1.0 Summary of Changes 1.1 This procedure/sop has had an additional paragraph added at 3.8.6 relating to data processing of information by direct access to Athena. 2.0 What this Procedure/SOP is About 2.1 Section 4 of the Data Protection Act 1998 (DPA) requires Data Controllers to ensure all their processing of personal data is in compliance with the DPA, including its eight Data Protection Principles. 2.2 The Chief Constables of Essex Police and Kent Police are the respective Data Controllers of the two police forces. They determine the purposes for which personal data are processed by the two police forces (as per the forces notification to the Information Commissioner) and the manner in which that processing takes place, as documented in policy, procedure, SOPs and standard working practices. 2.3 This procedure/sop provides considerations for complying with the eight principles of the DPA to ensure lawful processing of personal information, including how individuals can require a Chief Constable to inform them of any personal data, relating to them, that a force may be processing. 2.4 The forces approach to Data Protection compliance is to follow the College of Policing s Data Protection Authorised Professional Practice (APP). The Essex Police leads on Data Protection are the Senior Information Officers within Information Management, and the Kent Police lead is the Head of Legal Services. Compliance with this procedure/sop and any governing policy is mandatory. 3.0 Detail the Procedure/SOP 3.1 The Principles 3.1.1 All processing of personal data by the two police forces must be in compliance with the eight data protection principles (Schedule 1 DPA) set out below; though exemptions within the DPA mean that in some circumstances there may be no requirement to comply with all aspects of all of the principles. The first principle: personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: At least one of the conditions in Schedule 2 is met; and In the case of sensitive personal information, at least one of the conditions in Schedule 3 of the Act is also met. Page 1 of 12
3.1.2 The second principle: personal data shall be obtained for specified, lawful purposes and shall not be further processed in any manner incompatible with that purpose or purposes. 3.1.3 The third principle: personal data shall be adequate, relevant and not excessive for the purpose for which they are processed. 3.1.4 The fourth principle: personal data shall be accurate and where necessary kept up to date. 3.1.5 The fifth principle: personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or purposes. 3.1.6 The sixth principle: personal data shall be processed in accordance with the rights of data subjects under the Act. 3.1.7 The seventh principle: appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. 3.1.8 The eighth principle: personal data shall not be transferred to a country outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. 3.2 Access and Disclosure 3.2.1 Information held on police systems is confidential to authorised individuals whose duties require them officially to be in possession of such information. 3.2.2 Where it is deemed necessary to disclose information to another organisation (a third party) the force needs to make a decision as to see how this is accommodated within the first and second principles. Further guidance is available within SOP W01014 - Information Sharing Agreement. 3.3 Data Subject Rights - Subject Access 3.3.1 The DPA s sixth data protection principle requires that the forces process personal data in accordance with the rights of data subjects. Under Section 7 of the DPA, a right, commonly referred to as subject access, allows an individual to apply for a copy of the information that the force holds about them. The individual is also entitled to further information about the processing of the data, but various exemptions to the right of subject access apply in certain circumstances or to certain types of personal data. Page 2 of 12
3.3.2 Individuals may exercise this right by making a written subject access request (SAR). This must to be accompanied by payment of the forces fee for dealing with the request (this is the maximum charge of 10). 3.3.3 Potential applicants may be advised that the right applies only to information relating to the person making the request. It does not extend to information about other people and it does not give an absolute right to access to documents. The right is limited in its application. Information will not be made available if: a) The release of the information could lead to the identification of another person to whom Essex Police or Kent Police have a duty of confidence (this may be an offender or a victim); b) The information being processed is used for the prevention or detection of crime; or the arrest or prosecution of offenders and disclosure would prejudice those purposes; c) The information is contained in non-automated records (unstructured paper files for example) and the cost to Essex Police or Kent Police of retrieving it is likely to exceed 450. 3.3.4 The forces cannot insist on the use of a particular form for making a SAR, but the forces will make forms available to assist the requester to provide the information that is needed to deal with their request (Form A95 for Essex Police; Form 2902B for Kent Police). 3.3.5 Applicants should be advised that application forms may be downloaded from the forces web sites. Telephone applications will be sent out within 2 working days of request, by second-class post. 3.3.6 As well as a signed application form, applicants will need to provide two copies of proof of identity, showing their name and date of birth. Approved identity documents include: passport, driving licence, utility bill or similar. At least one of the documents must bear their signature, and a different one must contain their current home address. 3.3.7 For nationally held information, the NPCC (formally ACPO) Criminal Records Office (ACRO) process application forms on behalf of all forces within England and Wales. Enquiries relating to such applications should be directed to ACRO (SAR), PO Box 662, Fareham, Hampshire, PO14 9LQ, email subjectaccess@acro.pnn.police.uk or telephone. A fee and appropriate identification will be required to make a valid request. 3.3.8 For locally held information, Essex Police and Kent Police will provide acknowledgments for all applications and a reference number will be provided to assist tracking. Page 3 of 12
3.3.9 Correspondence received by Divisions or Departments asking for subject access under the Act will be acknowledged and the correspondence will be forwarded to forces respective Data Protection teams for a response. However, where the request is for specific disclosure of information such as; details of crime, accident reports or custody records, these will be dealt with locally in accordance with the relevant policy/sop. Where there is any doubt, contact the Senior Information Officer, Information Management (Essex Police) or Legal Services (Kent Police), for guidance. 3.3.10 Processing of requests can take up to 40 calendar days. Requests for an urgent response will only be considered for extreme emergencies e.g. Visa required to visit a gravely ill relative. 3.3.11 An employer should not require potential or current employees to submit themselves through the subject access procedure in order to provide such information to their employer, a process known as enforced subject access. Section 56 DPA makes enforced subject access a criminal offence. Allegations of offences under Section 56 DPA should be reported to the Information Commissioner. 3.3.12 An employer is entitled to seek information regarding an individual s criminal past, due to the applicant being likely to come in to close contact with children or vulnerable adults. The police do not carry out these checks and any applicant should be advised to contact the Disclosure and Barring Service (DBS). The DBS can be contacted by telephone on 0870 9090811 or on the internet. 3.3.13 The two police forces may receive single hybrid requests for both recorded information and personal data under the statutory provisions of the Freedom of Information (FOI) and Data Protection Acts. For example, a subject access request may also contain a valid FOI request or vice-versa. On such occasions, the respective Data Protection/FOI teams will coordinate responses under both Acts. 3.4 Obtaining Personal Data from Outside Organisations 3.4.1 Section 29(3) DPA gives Data Controllers, in other organisations, the legal authority to release personal data to the police, without fear of contravening the DPA, provided certain criteria are met. Failure to meet these criteria could mean that the Data Controller, the requesting officer or both, commit a criminal offence. For these reasons, it is imperative that a Data Protection Disclosure form (Essex Police Form A101 and, Kent Police Form 3560) is used and properly completed. The use of this form does not exempt either party from the provisions of other relevant legislation. The form may be used by police officers and police staff. 3.4.2 The legislation provides the grounds to release personal data to the police, provided that data are required for one or more of the following purposes; the prevention or detection of crime or the apprehension or prosecution of an offender. Page 4 of 12
3.4.3 In practice, Section 29(3) assists the police where personal data are required from a Data Controller (e.g. a commercial company, a public institution or Internet Service Provider), for one or more of the purposes mentioned in paragraph 3.4.2 above. Organisations will normally require requests to be made in writing. 3.4.4 The Act only allows release of information without the knowledge or consent of the data subject where both the information is required for one of the purposes at 3.4.2 and where a failure to disclose the data would be likely to prejudice the investigation or enquiry. For this reason the form must not be used where the only purpose is to confirm known facts, for general intelligence or for administrative purposes. 3.4.5 A Data Controller can always refuse a request for data made by the police. It is therefore important that officers and staff using such forms recognise that they are making a request for information, not a demand. Unless a specific statutory power exists to demand information, non-compliance with a request will need to be overcome by a court order and guidance should be sought from Legal Services (Essex Police) or the Civil Court Orders Team (within PPU at Kent Police) in relation to material filed in family proceedings or Legal Services (Kent Police) otherwise. 3.4.6 There is no obligation imposed by the two police forces for such requests to be authorised by a superior officer or member of police staff of any particular rank. However, should the Data Controller subject of the request require such authorisation an officer, of at least the rank of Inspector, may authorise any request. This level of authority is designed to give a Data Controller confidence that an appropriate validation process has been observed prior to any request. 3.4.7 On occasion it may not be possible to disclose the reasons why such information is deemed necessary e.g. national security investigations. Where no reason can be provided, for operational reasons, and the Data Controller subject of the request requires such authorisation then the authorising signatory should be an officer of at least the rank of Superintendent. 3.4.8 The requestor and those authorising must be aware that they are each making a statement that the conditions are true, and that obtaining personal data under false pretences may be a criminal offence. 3.4.9 Audits may be undertaken to ensure that requests for information are lawful and in accordance with this policy. 3.5 Non-Disclosure Exemptions 3.5.1 There is also the ability for other organisations to request the release of information from Essex Police or Kent Police. As this invariably breaches the duty of confidence in the handling of personal information it is necessary to seek a legal gateway and the legislation provides a series of exemptions to cover such situations: Page 5 of 12
a) Disclosure is for the purpose of safeguarding National Security [Section 28]; b) Disclosure is required for the purposes of: prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty, and the application of those provisions in relation to the disclosure would be likely to prejudice any of these purposes [Section 29]; c) Disclosure is required by or under any enactment, by any rule of law or by the order of a court [Section 35]. This may require the individual to be advised that such a disclosure is being considered before any decision is made (policy W01n - Information Sharing Agreements Kent, W 2024 Procedure Information Sharing - Essex); d) Disclosure for the purpose of or in connection with any legal proceedings (including prospective legal proceedings) or for the purpose of obtaining legal advice or is otherwise necessary for the purposes of establishing, exercising or defending legal rights [Section 35]. This will invariably require the individual to be advised that such a disclosure is being considered before any decision is made (policy W01n - Information Sharing Agreements); e) Disclosure is to the Data subject; or f) Disclosure is at the request of or with the consent of the data subject, which can be evidenced. 3.5.2 A written record of the circumstances and the exemption used should be retained in the event that the disclosure is challenged. 3.6 Consent to Process Requirements under the DPA 3.6.1 Section 17 of the DPA requires that the purpose(s) for the processing of personal data by the two police forces must be included within the notification to the Information Commissioner. Processing must not take place unless it is validated as being within the Chief Constable s notification in the Information Commissioner s register or is required by or under any rule of law. 3.6.2 Any new system processing personal data, whether in physical or digital format, requires a preliminary risk assessment which is assessed and recorded by either the Information Security Unit (form 3915 for Kent Police) or the Information Security Officer (for Essex Police). 3.6.3 Development of the system should not commence until the legitimacy of the process has been approved and a Privacy Impact Assessment conducted where required. Page 6 of 12
3.7 Data Subject Rights Other Rights Other than the right of access as described above the DPA also entitles an individual to other rights. Rights exist in relation to the following: Right to prevent processing likely to cause damage or distress; o An individual is entitled to write to either police force requiring that they do not process their personal data in a manner that is causing or is likely to cause unwarranted substantial damage or substantial distress to themselves or another person. Such applications will be forwarded as soon possible, in the case of Essex Police to the Senior Information Officer, Information Management; or Legal Services for Kent Police. Rights in relation to automated decision taking; o Subject to certain exemptions, an individual has the right to require that either police force ensures no decision that would significantly affect them is taken by the police force or on its behalf purely using automated decisionmaking software. Such applications will be forwarded as soon possible, in the case of Essex Police to the Senior Information Officer, Information Management; or Legal Services for Kent Police. Right to Prevent Processing for the Purposes of Direct Marketing o Subject to certain exemptions, an individual has the right to request that either force stops using their personal data for direct marketing purposes. This includes the communication by any means (for example by use of email) or any advertising or marketing directed at particular individuals. Such a right is unlikely to be needed to be applied within the police service. In the event that such a request is received, upon receipt it will be forwarded to either the Senior Information Officer, Information Management (Essex Police) or Legal Services (Kent Police) to co-ordinate the response. Statutory timescales are imposed for responses therefore it is imperative that the request is forwarded immediately. Right to take action for compensation if the individual suffers damage by any contravention of the Act by Data Controllers. o Any individual who believes they have suffered damage and/or distress as a result of any contravention of the requirements of the Act may be entitled to compensation where the Data Controller is unable to prove that it had taken such care as was reasonable in all the circumstances to comply with the relevant requirement. Right to take action to rectify, block, erase or destroy inaccurate data; o An individual has the right to seek a court order for the rectification, blocking, erasure or destruction of inaccurate personal data processed by either Police Force. Page 7 of 12
Right to request the Information Commissioner to assess a Data Controller s processing. o An individual can request the Information Commissioner to make an assessment if they believe that they are affected by the processing of personal data by either force. In such circumstances, the Information Commissioner will liaise with either force as necessary. 3.8 Data Processing Contracts 3.8.1 Anyone other than officers and staff of either police force who processes personal data on behalf of the force is known as a Data Processor. Where a Data Processor is used paragraphs 9 to 12 of Part II of Schedule 1 to the DPA require that the processing must be carried out under a written contract directing the Data Processor to act only on instructions from the police force and requiring it to comply with obligations equivalent to those on the police force by the seventh data protection principle. 3.8.2 Contracts created for this purpose are known as data processing contracts and both forces will use the template data processing contract contained in the Data Protection APP if existing contracts do not meet the requirements described in 3.8.1. 3.8.3 Examples of data processing include I.T. maintenance companies, confidential waste contractors and volunteers working within a police force. 3.8.4 It is the responsibility of the head of any business area (for example, the Information Asset Owner) within the two police forces arranging or sponsoring data processing in their business area to develop data processing contracts to cover that data processing. 3.8.5 A copy of any data processing contract will be provided to the Senior Information Officer, Information Management (Essex Police) or Legal Services (Kent Police). 3.8.6 Where the data processing involves processing of information by direct access to Athena there is a requirement from section 6.3 of the Athena Information Management Code of Connection that the draft Data Processing Contract is passed to the Business Manager at the Athena Management Organisation for approval prior to the data processing commencing. Page 8 of 12
3.9 Data Complaints/Disputes Resolution 3.9.1 Both forces receive complaints and disputes concerning the manner in which personal data are processed. Such complaints should be put in writing and dealt with as follows: Applications for the Early Disposal of Information Essex Police applications will be made in accordance with W 2021 Procedure Applications for the Early Disposal of Information. Excessive retention of personal data. Essex Police to be reported to the Senior Information Officer, Information Management who will liaise with the Records Manager, Information Asset Owner and others as necessary to resolve the dispute. Kent Police to be reported to Legal Services, who will liaise with the Records Manager, Information Asset Owner and others as necessary to resolve the dispute. Inappropriate access to or use of personal data. Essex Police to be reported to Professional Standards who will liaise with Senior Information Officer, Information Security Officer and Information Asset Owner and others as necessary to resolve the dispute. Kent Police to be reported to Legal Services, who will liaise with the Records Manager, Information Asset Owner and others as necessary to resolve the dispute. Inaccurate personal data Essex Police to be reported to the Senior Data Quality & Compliance Officer who will liaise with the Senior Information Officer, Information Asset Owner and others as necessary to resolve the dispute. Kent Police to be reported to Legal Services, who will liaise with the Records Manager, Information Asset Owner and others as necessary to resolve the dispute. Failure to apply data subject rights appropriately Essex Police to be reported to the Senior Information Officer who will liaise with others as necessary. Kent Police to be reported to Legal Services, who will liaise with the Records Manager, Information Asset Owner and others as necessary to resolve the dispute. Disclosure & Barring Service (DBS) disclosures Essex Police & Kent Police to be reported directly to the DBS complaints procedure. Page 9 of 12
Non-compliance with Protection of Freedoms Act (POFA) Essex Police & Kent Police Any request for the deletion of nationally held records of biometric material (DNA Sample), fingerprints, DNA Profiles and scanned fingerprints (held on IDENT1), should go to ACRO in the first instance 3.10 Compliance and Enforcement 3.10.1 All officers and staff and others working or volunteering for, or on behalf of, either force are responsible for ensuring that the forces obligations under the DPA are met. 3.10.2 Information Management (Essex Police) and Information Security Unit (Kent Police) audit systems and processes for compliance with the appropriate legislation and force policy. The findings of such audits, along recommendations, may be reported to the relevant Information Asset Owner (IAO) and to the forces Senior Information Risk Owners (SIROs). (See W 1009 Procedure/SOP Protective Monitoring.) 3.10.3 In addition to any official action by Professional Standards Department for breaches of policy, the DPA FOI Acts create specific criminal offences which can be committed by any individual: a) Unauthorised access to or disclosure of personal information (Section 55 DPA); b) Destruction, alteration, concealment of any information with a view to preventing disclosure (Section 77 FOI Act). 4.0 Equality Impact Assessment 4.1 This procedure/sop has been assessed with regard to an Equality Impact Assessment. As a result of this assessment it has been graded as having a low potential impact as the proposals in this procedure/sop would have no potential or actual differential impact on grounds of race, ethnicity, nationality, gender, transgender, disability, age, religion or belief or sexual orientation. 5.0 Risk Assessment 5.1 There is an overall risk concerning the use and management of Essex and Kent Police information. Advice and guidance relating to the assessment of risk is contained within the individual procedures. The Corporate Risk Register will contain any risks in relation to Information Security. Page 10 of 12
6.0 Consultation 6.1 The following were included in the consultation during the formulation of this document: Unison / Federation Diversity / H&S PSD The Information Management Boards (IMB s) for Essex and Kent. Business Services 7.0 Monitoring and Review 7.1 The forces partnership lead departments will be responsible for ensuring that the procedure/sop will remain current in line with HMG and NPCC policy. 7.2 This procedure/sop will be reviewed by or on behalf of the forces SIROs every year. 8.0 Governing force policy. Related force policies or related procedures (Essex) / linked standard operating procedures (Kent) Joint Essex Police and Kent Police W 1000 Policy Information Management and Assurance W 1001 Procedure /SOP ICT Acceptable Use W 1002 Procedure/SOP - User Account Management W 1003 Procedure/SOP - Information Classification & Handling W 1004 Procedure/SOP - Incident Reporting & Management W 1005 Procedure/SOP - Information Asset Owners W 1007 Procedure/SOP - Accreditation of Information Assets W 1008 Procedure/SOP - Physical Security W 1009 Procedure/SOP Protective Monitoring W 1010 Procedure/SOP - Records Management (Physical and Digital) W 1011 Procedure/SOP - Data Protection W 1012 Procedure/SOP - Records Review, Retention and Disposal W 1014 Procedure/SOP - Information Sharing Agreements W 1017 Procedure/SOP Sanitisation and Disposal W 1019 Procedure/SOP Freedom of Information Page 11 of 12
Essex Police Only W 2006 Procedure Cryptographic Security W 2011 Procedure Transaction Monitoring and Audit W 2013 Procedure Appropriate Access and Use of Police Information W 2020 Procedure Data Quality W 2021 Procedure Applications for the Early Disposal of Information W 2040 Procedure Records and Evidence Centre 9.0 Other source documents, e.g. Legislation, APP, Force forms, partnership agreements (if applicable) Athena Information Management Code of Connection Page 12 of 12