Data Protection REFERENCE NUMBER. IMPLEMENTATION DATE June 2014 NEXT REVIEW DATE: September 2020 RISK RATING

Transcription

1 POLICY Security Classification Disclosable under Freedom of Information Act 2000 Yes POLICY TITLE Data Protection REFERENCE NUMBER A031 Version 1.1 POLICY OWNERSHIP DIRECTORATE BUSINESS AREA CHIEF OFFICERS KNOWLEDGE AND INFORMATION MANAGEMENT IMPLEMENTATION DATE June 2014 NEXT REVIEW DATE: September 2020 RISK RATING LOW EQUALITY ANALYSIS LOW Warwickshire Police and West Mercia Police welcome comments and suggestions from the public and staff about the contents and implementation of this policy. Please

2 1.0 POLICY OUTLINE The Data Protection Act 1998 regulates the use of information from which a living individual can be identified. It applies to the processing of personal data (including holding, collecting, receiving, viewing, transmitting). Warwickshire Police and West Mercia Police are committed to protecting the rights of individuals with regard to the processing of personal data. They will comply with, and process personal data in accordance with the provisions of the Data Protection Act 1998 in all respects. This policy applies to every police officer, member of police staff, police community support officer, special constable, volunteer, contractor, and approved persons working for or on behalf of both forces whether responsibilities include updating or simply using West Mercia Police and Warwickshire Police information containing personal data. Both Warwickshire Police and West Mercia Police have a legal obligation to comply with the Data Protection Act 1998; this Act establishes standards and governs the processing of personal data. The Chief Constable is the Data Controller for each police force. The Data Controllers have appointed Data Protection Officer s to direct the day to day operation of the Act within each individual police force. All employees of Warwickshire Police and West Mercia Police can be personally criminally liable if they disclose or obtain personal data without the authority of the Data Controller. To make, or encourage another person to make an unauthorised disclosure knowingly or recklessly may result in criminal liability. The offences that apply are Section 55 of the Data Protection Act and further details can be located in Section PURPOSE OF POLICY To ensure that personal data is processed by all of those to whom the policy applies in a way which is compliant with the Data Protection Act Warwickshire Police and West Mercia Police need to collect and use certain types of information about the people with whom it deals in order to perform effectively as a police force. These include current, past and prospective members of staff, offenders, victims, witnesses, suppliers, clients/customers and others with whom it communicates. This personal information must be dealt with properly when it is collected, recorded, used and destroyed, whether by manual or electronic means. Both forces regard the lawful and correct treatment of personal information as important to the successful operation of the Forces, achievement of our aims and objectives and to maintaining the confidence of members of the public. Numerous information / systems exist within each organisation and the integrity and value of this information is paramount. The communities served by both Warwickshire Police and West Mercia Police expect data to be treated in line with legislation. If any breaches of the Data Protection Act 1998 do take place then these will be dealt with in accordance with this policy and other associated policies and legislation. The policy: Outlines how the Data Protection Act applies to employees of Warwickshire Police and West Mercia Police (and any person processing personal data on their behalf);

3 Outlines the responsibility of every employee of both forces under the Act who processes personal data on behalf of Warwickshire Police and West Mercia Police ; Outlines basic information about how to deal with disclosures; and Aids the compliance aspects of the ACPO/ACPOS Community Security Policy. In order to ensure compliance with the Data Protection Act 1998, the Code of Practice on the Management of Police Information and other relevant standards for the management of police information, the Chief Constable s are obliged to have an audit regime to measure performance to comply with legislative and policy requirements and thereby help in endorsing the effectiveness and efficiency of operational policy. The purpose of the Audit is to provide a systematic and independent examination to determine whether activities involving the processing of police information are carried out in accordance with the organisation s policies and procedures and whether this processing meets the requirements of relevant legislation and standards. 3.0 IMPLICATIONS OF THE POLICY Both Police Forces recognise that personal data is a primary asset to each Force. The legal basis for this policy is the Data Protection Act 1998, underpinned by Article 8 of the Human Rights Act which provides the legal parameters for the processing of personal data. However, compliance with other legislation, Codes of Practice, policies and guidance also has relevance, such as: The Freedom of Information Act 2000 The Computer Misuse Act 1990 The Copyright, Designs and Patents Act 1988 The Official Secrets Acts and The Code of Practice on the Management of Police Information The Crime and Disorder Act 1998 Human Rights Act 1998 Rehabilitation of Offenders Act 1974 ACPO Manual of Guidance for Data Protection All systems must also comply with the relevant ACPO policy including:- ACPO Community Security Policy Police National Standard Operating Rules applicable to all Police computer applications.

4 4.0 DATA PROTECTION The national body for the supervision of Data Protection is the Information Commissioners Office (ICO) to whom the Chief Constable s notify the purposes for processing personal data. Where a data subject is unhappy with some aspect of the processing of their personal data, or a disclosure they have or have not received from the Force, they have the right of appeal to the Information Commissioner. Any request for an assessment or correspondence from the Information Commissioner should be responded to promptly and co-ordinated through the Data Protection Officer. This notification serves to provide transparency and openness about the processing of personal data. It is a fundamental principle of the Data Protection Act 1998 that the public should know, or be able to find out who is carrying out the processing of personal data and for what purpose. The principal purpose for which Warwickshire Police and West Mercia Police processes information is for a Policing Purpose which is defined as:- Protecting life and property; Preserving order; Preventing the commission of offences; Bringing offenders to justice Any duty or responsibility arising from statute or common law Data is also processed for specific purposes connected with the administration of the Force, its employees and the provision of necessary services to support the Policing Purpose. Data Protection Principles All personal data must be collected, processed, maintained and disclosed in accordance with the eight Data Protection Principles (Schedule One, Part One of The Data Protection Act), which specify that personal data must: 1. Be processed fairly and lawfully; 2. Be processed for a specified purpose 3. Be adequate, relevant and not excessive 4. Be accurate and up to date 5. Not be kept longer than is necessary 6. Be processed in accordance with individual s rights 7. Be kept secure 8. Not be transferred to other countries without adequate protection 5.0 PURPOSE Access to information systems or personal data, including browsing, use or disclosure, is only permitted to employees, agents and approved persons working for or with Warwickshire Police and West Mercia Police, where it is necessary in the course of

5 their official duties for policing purposes and in accordance with Force policies and procedures. Where a member of Warwickshire Police or West Mercia Police is involved in or witnesses a crime or incident whilst off duty, no access to the recorded information can be made without prior authorisation from their supervisor. Access to any force ICT equipment must be controlled. Only authorised users in the course of official police business should have access. 5.1 Procedure The use of police information systems for a private purpose or any other purpose other than that declared by the Chief Constable s to the Information Commissioner is strictly prohibited. Where a member of staff has a personal connection with the other party (e.g. victim, witness, suspected offender, offender) they must declare this connection and the reason for the enquiry/record check to a supervising officer before any action is taken Details should then be recorded in a pocket book if one is issued or via at the time. The supervisory officer will then consider any potential conflicts of interest before making any judgement to: 1. Reject enquiry/record check request because of a potential conflict of interest or suggestion of inappropriate use of police systems or 2. Allocate the enquiry to an independent person or 3. Approve the initial enquiry and dependent upon the result; arrange for the matter to be allocated to another officer for an independent enquiry to be carried out. Deliberate unauthorised access to, copying, destruction and/or alteration of, or interference with any computer or ancillary equipment or data (soft or hard copy) is also strictly prohibited. In order to meet the requirements for lawful processing, particular consideration will be given to:- a) Confidentiality arising from the relationship between Warwickshire Police and West Mercia Police and any individual; b) The ultra vires rule and the rule relating to the excess of delegated powers, under which officers may only act within the limits of their legal powers; c) The legitimate expectations of any individuals in relation to the processing of information about them; and d) Article 8 of the European Convention on Human Rights (the right to respect for private and family life, home and correspondence). 5.2 Fair Processing

6 In meeting any obligation to ensure that processing of information is fair, due consideration will be given to the adoption of any recognised standards or advice to provide individuals with such information as is necessary to ensure that they are likely to understand:- a) the purposes for which their personal data are to be processed; b) the likely consequences of such processing and; c) whether particular disclosures can be reasonable envisaged Staff collecting information about individuals will, wherever possible, give a brief explanation as to what their information may be used for. Individuals should also be told if their information is likely to be passed to a third party. 5.2 Disclosure of Personal Data Disclosure of information may take many forms, including viewing records on a terminal, computer printouts, typewritten material, by word of mouth or radio transmission including telephone and Airwave. Information from police systems will, in the first instance, only be disclosed to serving officers or other police personnel who require such information in order to carry out their official duties. Requests for the disclosure of any personal data will only be considered once the member of staff is fully satisfied that the requestor is authorised to receive the information. Care will be taken to ensure that any disclosure is within that allowed by any prevailing policy, guidance, Information Sharing Agreement, Memorandum of Understanding or statutory obligation and is authorised at the appropriate level. 6.0 POLICE ENQUIRIES ACCESS TO PERSONAL DATA HELD BY OTHER ORGANISATIONS Sometimes it is necessary to seek information relevant to a police enquiry from other organisations (credit details, bank details, medical details etc) In these circumstances, the organisation receiving the police enquiry may request a Personal Data Request Form (Section 29(3)) stating the reason and what specific information is sought. The exemption to the rules of non-disclosure, which is most likely to affect police officers, provides that personal data is exempt from the non-disclosure provisions of the Act in cases where the disclosure is for any of the following purposes:- the prevention and detection of crime the apprehension or prosecution of offenders

7 These exemptions only apply to the extent that if the data were not disclosed to the police it would be likely to prejudice police investigations. It should be noted that although we are able to use Section 29(3) of the Data Protection Act for legitimate police enquiries it is still a matter for the organisation to determine whether or not to disclose the information as there is no element of compulsion in this respect. For audit purposes, a copy of the request is to be kept with the associated crime papers. If an Information Sharing Agreement is in existence the rules of that agreement should be followed. 6.1 Where disclosure is in the vital interest of the data subject There are provisions under the Data Protection Act 1998 which cater for circumstances where there is a genuine life or death situation (severe medical emergency or a potential suicide for example) and where the usual approach for a disclosure is not possible. These provisions are contained within Schedules 2 and 3 of the Data Protection Act and refer to the Vital Interests of the data subject. Officers making use of this process should ensure that the events are adequately documented and retained pending any future challenge over possible unlawful processing of personal data. 6.2 Use of Section 29(3) exemption by other organisations Other organisations may also request information from the police under the nondisclosure exemption provided by Section 29(3). Normally such use will be by organisations that have the ability to investigate and/or prosecute offences. It should be noted that there is no obligation for any Police Force to comply with such a request and any disclosure must only be made in accordance with relevant Force policies and/or prevailing legislation. Each request should be considered on its individual merits and disclosures made only where the relevant considerations are satisfied. The receipt of such requests together with the decision and any relevant responses should be recorded and retained on the appropriate file and available for any future audit or inspection. 7.0 ADEQUACY AND RELEVANCE OF DATA The reliability of information held in police information systems depends primarily on the professional competence of police officers and staff who obtain and record information.

8 Information held on police systems must be adequate i.e. fit for purpose, unambiguous and professionally worded. All abbreviations, warning signals and information markers must comply with national standards. Forms designed for the collection of information should only record that information which is pre-determined to be relevant in relation to the purpose for which it is required. 7.1 Accuracy of Data It is the responsibility of the person who receives the original information to ensure, as far as is possible, that it is accurate, valid and up-to-date. All staff will ensure wherever possible, that all information entered on police records is adequate, relevant, unambiguous and professionally worded. Where errors are found on any personal data held they will be reported to a supervisory officer and corrected at the earliest opportunity. Cancellations, amendments and deletions will be carried out as a matter of priority. The source of information received from an individual or from a third party will be recorded accurately. Notations of this nature will assist into any investigation, should the information or its source be challenged. Where it is known that inaccurate information may have been disclosed to a third party, the corrected information will be disclosed to that party with explanation, together with any other action necessary to minimize any harm, loss or damage arising from such disclosure. 8.0 REVIEW, RETENTION AND DISPOSAL OF DATA Unless a system incorporates automatic facilities or other structured procedures, reviews of personal data must be carried out at frequent intervals to ensure immediate cancellation or amendment of unwanted or out-of-date material. This is good practice that should be applied to all information held. Current procedures on the MoPI Review, Retention and Disposal (RRD) Policy and other legal requirements for the retention of documents are dealt with by the Records Manager. 8.1 Deletion of Records from National Police Systems The processing of requests for the deletion of PNC records, fingerprints and DNA samples will be carried out in accordance with the advice and guidance provided by the Home Office and ACPO Criminal Records Office (ACRO). Further information can be obtained from the Records Manager on extension INFORMATION SECURITY In accordance with the Force Information Security Policy all members of the Force should note and report any breach of information security or suspected security weakness as quickly as possible through line management channels to the Information

9 Security Manager / Officer. Under no circumstances should users attempt to prove a suspected weakness. 10. AUDIT AND MONITORING The Force Assurance Lead Officer will develop an annual audit schedule from a comprehensive risk analysis in accordance with the framework and standards provided by the APP for Data Protection. This will determine the nature and scope of the audit, taking into account available resources and provide a strategy which will form the basis of audit activity for the period under consideration. This schedule will be subject to annual review and lead to a documented Strategic Audit Plan which will outline: Areas to be audited; Target dates and; Resource allocation It is recognised that limited resources may restrict the number of applications or systems, which may be audited. However, the decision regarding which applications or systems will be audited and the scope and frequency of such audit will be subject to a formal risk assessment process and current business needs. The Strategic Audit Plan will be subject to review and approval by the Deputy Chief Constable. The schedule and associated risk analysis documentation will be available for inspection by external auditors as required. Individual audits (as specified in the annual audit schedule) will be subject to a separate planning process, with the aim of performing the audit in an effective and efficient manner. The audit plan will set out the follow: The scope and objectives of the audit; Conduct/methodology (e.g. sample size, sample selection) of the audit; Audit programme (detailing error classification and audit tests to be carried out); Resource allocation and target timescales The audit schedule should be supplemented by quality assurance and monitoring processes undertaken by supervisors and managers in each business area. Transaction checks will also be carried out on a regular basis in order to:- Deter and detect unauthorised access to police information or systems; To raise staff awareness of data protection issues and maintain public confidence in the use of police information and To ensure that all required transaction fields are completed to provide an adequate audit trail for retrospective investigations into transactions that have been carried out.

10 11.0 CRIMINAL OFFENCES AND BREACHES OF THE DATA PROTECTION ACT All breaches or suspected breaches of the Data Protection Act 1998 must be reported promptly to the Information Security Manager / Officer and / or to the Professional Standards Department in suspected criminal breaches. Incidents must be recorded via a SIR1 form found on the respective forces Intranet systems. The Data Protection Officer must also be informed, who will give advice and guidance to ensure compliance with the Data Protection Act and Information Commissioners guidance. The APP for Data Protection sets out the procedures for the recording and handling of allegations of criminal offences committed in contravention of the Data Protection Act It describes the role of the police and the ICO and the actions to be taken when criminal offences under the Act are suspected A number of criminal offences are created by the Data Protection Act. The data controller is guilty of an offence if they (a) (b) (c) (d) (e) (f) are processing without notification; fail to notify the Commissioner of changes to notification register entry; fail to comply with written request for particulars; fail to comply with an enforcement notice/information notice/special information notice; knowingly or recklessly make a false statement in compliance with an enforcement notice or special information notice; intentionally obstructs, or fails to give reasonable assistance in the execution of a warrant However, it is not just the Data Controller who is criminally liable. All staff in Warwickshire Police and West Mercia Police are considered to be servants or agents of the Chief Constable (the Data Controller) and as such can be personally criminally liable if they disclose or obtain personal data without the authority of the Data Controller. Therefore, if you make, or encourage another person to make an unauthorised disclosure knowingly or recklessly you may be held criminally liable. The offences that apply are given at Section 55 of the Act and are as follows: (a) (b) (c) without the consent of the Chief Constable (Data Controller), knowingly or recklessly to unlawfully obtain or disclose personal data or the information contained in personal data; or procure the disclosure to another person of the information contained in personal data; without the consent of the Chief Constable (Data Controller) to knowingly or recklessly procure the disclosure to another person of the information contained in personal data. There is another offence committed by a person who sells personal data if it has been obtained in contravention of the above or offers to sell information obtained or to be obtained in contravention of the above.

11 This does not apply if it can be shown: - (i) that the obtaining, disclosing or procuring - was necessary for the purpose of preventing or detecting crime, or was required or authorised by or under any enactment, by any rule of law or by the order of a court, (ii) (iii) (iv) that an individual acted in the reasonable belief that they had in law the right to obtain or disclose the data or to procure the disclosure to another person, that they acted in the reasonable belief that the Chief Constable would have consented if they had known of the obtaining, disclosing or procuring and the circumstances of it, or that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest. In addition, in respect of computer processed information, the following activities are criminal offences under the Computer Misuse Act 1990: unauthorised access to computer material; unauthorised modification of computer material, and unauthorised access with intent to commit/facilitate the commission of further offences With effect from 6 th April 2010, penalties for Data Protection breaches will be subject to fines of up to 500,000, brought in by the Criminal Justice and Immigration Act Other Relevant Offences It should be noted that the misuse of official personal data can also be dealt with as an offence of Misconduct in Public Office, which can attract a custodial sentence. The Computer Misuse Act also contains offences relating to the unauthorised access to information (not limited to personal data) and includes accessing information held in systems that the offender has authorised access to for official purposes, but where the access on the relevant occasion was unauthorised. In addition, the Freedom of Information Act 2000 creates the following offence in relation to personal data: Section 77: Altering, defacing, blocking, erasing, or concealing any record to prevent disclosure under Section 7 of the Act which refers to Subject Access.

12 12.0 SUBJECT ACCESS Under Section 7 of the Data Protection Act every individual has the right of access to their personal data. For further guidance please refer to the APP for Data Protection TRAINING Successful completion of the on-line data protection training is a pre-requisite to obtain access to force systems including obtaining an account. The training covers the use of personal data, lays down the principles and how to comply with them, and lists the offences that may be committed through non-compliance. The training is an on-line, self-teach programme, delivered via the Intranet and can be accessed from any terminal connected to the Intranet, anywhere in the force, at any time of day. All details of training commenced, progress and test scores are held centrally and accessible via Learning and Development. Any individual who fails to achieve the standard should be given time to re-sit the training and pass the test. The individuals line manager / supervisor will decide whether the individual requires additional training prior to re-sitting the test. Any individual who fails a second time should be given one-to-one instruction under arrangements made by their line manager / supervisor. Consistent and repeated failure will result in the individual being denied access to the force network and all systems until the required standard is attained. In this event the individual s line manager / supervisor should assess the risk of leaving the individual in any role with unsupervised access to personal data and take action accordingly If training has been completed in the previous 12 months then there will be no requirement to undertake the training again in a new role. If a police officer / police staff member transfers from another force then there will be a requirement to undertake the training within the first six weeks of service in line with force policy. There will be a requirement for all staff to undertake Data Protection refresher training every two years. All Managers and supervisors should encourage individuals to refresh their knowledge of data protection and the requirements the Act places upon them at every opportunity. To avoid any unintentional and/or unlawful disclosure, the use of Live data held on computer systems or in manual filing systems for training purposes is strictly prohibited without prior and express consultation with the Data Protection Officer, Head of Training and/or Head of Professional Standards.

13 14.0 Design It is the responsibility of managers and specialists responsible for the development or alteration of systems or databases for the management of police information to ensure that appropriate consultation takes place between the user, ICT, Data Protection Officer and the Information Security Officer to ensure compliance with the relevant statutory provisions including: a) Data Protection Act 1998 b) The Computer Misuse Act 1990 c) The Copyright, Designs and Patents Act 1998 d) The Official Secrets Act, and; e) The Code of Practice on the Management of Police Information 15.0 Redaction Process The preferred process for redacting data is by way of an IT system, e.g. e-redact. However, if this is not available and you have to redact using any Microsoft Product you should be aware that electronic redaction in Microsoft is not secure therefore the following process must be followed: Redaction MUST be made on a physical copy of the document/data using a black marker pen ensuring the information is sufficiently obscured. The document / data should then be recopied / rescanned once redacted. This will ensure the redaction is permanent No documents / information should be released if the redaction is not 100% secure. Considerations when redacting The original file version of a document must never be redacted. Only the first redacted version must be kept. Any transitional copies must be destroyed appropriately. The information should be read in context to ensure that it does not suggest the content of the redacted material. Information should be considered in its full context. Whole sentences, paragraphs and pages of documents can be removed if the information is not relevant to the individual, if pages are removed detail the page number to the requestor

14 Redaction of personal information to protect identity (only if the detail is not already known by the requestor) Where the title/heading of a document relates to the requestor it can be left in, where it relates to someone else it should be removed. When redacting, simply removing the individual s name is almost never sufficient to hide their identity. Take care with terms such as he, she, him, and her, mother, father, sister, brother, neighbour etc. which can be used to establish identity, therefore should be removed. Descriptions that might give away identity should be redacted, e.g. the blonde haired boy / girl. Take care with job titles that might also give away identity. If an address is in the public domain, it does not need to be redacted, e.g. if the address is for an organisation it can be left in, but, if it mentions an individual it should be redacted CONSULTATION Key stakeholders have been consulted on the content of this policy including, Head of Knowledge and Information Management, UNISON, Police Federation, Health & Safety Manager, Risk Manager, Legal Department, Superintendents Association and Professional Standards DOCUMENT HISTORY Date Author/Reviewer Amendment(s)/Rationale Approval/Adoption V1.0 Tracey Lynskey & Harmonisation JNCC 14/04/2014 Dec 2013 John Jones V1.1 September 2017 Tracey Lynskey Amended following consultation with the ICO after a Data Protection breach. See summary of Change document September 2017