Requests for Personal Information from External Bodies Standard Operating Procedure otice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not be utilised as guidance or instruction by any police officer or employee as it may have been redacted due to legal exemptions. Owning Department Version umber Information Management 2.00 Date Published 19/07/2017 OT PROTECTIVELY MARKED
Compliance Record Equality Impact Assessment: Date Completed / Reviewed: 25/06/2013 Information Management Compliant: Yes Health and Safety Compliant: Yes Publication Scheme Compliant: Yes Version Control Table Version History of Amendments Approval Date 1.00 Initial Approved Version 02/07/2013 2.00 Under the direction of DCC Johnny Gywnne the amendments noted in this SOP are in relation to grammatical changes only from the wording 'police office' to 'police station'. 19/07/2017 OT PROTECTIVELY MARKED 2
COTETS 1. Purpose 2. Process 3. Handling the Requests 4. Retention of Section 29 Forms 5. Provision of Information in Response to Section 29 Forms 6. Disclosure of Information to the Police by Others APPEDICES Appendix A C Division Appendix B V Division Appendix C P Division Appendix D A and B Divisions Appendix E E and J Divisions Appendix F Division Appendix G G, U, Q, L and K Divisions Appendix H D Division Appendix I List of Associated Legislation Appendix J List of Associated Reference Documents Appendix K List of Associated Generic PSoS Forms Appendix L Glossary of Terms Appendix M Information Management Unit Contact Details In Use Y Y Y OT PROTECTIVELY MARKED 3
1. PURPOSE 1.1 This Standard Operating Procedure (SOP) describes the process police officers and staff should adopt when requesting personal data from non-police bodies where there is not an Information Sharing Protocol (ISP) or Memorandum of Understanding (MOU) in place. ote: Where an ISP exists the documented procedure should be followed. 1.2 Where intelligence is sought or intelligence is to be confirmed the local Intelligence Bureau should be contacted. The Intelligence Bureau act as SPOCs for both requesting and sharing intelligence with organisations such as the Department of Work and Pensions and Her Majesty s Revenue and Customs (HMRC). 2. PROCESS 2.1. There are a number of sections under the Data Protection Act 1998 which provide a gateway for the release of personal information for specific policing purposes. These are: Section 28(1) which allows disclosure to the police for the purpose of safeguarding national security. Section 29(3) which allows disclosure to the police for the: o Prevention or detection of crime o Apprehension or prosecution of offenders. Schedule 3 (3b) which allows disclosure to the police to protect the vital interests of the subject. 2.2 It would be very unusual for most police stations ever to use the legal gateway provided by Section 28 (national security); and although there is growing use of Schedule 3 (3b) especially where the interests of vulnerable people are concerned, the most usual reason for asking for the release of personal information is under Section 29 for the prevention and detection of crime/apprehension or prosecution of offenders. For this reason many organisations, and not just the Police Service, refer to the form, which is usually required for the release of personal information, as a Section 29 form. 2.3 It is essential that the reason for the request, giving sufficient detail to explain the necessity of the information to any investigation, is recorded. It gives an auditable record of the legitimacy of processing the information and is required by the standards for compliance laid down by both the Information Commissioner and the Manual of Guidance for the Management of Police Information (MOPI). 2.4 Most organisations will require the written request to be countersigned by a supervisory officer of at least the rank of Inspector and there will often be a person, process or office within the organisation for dealing with such OT PROTECTIVELY MARKED 4
requests. It is good practice to make enquiries about any process prior to making the request for personal information. 2.5 In emergencies most organisations will respond to a verbal request for personal information but some form of audit trail should be provided at the time either by recording the request and the reason for it in the Police Officer s notebook or PDA and getting the entry and the response signed by the person providing the information or by countersigning the organisation s own file or record in the same way. Organisations will usually ask for a Section 29 form to be provided as a follow up to this emergency process. 3. HADLIG THE REQUESTS 3.1 Where possible, the form should be sent to a secure email address. To be secure e-mail addresses must contain one of the following - pnn. gsi. or gsx. or cjsm. hs.net may also be used. 3.2 Many organisations, such as banks/building societies, do not have secure e- mail facilities. In such cases every effort should be made to submit the form by hand. 3.3 Faxes may be used in exceptional circumstances; when the following process should be followed: Recipient notified of incoming fax; Record made of date and time fax sent (confirmation sheet should be used where ever possible); and Recipient confirms receipt of fax to the sender; the same process should be used when sending an urgent response. 3.4 Again, requests should only be posted to an organisation in exceptional circumstance and only if the proper recipient has been identified given the sensitivity of the information contained in the request. In such circumstances the envelope and any accompanying letter should be marked Personal and In Confidence. 4. RETETIO OF SECTIO 29 FORMS 4.1 Copies of the Section 29 forms, or their equivalent, will be retained as part of the disclosure (revelation) process for the crime or incident being investigated. OT PROTECTIVELY MARKED 5
5. PROVISIO OF IFORMATIO I RESPOSE TO SECTIO 29 FORMS 5.1 The sections which permit the release of information (further processing) under the Data Protection Act 1998 do not compel anyone to disclose information to the police and whilst many external bodies want to assist the police, they are often wary of doing so for fear that they breach the Data Protection Act. 5.2 Pressure should never be put on individuals to comply with the request for information. Assistance or advice can be obtained from the local Information Management office. The contact details of the Information Management Units are given at Appendix M. 6. DISCLOSURE OF IFORMATIO BY THE POLICE TO OTHERS Guidance on the disclosure of information is given in the Disclosure of Personal and Sensitive Information SOP and relevant ISPs. Further information on obtaining or disclosing information can be obtained from local Information Management Units. OT PROTECTIVELY MARKED 6
APPEDIX I LIST OF ASSOCIATED LEGISLATIO Data Protection Act 1998 Human Rights Act 1998 OT PROTECTIVELY MARKED 7
LIST OF ASSOCIATED REFERECE DOCUMETS APPEDIX J Disclosure of Personal and Sensitive Information SOP Government Protective Marking Scheme SOP Manual of Guidance for the Management of Police Information (MOPI) OT PROTECTIVELY MARKED 8
APPEDIX K LIST OF ASSOCIATED GEERIC PSOS FORCE FORMS Section 29 Form OT PROTECTIVELY MARKED 9
APPEDIX M LOCAL IFORMATIO UITS COTACT DETAILS Refer to the Information Management Contact Directory on the Information Management intranet mini site. OT PROTECTIVELY MARKED 10