APP on data protection has been produced to assist forces in their statutory responsibility to comply with the Data Protection Act 1998 (DPA).
Data protection is a core requirement to support effective policing. It identifies the structures, responsibilities, policies and processes that must be in place to ensure consistency in the way the DPA is applied throughout the police service.
The target audience is primarily data protection officers (DPOs), other data protection practitioners, information asset owners, and chief officers in their capacity as data controllers.
The APP helps create an environment across the police service in which compliance can be achieved and provides policing business with professional guidance and assistance in interpreting the DPA.
The APP focuses on police use of personal data for operational purposes. However, it also recognises that the police service processes personal data for supporting functions such as administrating staff. Readers are, therefore, encouraged to be aware of the Information Commissioner’s guidance.
- 1 Data protection introduction
- 1.1 Legal definitions
- 1.2 Personal data in a policing environment
- 1.2.1 Anonymised data
- 1.3 Processing in a police environment
- 2 Governance
- 2.1 Director of information
- 2.2 Chief officer ‒ data controller
- 2.3 Senior manager
- 2.4 Senior information risk owner
- 2.5 Information asset owner
- 2.6 Data protection officer
- 2.7 All staff
- 2.8 Information Commissioner
- 2.9 Data protection training, awareness and guidance
- 2.10 Police collaborative units
- 3 Data protection principles
- 4 Data breach
- 5 Disclosure and information sharing
- 5.1 The non-disclosure provisions
- 5.2 Data Protection Act 1998 section 35
- 6 Handling allegations of criminal offences under the Data Protection Act 1998
- 6.1 Process
- 6.1.1 Offence not connected to the force
- 6.1.2 Offence or misconduct identified by or reported to the police relating to police-held personal data
- 6.1.3 Offence identified or reported to the Information Commissioner relating to police-held personal data
- 6.2 Related offences
- 6.3 Victim care
- 7 Privacy by design
Data protection introduction
The DPA defines key terms including:
Personal data in a policing environment
Personal data in a policing environment includes data that identifies individuals, eg, vehicle registration marks (VRM), telephone numbers and digital data.
Forces can determine whether data relates to an individual in:
- an obvious way, including the individual’s conviction history, medical records, record of interview, witness statement provided by them, injury photos of them, custody record, their personal development plan or absence record
- a non-obvious way not listed above or deemed obvious, that may be processed to learn about, record or decide upon an identifiable person and that may have an impact on that individual.
Forces may anonymise personal data so that it falls outside the scope of the DPA. However, forces still have other obligations including the ACPO/ACPOS (2009) Information Systems Community Security Policy. Forces must ensure that recipients of the anonymised data are not able to re-create it using certain types of software or other information they are likely to have access to.
Processing in a police environment
Processing includes obtaining, recording or holding personal data and carrying out various tasks including organising, adapting, altering, retrieving, consulting, using, disclosing, aligning, combining, erasing or blocking ‒ it is difficult to think of any activity relating to personal data that would not fall under the definition of processing.
The police process, through a wide variety of means, a vast and diverse volume of personal data relating to staff, victims, witnesses, offenders, suspects, and others. The data may be about the person to which they refer, or other individuals mentioned in them. Examples of records that contain personal data are:
- custody record
- crime reports
- incident logs
- intelligence reports
- personnel files
- nominal records.
Under the Freedom of Information Act 2000 (FOIA) the public may apply to access any recorded information, including personal data, held by a police force subject to certain exemptions.
Director of information
The information management business area (IMBA) has a person of chief officer rank who maintains a portfolio for data protection, freedom of information and records management.
This role promotes compliance, consistency and a corporate approach across the service. It also assists chief officers in interpreting data protection in a police environment.
Chief officer ‒ data controller
Each chief officer, as a data controller, has a legal responsibility to ensure their force complies with the DPA. They cannot delegate their legal responsibility.
In some cases the chief officer may be the sole data controller. In other circumstances they may be either a data controller jointly or in common with one or more other data controllers. In such circumstances the data controllership must be clearly defined at the outset.
The chief officer will have measures to ensure that:
- there is an effective dialogue (reporting line) on data protection issues between chief officers, the data protection officer and other staff
- any concerns regarding data protection compliance within a police force are directed to the data protection officer in a timely manner.
The chief officer must formally designate an officer of ACPO rank or equivalent to:
- support and oversee the management of data protection matters
- ensure that force policies, procedures and guidelines reflect the requirements of this APP.
The manager may also perform the function of senior information risk owner (SIRO).
Senior information risk owner
By designating a SIRO, a police force demonstrates that there is a mechanism and decision-making process(es) in place, at senior level, to consider appropriate technical and/or organisational measures for the type of information (including personal data), together with any risks to information and the business. The SIRO:
- has ownership of risk
- ensures that information management and other risks are considered
- understands how the strategic business goals of the police force may be affected by information system failures
- is supported by the information assurance resources and others including the DPO.
Information asset owner
The information asset owner (IAO) (also referred to as the senior responsible officer (SRO) or senior system owner (SSO)) is responsible for all information in their business area.
The data protection officers (DPOs) should assist the IAOs with their wider information management responsibilities, including the need to:
- identify what information assets are held and ensure information assets are registered with records manager
- ensure that data is collected and used fairly and lawfully
- ensure that data is fit for purpose, accurate and up to date
- ensure that appropriate retention policies are established and implemented
- ensure there is effective liaison between the IAO with the DPO so that the rights of data subjects and other data protection obligations are met.
Data protection officer
The DPO manages their chief officer’s (DPA) responsibilities. Within some forces this may be carried out by more than one person, who may be known by a different title. The DPO and their responsibilities within the force must be documented. This role:
- represents the chief officer on data protection matters
- maintains an up-to-date knowledge of the DPA
- advises on relevant legislation and developments in data protection and related matters
- promotes awareness of data protection matters through training, policy development, advice and guidance
- ensures that systematic auditing and monitoring of information and systems takes place in accordance with the APP on information management – audit
- ensures information and systems comply with the relevant legislation
- ensures that security arrangements are in place to protect information, including, where necessary, contracts relating to third parties processing police information
- investigates and resolves complaints made in respect of the handling of personal information (in relation to data protection)
- assists, where appropriate, in investigating disciplinary and criminal matters relating to data protection.
Where the DPO does not undertake any of the listed responsibilities, the force will document who in the force will undertake these responsibilities.
Every police officer, member of police staff, police community support officer, special constable, volunteer, data processor, contractor and approved persons working for or on behalf of the police having access to personal data are required to comply with the requirements of the DPA and any supporting local policy or procedure designed to help achieve compliance.
The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Information Commissioner can take enforcement actions, which include issuing monetary penalties.
Data protection training, awareness and guidance
Forces should develop and implement training strategies that incorporate data protection aspects.
All staff must receive, as a minimum, baseline awareness training, with further specialist training provided dependent on role and circumstances. Forces should consider specialist training for DPOs, which may involve obtaining professional qualifications in DPA.
Forces should deliver refresher training to staff as required. Where contractors have access to force personal data, forces should ensure that they receive or have received training of the necessary standard.
Forces must ensure that up-to-date records are maintained of staff training. These records can assist forces to meet their obligations under principle 7 of the DPA.
Police collaborative units
The creation of collaborative units to deliver certain activity on behalf of more than one police force or between police forces and other organisations, increases the risk of ill-defined governance arrangements. Forces should clearly define governance arrangements at the outset.
Forces must clearly identify the role of the data controller(s) within the unit to allow officers and staff to follow an information management regime. Where more than one force is involved in a collaboration unit, they should adopt a project management approach.
Data protection principles
The data protection principles set out the standards governing the processing of personal data. All chief officers, in their capacity as data controllers, must comply with the principles unless an exemptions applies. The data protection principles are:
- Principle 1 – fair and lawful processing: Personal data must be obtained and processed fairly and lawfully and, in particular, shall not be processed unless:
- Principle 2 – notification and compatible use: Personal data must be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Principle 3 – adequate, relevant and not excessive: Personal data must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Principle 4 – accuracy and up to date: Personal data must be accurate and, where necessary, kept up to date.
- Principle 5 – retention: Personal data processed for any purpose or purposes must not be kept for longer than is necessary for that purpose or those purposes.
- Principle 6 – rights of data subjects: Personal data must be processed in accordance with the rights of data subjects under the DPA.
- Principle 7 – security and protective measures: Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Principle 8 – transfer outside the European Economic Area: Personal data must not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to processing personal data.
Forces should have measures in place prior to any data security incident, and reactive measures to handle a data breach incident if one occurs.
Forces should have provisions in place to create an effective information assurance/security and/or data protection regime. The key elements within this regime should include:
- a SIRO and the lead on data protection and information assurance/security issues
- an information assurance/security board forum
- senior responsible owners/system owners for the most important information collections/databases
- protective marking scheme and associated policy covering handling protectively marked material
- information assurance/security incident reporting and incident management procedures
- a DPO or equivalent
- an effective data protection/information assurance/security audit and compliance testing programme.
There is no legal obligation to report data protection breaches to the Information Commissioner, however, forces should have due regard to the ICO’s Guidance on data security breach management and the Notification of Data Security Breaches to the ICO.
The national policing lead for data protection is able to provide advice and support and should be contacted if the breach affects more than one force. In addition, data protection breaches should be referred to ACPO DP/FOI CRU where a referral to the ICO was being contemplated or had occurred.
Data breach by external organisations
To mitigate risks around a data breach, forces must ensure that any data processor agreements or information sharing agreements outline how data breaches involving information derived from the force are reported and managed.
For data processors, the measures must equate to those of the force itself. For recipients who are party to any information sharing agreement there should be (as a minimum) a requirement for the force to be informed of the loss as soon as possible so the necessary reactive measures can be instituted.
Disclosure and information sharing
Disclosures of personal data by a force may involve the provision of data by any means including, verbally, electronically and by the supply of hard-copy documents.
The term disclosure in this context should not be confused with the rules for disclosure as provided by the Criminal Procedure and Investigations Act 1996 (CPIA) or the Civil Procedures Rules. Disclosure is also commonly referred to as information sharing.
To ensure appropriate data disclosure decisions are made, forces should consider whether:
- personal data, its purpose, the recipient and the legal basis/power is defined
- data protection principles are applied
- information is proportionate
- third-party information has been removed (where necessary)
- an officer in the case is consulted on disclosure
- reasonable checks have been made to ensure that the disclosure is not likely to prejudice any ongoing criminal proceedings or current police investigations
- the disclosure is not misinterpreted
- appropriate authorisation is given before releasing personal data
- all staff maintain appropriate records for any disclosure made
- once the disclosure has been made the control of the personal data is lost
- an audit trail has been maintained to identify what disclosures have been made at any time
- personal data has only been disclosed if there is clear reason to believe that it may be materially relevant.
Forces should use the personal data request form when requesting personal data.
The non-disclosure provisions
The non-disclosure provisions are defined at DPA section 27(3) and section 27(4). These elements of the DPA impose a restriction on disclosing personal data. The provisions within DPA section 35(1) and section 35(2) provide relief from them. Forces can only disregard any or all of the non-disclosure provisions if their application would prejudice the disclosure. The non-disclosure provisions are:
- DPA principle 1, except where it requires compliance with the conditions in Schedule 2 and Schedule 3 (legitimate processing conditions and sensitive personal data conditions)
- DPA principles 2, 3 , 4 and 5
- DPA section 10 (right to prevent processing likely to cause damage or distress) and section 14 (1) to (3) (rectification, blocking, erasure and destruction)
- to the extent to which they are inconsistent with the disclosure in question.
Data Protection Act 1998 section 35
The public interest may require the disclosure of personal data, which would otherwise be in breach of the DPA, eg, where the disclosure is required by law or made in connection with legal proceedings. There are two key provisions for forces:
- the provisions within section 35(1) cover mandatory disclosures of personal data required by law
- those within section 35(2) deal with discretionary disclosures of personal data in connection with legal proceedings.
The provisions within these subsections provide relief from the non-disclosure provisions.
Disclosures required by law
DPA section 35(1) exempts personal data from the non-disclosure provisions to the extent to which they are inconsistent with the disclosure in question, where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.
In this context an enactment refers to an Act of Parliament or a statutory instrument, while an order of a court refers to an order of any court or tribunal that has the status of a court. It is difficult to identify any disclosure from the police service required by any rule of law which would not also be one required either under enactment or order of a court.
Relief provided by DPA section 35(1) is conditional:
- individually each of the non-disclosure provisions can only be disregarded to the extent necessary
- the remaining parts of the Act must be considered, perhaps including a need to comply with some of the non-disclosure provisions, and a need in all cases for a Schedule 2 (and on occasions a Schedule 3) condition, and for compliance with the sixth, seventh and eight principles (where applicable).
Forces must have processes in place for recognising and processing disclosures of personal data where DPA section 35(1) is engaged, and for establishing new procedures as further relevant legislation is enacted. These processes should be designed to ensure that any disclosure of personal data is in compliance with the remaining parts of the Act from which DPA section 35(1) does not provide relief. Forces should ensure that where requests/demands are received that are perceived as being too broadbrush, vague or unclear, they are challenged and the necessary clarity provided so that the force is confident that the required disclosure is appropriate.
Some court orders may be considered unsatisfactory by forces. Forces should, therefore, have systems in place that will ensure that where an unsatisfactory court order requiring disclosure of personal data is received, the force is in a position to exercise its ability to seek to vary the court order where necessary.
Considering a disclosure request
- Has the requirement under law for the disclosure been confirmed?
- What personal data is involved?
- What are the Schedule 2 (and where necessary Schedule 3) grounds for processing?
- How will the disclosure comply with sixth principle rights where exercised?
- How will the disclosure comply with seventh principle?
- Is the proposed method for disclosure appropriate in terms of information security?
- In the case of a court order, should the police force seek to vary the court order?
- To what extent do each of the non-disclosure provisions need to be disregarded?
- Where a non-disclosure provision does not need to be completely disregarded how will compliance with it be achieved?
Disclosures made in connection with legal proceedings
DPA section 35(2) exempts personal data from the non-disclosure provisions to the extent to which they are inconsistent with the disclosure in question, where the disclosure is necessary:
- for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or
- for the purpose of obtaining legal advice, or
- is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
DPA section 35(1) compels disclosure. A force is not obliged to disclose personal data pursuant to a request made by a third party under DPA section 35(2), but may chose to do so dependant on the circumstances. DPA section 35(2) requires that the disclosure should be necessary, as opposed to being simply desirable.
The discretionary nature of the exemption means that forces are encouraged to develop policies that identify in what circumstances they are likely to exercise that discretion and those where they are unlikely to do so.
The discretionary element to this exemption means that there is a risk of inconsistent, and potentially unfair, use of the exemption within and between forces. Forces should develop documentation that outlines their approaches to requests for, or disclosures of, personal data where DPA section 35(2) is likely to be engaged. This documentation should outline the following:
- disclosures are at the discretion of the chief officer
- prioritisation processes take place and define this priority
- some types of request are likely to be declined
- disclosures will not be made until the conclusion of any related criminal investigation or prosecution, and the circumstances where the CPS or coroner will be consulted
- disclosures will be based upon careful consideration of all the facts
- third-party data may form part of the requested information
- the circumstances in which statements provided by police officers or third parties will and will not be disclosed
- the circumstances in which the request will be processed under the subject access provisions
- proof of identity may be required, and which one
- fees may be charged and under what circumstances.
Handling allegations of criminal offences under the Data Protection Act 1998
The DPA makes it an offence where:
- the Information Commissioner is not notified of the processing of personal data (DPA section 21(1))
- the Information Commissioner is not updated regarding relevant changes to the notification (DPA section 21(2))
- relevant particulars are not provided (DPA section 24(4))
- notices are not complied with (DPA section 47(1))
- false information is provided in response to a notice (DPA section 47(2))
- there is unlawful obtaining, disclosing or sale of personal data (DPA section 55(1), DPA section 55(4) and DPA section 55 (5))
- there is unlawful disclosure of personal data by the Information Commissioner (DPA section 59(3))
- there is obstruction of a warrant or failure to assist re warrant execution (DPA Schedule 9 paragraph 12 and DPA section 60(3)).
In England and Wales, criminal proceedings may only be instigated by the Information Commissioner, or with the consent of the Director of Public Prosecution. In Scotland, criminal proceedings will be brought by the Crown Office & Procurator Fiscal Service. In Northern Ireland, proceedings can be started by the Information Commissioner or by or with the consent of the Director of Public Prosecutions for Northern Ireland.
On conviction of an offender, the court can order any data connected with the crime to be forfeited, destroyed or erased. Anyone other than the offender who claims to own the material may apply to the court that such an order should not be made.
Forces must have procedures to:
- report breaches of data protection principles to the DPO and information asset owner
- inform the Information Commissioner’s head of investigation of allegations of criminal breaches of the DPA
- inform the DPO of the outcome of allegations and investigation
- identify lessons learnt.
Offences fall within three broad groups.
- Offence not connected to the force
- Offence or misconduct identified by or reported to the police relating to police-held personal data
- Offence identified or reported to the Information Commissioner relating to police-held personal data.
Offence not connected to the force
Where complaints are received that a member of the public or another organisation has committed or is committing a criminal offence under the DPA, the allegation will be recorded by the force. Where the offence relates solely to data protection matters, the crime will be forwarded to the Information Commissioner to carry out the investigation.
Where offences under the DPA are discovered in the course of an investigation, all evidence relating to data protection matters must be secured. The Information Commissioner should provide advice and assist in the preparation of the case file, for any data protection offences. Where the circumstances of an offence committed under DPA section 55 may also constitute an offence under the Official Secrets Act 1989, forces must investigate the matter and submit a file to the Director of Public Prosecution via the CPS. The Information Commissioner and/or the officer in charge will notify the data protection officer of the outcome of the investigation.
Offence or misconduct identified by or reported to the police relating to police-held personal data
Where the misuse of police-held personal data is by those working for or on behalf of a police force, the matter should be reported to professional standards.
The professional standards department (PSD) will assess the circumstances of the case and identify a proportionate response to the allegation. Any DPO advising the PSD on the assessment should consider the following:
- the motive of the offender – was it a case of curiosity, was it for personal gain, was it for another person’s gain?
- the nature of the personal data – for example, the quantity involved, what it related to, its sensitivity
- the harm and/or distress, potential or otherwise, caused to the person to whom the personal data related and others • the level of intrusion or breach of privacy suffered
- previous misconduct or criminal breaches by the offender
- whether the offender was one of many
- the wider public interest.
Where necessary (for example, confirmation that an offence has occurred), the PSD will seek the views of the data protection officer. The Information Commissioner may also be in a position to provide advice. In all cases the PSD should regularly inform the data protection officer about the progress of any investigation and prosecution into offences under the DPA.
A decision by the CPS not to proceed with a prosecution under the DPA should not preclude notification of the case to the Information Commissioner. Cases of procuring disclosure or sale of police-held personal data are of particular interest to the Information Commissioner. The PSD will notify the data protection officer of the outcome of the case so that the force can identify and undertake any necessary remedial action.
Where a criminal investigation has been concluded and guilt has been proved, the PSD will inform the head of enforcement at the ICO, by providing the following details: name of individual, offence and court disposal.
Offence identified or reported to the Information Commissioner relating to police-held personal data
On occasion, the Information Commissioner is likely to receive allegations that a force or individuals working on its behalf have committed offences under the DPA.
The Information Commissioner must be notified that a force or persons working on its behalf have committed offences under the DPA. The Information Commissioner may take primacy for the investigation. Where the Information Commissioner receives a complaint relating to an offence by a force, they will notify the force’s head of PSD.
The following are related offences that may be considered when dealing with offences under the DPA:
- unauthorised access to a computer material (Computer Misuse Act 1990 section 1)
- unauthorised access with intent to commit or facilitate commission of further offences (Computer Misuse Act 1990 section 2)
- unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer (Computer Misuse Act 1990 section 3)
- misconduct in a public office (common law)
- conspiracy (Criminal Law Act 1977 section 1(1))
- conspiracy to pervert the course of justice (Criminal Law Act 1977 section 1(1))
- breach of confidence (common law)
- altering records with intent to prevent disclosure (Freedom of Information Act 2000 section 77)
- fraud by false representation (Fraud Act 2006 section 2)
- fraud by abuse of position (Fraud Act 2006 section 4).
Forces should take appropriate action within their powers and capabilities to mitigate any damage or distress caused to an individual by virtue of any offence under the DPA.
Privacy by design
This is an approach to project that promotes privacy and data protection compliance from the start. Although this approach is not a requirement of the DPA it will help forces comply with their obligations under the legislation.
Chief officers should ensure that privacy and data protection is a key consideration in the early stages of any project and then through its life cycle. Specifically when:
- building new IT systems for storing or accessing personal data
- developing legislation, policy or strategies that have privacy implications
- embarking on an information sharing initiative
- using data for new purpose.
Privacy impact assessment
A privacy impact assessment (PIA) enables organisations to identify and address the likely privacy impact of new initiatives. It can be carried out at the same time as other assessment, eg, an equality impact assessment. A PIA considers privacy issues in relation to data protection compliance and wider considerations including:
- increasing public confidence
- preventing problems arising
- avoiding subsequent expense and disruption
- protecting the reputation of the force.
PIAs are not always necessary. If an assessment is to be carried out, it is recommended that forces should:
- consider a PIA as part of initial phase assessment, when new national police system or projects are to be implemented
- incorporate the PIA process(es) into their project management policy/processes
- use relevant consultation and reporting tools subject matter experts, information security office (ISO), record manager and IT manager must form part of the consultation group)
- determine what scale of PIA is necessary (full or small scale)
- review the PIA regularly
- include the privacy risks and countermeasures (this will support legal compliance and can be used as a reference document for any media statements required in the future)
- refer to the initial PIA and reviews, provide an outline of the outstanding PIA risks and refer to previous mitigated risks when finalising the report.
The SIRO should:
- ensure PIAs are completed at appropriate stages of a project
- accept/reject any risk from the PIA document.
The project owner is responsible for the project risk register and should:
- identify the individual who will undertake the PIA
- ensure sufficient resources are provided to the PIA process
- complete the PIA tasks at appropriate times.
Page last accessed 30 March 2017