Data Protection
Information Management / Jody McKenzie

Structure of Input
• Background to the Data Protection Act
• How the Act works
• What the Force does to comply with the Act
• What you should do to comply with the Act
• Other legislation you may encounter
• Scenarios

Data Protection - background
• Data Protection Act 1984 based on European directive
• Sought to ensure that information on people held in computer databases was collected with their consent, held only for specific purposes and is not used to their detriment
• Assumption that information belongs to individual
• Focus on fairness to individual
• Superseded by Data Protection Act 1998

Data Protection Act 1998 – definitions (1)
• Data = information (manual or electronic)
• Personal data = information about a living identifiable individual
• Includes expression of opinion or intentions towards that individual
• Sensitive personal data, eg commission of an offence, criminal proceedings, physical health, sexual life
• Data subject = identifiable individual

Data Protection Act 1998 – definitions (2)
• Processing = anything done with the data, without limit
• Data controller = determines what data is collected and how it is processed
• Protection = data controller must act to protect data from unfair use

Data Protection Act 1998 – how it works (1)
• Way in which personal data should be protected set out in eight principles:
• Processing must be fair (to data subject) and lawful
• Processing only for specified purposes – policing purposes and staff administration
• Data must be accurate, relevant, not excessive, up-to-date, held securely
• Data subjects have rights of access, of erasure of incorrect information, and of compensation, and to know how their data is being processed

Data Protection Act 1998 – how it works (2)
• Exemptions exist from provisions of Act, eg national security, prevention and detection of crime, regulatory activity
• Each exemption relates to different sections of the Act
• If processing may breach principles, but you think an exemption may apply, seek advice before taking further action

Data Protection – Force compliance
• Register with Information Commissioner – specifying purposes and recipients
• Produce policies and procedures – specifying how information is processed
• Agree information sharing protocols with partners
• Train staff in use / misuse of systems
• Audit use of systems and data quality
• Provide data subjects with access to their data
• Civil monetary penalties of up to £500,000

Data Protection – your responsibilities
• Comply with standard operating procedures and information sharing protocols
• Record information accurately
• Use information only for policing or staff purposes
• Browsing is not permitted
• Take all precautions to keep information secure
• Verify identity of recipient to ensure they are entitled to receive data
• Respond promptly to audit requests

Data Protection – offences
• Selling, or offering for sale, data improperly obtained
• Obtaining or disclosing data without the Chief Constable’s consent
• Procuring the disclosure to another person without the Chief Constable’s consent
• Criminal offences, unlimited fine in High Court
• Third most common complaint to Professional Standards

Other relevant legislation
• Rights to privacy: Human Rights Act 1998, common law of confidentiality
• Rights to receive information: Freedom of Information (Scotland) Act 2002, Environmental Information (Scotland) Regulations 2004
• Powers to disclose information: Police Act 1997, Protection of Vulnerable Groups (Scotland) Act 2007, Antisocial Behaviour (Scotland) Act 2004
• Other information management offences: Computer Misuse Act 1990
• Guidance for Police: Management of Police Information (MOPI), Police circular 4/07

Data Protection Act 1998
Questions?

Summary
• Record information accurately on Police systems
• Only use information in connection with your employment
• Keep information secure, and dispose of it appropriately
• Do not disclose information unless confident it is in order to do so

Contacts
Information Management Unit, Woodhill House
Iain Gray, Interim Head of Information Management
Jody McKenzie, Compliance Manager