Data Protection. Standard Operating Procedure

Transcription

1 Data Protection Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not be utilised as guidance or instruction by any police officer or employee as it may have been redacted due to legal exemptions Owning Department: Version Number: Information Management 3.00 Date Published: 07/11/2017 Version 3.00

2 Compliance Record Equality and Human Rights Impact Assessment (EqHRIA) Date Completed / Reviewed: Information Management Compliant: Health and Safety Compliant: Publication Scheme Compliant: 26/07/2017 Yes Yes Yes Version Control Table Version History of Amendments Approval Date 1.00 Initial approved version 14/03/ No change to content, updated to new template. 04/11/ Cyclical review. SOP fully rewritten. 06/11/2017 Please Note: Version 3.00 of the Data Protection SOP contains changes so significant from that published as v2.00 dated 04/11/2016 that it should be regarded as having been completely revised. Consequently, changes from v2.00 are not highlighted in yellow and readers should therefore take care to read all sections when referring to this document. Version

3 Contents 1. Purpose 2. Background 3. Criminal Offences under the Data Protection Act Purposes for which Personal Data are Processed 5. Accessing Police Scotland Systems 5.1 Personal Data within Police Scotland Systems to which Access is Permitted 5.2 Personal Data within Police Scotland Systems to which Access is not Permitted 5.3 Personal Data Accessed Through Normal Working Practices 6. Disclosure of Personal Data Held Within Police Scotland Systems 7. Action Taken on Suspected Breaches of the Act Section Concerns Regarding Conduct of Others 9. How Officers and Staff Can Obtain Their Personal Data held by Police Scotland 10. Further Advice and Guidance Appendices Appendix A Appendix B Appendix C Appendix D Appendix E List of Associated Legislation List of Associated Reference Documents List of Associated Forms Glossary of Terms Contact Details Version

4 1. Purpose 1.1 This Standard Operating Procedure (SOP) supports the following Police Service of Scotland, (hereafter referred to as Police Scotland), policies for Data Protection Employee Relations 1.2 The purpose of this document is to provide all officers and staff of Police Scotland with clear guidance on the correct use of the personal data held, examples of misuse and details of the offences under the Data Protection Act 1998 (the Act) that can be committed when personal data are misused. 2. Background 2.1 All officers and staff are bound by the Data Protection Act 1998, Human Rights Act 1998 and the Computer Misuse Act It is the responsibility of all officers and staff to comply with all SOPs and policies which underpin compliance with these Acts. These are listed in Appendix B. 2.3 All personal data held by Police Scotland are governed by the Act. All officers and staff are responsible for ensuring that the personal data they process are dealt with in accordance with the Act. Personal data must be accessed, used, disclosed and retained in accordance with the specified business procedures relating to the individual roles of officers and staff. 2.4 To understand their responsibilities it is necessary for officers and staff to be familiar with certain terms within the Act. These are: data controller a data controller decides the purposes for which, and the manner in which personal data will be processed. (See the definition of processing below.) The Chief Constable is the data controller for all the personal data held by Police Scotland. personal data data which relate to a living individual who can be identified in any way from that data, or from that data when linked to any other information held and which identifies an individual. This can apply when statistical data are merged. It also applies to vehicle registrations and other numerical references e.g. Police National Computer Identification (PNC ID), Criminal History System (CHS) number, the System to Co-ordinate Personnel and Establishment (SCoPE) Police Scotland Identifier (PSI) or other Unique Reference Number (URN). data subject an individual who is the subject of personal data. Version

5 processing (in relation to personal data) includes accessing, sharing, obtaining, recording, retaining, retrieving, altering, consulting, using and disclosing personal data and relates to personal data held in any form, e.g. images, digital or electronic or hard copy. The definition means that anything done with personal data held by Police Scotland must be dealt with in accordance with the provisions of the Act. 3. Criminal Offences under the Data Protection Act It is an offence under Section 55 of the Act, for a person to knowingly or recklessly, without the consent of the data controller to: a) obtain or disclose personal data or the information contained within personal data, or b) procure the disclosure to another person of the information contained in personal data. 3.2 It is also an offence to sell or offer to sell personal data obtained in contravention of the above section of the Act. 3.3 It is a common misconception that it is only unauthorised disclosure of personal data which is an offence. However, unauthorised accessing of personal data is also an offence, even if no subsequent disclosure is made. 3.4 Section 5.2 below provides guidance on what constitutes unauthorised access. 3.5 Section 6 provides information on what constitutes unauthorised disclosure of personal data. 3.6 All suspected breaches of the Act will be reported to the Crown Office and Procurator Fiscal Service (COPFS), or dealt with in accordance with agreed protocols. See Section Purposes for which Personal Data are Processed 4.1 Personal data are processed by Police Scotland for: all aspects of policing the provision of services to support policing the provision of administration and ancillary support to policing. 4.2 To view these in detail, see the Police Scotland notification on the Information Commissioner's website. 4.3 All officers and staff will receive training specific to the relevant systems and processes they use and may consist of on the job training. Version

6 5. Accessing Police Scotland Systems 5.1 Personal Data within Police Scotland Systems to which Access is Permitted Access to personal data within Police systems, whether held electronically or in manual records is permitted by the Chief Constable to enable officers and staff to carry out their specific roles within their business areas The permission to access a system extends only to the specific records within that system which need to be accessed to allow officers and staff to carry out their role Certain officers and staff, as part of their specific roles are permitted to access records of other employees of Police Scotland. Examples of these are, Anti Corruption Unit (ACU), Information Management (IM) Professional Standards Department (PSD), People and Development (P&D), and Information Communications Technology (ICT) In all such cases, the access is limited to those records necessary for the purpose of carrying out the duties of the role Officers and staff may access their own SCoPE record and the SCoPE records for other personnel within Police Scotland for whom they have management responsibilities or when required for P&D or for administrative or business purposes. 5.2 Personal Data within Police Scotland Systems to which Access is Not Permitted Officers and staff do not have permission to access any record which is not necessary for the purposes of their job role. Accessing such records may constitute a criminal offence. (See section 3). Such records include: records of people known to them through their personal life*, even if requested to by such a person; (see also paragraph 5.3 below relating to accessing such records through the normal course of the job role) records to trace a person, vehicle or address for personal reasons, records of any other police employee including their own; (but see 5.1 above) accessing any record out of curiosity, or due to an interest in a specific type of case, e.g. sexual or violent, or because a case is high profile *The term personal life relates to their life outside the Force but is not intended to include a person with whom officers and staff have a passing acquaintance. It is not a chance meeting with a person which may be repeated from time to time. Version

7 5.2.3 Subject to paragraph below, officers and staff should not be allowed to be involved in an investigation relating to anyone known to them through their personal life, except in the role of a witness if necessary, and under no circumstances should they attempt to access the records of the investigation Accessing records contrary to the instructions above may constitute a criminal offence and will be investigated by PSD Should it be necessary for an officer to be involved in an investigation of a person known to them through their personal life, e.g. where no other officer is available, the relevant supervisor must allocate the investigation to another officer as soon as possible. In any cases of doubt, guidance should be sought from PSD/ACU Any unsuccessful unauthorised attempts to access data will be considered a breach of professional behaviour and may be investigated under the relevant conduct/disciplinary procedures. This includes attempts to access data (i.e. searches) where there is no record in existence, access to the record has been restricted or access was unsuccessful for any other reason. Police Scotland has the ability and right to monitor access or attempts to access the data it holds These controls are not designed to restrict officers and staff from performing their roles. A reasonable test to apply is to ask Taking account of the instructions within this document, can I justify accessing this record for a specific lawful purpose? If there is any doubt, then do not access the record. Instead guidance should be sought from the relevant line manager, IM, PSD or ACU. The contact details are in Appendix E. 5.3 Personal Data Accessed Through Normal Working Practices If during the course of carrying out their role, an officer or member of staff discovers that they have accessed the record of an individual known to them through their personal life, they must immediately log out of the record relating to that person, bring it to the attention of their supervisor, and provide them with evidence in support of why the record was accessed. The supervisor will then take action as in paragraph and The exception to this is when accessing the information is necessary for an ongoing incident or emergency, and the supervisor must be notified immediately after the event This action is necessary for the protection of the individual officer or member of staff should there be any question of why the record was accessed The supervisor should keep a record of the report and can seek advice from PSD if required. Version

8 5.3.4 The supervisor must allocate the work to another officer or member of staff unless it is not possible due to exceptional circumstances, e.g. there is no one else available to whom the work can be allocated. Permission to continue with the work must be authorised by an officer not below the rank of at least Inspector or by a senior police staff manager not below Band G and at least one rank/grade above the individual concerned. The authorisation must be recorded and available in an auditable format. 6. Disclosure of Personal Data held within Police Scotland Systems 6.1 Information must only be disclosed when it is lawful to do so. 6.2 Officers and staff will be trained for their roles (see paragraph 4.3) and this will include guidance, when relevant to the role, on sharing information routinely with a variety of external bodies/partner organisations such as Local Authorities. 6.3 When there is any question or doubt as to whether the information should be shared, advice must be sought from the relevant supervisor or Information Management. It must not be assumed that because an external body/partner asks for the information, that they are entitled to have it. Further guidance can be obtained from the Information Sharing Protocols SOP. 6.4 The Data Protection Act does not apply to the personal data of the deceased, but it does apply to the living relatives of, or other people who had been involved with the deceased. Care must be taken therefore not to breach the Act by making unlawful disclosures regarding these persons when making disclosures relating to a deceased person Unlawful disclosure of personal data is that which is made knowingly or recklessly and without the consent of the data controller. For example, a disclosure which does not form part of a business process, or is made to a person who is not authorised to have it, (such as a disclosure of an investigation to the person under investigation) is a criminal offence and therefore strictly forbidden. 7. Action Taken on Suspected Breaches of the Act Section All suspected breaches of the Data Protection Act, (either unlawful access or disclosure) will either be: reported to the Crown Office and Procurator Fiscal Service (COPFS) Complaints about the Police Department (CAAPD) or will be dealt with in accordance with agreed protocols. Version

9 If referred to COPFS, CAAPD will decide whether there are to be criminal proceedings. 7.2 For officers below the rank of Assistant Chief Constable, regardless of whether COPFS decides to prosecute, a breach of the Act can also constitute a breach of the Standards of Professional Behaviour and amount to misconduct or gross misconduct. Any such breach will be referred to PSD for consideration of conduct proceedings under the relevant legislation. The regulations to which this paragraph relates are: The Police (Conduct) (Scotland) Regulations 1996, The Police Service of Scotland (Conduct) Regulations 2013, and/or The Police Service of Scotland (Conduct) Regulations For senior officers, i.e. Assistant Chief Constable, Deputy Chief Constable and Chief Constable, a breach of the Act can also constitute a breach of the Standards of Professional Behaviour and amount to misconduct or gross misconduct and will be dealt with in accordance with the relevant legislation, i.e. The Police (Conduct) (Senior Officers) (Scotland) Regulations 1996, The Police (Conduct) (Senior Officers) (Scotland) Regulations 1999 The Police Service of Scotland (Senior Officers) (Conduct) Regulations For police staff a breach of the Act can also constitute a breach of the Disciplinary SOP and/or the Code of Conduct. Any breach of the Code of Conduct will be investigated and assessed, and considered in line with the Disciplinary SOP. 7.5 Any breach may also be reported to the Information Commissioner s Office (ICO) in accordance with the ICO guidance. 8. Concerns Regarding Conduct of Others 8.1 If an officer or member of staff has any concerns regarding the conduct of a colleague or a person known to them through their personal life, they must not access/attempt to access any records of that individual but instead they can use any of the following channels to report them: through line management channels; directly to ACU or PSD; through the Integrity Matters link on the intranet which also provides guidance on what should be reported. This can be done anonymously if preferred; through Crimestoppers. Version

10 9. How Officers and Staff can obtain their Personal Data held by Police Scotland 9.1 As already stated, officers and staff can access their own SCoPE record. If however they want to know what other personal data is held by Police Scotland in relation to them they can obtain it by making a Subject Access Request (SAR) using Police Scotland Form and submitting it to the e- mail address on the form. 9.2 There is no charge for providing information to an officer or member of staff if it relates to them as an employee of Police Scotland, e.g. information held by ACU, P&D or PSD. If however the request relates to personal data which may be held on Police systems such as PNC, CHS or other crime systems, a fee of will be required. 9.3 Guidance on how to make a SAR is on the Police Scotland website. Further information can also be obtained from IM. Contact details are in Appendix E. 10. Further Advice and Guidance Further advice and guidance regarding the contents of this SOP can be obtained from IM, ACU or PSD. Contact details are in Appendix E. Version

11 Appendix A List of Associated Legislation The Data Protection Act 1998 The Police (Conduct) (Scotland) Regulations 1996 The Police Service of Scotland (Conduct) Regulations 2013 The Police Service of Scotland (Conduct) Regulations 2014 The Police (Conduct) (Senior Officers) (Scotland) Regulations 1996 The Police (Conduct) (Senior Officers) (Scotland) Regulations 1999 The Police Service of Scotland (Senior Officers) (Conduct) Regulations 2013 The Human Rights Act 1998 Public Records (Scotland) Act 2011 Version

12 Appendix B Policies Data Protection Policy Employee Relations Policy List of Associated Reference Documents Standard Operating Procedures and Internet Security SOP Government Protective Marking Scheme (GPMS) SOP ICT User Access Security SOP Information Security SOP IT Security SOP Record Retention SOP Secure Disposal and Destruction of Data SOP Requests for Personal Information from External Bodies SOP Information Sharing Protocols SOP ICT Acceptable Use of Computer Systems SOP Mobile Data and Remote Working SOP Security Incident Reporting and Management SOP Disciplinary SOP Guidance Code of Conduct Version

13 Appendix C List of Associated Forms Subject Access Request Form Version

14 Appendix D Glossary of Terms ACU Anti Corruption Unit CHS Criminal History System COPFS Crown Office and Procurator Fiscal Service FOI Freedom of Information ICT Information Communications Technology IM Information Management P&D People and Development PNC Police National Computer PSD Professional Standards Department PSI Police Scotland Identifier SAR Subject Access Request SCoPE System to Co-ordinate Personnel and Establishment SID Scottish Intelligence Database SOP Standard Operating Procedure The Act The Data Protection Act 1998 URN Unique Reference Number Version

15 Appendix E Contact Details Information has been removed due to its content being exempt in terms of the Freedom of Information (Scotland) Act 2002, Section 30, Prejudice to Effective Conduct of Public Affairs. Version