual unit must be addressed directly to the controller (the unit having set up the file), which will reply to the data subject. National Police Commissioner Mikko Paatero Director of Technology Pirkko Paavola-Häggblom

10 National Police Board 10 (10) APPENDICES DISTRIBUTION FOR INFORMATION Appendix 1, Police administration s data systems and file-keeping National Police Board units National Bureau of Investigation National Traffic Police Security Police Police Technical Centre Police College of Finland Police departments ICT Agency HALTIK Ministry of the Interior Police Department Office of the Data Protection Ombudsman SEITTI Internet