
Data Protection Policy

ABOUT THIS PROCEDURE

The purpose of this policy is to set out the high level data protection requirements for all processing activities involving personal data carried out by South Wales Police and Heddlu Gwent Police (“the forces”). These requirements are legislative obligations and failure to comply with them constitutes an infringement of the legislation which may result in enforcement action and/or penalties issued by the Information Commissioner’s Office (ICO) and potential court action brought by individuals who suffer damage and distress as a result of an infringement.

TITLE: DP001 - Data Protection Policy
DEPARTMENT RESPONSIBLE: Information Management
DATE CREATED: 25/11/1997
LAST REVIEWED: 30/06/2020
NEXT REVIEW DATE: 30/06/2021
VERSION: v17
SECURITY CLASSIFICATION: OFFICIAL
PUBLICATION SCHEME: Yes
COLLEGE OF POLICING APP: Management of Police Information

How to navigate this document:

You can either:

• Scroll through each page in sequence
• Or click on the tabs on the right hand side to go to a specific section

If you have any questions on this procedure, please see the relevant contact in the Further Reference section or email the Policy Unit.


QUICK REFERENCE

Relevant Definitions (further definitions will be provided in the associated procedural and guidance documents)

Common Definitions under the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) - General Processing and Law Enforcement

“Personal data” – Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or to one or more factors specific to the physical or physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Data Subject” – the identified or identifiable natural person to whom the personal data relates.

“Biometric data” – personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images or dactyloscopic data;

“Genetic data” – Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or health of that natural person and which result, in particular, from an analysis of a biological sample from the person in question;

“Data concerning health” – personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveals information about his or her health status;

“Processing” – any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, e.g. collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure, alignment, combination, restriction, erasure or destruction;

“Processor” – any person who processes personal data on behalf of the controller (other than a person who is an employee of the controller). A sub-processor is a person who is subcontracted by the processor.

“Child” – a natural person who is under 13 years old (16 years in Scotland) for the purposes of an information society service; for all other purposes a person who is under 18 years old;

“Pseudonymisation” – processing of personal data such that the data can no longer be attributed to a specific data subject without the use of additional information, i.e. a key which is kept separately and is subject to technical and organisational measures to ensure that it cannot be linked to the data to make data subjects identifiable.

“Consent” – any freely given, specific, fully informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data (see ‘DP010 – Consent’ for further information);

Part 2 Definitions – General Processing


“Special Category Data” – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

“Controller” – a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purpose and means of the processing, or where it is nominated by UK law. The Chief Constables are the data controllers for South Wales Police and Gwent Police respectively.

Part 3 Definitions - Law Enforcement

“Law Enforcement Purposes” - prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

“Sensitive processing” – processing of special category data and personal data relating to criminal convictions and offences or related security measures under Part 3 DPA.

“Competent Authority” –

• Any United Kingdom government department other than a non-ministerial government department, including Scottish, Welsh and Northern Ireland Ministers.
• Chief Officers of Police and other policing bodies
• Authorities with functions relating to offender management
• Other authorities e.g. the Director of Public Prosecutions, the Procurator Fiscal, the Information Commissioner, a court or tribunal.

“Controller” - means the competent authority which, alone or jointly with others, determines the purposes and means of the processing of personal data or is required to process under an enactment. The Chief Constable is the data controller for South Wales Police.

“Employee”, in relation to any person, includes an individual who holds a position (whether paid or unpaid) under the direction and control of that person.

Miscellaneous Terms

“Appropriate Policy Document” – this document explains the controller’s procedures for securing compliance with the data protection principles in connection with sensitive processing in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, and explains the controller’s policies as regards the retention and erasure of personal data processed in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, giving an indication of how long such personal data is likely to be retained.

“Information relating to another individual” includes information identifying him/her as the source of information if they can be identified from that information or from that information and any other information that the data subject is likely to possess or obtain.


“Individual Rights” - these are rights which can be exercised by data subjects in respect of personal data held about them, unless there are exemptions which enable a data controller to disapply the right, but only in so far as it is necessary.

Any other terms may be addressed in guidance notes.


ROLES & RESPONSIBILITIES

Data Protection is everyone’s responsibility.

This policy applies to all police officers, staff, volunteers, secondees and contractors who are processing personal data for or on behalf of the forces.

Processing includes ‘general processing’ under Part 2 of the DPA and processing for ‘law enforcement purposes’ under Part 3 DPA.

This applies to both manual and automated processing of personal data, whether structured or unstructured, as South Wales Police and Gwent Police are public authorities under the Freedom of Information Act 2000. It also applies to any method, channel, system or service used to process personal data.

The requirements apply notwithstanding other legislative requirements, codes of practice and standards.

Any individual rights requests or reports of data incidents/personal data breaches must be sent to the Data Protection Team as soon as possible as there are legal timescales which must be met.


FULL PROCEDURE

Data Protection Principles

The principles are the pillars which govern good data protection practice. Failure to comply with the principles may lead to enforcement action, financial penalties, reputational damage and potential legal action by data subjects who have suffered damage or distress as a result of non-compliance.

There are 6 data protection principles which apply to both general processing and processing for law enforcement purposes:

1. Personal data shall be processed lawfully, fairly and in a transparent manner.

To process personal data lawfully you need to have lawful grounds for processing unless you can establish that there is an exemption.

Lawful processing

At least one lawful processing condition must be met. There are different conditions applicable to general processing purposes and for law enforcement purposes.

Additional conditions must also be met where the processing is sensitive and involves special category data.

An overview of the lawful conditions is set out in the Further Reference section of this document.

Fair Processing

The forces will not mislead or deceive data subjects when we collect their information or as soon as possible following collection. Information should not be processed in a way which would not reasonably be expected by the data subject. If the processing is likely to result in a negative impact on the data subject it is unfair if it cannot be justified; this also applies to the handling of individual rights.

Transparency

The forces will be clear and open with data subjects about how personal data concerning them are collected, used, consulted or otherwise processed. Any information and communication relating to the processing of personal data must be accessible and easy to understand, and clear, plain language must be used.

There are minimum pieces of information that must be provided and data subjects should be made aware of the risks, rules and safeguards, and their rights including how to exercise them.

A full list of transparency information and how it can be communicated is set out in the Further Reference section of this document.

This information must be easy to read, free from jargon and clearly and prominently displayed, although it can be provided verbally. We will take into consideration whether the audience will be able to understand it, e.g. children.


The forces will provide privacy notices for internal and external data subjects and where necessary will provide additional information where the processing of personal data may not be reasonably expected by data subjects.

2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.

When collecting personal data ensure that there is a specific purpose for which the data will be processed.

If personal data is to be used for a totally different purpose to that for which it was originally collected, and the data subject has not been informed about it, you can only do so where:

• You have their valid consent (this may not be appropriate in the circumstances);
• Further processing is required for a task carried out in the public interest;
• Further processing is for archiving purposes in the public interest, scientific or historical purposes or for statistical purposes.

Personal data collected for a law enforcement purpose may be processed for any other law enforcement purpose (whether by the controller that collected the data or by another controller) provided that:

• It is authorised by law to process the data for the other purpose, and
• The processing is necessary and proportionate to that other purpose.

Personal data collected for any of the law enforcement purposes may not be processed for a purpose that is not a law enforcement purpose unless the processing is authorised by law.

3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.

The forces will process the minimum amount of data needed to achieve the purpose. Personal data should not be collected just in case you might need it in the future or it might be useful to you. Additional personal data may be collected where it is for a foreseeable circumstance even if that does not materialise.

You should also consider whether you can achieve your objective with anonymised data. (see DP009 – Data Minimisation, Pseudonymisation and Anonymisation Guidance)

4. Personal data shall be accurate and, where necessary, kept up-to-date.

The forces will take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose for which it is processed, is erased or rectified without delay.

Where the information must be kept in order to preserve evidence, or the information cannot be rectified, a note or marker can be put with the information to state that it is inaccurate.


5. Personal data shall be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed.

Where identifiable personal data is no longer needed it should be anonymised. Anonymised data can be retained indefinitely as it is no longer personal.

Back-ups of personal data which are no longer needed should be put ‘beyond use’; however, if it is appropriate to delete personal data from a live system it should also be deleted from back-up systems where possible.

From ICO guidance, the ICO will be satisfied that information has been ‘put beyond use’, if not actually deleted, provided that the data controller holding it:

• is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
• does not give any other organisation access to the personal data;
• surrounds the personal data with appropriate technical and organisational security; and
• commits to permanent deletion of the information if, or when, this becomes possible.

Where data is put beyond use, it is not expected that individuals will be granted the right of access (subject access requests) to the personal data provided that all four safeguards above are in place.

It is, however, important to note that where data put beyond use is still held it might need to be provided in response to a court order. Therefore, it is essential that data protection by design and default be a prime objective in any new process or system, especially in respect of technical solutions to prevent deletion problems occurring.

Time limits should be set for periodic reviews of personal data to assess whether it is still required. These time limits should be included in the retention schedule.

You can keep personal data for longer periods if it will be processed solely for public interest archiving, scientific or historical research, or statistical purposes and provided you have appropriate safeguards in place.

If only some of the data you hold is still necessary, the other data should be deleted.

6. Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

This applies to all types of personal data and information assets that are used to store and process data, i.e. paper-based or electronic systems. Security must remain relevant and effective and part of an ongoing process of continuous improvement.


Appropriate security will include taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals.

Technical measures may include:

• pseudonymisation or encryption of the data (see ‘DP009 – Data minimisation, Pseudonymisation and Anonymisation’ for more information);
• the ability to ensure the ongoing confidentiality, availability, integrity and resilience of systems and services;
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.

Organisational measures may include:

• Procedural controls – policies, processes and procedures that all users must follow.
• Personnel controls – pre-employment checks to verify potential employees or contractors; criminal records checks and security vetting to ensure staff are safe to handle potentially sensitive information; security awareness training and internal policy training to help staff understand how to comply with policies and procedures.
• Physical controls – e.g. lockable cabinets; security doors; prevention of unauthorised personnel entering sensitive areas; clear desk policy to ensure sensitive information is not left on employees’ desks.

Where special category data is processed, or there is sensitive processing, the forces will have an appropriate policy document in place to explain the procedures in place for complying with the data protection principles and to explain the controller’s policies for retention and erasure of personal data processed in reliance on the consent of the data subject or, as the case may be, in reliance on the condition in question, giving an indication of how long such personal data is likely to be retained.

Data Controller Obligations

As data controllers the forces will meet their obligations through the implementation of appropriate organisational and technical controls, including appropriate data protection policies, and will be able to demonstrate compliance of processing activities, including measuring effectiveness taking into account the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of natural persons.

The risk to the rights and freedoms of individuals, as a result of processing their personal data, may include physical, material or non-material damage, in particular:

• Discrimination;
• Identity theft or fraud;
• Financial loss;
• Damage to reputation;
• Loss of confidentiality of personal data protected by professional secrecy;
• Unauthorised reversal of pseudonymisation;
• Any other significant economic or social disadvantage;
• Where data subjects may be deprived of their rights and freedoms or from exercising control over their personal data;
• Where personal data are processed which reveal special categories;
• Where personal data are evaluated, e.g. analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements in order to create personal profiles;
• Where personal data of vulnerable people, in particular children, are processed; or
• When processing involves large amounts of personal data and affects large numbers of data subjects.

Data Protection by Design and Default

The forces will, where possible, implement appropriate measures to ensure data protection is built into processes by design and/or default. This applies to the amount of data collected, the extent of the processing, the period of storage, appropriate security measures and accessibility.

Where new processes are proposed, or changes to existing processes or new, innovative technologies for processing data are being introduced, these should be screened to identify whether a Data Protection Impact Assessment (DPIA) will be conducted to identify, assess and manage privacy risks which may arise as a result of the processing.

The DPIA screening and assessment process will be a key governance function in obtaining approvals for relevant processes and projects which involve processing personal data. Where a full DPIA is required it should be incorporated into the project cycle as a living document which is regularly updated.

In limited circumstances, where there is a high level of residual risk, the forces via the joint DPO will consult with the Information Commissioner’s Office prior to processing of the data.

Where a DPIA is required the processing activity will not ‘go live’ until the DPIA has been signed off by the DPO, the responsible owner and, in some circumstances, the Senior Information Risk Owner (SIRO).

(see ‘DP003 – DPIA’ guidance and templates for more information)

Records of Processing

The forces shall maintain a record of all processing activities involving personal data, special category data and data concerning criminal offences and penalties under their responsibility. This applies to personal data in relation to the public and employees.

(see ‘RM001 – Records Management Policy’ for more information)

Co-operation with the Supervisory Authority

The forces and their processors will co-operate, on request, with the Information Commissioner’s Office in the performance of its tasks.

The Data Protection Officer will be the primary point of contact for the Information Commissioner’s Office unless it is agreed otherwise in specified circumstances.

Personal Data Breaches

In the event of a personal data breach, the forces, via the DPO, will without undue delay and, where feasible, no later than 72 hours after having become aware of it, notify the personal data breach to the Information Commissioner’s Office unless it is unlikely to result in a risk to the rights and freedoms of the data subject.

The forces will document all personal data breaches.

Where a personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the relevant force will communicate it to the data subject without undue delay and provide recommendations for the data subject so that they can mitigate any further negative effects.

All employees, contractors and processors will report potential incidents, near misses and actual personal data breaches which may be a risk of, or have resulted in, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, in accordance with the Data Incident Management Procedure.

Where a personal data breach has or appears to have occurred, all reasonable steps should be taken to contain any damage arising from the occurrence and measures should be taken to prevent it or similar breaches from happening again.

Any weaknesses in systems or processes should be recorded on the local Uncertainties Register for consideration by Information Management. Appropriate steps should be taken to mitigate any risks to individuals.

(see ‘DP005 – Personal Data Breach Reporting’ for more information)

Data Protection Officer

The forces will designate an independent joint data protection officer, who shall be involved in all issues relating to the processing of personal data, enabling them to:

• Inform and advise all employees of the force of their data protection obligations
• Monitor compliance with data protection provisions and internal policies
• Provide advice where requested as regards DPIAs
• Be the point of contact for, and co-operate with, the ICO.

The DPO will also provide sign-off for all DPIAs in addition to responsible owners or the SIRO, depending on the nature of the processing or the residual risk, referring the DPIA to the ICO for consultation where necessary.

Transfer of Personal Data Overseas

The forces will ensure that there is an adequate level of protection for any transfer of personal data to a third country or international organisation, or that there are appropriate safeguards, enforceable data rights and effective legal remedies for data subjects.

Rights of Data Subjects

The forces will take appropriate measures to provide any information as required by data protection law to data subjects in a concise, transparent, intelligible and easily accessible form, using clear, plain language. (See ‘further reference’ information in this guidance document)

Mechanisms to facilitate the exercise of individual rights will be provided free of charge where applicable, in particular, access to, rectification or erasure of personal data and the exercise of the right to object. Where possible, the means to make these requests will be electronic unless other methods of communication are specified.

A response will be provided to an individual in response to a request without undue delay and in any event within one month of receipt of the request. Where a request made under Part 2 is complex or there are a number of requests, an extension of a further 2 months may be applied and the data subject informed of this and the reason for the delay within the first month of receipt. This does not apply to subject access requests made under Part 3.

If there is a high volume of information meaning it cannot be sent, or the information about the requester cannot be taken off police premises, arrangements will be made with the requester to view the information under supervision at a suitable location at an agreed time and date.

Where the forces determine not to take action in response to a request or consider the request to be invalid they will inform the data subject of this within 1 month of receipt of the request and provide an explanation unless doing so would be prejudicial to an ongoing investigation.

The relevant force will always verify the identity of a data subject making a request and inform them of their right to lodge a complaint with the ICO if they are not satisfied with the actions taken.

See also:

• ‘Further reference’ section in this document
• ‘DP002 – Subject Access Requests’ for the right to access;
• ‘DP006 – Record Deletion Process’ for the right to erasure;
• ‘DP007 – Rectification’


Processors

The forces will only use data processors which provide sufficient guarantees about the technical and

organisational measures used to ensure the protection of the personal data and the rights of data

subjects.

Any sub-processors will only be engaged with the prior authorisation of the relevant force.

A written agreement or legally binding contract will be in place throughout the supply chain with the

same data protection obligations on all processors and sub-processor.

The forces will provide documented instructions to processors about the processing of any personal

data on its behalf.

Data Sharing

The forces will ensure that any requests for sharing of personal data in its possession is lawful and

only relevant, adequate and not excessive information will be provided. If personal identifiers are

not required then information should be anonymised or pseudonymised.

Where there is routine sharing or sharing of a number of data sets in one transfer, data sharing

agreements should clearly set out the purpose for sharing, the roles and responsibilities of the

parties, security considerations and the lawful basis under which it is shared. This does not preclude

contractual requirements or the application of other standards or best practice.

Where there is large scale sharing of personal data and/or special category data the data sharing

agreement may need to be preceded by a DPIA.

(see ‘DP008 – Information Sharing Agreements’ for more information)

Information Security

(See also ‘Information Security’ Policies for more information)

IT

Any systems, software or hardware must be developed and planned in full consultation with Information Security. Where the development is intended to facilitate the processing of personal data, Information Management advice should also be sought.

Police personnel are not to access any police systems, records or information for their own purposes. Access to all systems is monitored and unauthorised access will be subject to disciplinary procedures.

The use of personal data for demonstration purposes to non-police personnel is prohibited in most circumstances. Visitors must not be allowed to view ‘live’ information and no real transactions should be carried out whilst being observed unless prior authorisation has been provided by Information Management for a specific purpose. Authorisation should be sought on each occasion this is required.

Installation of monitors/printers etc. should be under supervision or agreed under contract to ensure that certain data cannot be viewed by unauthorised persons.


Computer screens must be locked when unattended, and passwords must not be shared, to prevent unauthorised access to information or systems.

Paper

The forces operate a clear desk policy. Checks should be conducted at the end of the day to ensure that no personal information in relation to staff or the public is left on desks, printers, unsecured bins etc.

No computer printouts or any other paperwork containing personal information should be accessible by unauthorised persons. Police personnel must exercise due diligence when handling personal data in transit and at rest, including secure storage and disposal of information, whether it is an official police record or handwritten notes.

Hardcopy information should not be removed from police premises unless absolutely necessary and where appropriate security measures are in place.

Audio

Personal data which is transmitted via radio, telephone or other communications equipment should not be disclosed to or accessed by unauthorised individuals.

Appropriate and reasonable measures should be taken to prevent such disclosure, such as muting in-car radios when transporting individuals.

Disposal

All printout material, magnetic tape, diskettes, manual files etc. which contain personal data and are no longer required in line with retention periods will be treated as confidential waste and disposed of in accordance with the Force Information Security procedures.

(see also the ‘RM001 - Records Management’ Policy, which incorporates the ‘South Wales Police Retention Schedule’)

Retention

Personal data should be periodically reviewed and removed where necessary. If possible, personal identifiers should be removed when no longer required for the purposes for which they were collected.

When considering whether personal data should be kept in an identifiable form you must take into account force retention schedules, Management of Police Information (MOPI) guidelines, the Criminal Procedures and Investigations Act 1996 (CPIA), the Police and Criminal Evidence Act 1994 and any other legislative requirements which may refer to the retention or deletion of information.

(see also the ‘RM001 - Records Management’ Policy, which incorporates the ‘South Wales Police Retention Schedule’).


Logging

The forces will keep logs for at least the following law enforcement processing operations in automated processing systems:

• Collection

• Alteration

• Consultation – to establish justification for, and date and time of, consultation and as far as possible the identity of the person who consulted the data

• Disclosure (including transfers) – to establish justification for, and date and time of, disclosure and as far as possible the identity of the person who consulted the data and the identity of any recipients.

• Combination

• Erasure

Logs may only be used for the following purposes:

• Verify lawfulness of processing

• Assist with self-monitoring by the controller (or the processor), including for the conduct of

internal disciplinary proceedings

• Ensure security and integrity of personal data

• The purposes of criminal proceedings
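The two lists above define, in effect, a minimum audit-log schema: which operations must produce a record, which records must carry a justification, a timestamp and the identity of the person acting (and, for disclosures, the recipients), and the only purposes for which the logs may be consulted. The following checker is an added illustration of how a system owner might verify that a log export meets those requirements; it is not the forces' own code, and the record field names (`operation`, `timestamp`, `record_id`, `justification`, `actor`, `recipients`) and the sample records are constructed for the example.

```python
"""Checker for the logging requirements set out in the policy's 'Logging' section.

Added example, not the forces' own tooling. It assumes each log record is a flat
dictionary using the constructed field names below, and reports every record
that lacks the information the policy requires for its operation type.
"""
from datetime import datetime

# The six operations the policy says must be logged.
LOGGED_OPERATIONS = {
    "collection", "alteration", "consultation", "disclosure", "combination", "erasure",
}

# Fields every record must carry (constructed names; an assumption of this example).
BASE_FIELDS = {"operation", "timestamp", "record_id"}

# Additional fields the policy requires for consultation and disclosure:
#   consultation -> justification, date/time, identity of the person consulting
#   disclosure   -> justification, date/time, identity of the person, identity of recipients
EXTRA_FIELDS = {
    "consultation": {"justification", "actor"},
    "disclosure": {"justification", "actor", "recipients"},
}

# The only purposes for which the logs may be used, per the policy.
PERMITTED_LOG_USES = {
    "verify_lawfulness", "self_monitoring", "security_integrity", "criminal_proceedings",
}


def validate_record(rec: dict) -> list:
    """Return the problems found in one record; an empty list means it is compliant."""
    problems = []
    op = rec.get("operation")
    if op not in LOGGED_OPERATIONS:
        problems.append(f"unknown or missing operation: {op!r}")
        return problems

    # Required fields depend on the operation type.
    required = BASE_FIELDS | EXTRA_FIELDS.get(op, set())
    for field in sorted(required - rec.keys()):
        problems.append(f"{op}: missing required field {field!r}")

    # 'Date and time of' an operation is only reliable if the timestamp is unambiguous,
    # so require ISO-8601 with an explicit UTC offset.
    ts = rec.get("timestamp")
    if ts is not None:
        try:
            if datetime.fromisoformat(ts).tzinfo is None:
                problems.append(f"{op}: timestamp lacks a timezone offset: {ts!r}")
        except (TypeError, ValueError):
            problems.append(f"{op}: timestamp is not ISO-8601: {ts!r}")

    # A disclosure with no recipient recorded cannot satisfy 'identity of any recipients'.
    if op == "disclosure" and rec.get("recipients") == []:
        problems.append("disclosure: recipients list is empty")
    return problems


def validate_log(records) -> dict:
    """Validate a sequence of records; returns {index: problems} for non-compliant ones only."""
    return {i: p for i, rec in enumerate(records) if (p := validate_record(rec))}


def log_use_permitted(purpose: str) -> bool:
    """True if a requested use of the logs is one of the four purposes the policy allows."""
    return purpose in PERMITTED_LOG_USES


# Constructed sample records for the example (not real data).
SAMPLE_LOG = [
    {"operation": "consultation", "timestamp": "2020-06-30T09:15:00+01:00",
     "record_id": "REC-0001", "justification": "enquiry ref placeholder", "actor": "user-1234"},
    {"operation": "disclosure", "timestamp": "2020-06-30T10:02:00+01:00",
     "record_id": "REC-0001", "justification": "partner agency request",
     "actor": "user-1234", "recipients": ["partner-agency"]},
    # Missing justification and a naive (offset-less) timestamp.
    {"operation": "consultation", "timestamp": "2020-06-30T11:00:00",
     "record_id": "REC-0002", "actor": "user-5678"},
    # Disclosure with no recipient recorded.
    {"operation": "disclosure", "timestamp": "2020-06-30T11:30:00+01:00",
     "record_id": "REC-0003", "justification": "court order", "actor": "user-5678",
     "recipients": []},
    # Operation type not in the policy's list.
    {"operation": "export", "timestamp": "2020-06-30T12:00:00+01:00", "record_id": "REC-0004"},
]

if __name__ == "__main__":
    for index, problems in validate_log(SAMPLE_LOG).items():
        print(index, problems)
```

Running the block reports records 2, 3 and 4 as non-compliant. The same structure extends naturally to the other four operations by adding entries to `EXTRA_FIELDS` if a force's own standard requires more than the policy's minimum.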

Training and Awareness

The forces will provide a programme of data protection training and awareness, from induction onwards, for all staff to ensure that they are aware of and competent in the handling of personal data.

This will be supplemented by tailored awareness and communication activities, which will be informed by trends identified through compliance monitoring, demand and national communications/guidance from the NPCC, the ICO and the European Data Protection Board. These will be provided via methods that are deemed most appropriate and effective, taking into account the message to be conveyed and the target audience.

Compliance and Audit

The DPO will monitor compliance through reporting, trend analysis and audit of operational and corporate areas. The DPO will also have sight of any draft and final audit reports which have included data protection compliance issues. The DPO will be made aware and have visibility of second and third tier audits.