OFFICIAL FOIA OPEN

Force Publication Scheme 24/06/2020 1

Reference No. SA045

Implementation Date 24/06/2020

Version Date 24/06/2020

Version Number V1.0

Freedom of Information Act

Open

Government Security Classifications

OFFICIAL – No restrictions

Alliance Data Protection

Policy

2

Table of Contents

1. Policy Section ............................................................................................. 4

1.1 Vision and Guiding Principles of the Strategic Alliance.......... 4

1.2 State of Intent – Aim & Rationale…………………………………. 4

1.3 National Decision Making Model………………………………….. 5

1.4 Code of Ethics………………………………………………………... 5

1.5 Authorised Professional Practice………………………………… 5

2. Standards ......................................................................................................

2.1 Standards and definitions…......................................................... 5/6

2.2 Legal Basis .................................................................................... 6

2.3 Assessment Compliance............................................................... 6

2.4 Monitoring ...................................................................................... 7

2.5 Feedback ........................................................................................ 7

3. Procedure Section ........................................................................................ 7

3.1 Notification & Registration …………………………………………. 7

3.2 Data Protection by Design and Default …………………………... 7

3.3 Processing Contracts ……………………………………………….. 8

3.4 Privacy Notices……………............................................................ 8

3.5 Individuals Rights ……………………………………………………. 8

3.6 Access and Use of Information ……………….…………………… 9

3.7 Information Security …………………………………………………. 10

3.8 Public access to computers or digital devices………………….. 10

3.9 Disclosure of Information………..…………………………………. 10/11

3.10 Consent ……………………..…………………………………………. 11

3.11 Accuracy ……………………………………………………………….. 11

3

3.12 Review and Removal of Information …..………………………….. 12

3.13 Data Protection Offences…..………………………………………… 12

3.14 Breaches of Data Protection ………………………………………… 13

3.15 Training …………………………………………………………………. 13

4. Consultation and Authorisation ............................................................... 13

4.1 Consultation ................................................................................... 13

4.2 Authorisation of this Version ........................................................ 14

5. Version Control .......................................................................................... 14

5.1 Review ............................................................................................. 14

5.2 Version History ............................................................................... 14

5.3 Document History ........................................................................... 14

4

1 Policy Section

1.1 Vision and Guiding Principles of the Strategic Alliance

1.1.1 Working together as it can offer the best opportunity to:- • develop service delivery to the public; • ensure delivery against the Police and Crime Commissioner’s (PCC) Police and

Crime Plans; • retain a local policing identity; • ensure resilience around our Strategic Policing Requirement; • maximise value for money; and • maximise opportunities for the ongoing personal/professional development of

our staff. 1.1.2 This approach also satisfies the set critical success factors as follows:- • both forces mitigate/manage their greatest threat, harm and risks. • both forces achieve their medium term financial strategies. • the strategic policing requirement continues to be met with reducing resources. • a transformational approach to service delivery. • both forces adapt and respond to change in an agile/positive way. • opportunities to invest in new capabilities to meet emerging threats and technology. 1.2 Statement of Intent – Aim and Rationale 1.2.1 Devon and Cornwall (DCP) and Dorset Police (DP) have a statutory obligation to process

personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) in respect of non-law enforcement processing and the Data Protection Act 2018 (DPA) in respect of law enforcement processing. For ease of reference these will be collectively referred to as ‘Data Protection legislation’ for the remainder of this document. For the purpose of this policy, ‘data’ and ‘information’ shall have the same meaning.

1.2.2 This policy applies to individuals at all levels of both Forces including Police Officers, Police Staff, Special Constabulary, Police Community Support Officers (PCSO), temporary staff and 3rd parties (for example but not necessarily limited to partner agency staff, consultants, contractors and volunteers) who have authorised access to personal data which is held by either Force.

1.2.3 All DCP and DP officers/police staff and 3rd parties must have a clear understanding of

their personal responsibilities under data protection legislation and how this affects the processing of personal data. The data protection team can be contacted for help or advice - Middlemoor 01392 303622 or Winfrith 01202 223810 or by email dataprotectionalliance@devonandcornwall.pnn.police.uk

1.2.4 Individuals described in 1.2.2 above occupy a privileged position with regard to the

information they have access to. The public must have confidence in the ability of the police service to protect the confidentiality of all the information that it holds as part of its policing function. The damage done to the reputation of the service by an individual who is found to have committed a breach by unlawfully accessing, disclosing, holding or processing personal data cannot be overstated and this detracts from the credibility of the service in this crucial area.

5

1.2.5 Both forces are committed to protecting the rights of individuals with regard to the

processing of personal data. DCP and DP will take criminal and/or disciplinary action against any category of person mentioned in 1.2.2 above who wilfully, without authority or defined policing purpose or other statutory or business purpose, accesses and/or misuses personal data held by either Force. Any use of personal data that does not have a defined policing or other statutory or business purpose is likely to constitute a misuse.

1.2.6 This policy is a joint policy applicable to both DCP and DP Police forces. This policy

supersedes DP - P09:2007 Data Protection Policy and Procedure and DCP - D31 Data

Protection Policy.

1.3 National Decision Model

1.3.1 The National Decision Model (NDM) is the primary decision-making model used in both DP and DCP. Where applied it ensures that ethical (see Code of Ethics), proportionate and defensible decisions can be made in relation to operational and non-operational policing. The latest guidance can be found via this Authorised Professional Practice (APP) link.

1.4 Code of Ethics 1.4.1 The Code of Ethics underpins every policy, procedure, decision and action in policing

today and staff are reminded of the need to comply with the standards and principles of the Code of Ethics for policing.

1.5 Authorised Professional Practice 1.5.1 The College of Policing (CoP) offers an online service that provides access to a

consolidated body of guidance for policing called Authorised Professional Practice (APP). This enables officers and staff to access and search for the most up to date approved guidance, replacing a number of previously published National Policing Improvement Agency (NPIA) and Association of Chief Police Officers (ACPO) documents.

2.0 Standards 2.1 All personnel shall comply with relevant Force and Alliance Policy. This Policy is supported

by a series of Data Protection procedures and Information Sharing Agreements (ISAs) providing more detailed guidance as required. Failure to comply with Force/Alliance Policy, or failure to ignore relevant guidance, may result in criminal and/or disciplinary action.

2.1.1 Data Protection key definitions 2.1.2 Controller means the person who determines the manner and purpose for which personal

data is processed; The Chief Constable for each Force is Controller. 2.1.3 Data Protection Officer (DPO) means the person designated by the controller of each

Force who advises on and monitors compliance with the DPA. The DPO role, tasks,

6

position and responsibilities are set out in the DPA.

2.1.4 Processor means any third party (other than an employee of the controller) who processes personal data on behalf of the controller.

2.1.5 Personal data means any information relating to an identified or identifiable natural person

(data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Information about a deceased person does not constitute personal data.

2.1.6 Special Category data means racial or ethnic origin, political opinions, religious or

philosophical beliefs, or trade union membership, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

2.1.7 Personal Data Breach means a breach of security leading to the accidental or unlawful

destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

2.1.8 General processing GDPR and Part 2 of the DPA relates to general processing and

covers police support functions such as Human Resources, Occupational Health, Finance and Payroll (including pensions), Estates, ICT and Procurement. GDPR does not apply to the processing of personal data by Devon and Cornwall and Dorset Police (as a competent authority) for Law Enforcement purposes.

2.1.9 Law Enforcement processing - Part 3 of the DPA relates to the processing of personal

data by a competent authority for Law Enforcement purposes - the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

2.1.10 Data Protection Principles

General Processing Law Enforcement Processing

Principle 1 Lawful, fairness and transparency Lawful and fair

Principle 2 Purpose limitation Specified explicit and legitimate

Principle 3 Data minimisation Adequate, relevant and not excessive

Principle 4 Accuracy Accurate, up to date

Principle 5 Storage limitation Kept no longer than is necessary

Principle 6 Security, integrity and confidentiality

Ensure appropriate security

2.2 Legal Basis

2.2.1 Both Forces are required to abide by the DPA and where it is influenced by other legislation including the below; The requirement to comply with this legislation shall be devolved to employees and agents of the relevant Force, who may be held personally accountable for any breaches.

7

Crime and Disorder Act 1998

Police Act 1996

Coroners and Justice Act 2009

The Computer Misuse Act 1990

The Health and Safety at Work Act 1974

Human Rights Act 1998

Regulation of Investigatory Powers Act 2000

Freedom of Information Act 2000

Rehabilitation of Offenders Act 1974

Management of Police Information MOPI

2.3 Assessment Compliance

2.3.1 This document has been drafted and audited to comply with the principles of the Human Rights Act. Internal and external Equality and diversity issues have also been considered to ensure compliance with Equality legislation and policies. In addition, Data Protection, Freedom of Information, Management of Police Information and Health and Safety issues have been considered. Adherence to this document will therefore ensure compliance with all relevant legislation and internal policies.

2.4 Monitoring 2.4.1 It is the responsibility of all police officers, police staff, special constables and police

volunteers to monitor both their own and works colleague’s adherence to this policy. Where it is believed that someone is non-compliant with the policy the DPO in the respective force should be informed in the first instance. The DPO will also monitor the effectiveness of this policy, reporting to the Joint Information Board where required.

2.5 Feedback

2.5.1 Feedback relating to this policy can be made in writing or by e-mail to; Data Protection Officer (DPO), Alliance Information Management Department,

Middlemoor, Elliott House, Exeter Or Data Protection Officer (DPO), Alliance Information Management Department, Winfrith Email – dataprotectionalliance@devonandcornwall.pnn.police.uk

8

3.0 Procedure Section

3.1 Notification & Registration

3.1.1 The DPOs are responsible for ensuring each force holds a current registration with the Office of the Information Commissioner (ICO).

Devon and Cornwall Police Registration number Z4883316.

Dorset Police Registration number Z4883455.

3.2. Data Protection by Design and Default

3.2.1 The DPA places a legal obligation to both Forces to consider data protection requirements

at the earliest stage when developing new systems, IT applications and implementing new

or significantly changes to existing processes for the handling of personal data. A Data

Protection Impact Assessment (DPIA) identifies and reduces data protection risk,

assesses the necessity and proportionality to reduce the likelihood of privacy harm to

individuals resulting from the processing of personal data.

3.2.2 More detail to establish when to conduct a DPIA can be found and accessed by both

Forces on the DCP Intranet: Data Protection Impact Assessments

3.3 Processing contracts

3.3.1 Where a processor is to be carrying out processing on behalf of the controller of either or

both Forces, a Data Processing Contract will be implemented to ensure that all Article 28 (GDPR) obligations are met. Any Data Processing Contract must be reviewed by the DPO prior to the implementation of the contract.

3.4 Privacy Notice 3.4.1 The Privacy Notices for both Forces explain the collection and use of personal data, where

personal data is obtained from, the lawful basis to process, how it is handled, how it is kept secure and to whom it is disclosed. These are published on the Force websites and are available on request from the DPO. (see 2.5.1);

Privacy notice D & C Privacy notice Dorset 3.5 Individual’s rights 3.5.1. Data Protection Legislation provides data subjects with a number of rights. If personal data

is held by a Force for Law Enforcement purposes then the right to data portability and the right to object do not apply. (*See 2.1.9)

The individual rights are:

Right to be informed

Right of access

9

Right to rectification

Right to erasure (right to be forgotten)

Right to restrict processing

Right to data portability*

Right to object*

Rights in relation to automated processing 3.5.2 Any person wishing to apply under their Right of Access (Subject Access) for their

personal data can do so verbally or in writing. To ensure the legal timeframe of a calendar month is complied with, requests must be sent without delay to the Alliance Data Protection Team Devon and Cornwall Police Headquarters, Elliott House, Middlemoor, Exeter EX2 7HQ or by e mail: dataprotectionalliance@devonandcornwall.pnn.police.uk

Published guidance for the Rights of an Individual is available on the Devon and Cornwall Police website and the Dorset Police website or by contacting the Data Protection Team.

3.5.3 For DP the Right to Rectification and Right to Erasure requests are to be forwarded to the Information Review Team.

Contact Email: RecordDeletionRequests@dorset.pnn.police.uk

The remaining Rights for DP and all the Individual’s Rights for DCP are to be forwarded to the Alliance Data Protection Team

Contact Email: dataprotectionalliance@devonandcornwall.pnn.police.uk

3.6 Access to and use of information

3.6.1 All information held by either force relating to an identifiable person (personal data) is classified as OFFICIAL or OFFICIAL SENSITIVE according to Government Security Classification. Access and use of such information by Individuals described in 1.2.2 must only be in the course of their official duties or role. Use for any other purpose is prohibited and may result in criminal and disciplinary proceedings.

3.6.2 Where an individual described in 1.2.2 who has authorised access to police information is

involved in or witnesses a crime or incident whilst off duty or where it is not related to their duty or role, no access to the recorded information should be made without prior authorisation from their line manager.

3.6.3 It is NOT acceptable for a member of either force to conduct checks on: a. People/Nominals living in close proximity to them/family/friends. b. Friends or friends of family members.

c. Prospective employees of friends or family. d. Individuals applying for membership of social/other clubs. e. The desirability of property. f. Individuals subject to enquiries by private detective agencies.

This is not an exhaustive list. If in doubt, advice should be sought from the Data Protection Team.

3.6.4 It is recognised that individuals described in 1.2.2 may have contact whilst off-duty, through family or social relationships, with people who are, or may be, of interest to the police or parties who have been involved with the police as victims or offenders. As a

10

result of information that they become aware of directly or indirectly members of the relevant Force may consider it necessary to take further action.

3.6.5 In the interests of the integrity of the Force and individuals described in 1.2.2, where it is

felt necessary to access the Force information, the line manager will be informed. If the line manager / supervisor is not available, another supervisor should be contacted. The line manager will, if appropriate, access Force information. A record will be made of this access and its justification. In the case of police officers and special constables this will be in their pocket notebook. In cases of doubt, before accessing Force information, the line manager should seek guidance from the Counter-Corruption and Intelligence Unit (Devon and Cornwall Ext. 307174) or (Dorset Ext. 700 3505) or Alliance Data Protection Team (ext. 303622 ). The line manager / supervisor must be satisfied that the check is being undertaken for official law enforcement purposes.

3.6.6 Such contacts are potentially valuable sources of information and should not be

discouraged. However, individuals described in 1.2.2 above should be aware of the risk that their actions could be misinterpreted and should take the steps recommended above to allay any challenge to their integrity.

3.7 Information Security 3.7.1 The DPA requires both Forces to ensure appropriate security of personal data including

the protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisation measures. Further guidance see the Information Security Policy SA007, and associated procedures and guidance.

3.8 Public access to computers or other digital devices 3.8.1 All digital devices/terminals must be sited so that police information displayed is kept from

public view at all times. Visitors must not be allowed to view ‘live’ information and no ‘real’ transaction should be conducted in their presence.

3.8.2 Logged on terminals are to be continuously manned or locked when not in use. At no time

will data be displayed or unattended or unsupervised.

3.9 Disclosure of Personal Data 3.9.1 Individuals described in 1.2.2 above must ensure that no disclosure is made of personal

data which is held by either force whether proactively or as part of a request unless a lawful basis has been identified. Care must be taken as disclosure may take many forms, including viewing records on computer, removable media or documents (which includes Force/Personal data taken from computer records) at meetings, by word of mouth or radio transmission. It must be established if the proposed disclosure should be dealt with under a specific process, agreement or by a specified Department or Team. The identity of the enquirer or recipient must be satisfactorily established and that they are authorised and legally entitled to receive the proposed disclosure. This may involve deferring the enquirer until verification is sought, adopting ‘call back’ procedures or advising the enquirer to apply in writing. Only the minimum personal data necessary to meet the specified purpose should be disclosed and advice can be sought from the Alliance Data Protection Team.

11

3.9.2 Any unauthorised disclosure may render the individual who made the disclosure liable to criminal and/or disciplinary proceedings.

3.9.3 The police service works with a number of partner agencies to jointly tackle issues relating

to crime, anti-social behaviour, as well as supporting and protecting vulnerable people and children. Information Sharing Agreements (ISAs) provide the legal and procedural framework for disclosure. The Information Management Department are responsible for the co-ordination of ISAs and maintaining a record of ISAs. These can be found on the Intranet here; DCP ISAs and Dorset ISAs

3.9.4 Where necessary personal data can be disclosed in an urgent or emergency situation. The

decision to disclose under such immediate circumstances must follow the National Decision Model and a record of the decision is to be made as soon as is practicable.

3.9.5 Instances may arise when a police officer or police staff member requires personal data

from another organisation for law enforcement purposes - the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against the prevention of threats to public security.

Should this occur the request should be made in writing to the other organisation using the following form for the respective Force; DCP Form 277 see Data Protection Intranet D & C Data Protection site DP Form A232 see Data Protection Intranet Dorset Data Protection site

3.9.6 In cases of doubt concerning disclosure of personal data, advice may be sought from: Alliance Data Protection Team on 01392 226622 or by e mail; dataprotectionalliance@devonandcornwall.pnn.police.uk

3.10 Consent 3.10 Any police process which relies on consent as the lawful basis should make sure that the

consent is clear, specific and give separate and distinct options to consent depending on the purpose and processing. When asking for consent the following points should be considered;

Consent must be freely given, specific, informed and unambiguous.

Individuals must be advised why the data is needed the data and how the data will be used.

Individuals must be advised that they can withdraw their consent at any time and be informed how they do that.

Consent must not be a precondition of a service.

Individuals should positively opt in, there can be no default consent.

For children under the age of 13 consent will be required from a parent or guardian. Children over the age of 13 are generally considered competent to have control over their own information and that their consent may be required to disclose to parents.

3.11 Accuracy of Data 3.11.1 It is the responsibility of those who receive information to ensure, so far as is possible, that

it is accurate, valid and up-to-date.

12

3.11.2 Those causing information to be entered on police records must ensure that it is adequate,

relevant, unambiguous and professionally worded. Matters of opinion, not fact, must be clearly recorded as such. If it is discovered or suspected that personal data is inaccurate, contact must be made with the source of the information to rectify the inaccuracy.

3.12 Review and removal of data 3.12.1 Unless a system incorporates automatic weeding facilities, reviews of personal data must

be carried out at frequent intervals to ensure immediate cancellation or amendment of unwanted or out-of-date material. See the Joint Records Management Policy WT001.

3.12.2 All print-out material, or removable media when no longer required will be disposed of

securely. Disposal will depend on the classification of the information or material. 3.13 Data Protection Act Offences 3.13.1 There are a number of criminal offences set out in the DPA which include: 3.13.2 Section 170 of DPA states that it is an offence for a person knowingly or recklessly: (a) to obtain or disclose personal data without the consent of the controller, (b) to procure the disclosure of personal data to another person without the consent of the

controller, or (c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained. 3.13.3 Section 171 states that it is an offence for a person knowingly and recklessly to amend

information, that previously could not identify a person so that the person can then be identified from it, without the consent of the controller responsible for anonymising the personal data in the first place.

3.13.4 Section 184 states that is an offence for a person offering employment, goods or services

to require a person to obtain their health record or their conviction or caution record which has been obtained under their Right of Access (Subject Access).

3.13.5 Where either force receives a complaint that a member of the public or another

organisation may have committed or be committing a criminal offence under the DPA, the allegation will be recorded by the force in accordance with the National Crime Recording Standard and associated procedures. The officer in the case will notify the case to the;

The Head of Enforcement Information Commissioner’s Office Wycliffe House

Water Lane Wilmslow Cheshire SK9 5AF Where the offence solely relates to Data Protection matters, the ICO will deal with the investigation and prosecution.

13

3.13.6 Where a DPA offence or misconduct is identified by or reported to the police relating to police held personal data by those working for or on behalf of either force, the allegation must be forwarded to the Professional Standards Department (PSD).

3.13.7 The College of Policing APP and the NPCC Data Protection Manual on DPA provides

detail of all the offences under the DPA and more guidance; College of Policing APP 3.14 Breaches of Data Protection 3.14.1 All breaches or suspected breaches of the DPA must be reported to the DPO of either

Force by email to dataprotectionalliance@devonandcornwall.pnn.police.uk 3.14.2 All security breaches should be reported to the Alliance Information Assurance Team by

following the security incident reporting process on the Devon and Cornwall Police Intranet site here: Report a data breach

3.15 Training 3.15.1 Annual Data Protection e-learning is a mandatory training requirement for all officers, staff,

special constables, volunteers or other approved persons who have access to police information. The DPO will liaise with Learning and Development Department to ensure this requirement is adhered to and any non-completion of the training followed up.

3.15.2 All new staff in Dorset Police will attend a mandatory Induction course which includes an

input from the DPO. 4.0 Consultation and Authorisation 4.1 Consultation

Version No: 1.0 Name Signature Date

Police & Crime Commissioner

Police Federation

Superintendents Association

GMB / UNISON / Unite

Other Relevant Partners (if applicable)

14

4.2 Authorisation of this Version

Version No: 1.0 Name Signature Date

Prepared: Data Protection and Information Sharing Manager

Data Protection and Information Sharing Manager

25/09/2019

Authorised: Head of Alliance Information Management

Head of Alliance Information Management

22/06/2020

Approved: Head of Alliance Information Management

Head of Alliance Information Management

22/06/2020

5.0 Version Control

5.1 Review

Date of next scheduled review Date: 01/09/2020

5.2 Version History

Version Date Reason for Change Created / Amended by

1.0 24/06/2020 Creation of a single Strategic Alliance Policy for Data Protection matters. Previous version history for DCP D31 and DP PO9:2007 with respective force policy staff.

T F 50920 (DCP) S W 7017 (DP)