Dated: 23 June 2022
POLICY TITLE: Data Protection
OWNING DIRECTORATE: Information Management
CONTACT DETAILS: Data Protection and Disclosure Advisor, 101
EQUALITY IMPACT ASSESSMENT: Complete
AUTHORISED PROFESSIONAL PRACTICE (APP) NATIONAL GUIDANCE: AVAILABLE
AIM OF POLICY: Northumbria Police recognises the sensitive nature of much of the personal data it processes and its duty in respect of data held by the Force and will protect individuals from the use of erroneous information, or the misuse of correct information.
BENEFIT OF POLICY: Northumbria Police will be able to demonstrate that it complies fully with relevant legislation concerning the storage, retention and disposal of personal information, thereby avoiding criminal prosecutions and/or disciplinary action resulting from instances of unauthorised access to sensitive police or government information.
REASON FOR POLICY: This policy has been drafted in accordance with the Human Rights Act 1998 and reflects the requirements of the Data Protection Act 2018 and the responsibilities laid out in the National Police Chiefs Council (NPCC), Manual of Guidance on Data Protection.
Article 5 of the Data Protection Act 2018 (General Data Protection Regulations (GDPR)) requires that personal data shall be:
a. 'Processed lawfully, fairly and in a transparent manner in relation to individuals;
b. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures'.
Northumbria Police are registered with the Information Commissioner for the purposes of the prevention and detection of crime, apprehension and prosecution of offenders, maintenance of law and order, protection of life and property, vetting and licensing, public safety and rendering assistance to members of the public in accordance with Force policy (Northumbria Police’s Registration Certificate - is accessed via the Information Commissioner's Office website. Registration number Z4888222).
In addition to the ‘policing’ purposes outlined above, Northumbria Police is also registered for the support purposes of (1) staff administration (which covers appointments or removals, pay, discipline, superannuation, work management or other personnel matters in relation to staff); and, (2) administration and ancillary support for policing purposes (which includes records of computer transactions/computer message logs, telephone message logs, police property management logs etc.).
Northumbria Police collects and uses certain types of information about the people with whom it deals in order to perform effectively as a police force. This includes current, past and prospective members of staff, offenders, victims, witnesses, suppliers, clients/customers and others with whom it communicates. This personal data will be dealt with properly when it is collected, recorded, used and destroyed, whether by manual or electronic means. Northumbria Police regards the lawful and correct treatment of personal data as essential to the successful operation of the Force, and the achievement of Force aims and objectives and to maintaining the confidence of members of the public. Numerous information systems exist within the organisation and the integrity and value of this information is paramount. If any breach of the Data Protection Act 2018 does take place then this will be dealt with in accordance with this policy and other associated policies and legislation.
CONSEQUENCES OF NON COMPLIANCE
If an individual complains to the Information Commissioner’s Office, then the Information Commissioner is obliged to investigate to establish if a breach of the Data Protection Act 2018 has occurred.
ENFORCEMENT
The Information Commissioner can serve a Data Controller with an 'information notice' requiring the Data Controller to provide certain information within set time limits. Failure to comply with such a notice, or providing deliberately false information, is a criminal offence (the Chief Constable is the Data Controller for Northumbria Police. Management of the statutory obligations is delegated to the Force Head of Information Management and Data Protection).
--------------------------------------------------------------------------------------------------------------
SOURCE DOCUMENT: Data Protection Act 2018; Computer Misuse Act 1990.
GROUPS AFFECTED: Every member of Northumbria Police; both officers and staff, whether employed, contracted or a volunteer including those external to Northumbria Police who have access to Northumbria Police information/systems and the communities of Northumbria Police.
ACCESS AND DISCLOSURE RESTRICTIONS: All staff