1.0 Summary of Changes
1.1 On its review the following changes were made to this procedure/SOP:
- Within 3.1.2 name added for Kent Data Protection Officer, Kent Police HQ address updated and Essex Data Protection Officer name updated;
- 3.5.1.4 category 4 has additional information added;
- 3.5.2.2 has updated email address for Kent;
- Bullet points in 3.5.2.3 had additional wording regarding “taking details of preferred method of contact”;
- 3.6.3 has “within 72 hours” added;
- Throughout “UK” added prior to reference to GDPR;
- Author details updated.
2.0 What this Procedure/SOP is About
2.1 This procedure/SOP applies to all officers, staff, volunteers and contractors within both Essex Police and Kent Police. In particular the content from paragraphs 3.11 through to 3.41 which set out specific responsibilities and obligations relevant to all officers and staff should be noted.
2.2 The procedure/SOP provides ‘high-level’ direction and guidance to ensure compliance with the legal requirements of the Data Protection Act 2018. Further detail is available within the College of Policing’s Authorised Professional Practice (APP) for Data Protection and the Manual of Guidance for Data Protection professionals.
2.3 This procedure/SOP therefore underwrites the commitment both forces have towards ensuring an individual’s subject rights can be exercised in accordance with the Data Protection Act 2018.
Compliance with this procedure/SOP and any governing policy is mandatory.
3.0 Detail the Procedure/SOP
3.1 Governance
3.1.1 The Chief Constables of Essex Police and Kent Police are the respective ‘Controllers’ as defined by the Act. They determine the purposes for which personal data is processed by the two police forces and the manner in which that processing takes place. Both forces have appointed their own ‘Data Protection Officer’ whose roles and responsibilities are set out in that legislation.
3.1.2 The respective Controller and relevant Data Protection Officer’s contact details are as below:
| | Essex Police | Kent Police |
| --- | --- | --- |
| Controller | Chief Constable, Essex Police HQ, PO Box 2, Chelmsford, Essex, CM2 6DA | Chief Constable, Kent Police HQ, Sutton Road, Maidstone, Kent, ME15 9BZ |
| Data Protection Officer | Michelle Watson: [email protected] | Lucy Power: [email protected] |
3.1.3 Notwithstanding that each Chief Constable remains a Controller in their own right, they have formally agreed how controller responsibilities are handled where collaborative activity is formally delivered under Section 22A, Police Act 1996.
3.1.4 In addition to the roles of Controller and Data Protection Officer each force has appointed a Chief Officer to act as the Senior Information Risk Owner (SIRO). The SIRO has responsibility for sponsoring and promoting information management and governance policy and ensuring compliance through a governance board, held independently in each force.
3.1.5 The attendees at each Board include information management professionals and key internal stakeholders with senior leadership positions from across each organisation. Amongst these are individuals fulfilling the role of Information Asset Owner (IAO) who are key to ensuring compliance with the Act.
3.1.6 The Information Asset Owner (IAO) is a senior individual who holds relevant responsibilities in relation to a particular business area. Their role is to oversee what information, including personal data, their staff collect (physical and digital records), how it is used, what is added, what is removed, how information is transferred and who has access to it and why. As a result, they are able to understand and mitigate risks and provide assurance to the Senior Information Risk Owner (SIRO) in relation to the security and accuracy of the force’s information assets.
3.1.7 Information records are the corporate property of Essex Police and Kent Police. Neither the physical record nor the intellectual information contained within either Essex Police or Kent Police records belongs to any particular group, team or individual.
3.2 Scope and Applicability
3.2.1 This procedure/SOP applies to:
- All police officers and members of police staff employed by Essex Police or Kent Police;
- All contractors, temporary members of staff, third party suppliers and their staff who process or access personal data on behalf of either force;
- Representatives from other statutory and non-statutory bodies whose work with either force provides them access to systems, records or premises;
- All persons who volunteer their services to support both forces;
- Any members of an unaffiliated not for profit organisation acting in the interest of the leisure needs and welfare of its membership which includes existing employees, their families or retirees.
3.2.2 For the purposes of this procedure/SOP all of the above are referred to as ‘officers and members of staff’.
3.3 The Principles Relating to Processing Personal Data
3.3.1 All processing (which includes obtaining, creating, amending, storing, disclosing and disposal) of personal data by either Essex Police or Kent Police will be in compliance with the six data protection principles relevant to either General Data Processing or Law Enforcement Processing, subject to legislative exemptions or restrictions. The principles, which differ according to whether the processing is for Law Enforcement purposes or not, are set out in the table attached.
3.4 Legal Basis for Processing
3.4.1 For processing to be lawful under the first principles, it must meet certain conditions set out in each of the various parts of the Act.
3.4.2 For law enforcement processing one of the conditions in Schedule 8 of the Act must be met. The most relevant ones are where the processing is:
- Necessary for judicial and statutory purposes – for reasons of substantial public interest;
- Necessary for the administration of justice;
- Necessary to protect the vital interests of the data subject or another individual.
3.4.3 For general processing one of the conditions in Article 6(1) of the General Data Protection Regulation (GDPR) must be met. The most relevant ones are where the processing involves:
- Consent: the individual has given clear consent for the processing of their personal data for a specific purpose;
- Contract: the processing is necessary for a contract the force has with the individual, or because they have asked the force to take specific steps before entering into a contract;
- Legal obligation: the processing is necessary for the force to comply with the law (not including contractual obligations);
- Vital interests: the processing is necessary to protect someone’s life;
- Public task: the processing is necessary for the force to perform a task in the public interest or for its official functions, and the task or function has a clear basis in law.
3.4.4 In addition, if the general processing involves special category data – information relating to an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation – then one of the conditions under Article 9(2) must be met. The most relevant ones are where:
- The individual has given explicit consent for the processing;
- The processing is necessary for lawful employment purposes;
- The processing is necessary to defend legal claims;
- The processing is necessary for occupational health purposes;
- The processing is necessary for archiving research and statistics purposes.
3.5 Subject Rights and the Responsibilities for Officers and Staff
3.5.1 Identifying Subject Rights Requests
3.5.1.1 Individuals are able to exercise eight rights concerning their personal data which is/has been processed by either force. The rights requests may be made verbally or in writing, and may be made directly to any officer or member of staff, or to the forces’ specialist units which process all rights requests.
3.5.1.2 Consequently all officers and staff must be able to recognise a subject rights application when one is made, and follow the processes set out in this section when receiving such a request.
3.5.1.3 Any failure to comply with these rights or respond in a timely manner is likely to result in actions being taken by the regulator, including a potentially significant fine as well as reputational damage.
3.5.1.4 The subject rights are as follows:
1. The right to be informed
Individuals have the right to be informed about the collection and use of their personal data; we are obligated to provide individuals with information including: the purposes for processing their personal data, retention periods for that personal data, and who it will be shared with. This is referred to as ‘privacy information’, which must be concise, transparent, intelligible and easily accessible, and must use clear and plain language. Information Asset Owners, working with the assistance of the Data Protection Officer, are responsible for ensuring this right is satisfied through the provision of privacy notices.
2. The right to access (Subject Access)
Individuals have the right to be aware of and verify the lawfulness of the processing the forces are carrying out. There is no requirement for a request to be in writing. We are required to provide a copy of the information free of charge, and at the latest within one month of receipt (subject to exemptions).
3. The right to rectification
Individuals have a right to have inaccurate personal data rectified or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. The forces are obligated to provide a response within one calendar month. In certain circumstances the forces can refuse a request for rectification.
4. The right to erasure
Individuals have the right to request the deletion or removal of their personal data. An individual can make a request for erasure verbally or in writing. The forces are obligated to provide a response within one calendar month. In certain circumstances the forces can refuse a request for erasure.
5. The right to restrict processing
Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, it is permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing, and the forces have one calendar month to respond to a request.
6. The right to data portability (only applies to General Processing)
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
7. The right to object (only applies to General Processing)
Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). The right also covers direct marketing (including profiling) and processing for purposes of scientific/historical research and statistics.
8. Rights in relation to automated decision making and profiling
Individuals have the right to object to decisions made about them solely on the basis of automated processing, where those decisions have legal or other significant effects.
3.5.2 Handling Subject Rights Requests
3.5.2.1 Both forces have application forms which individuals are encouraged to complete when making subject access requests. The Kent form is 2902B and the Essex form is A95; both are available via the individual force website.
3.5.2.2 Each force has a dedicated team who manage subject rights requests. It is in the data subject’s and the forces’ best interests to handle these requests promptly, and the easiest way will be to forward them to the appropriate team which will process them in accordance with their standard working practices:
- Essex – Information Rights Team, Police HQ
- Kent – Subject Access Team, Police HQ
3.5.2.3 Any officer, member of staff or other individual working for or on behalf of the force must consider the following when they identify that an individual is attempting to exercise one of their subject rights:
- Take immediate steps to verify the identity of the person making the request, for example by viewing a document such as a driving licence, passport etc., record the details of the request, and the method of identity verification, in their PNB or daybook, and notify the relevant team as soon as possible. If at all possible they should take a copy of the proof of identity;
- Where a request is initially made verbally officers and staff must write the request down and ask the requestor to verify the accuracy of their recording of it and amend it where necessary, as well as taking details of their preferred method of contact;
- If the request is received by email, it must be forwarded to the relevant team as soon as possible, and they will deal with ID verification;
- If it is not possible to validate the individual’s identity, details of the request should be recorded and sent to the team. The individual should be guided to send documents to verify their identity to the team;
- You must notify the team as quickly as possible, as, subject to exemptions, they have only a month to respond fully. In this time, they will have to search force systems, including in some instances paper records, to review their contents and send copies of the information to the individual requesting it.
3.6 Data Breaches and Responsibilities of Officers and Staff
3.6.1 A data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transmitted, stored or otherwise processed.
3.6.2 All officers and staff have a responsibility to escalate any potential information security risks, or actual breaches as defined above, to their line manager immediately, who must report the matter to the force Information Security Officer in accordance with W 1004 Procedure/SOP – Incident Reporting and Management. In Essex this will be by means of PFL001 form and in Kent via PFL002.
3.6.3 Where the breach is of a significantly serious nature (to be judged by the Data Protection Officer) it will be notified, as required by the Act, to the Information Commissioner’s Office within 72 hours.
3.6.4 Where a breach could seriously affect the psychological or the physical well-being of an individual, or individuals, whose personal data we process, then this should be escalated as a potential critical incident to the Force Duty Officer who will instigate steps to contain the breach and notify the individual(s) concerned that a breach has occurred. The matter should also be escalated to the Gold Commander and/or DPO if appropriate.
3.7 Data Protection by Design and Default and Responsibilities for Officers and Staff
3.7.1 The Act places a legal obligation on the forces to consider data protection requirements at the earliest stage when developing new systems, IT applications and processes for handling personal data, including information sharing initiatives – something known as Data Protection by Design & Default.
3.7.2 In some instances it will be necessary to carry out, with the assistance of the Data Protection Officer, Data Protection Impact Assessments in accordance with NPCC Guidance.
3.7.3 Consequently all officers and staff involved in projects or initiatives involving the use of personal data are required to make early contact with their Data Protection Officer for guidance as to how the Data Protection by Design & Default requirements must be met.
3.8 Information Asset Register & Responsibilities of Information Asset Owners and Records Managers
3.8.1 In compliance with the Act, each force will maintain an Information Asset Register which will contain a comprehensive record of all of the information processed by the force, including the legal basis for processing, records of where consent is used, as well as the use of Information Sharing Agreements, Privacy Notices and retention periods.
3.8.2 The information asset register is owned by the individual IAOs but maintained and kept up to date by the Records Manager in each force.
3.8.3 It is the responsibility of the IAO to work with the Records Manager to keep the register up to date, to inform the Records Manager of any new information assets, and to use the contents of the register to assess risk and direct interventions such as document reviews or weeding activity where retention periods are being exceeded.
3.9 Controller and Data Processors Contractual Requirements and the Responsibilities of Officers and Staff
3.9.1 Both forces recognise that any third party who processes personal data on behalf of one or both forces is within scope of the Data Protection Act.
3.9.2 It is therefore a requirement of this procedure that any officer or member of staff who is responsible for entering into a new contract, maintaining an existing contract or entering into a procurement contract, including the use of purchase orders, must comply with the following mandatory process:
- Consult with the Data Protection Officer, to assess whether or not a Data Protection Impact Assessment (DPIA) is required;
- Ensure that the contract has a viable Data Protection Agreement, or clause written into it that ensures that the data processor is clear on our expectations of the method, security and legal obligations of their processing operation;
- Ensure that the processing associated with the contract is fully documented on the force Asset Information Register, as well as the Record of Processing Activities, including an assessment of its risk;
- Arrange for plans to be put in place to ensure that the data processor complies with the Data Protection Agreement using an audit programme, the frequency of audit dependent on risk.
3.9.3 In many circumstances you will be required to carry out a Data Protection Impact Assessment (DPIA). This is a statutory requirement and, where processing could present very high risk to data subjects, the DPIA may need to be submitted to and authorised by the Information Commissioner’s Office before the processing can proceed.
3.9.4 DPIA templates and guidance are available for both forces: for Kent they can be located within the Information Security and Governance inSite page and in Essex they can be obtained from the Information Security Officer. These include an easy to follow screening process and further guidance as to how to complete the document.
3.9.5 The procedure should not be regarded as an unnecessary bureaucratic burden. It applies a logic similar to that used routinely within each force, being no different to the thought process applied when using the National Decision Making Model (NDM), seeking Directed Surveillance authorities or completing an Equality Impact Assessment.
3.9.6 Copies of all of the documents used for this process will need to be retained; the legislation requires us to keep these records, which may have to be produced to the Information Commissioner’s Office if a data breach occurs, or we are inspected or audited. Copies of the records will be stored by the Records Manager who will reflect such on the Information Asset Register.
3.10 Retention and Disposal of Personal Data and Responsibilities of Information Asset Owners
3.10.1 Essex Police and Kent Police review, retain and dispose of information in accordance with statutory and regulatory requirements, and this is directed through the application of the National Police Chiefs’ Council’s Authorised Professional Practice (APP) as well as the Management of Police Information (MoPI).
3.10.2 The retention, management and disposal of all physical and digital assets are the responsibility of the Information Asset Owner (IAO), or the person delegated with that responsibility by the IAO.
3.10.3 All information assets must be managed securely and retained only as long as is necessary to meet the purpose for which they were collected and processed initially.
3.10.4 Further guidance on retention and disposal of personal data can be obtained from the forces’ Records Managers and from the associated procedure.
3.11 Information Security
3.11.1 The Act requires both forces to ensure the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
3.11.2 Further guidance on the security of personal data can be obtained from the forces’ Information Security Officers and from the associated procedures.
3.12 Information Sharing
3.12.1 Information sharing involves the disclosure of data from one or more organisations to a third-party organisation or organisations, or the sharing of data between different parts of an organisation.
3.12.2 Information sharing may occur on a formal basis, using express or implied powers as defined in statute, or on an ad hoc basis when for example dealing with an emergency or perhaps sharing data with a third-party contractor to provide a specific service.
3.12.3 It is the policy of Essex Police and Kent Police to follow the Code of Practice for Information Sharing published by the ICO. Additionally, when sharing information, it is the responsibility of the IAO to:
- Ensure that existing Information Sharing Agreements (ISAs) are current and kept up to date;
- Ensure that a record that an ISA is in place is made on the Information Asset Register, and the ISA itself is retained and easily accessible;
- Ensure that, when considering or entering into a new ISA, consultation takes place with the DPO beforehand, and consideration is given to completing a DPIA;
- Ensure that the contents of any privacy notice in use are consistent with the information contained within the ISA.
3.12.4 Essex Police and Kent Police both have existing procedures covering the creation and management of information sharing agreements which can be found on the relevant force intranet.
3.13 Transfer of Personal Data to Third Countries
3.13.1 The legislation imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the UK GDPR is not undermined. Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter 5 of the UK GDPR.
3.13.2 Essex and Kent both have international operational commitments, which include information sharing agreements with Interpol, Europol, as well as the Security Services.
3.13.3 If an additional need arises to share personal data with third countries outside of the EEA, then the Data Protection Officer must be consulted beforehand, and the principles as set out in Chapter 5 of UK GDPR must be adhered to.
3.14 Knowledge and Skills
3.14.1 Both forces are committed to providing their officers, staff and volunteers with the appropriate level of skills and knowledge in data protection relative to the role they perform, and the data protection risks relative to that role.
3.14.2 Essex Police and Kent Police share a single Learning and Development Department who are responsible for delivering Information Security and Data Protection Training using a national training product developed by The College of Policing.
3.15 Criminal Offences and Responsibilities of Officers and Staff
3.15.1 There are a number of criminal offences set out in the Data Protection Act 2018, which include:
- Section 170 Unlawful obtaining etc of personal data - it is an offence for a person knowingly or recklessly to obtain or disclose personal data without the consent of the controller, to procure the disclosure of personal data to another person without the consent of the controller, or after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained;
- Section 171 Re-identification of de-identified personal data - it is an offence for a person knowingly or recklessly to amend information that previously could not identify a person so that the person can now be identified from it, without the consent of the controller responsible for anonymising the personal data in the first place;
- Section 173 Alteration etc of personal data to prevent disclosure - it is an offence for the controller or one of their employees to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive having made a subject access request;
- Section 184 Prohibition of requirement to produce relevant records - it is an offence for anyone offering employment, goods or services to someone else to compel the latter to provide them with, or give them access to the latter’s personal data within records concerning a conviction, caution, health, or within a Disclosure & Barring Service record.
3.15.2 Where any of the above are suspected or identified officers and staff must:
- Record a criminal offence if appropriate in order that it can be assessed and allocated for investigation;
- Notify the relevant Data Protection Officer;
- If the offence relates to personal data processed by either force, report the matter to the relevant Professional Standards Department;
- If the offence relates to personal data processed by any other organisation, record the offence in accordance with crime recording policy and notify the Data Protection Officer in order to consider onward referral to the Information Commissioner’s Office.
3.16 Data Minimisation
3.16.1 The third Data Protection Principle requires that personal data processed for law enforcement purposes must be ‘adequate, relevant and not excessive’, while if processed for general purposes it must be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.’ This means that Essex Police and Kent Police must use the minimum amount of personal data needed to fulfil their purposes and no more, something known as ‘data minimisation.’
3.16.2 Essex Police and Kent Police’s approach to data minimisation is to comply with the ICO’s guidance on the subject which can be accessed here for law enforcement processing and here for general processing.
3.17 Pseudonymisation
3.17.1 Where personal data is processed for General Purposes Essex Police and Kent Police are obliged by Article 32 of the UK GDPR to consider applying a technique known as pseudonymisation to that data to help protect it.
3.17.2 Pseudonymisation is defined at Article 4(5) of the UK GDPR as ‘the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable individual.’ There is no equivalent content in the Data Protection Act 2018.
3.17.3 In practical terms pseudonymisation is a technique designed to reduce risks to confidentiality of personal data by replacing or removing information in personal data that identifies an individual. However, it is important to note that pseudonymised data must still be considered to be personal data and therefore will continue to fall under the scope of the GDPR.
3.17.4 Essex Police and Kent Police’s approach to pseudonymisation is to comply with the ICO’s guidance on the subject which can be found here for general processing. Where personal data is processed for law enforcement purposes the forces may consider use of pseudonymisation, where deemed appropriate by the forces’ Data Protection Officers.
4.0 Equality Impact Assessment
4.1 EIA tbc
5.0 Risk Assessment
5.1 There is an overall risk concerning the use and management of Essex Police and Kent Police information. Advice and guidance relating to the assessment of risk is contained within the individual procedures. The Corporate Risk Register will contain any risks in relation to Information Security.
6.0 Consultation
6.1 The following have been consulted during the formulation of this document:
- Unison / Federation
- Diversity / H&S
- PSD
- The Information Management Boards (IMBs) for Essex and Kent
- Business Services
7.0 Monitoring and Review
7.1 The forces’ partnership lead departments will be responsible for ensuring that the procedure/SOP will remain current in line with HMG and NPCC policy.
7.2 This procedure/SOP will be reviewed by or on behalf of the forces’ SIROs every two years with the next review due for May 2020.
8.0 Governing force policy.
Related force policies or related procedures (Essex) / linked standard operating procedures (Kent)
8.1 Data Security
8.1.1 Essex Police and Kent Police have measures in place to protect the security of data in accordance with our Information Management Policy – W 1000 Policy – Information Management.
8.2 Retention & Disposal of Records
8.2.1 Essex Police and Kent Police will hold data in accordance with our Records Review, Retention & Disposal Policy W 1012 Procedure/SOP - Records Review, Retention and Disposal.
8.2.2 We will only hold data for as long as necessary for the purposes for which we collected it.