Data Protection. Standard Operating Procedure

Data Protection Standard Operating Procedure

Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not be utilised as guidance or instruction by any police officer or employee as it may have been redacted due to legal exemptions.

Owning Department: Information Management
Version Number: 3.00
Date Published: 07/11/2017

Compliance Record

Equality and Human Rights Impact Assessment (EqHRIA) Date Completed / Reviewed: 26/07/2017
Information Management Compliant: Yes
Health and Safety Compliant: Yes
Publication Scheme Compliant: Yes

Version Control Table

Version   History of Amendments                             Approval Date
1.00      Initial approved version                          14/03/2013
2.00      No change to content, updated to new template.    04/11/2016
3.00      Cyclical review. SOP fully rewritten.             06/11/2017

Please Note: Version 3.00 of the Data Protection SOP contains changes so significant from that published as v2.00 dated 04/11/2016 that it should be regarded as having been completely revised. Consequently, changes from v2.00 are not highlighted in yellow and readers should therefore take care to read all sections when referring to this document.

Contents

1. Purpose
2. Background
3. Criminal Offences under the Data Protection Act 1998
4. Purposes for which Personal Data are Processed
5. Accessing Police Scotland Systems
   5.1 Personal Data within Police Scotland Systems to which Access is Permitted
   5.2 Personal Data within Police Scotland Systems to which Access is not Permitted
   5.3 Personal Data Accessed Through Normal Working Practices
6. Disclosure of Personal Data Held Within Police Scotland Systems
7. Action Taken on Suspected Breaches of the Act Section 55
8. Concerns Regarding Conduct of Others
9. How Officers and Staff Can Obtain Their Personal Data held by Police Scotland
10. Further Advice and Guidance

Appendices

Appendix A: List of Associated Legislation
Appendix B: List of Associated Reference Documents
Appendix C: List of Associated Forms
Appendix D: Glossary of Terms
Appendix E: Contact Details

1. Purpose

1.1 This Standard Operating Procedure (SOP) supports the following Police Service of Scotland (hereafter referred to as Police Scotland) policies for:

- Data Protection
- Employee Relations

1.2 The purpose of this document is to provide all officers and staff of Police Scotland with clear guidance on the correct use of the personal data held, examples of misuse and details of the offences under the Data Protection Act 1998 (the Act) that can be committed when personal data are misused.

2. Background

2.1 All officers and staff are bound by the Data Protection Act 1998, Human Rights Act 1998 and the Computer Misuse Act 1990.

2.2 It is the responsibility of all officers and staff to comply with all SOPs and policies which underpin compliance with these Acts. These are listed in Appendix B.

2.3 All personal data held by Police Scotland are governed by the Act. All officers and staff are responsible for ensuring that the personal data they process are dealt with in accordance with the Act. Personal data must be accessed, used, disclosed and retained in accordance with the specified business procedures relating to the individual roles of officers and staff.

2.4 To understand their responsibilities it is necessary for officers and staff to be familiar with certain terms within the Act. These are:

data controller: a data controller decides the purposes for which, and the manner in which, personal data will be processed. (See the definition of processing below.) The Chief Constable is the data controller for all the personal data held by Police Scotland.

personal data: data which relate to a living individual who can be identified in any way from that data, or from that data when linked to any other information held and which identifies an individual. This can apply when statistical data are merged. It also applies to vehicle registrations and other numerical references, e.g. Police National Computer Identification (PNC ID), Criminal History System (CHS) number, the System to Co-ordinate Personnel and Establishment (SCoPE) Police Scotland Identifier (PSI) or other Unique Reference Number (URN).

data subject: an individual who is the subject of personal data.

processing (in relation to personal data): includes accessing, sharing, obtaining, recording, retaining, retrieving, altering, consulting, using and disclosing personal data and relates to personal data held in any form, e.g. images, digital or electronic or hard copy. The definition means that anything done with personal data held by Police Scotland must be dealt with in accordance with the provisions of the Act.

3. Criminal Offences under the Data Protection Act 1998

3.1 It is an offence under Section 55 of the Act for a person, knowingly or recklessly and without the consent of the data controller, to:

a) obtain or disclose personal data or the information contained within personal data, or
b) procure the disclosure to another person of the information contained in personal data.

3.2 It is also an offence to sell or offer to sell personal data obtained in contravention of the above section of the Act.

3.3 It is a common misconception that it is only unauthorised disclosure of personal data which is an offence. However, unauthorised accessing of personal data is also an offence, even if no subsequent disclosure is made.

3.4 Section 5.2 below provides guidance on what constitutes unauthorised access.

3.5 Section 6 provides information on what constitutes unauthorised disclosure of personal data.

3.6 All suspected breaches of the Act will be reported to the Crown Office and Procurator Fiscal Service (COPFS), or dealt with in accordance with agreed protocols. See Section 7.

4. Purposes for which Personal Data are Processed

4.1 Personal data are processed by Police Scotland for:

- all aspects of policing
- the provision of services to support policing
- the provision of administration and ancillary support to policing.

4.2 To view these in detail, see the Police Scotland notification on the Information Commissioner's website.

4.3 All officers and staff will receive training specific to the relevant systems and processes they use; this may consist of on the job training.

5. Accessing Police Scotland Systems

5.1 Personal Data within Police Scotland Systems to which Access is Permitted

5.1.1 Access to personal data within Police systems, whether held electronically or in manual records, is permitted by the Chief Constable to enable officers and staff to carry out their specific roles within their business areas.

5.1.2 The permission to access a system extends only to the specific records within that system which need to be accessed to allow officers and staff to carry out their role.

5.1.3 Certain officers and staff, as part of their specific roles, are permitted to access records of other employees of Police Scotland. Examples of these are Anti Corruption Unit (ACU), Information Management (IM), Professional Standards Department (PSD), People and Development (P&D), and Information Communications Technology (ICT).

5.1.4 In all such cases, the access is limited to those records necessary for the purpose of carrying out the duties of the role.

5.1.5 Officers and staff may access their own SCoPE record and the SCoPE records for other personnel within Police Scotland for whom they have management responsibilities or when required for P&D or for administrative or business purposes.

5.2 Personal Data within Police Scotland Systems to which Access is Not Permitted

5.2.1 Officers and staff do not have permission to access any record which is not necessary for the purposes of their job role. Accessing such records may constitute a criminal offence. (See section 3). Such records include:

- records of people known to them through their personal life*, even if requested to by such a person (see also paragraph 5.3 below relating to accessing such records through the normal course of the job role);
- records to trace a person, vehicle or address for personal reasons;
- records of any other police employee including their own (but see 5.1 above);
- accessing any record out of curiosity, or due to an interest in a specific type of case, e.g. sexual or violent, or because a case is high profile.

5.2.2 *The term "personal life" relates to their life outside the Force but is not intended to include a person with whom officers and staff have a passing acquaintance. It is not a chance meeting with a person which may be repeated from time to time.

5.2.3 Subject to paragraph 5.2.5 below, officers and staff should not be allowed to be involved in an investigation relating to anyone known to them through their personal life, except in the role of a witness if necessary, and under no circumstances should they attempt to access the records of the investigation.

5.2.4 Accessing records contrary to the instructions above may constitute a criminal offence and will be investigated by PSD.

5.2.5 Should it be necessary for an officer to be involved in an investigation of a person known to them through their personal life, e.g. where no other officer is available, the relevant supervisor must allocate the investigation to another officer as soon as possible. In any cases of doubt, guidance should be sought from PSD/ACU.

5.2.6 Any unsuccessful unauthorised attempts to access data will be considered a breach of professional behaviour and may be investigated under the relevant conduct/disciplinary procedures. This includes attempts to access data (i.e. searches) where there is no record in existence, access to the record has been restricted or access was unsuccessful for any other reason. Police Scotland has the ability and right to monitor access or attempts to access the data it holds.

5.2.7 These controls are not designed to restrict officers and staff from performing their roles. A reasonable test to apply is to ask "Taking account of the instructions within this document, can I justify accessing this record for a specific lawful purpose?" If there is any doubt, then do not access the record. Instead guidance should be sought from the relevant line manager, IM, PSD or ACU. The contact details are in Appendix E.

5.3 Personal Data Accessed Through Normal Working Practices

5.3.1 If during the course of carrying out their role, an officer or member of staff discovers that they have accessed the record of an individual known to them through their personal life, they must immediately log out of the record relating to that person, bring it to the attention of their supervisor, and provide them with evidence in support of why the record was accessed. The supervisor will then take action as in paragraph 5.3.4 and 5.3.5. The exception to this is when accessing the information is necessary for an ongoing incident or emergency, and the supervisor must be notified immediately after the event.

5.3.2 This action is necessary for the protection of the individual officer or member of staff should there be any question of why the record was accessed.

5.3.3 The supervisor should keep a record of the report and can seek advice from PSD if required.

5.3.4 The supervisor must allocate the work to another officer or member of staff unless it is not possible due to exceptional circumstances, e.g. there is no one else available to whom the work can be allocated. Permission to continue with the work must be authorised by an officer not below the rank of at least Inspector or by a senior police staff manager not below Band G and at least one rank/grade above the individual concerned. The authorisation must be recorded and available in an auditable format.

6. Disclosure of Personal Data held within Police Scotland Systems

6.1 Information must only be disclosed when it is lawful to do so.

6.2 Officers and staff will be trained for their roles (see paragraph 4.3) and this will include guidance, when relevant to the role, on sharing information routinely with a variety of external bodies/partner organisations such as Local Authorities.

6.3 When there is any question or doubt as to whether the information should be shared, advice must be sought from the relevant supervisor or Information Management. It must not be assumed that because an external body/partner asks for the information, that they are entitled to have it. Further guidance can be obtained from the Information Sharing Protocols SOP.

6.4 The Data Protection Act does not apply to the personal data of the deceased, but it does apply to the living relatives of, or other people who had been involved with, the deceased. Care must be taken therefore not to breach the Act by making unlawful disclosures regarding these persons when making disclosures relating to a deceased person.

6.5 Unlawful disclosure of personal data is that which is made knowingly or recklessly and without the consent of the data controller. For example, a disclosure which does not form part of a business process, or is made to a person who is not authorised to have it (such as a disclosure of an investigation to the person under investigation), is a criminal offence and therefore strictly forbidden.

7. Action Taken on Suspected Breaches of the Act Section 55

7.1 All suspected breaches of the Data Protection Act (either unlawful access or disclosure) will either be:

- reported to the Crown Office and Procurator Fiscal Service (COPFS) Complaints about the Police Department (CAAPD)
- or will be dealt with in accordance with agreed protocols.

If referred to COPFS, CAAPD will decide whether there are to be criminal proceedings.

7.2 For officers below the rank of Assistant Chief Constable, regardless of whether COPFS decides to prosecute, a breach of the Act can also constitute a breach of the Standards of Professional Behaviour and amount to misconduct or gross misconduct. Any such breach will be referred to PSD for consideration of conduct proceedings under the relevant legislation. The regulations to which this paragraph relates are:

- The Police (Conduct) (Scotland) Regulations 1996,
- The Police Service of Scotland (Conduct) Regulations 2013, and/or
- The Police Service of Scotland (Conduct) Regulations 2014.

7.3 For senior officers, i.e. Assistant Chief Constable, Deputy Chief Constable and Chief Constable, a breach of the Act can also constitute a breach of the Standards of Professional Behaviour and amount to misconduct or gross misconduct and will be dealt with in accordance with the relevant legislation, i.e.

- The Police (Conduct) (Senior Officers) (Scotland) Regulations 1996,
- The Police (Conduct) (Senior Officers) (Scotland) Regulations 1999,
- The Police Service of Scotland (Senior Officers) (Conduct) Regulations 2013.

7.4 For police staff a breach of the Act can also constitute a breach of the Disciplinary SOP and/or the Code of Conduct. Any breach of the Code of Conduct will be investigated and assessed, and considered in line with the Disciplinary SOP.

7.5 Any breach may also be reported to the Information Commissioner's Office (ICO) in accordance with the ICO guidance.

8. Concerns Regarding Conduct of Others

8.1 If an officer or member of staff has any concerns regarding the conduct of a colleague or a person known to them through their personal life, they must not access/attempt to access any records of that individual but instead they can use any of the following channels to report them:

- through line management channels;
- directly to ACU or PSD;
- through the Integrity Matters link on the intranet, which also provides guidance on what should be reported. This can be done anonymously if preferred;
- through Crimestoppers.

9. How Officers and Staff can obtain their Personal Data held by Police Scotland

9.1 As already stated, officers and staff can access their own SCoPE record. If however they want to know what other personal data is held by Police Scotland in relation to them they can obtain it by making a Subject Access Request (SAR) using Police Scotland Form 052-002 and submitting it to the e-mail address on the form.

9.2 There is no charge for providing information to an officer or member of staff if it relates to them as an employee of Police Scotland, e.g. information held by ACU, P&D or PSD. If however the request relates to personal data which may be held on Police systems such as PNC, CHS or other crime systems, a fee of £10.00 will be required.

9.3 Guidance on how to make a SAR is on the Police Scotland website. Further information can also be obtained from IM. Contact details are in Appendix E.

10. Further Advice and Guidance

Further advice and guidance regarding the contents of this SOP can be obtained from IM, ACU or PSD. Contact details are in Appendix E.

Appendix A: List of Associated Legislation

- The Data Protection Act 1998
- The Police (Conduct) (Scotland) Regulations 1996
- The Police Service of Scotland (Conduct) Regulations 2013
- The Police Service of Scotland (Conduct) Regulations 2014
- The Police (Conduct) (Senior Officers) (Scotland) Regulations 1996
- The Police (Conduct) (Senior Officers) (Scotland) Regulations 1999
- The Police Service of Scotland (Senior Officers) (Conduct) Regulations 2013
- The Human Rights Act 1998
- Public Records (Scotland) Act 2011

Appendix B: List of Associated Reference Documents

Policies

- Data Protection Policy
- Employee Relations Policy

Standard Operating Procedures

- Email and Internet Security SOP
- Government Protective Marking Scheme (GPMS) SOP
- ICT User Access Security SOP
- Information Security SOP
- IT Security SOP
- Record Retention SOP
- Secure Disposal and Destruction of Data SOP
- Requests for Personal Information from External Bodies SOP
- Information Sharing Protocols SOP
- ICT Acceptable Use of Computer Systems SOP
- Mobile Data and Remote Working SOP
- Security Incident Reporting and Management SOP
- Disciplinary SOP

Guidance

- Code of Conduct

Appendix C: List of Associated Forms

- Subject Access Request Form 052-002

Appendix D: Glossary of Terms

ACU       Anti Corruption Unit
CHS       Criminal History System
COPFS     Crown Office and Procurator Fiscal Service
FOI       Freedom of Information
ICT       Information Communications Technology
IM        Information Management
P&D       People and Development
PNC       Police National Computer
PSD       Professional Standards Department
PSI       Police Scotland Identifier
SAR       Subject Access Request
SCoPE     System to Co-ordinate Personnel and Establishment
SID       Scottish Intelligence Database
SOP       Standard Operating Procedure
The Act   The Data Protection Act 1998
URN       Unique Reference Number

Appendix E: Contact Details

Information has been removed due to its content being exempt in terms of the Freedom of Information (Scotland) Act 2002, Section 30, Prejudice to Effective Conduct of Public Affairs.