November 2001

A Draft for Consultation of the Association of Chief Police Officers Data Protection Code of Practice has been submitted to the Information Commissioner for her consideration by the Association of Chief Police Officers, under Section 51(4)(b) of the Data Protection Act 1998

As part of that consideration, the views are sought of as many data subjects and persons representing data subjects, as is possible. We welcome all contributions, which will enable the Information Commissioner to take the fullest account of existing opinion on the issues involved.

If you feel you have a contribution to make in the process, you are asked to consider the contents of the draft document and forward any views you may have to the Information Commissioner’s Office.

Please write, e-mail or fax any comments to the address below by 18^th February 2002.

Peter E. Clarke, ACPO Data Protection Code of Practice Consultation, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Fax: 01625 524510

e-mail: pclarke@ic-compliance.demon.co.uk

11. Security

INTRODUCTION

2. SCOPE

The Police Service has a significant role to play in the Criminal Justice system and as such has a special responsibility to ensure information, particularly personal information, is fit for the purpose. To allow the quality of information to deteriorate at this stage would mean the rest of the Criminal Justice system would suffer as a result. The aims of this Code of Practice are to preserve the public’s confidence in the way the Police process their information and to provide standards for every Police Officer and Support Staff when handling personal information.

The Data Protection Act 1998 is intended to protect the rights of individuals when information about them is processed by organisations including the Police. The Act is concerned with all personal information, whether it is held on computer, closed circuit television, manual filing records, microfiche, or any other media. Therefore the standards contained in this Code of Practice relate to all collections of personal information held by the Police and it should be read and applied in exactly the same way.

There are areas where application of the Act is influenced by other legislation: the Human Rights Act, Regulation of Investigatory Powers Act, Crime and Disorder Act, Computer Misuse Act, to name just a few. It is simply not possible in a document such as this to cover every conceivable position of the various legislation and the reader should take this into account.

Similarly, there are many Codes of Practice published by other public bodies and organisations, including the Information Commissioner, that may have a bearing on the interpretation of this Code of Practice.

Ultimate responsibility for the implementation of this Code of Practice rests with the Chief Officer of Police, who is the Data Controller for the purposes of the Data Protection Act 1998. He or she will designate an officer of Assistant Chief Constable, Commander or civilian equivalent to ensure compliance with the code.

3.2 Assistant Chief Officer

A designated ACPO Officer will be responsible for: -

• overseeing the management of data protection matters

• ensuring that reporting lines exist to allow Force Data Protection Officers to raise matters at an ACPO level.

A Force Data Protection Officer will be appointed whose responsibilities will include: -

• Managing the Chief Officer’s statutory obligations in respect of the Data Protection Act including; Notification of processing to the Information Commissioner; compliance with the Data Protection Principles and securing individuals rights under the Act.
• Maintaining an up to date knowledge of data protection legislation and general developments in other relevant areas (e.g. Freedom of Information Act) and to ensure that ACPO guidance (including this Code of Practice) is disseminated and adhered to Forcewide.
• Promoting data protection awareness through training, policy development, advice and guidance, ensuring that Operating Rules and general policy guidance in support of this Code of Practice and all matters relating to the Act are available to all staff.
• Undertaking systematic auditing and monitoring of information and systems in accordance with the ACPO Data Protection Audit Manual, including risk assessed strategic audit plans.
• Ensuring information and systems comply with the Data Protection Principles and that appropriate security arrangements exist to protect data, including where necessary that suitable contracts are drawn up relating to the processing of police data by third parties.
• Investigation and resolution of complaints made in relation to personal data and to assist where appropriate in the investigation of disciplinary and criminal matters.
• Liaison on all matters between the Force and the ACPO Data Protection Portfolio Group, Information Commissioner’s Office and other regional or national bodies as required.
• Reporting on a regular basis to the designated ACPO Officer.Ensuring that a close working relationship exists between the Force Information Security Manager, or equivalent, in order to discharge security responsibilities under the Seventh Data Protection Principle.

Every Police Officer, Support Staff member and Special Constable of the Force has a duty to ensure compliance with the principles of the Data Protection Act 1998 and will undertake to follow the provisions of this Code of Practice in accordance with Force policy and procedures.

HMIC is the national body responsible for monitoring compliance by Forces with this Code of Practice.

Their role is to carry out regular audit checks in every Police Force, using criteria that can be measured and quantified, and a reporting structure that ensures every Chief Officer is accountable.

(PRINCIPLE 2) Personal data shall be obtained only for one or more specified and lawful purposes…..

4.1 Interpretation

The specified purposes are those notified to the Office of the Information Commissioner under Part III of the Act.

All personal data must be processed within terms notified to the Information Commissioner, or be specifically exempt from notification. Individual Chief Officers are the Data Controller for his or her own Police Force.

To assist with compliance with this principle, the Association of Chief Police Officers, on behalf of Chief Officers, has agreed general statements of processing with the Information Commissioner. These can be found on the Information Commissioner’s web site: www.dataprotection.gov.uk

It may be necessary from time to time to alter the details notified to the Information Commissioner, by Force Data Protection Officers, through the Association of Chief Police Officers (ACPO).

5. FAIR and LAWFUL PROCESSING of PERSONAL

5.1 The reasons for the police service holding personal information vary considerably, e. g. to carry out operational policing functions, to perform tasks required by statute, or in support of the general management of a force.

Chief Officers must establish proper basis for processing personal information under Schedules 2 and 3 of the Act.

A number of conditions are set down in the Act, including where processing is necessary for any function conferred on a constable. It is therefore important that processing activities remain within these conditions.

Information must be obtained in a fair and lawful manner in accordance with the law and with Force instructions. Information must not be obtained by deceiving or misleading an individual or applying any unfair pressure such as making threats or offering inducements.

Personal data is considered to have been "fairly obtained" if it is from a person who is authorised by law to supply it.

Either at the time the Data Controller commences the processing, or at a time when the data is to be disclosed to a third party, a Data Subject must be provided with: -

• the identity of the Data Controller or his representative;
• the purpose for which the data are intended to be processed;
• any other information necessary to make the processing "fair".

There will be circumstances when the purpose information is to be used is obvious. On other occasions it may be necessary to provide an explanation to the individual.

In certain situations an individual has little option other than to supply information to the Police for policing purposes. In such circumstances the Information Commissioner has taken the view that it may be necessary;

• to notify the individual of any non obvious use of that information, and;
• to take account of the individuals wishes regarding any additional use of the data.

The Data Protection Tribunal has endorsed this approach, adding that such notifications must be given at the time the information is initially obtained.

5.3 Lawful processing

Any processing of personal information must be in accordance with other legal duties that affect the police service.

To contravene these legal duties would involve unlawful processing within the terms of the Data Protection Act, where personal data is involved.

For example; processing information for a purpose beyond the Police’s powers would mean the Chief Officer is acting ultra vires, which also amounts to unlawful processing under the Act.

Other legal duties, such as Common Law duties of confidentiality and obligations under the Human Rights Act are also important and must be taken into consideration.

Where there is any doubt about the lawfulness of processing, legal advice will be sought before processing.

5.4 Fair Processing

In addition to processing personal information legally Chief Officers must ensure it is processed fairly.

It would not be fair, for example, to pass personal information to another organisation when an individual has made it clear he or she does not consent to the information being passed on at all.

How and to whom the Police Service disclose personal information are further aspects of fair and lawful processing under the Act.

6.1 Disclosure of personal information must be compatible with the purpose for which the data were originally processed. This includes taking into account the purpose for which

any person to whom they may be disclosed may use them.

Personal information can only be lawfully disclosed to individuals and organisations mentioned in the notified purpose; unless the person to whom the disclosure is to be made is subject of an exemption under the Act, or is authorised by other legislation.

The Police Service has nationally agreed policies and instructions (which may be more restrictive than the details notified to the Information Commissioner), that will be authorised at the appropriate level.

From time to time it may be necessary for the Police to use certain exemptions that are included in the Act when it is important to do so.

Such an exemption may be used where to not disclose information would be likely to prejudice the prevention or detection of a crime, or the apprehension and prosecution of an offender.

A judgement will need to be made in every case where it is considered an exemption may apply. Force Data Protection Officers must be consulted before an exemption is relied upon.

Where consideration is being given to the transfer of personal data to a country outside the European Economic Area (EEA) advice must be sought of the Force Data Protection Officer.

Issues surrounding the adequacy of a Country’s data protection practices and legislation must be considered before a decision is made whether or not to transfer personal information.

• Right of access to personal data
• Right to prevent processing likely to cause damage or distress
• Rights in relation to automated decision taking
• Right to take action for compensation if the individual suffers damage by any contravention of the act by Data Controller’s
• Right to take action to rectify, block, erase or destroy inaccurate data
• Right to request the Commissioner to assess a Data Controllers processing

Individuals have the right to access personal data that are being processed about them by a Data Controller, or someone else on the Data Controller’s behalf.

They must be provided with the following information: -

• A description of the personal data being processed;
• The purpose for which they are being processed; and
• To whom the information is, or may be, disclosed to.

Requests for personal information must be made in writing and although Chief Officers can not insist on their completion, standard forms provide benefits to Forces and to individuals. For this purpose a standard "Subject Access Application Form" has been devised (Form SA1).

The applicant must provide sufficient information to establish their identity and to allow the Data Controller to locate the information requested.

There is a standard fee, subject to the statutory maximum (£10 as at 1 March 2000).

It is important to establish the identity of the person making the request, to ensure information is disclosed to the right person. Chief Officers will usually request identification documents to assist with this. More information can be requested if the subject’s identification is in doubt.

Once a completed application is received (as above), Forces must reply, even if personal data are not held or an exemption is relied upon, within forty days.

Information supplied in response to a subject access request must reflect the data held at the time the request was received. Account may be taken of any routine amendment or deletion made between receiving and responding to a request but this must not be made as a result of receiving the request.

Any information provided must be in permanent form, and should be legible to the applicant. If the information cannot be fully transcribed into an intelligible format, explanation should be given of any code used in the response.

If a request does not provide sufficient information to be processed, the Chief Officer must take steps to make the individual aware that further information is required. These steps must be taken as soon as possible after receiving a request and should guide the applicant as to what further information is needed to satisfy the requirement.

Forces will also need to decide what is "reasonable" as a minimum requirement. Information provided by the applicant will need to be balanced with other information that may be available. For instance, where a number of similar records are found it may be necessary to ask the applicant to provide further details to assist in a process of elimination.

In respect of CCTV material, for example, it would be necessary for the individual to provide details of dates, times and locations to enable the data to be located.

Before refusing an application on the grounds that insufficient information has been provided, Data Controllers must ensure that: -

• the applicant cannot be reasonably expected to provide any further information;
• the information cannot be extracted without any further information; or
• a request for further information would not significantly reduce the task of locating the data.

Chief Officers are not obliged to disclose information in response to a subject access application if it identifies another individual.

This also applies to the obligation on Chief Officers to provide details of the source of the information held. If the source of the information identifies a 3^rd party it can be withheld.

Information about a third party can only be disclosed if: -

• the third party has given consent to the person making the request; or
• it is reasonable to reply to the request without consent of the other individual.

In these circumstances, due regard has to be given to a balance of interest of the parties concerned.

Specific measures may need to be taken when responding to applications for access to CCTV material. It may be necessary to blur any images of third parties on the film unless they do not have a reasonable expectation of privacy, for example if they are in a public place.

Information processed for the purposes of the prevention and detection of crime or the apprehension and prosecution of an offender may be exempt from the subject access provisions of the Act. To rely on this exemption a Chief Officer must demonstrate that the disclosure of the data to the data subject is likely to prejudice the above purposes.

Subject Access Requests can be accepted from a child if, in the opinion of the Chief Officer, the child has sufficient intellectual ability to understand the nature of the request.

A parent or guardian can exercise the right, and receive the reply, if: -

• the child does not have the intellectual ability to understand the nature of the request, and
• the parent is acting in the best interests of the child.

Forces may receive subject access requests by agents acting on behalf of an individual. Chief Officers will need to satisfy themselves as to the identity of the agent and be provided with sufficient information about the individual he is acting for, to assist in establishing identity and locating the data sought.

Chief Officers should obtain written confirmation from the individual authorising the agent to make the request.

All responses would normally be sent directly to the Data Subject at their home address. Where a request is made for the information to go to a place other than the individual’s home address, the relationship between the individual and the agent, e.g. client/solicitor, should be a factor in determining whether to comply with the request.

There may be occasions when the Data Subject specifically requests that nothing be sent to his home address. In these circumstances, and to protect their interests, arrangements should be made to ensure the response is passed directly to the Data Subject.

7.8 Right To Prevent Processing Likely To Cause Damage Or

An individual is entitled to make a request that a Chief Officer does not process personal data relating to him or her that is causing or is likely to cause unwarranted substantial damage or distress. This must be done in writing by the Data Subject and is known as a Data Subject Notice.

A Chief Officer must respond to this notice within 21 days. After deciding whether the notice is warranted and the individual’s claims can be substantiated, the individual should be informed of the decision.

A data subject has the right to request that a Chief Officer ensures no decision that would significantly affect the subject is taken purely using automated decision making software.

When such decisions are made, the data subject has the right to be informed that the decision was made on such a basis and, within 21 days of such notification, can require the Chief Officer to reconsider their decision.

An individual who believes they have suffered damage or damage and distress as a result of any contravention of the requirements of the Data Protection Act, by a Data Controller, may be entitled to compensation.

In these circumstances the Chief Officer must be able to demonstrate that such care as was reasonable in the circumstances was taken to ensure compliance with the Act.

(PRINCIPLE 3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

8.1 Adequate

It is necessary that all information initiated by Police Officers, Support Staff, or partner agencies with which the police service is directly engaged in activities, are clear in meaning and sufficient for others to understand.

This is particularly important where any specific action is required to be taken.

Chief Officers must give clear guidance on what procedures are to be adopted to ensure that only relevant information is processed i.e. the minimum amount of information about the individual that is required and is relevant for the purpose.

In their efforts to comply with the Third Principle, Chief Officers must start by considering their policies for collecting information about individuals. When considering how to achieve the notified purpose and at the same time comply with the Third Principle, Chief Officers must identify those instances where additional information will be required and seek to ensure that such information is only collected and recorded in those cases.

Where information is processed for the purpose of criminal intelligence or during the course of a major investigation, appropriate guidance must be given to those having responsibility for deciding what should and what should not be recorded.

All criminal intelligence will be graded using a standard evaluation system, which gives an indication of the quality of the information, the reliability of the source of the information and provides guidance on the subsequent dissemination of that information.

Police Officers, Support Staff and Special Constables originating information must ensure that it is adequate, unambiguous and professionally worded. Opinions should be clearly distinguishable from matters of fact.

Information must not be excessive in relation to the purpose for which it is held. It is difficult to argue that irrelevant information is not also excessive information. Only the minimum amount of information about the individual must be held in order to properly fulfil the purpose.

It is excessive to hold data on all individuals where that particular item of data is only relevant in certain individual cases.

(Principle 4) Personal data shall be accurate and, where necessary, kept up to date.

Data are inaccurate for the purposes of the Act if they are incorrect or misleading as to any matter of fact.

It is of vital importance, not only to comply with the Act but for operational reasons, to ensure as far as is practicable that all information processed is accurate. This is equally applicable to information received from the Data Subject, another part of the police service or from a third party.

Great care must be exercised in the collection of information. All operators, when entering information, must ensure that it is accurately recorded and where possible the source of the information is included on the system. Where there is any doubt, information must be clarified with the source of that information prior to its inclusion.

Chief Officers must adopt procedures to prevent factual inaccuracies being entered onto information systems or relevant filing systems.

This may be achieved by: -

• ensuring as far as possible that the source of the information is reliable,
• taking steps to verify the information, if possible with another source or if reasonable, with the data subject, at the time of collection or at another convenient opportunity.
• using automatic validation procedures to ensure procedures for data entry and the information system itself does not introduce inaccuracies.

Should inaccuracies come to light, Chief Officers must take steps to lessen the damage or distress caused to the data subject or any other person by: -

• ensuring the inaccurate information is corrected as soon as possible.
• passing the corrected information to any third party to whom the inaccurate information may have already been disclosed
• ensuring any other consequences which may have arisen before the data was corrected have been acted upon to minimise the damage or distress.
• acting on reports of inaccuracies received from other organisations.

Where inaccurate information is found it should be corrected or erased without delay.

The Fourth Principle is not to be regarded as being contravened if an inaccuracy in personal data is actually an accurate record of information provided by the data subject, or a third party.

Chief Officers must ensure reasonable steps are taken to ensure the accuracy of the data, taking into account the purpose for which data were obtained and processed.

Police Officers and support staff will ensure that necessary cancellations or amendments are carried out. An arrest or detention or any other course of action affecting an individual or any other individual affected by that course of action to his detriment which is based on inaccurate information, may render the Chief Officer liable to pay compensation under the Act in addition to any liability under civil law.

All information must be promptly entered onto Police information systems. Chief Officers will ensure systems of work exist to achieve this requirement.

The Association of Police Chief Officers has agreed timescales within which this information must be entered.

• Details of at least 90% of all persons arrested/reported must be entered onto the Police National Computer within 24 hours.
• Details of all persons granted police bail must be entered within 24 hours.
• Results of all court cases, or other disposal of cases, must be entered within 72 hours of the disposal coming into the possession of the police.

9. RETENTION OF PERSONAL INFORMATION

(PRINCIPLE 5) Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

9.1 Method of Compliance

Forces must have procedures to ensure that personal data, which are processed, are periodically reviewed and information that is no longer required is removed (weeded) from information collections

The reasons for the police service holding personal data vary considerably, e. g. to carry out primary operational functions, to provide information or to perform tasks required by statute, or in support of the general management of a force.

It is not possible, in all instances, to lay down absolute rules about how long particular items of personal data which form part of a collection should be retained. However, such rules should be established where possible.

Persons responsible for data collections should ask the following questions: —

• why are the data currently held?
• what purpose do the data now serve?
• are the data still relevant?
• are the data up to date? (For example, is it information, which will not change such as date or place of birth, or is it transient information such as marital status, associates, car ownership, etc.)
• how much credence can be placed on the source of the data and the data content?
• how useful is the information likely to be in the future?

In determining these matters account needs to be taken of, for example: -

• the individual concerned and his circumstances with regard to the information recorded. For example, if the information relates to a convicted person, the seriousness and nature of the offences and/or whether there are reasonable grounds for believing that he is an active criminal, or is likely to re-offend.
• how old are the data?
• to what extent are the data used and thus required?

Records of general incidents, crime, accounts and administration can be given a normal maximum retention period based on known requirements. Such considerations as the limitation of proceedings and audit requirements, etc. will be relevant in determining how long personal data of this nature should he kept.

Chief Officers will ensure every collection of personal data has "operating rules". These will be to a prescribed format and will include data retention periods, which have been determined locally following consideration of national and force requirements.

In some cases, as soon as information has served its purpose it must be deleted immediately.

Failure to remove data when their purpose has been served will result in inaccurate, irrelevant, excessive and out of date data being held. All of these would be breaches of the Data Protection Principles.

There may be occasions where information needs to be retained for longer periods to fulfil statutory requirements, or other policing purposes.

In these cases a period beyond which the information may no longer be retained should be determined.

Consideration should be given to having all personal information removed. Within that period it may be possible to delete particular information when it is patently obvious that it will no longer be required.

In some cases it will be necessary for further enquiry’s to be made and/or the views of the officer responsible for the initial record to be sought before a decision to remove the information can be properly taken.

While it is not possible to formulate absolute guidelines the following recommendations, which cover major types of personal data held by the police, are made.

The guidelines are drawn widely and the phrase "kept for no longer than" has been used in recognition of the fact that given normal usage and review procedures, some data will be removed before a prescribed period expires. Similarly, it is also recognised that instances will occur when it will be necessary, because of the nature of the information and the circumstances prevailing at the time, to retain particular items of data for longer periods than specified.

It should be remembered that where personal data are held for historical, statistical or research purposes and not used in such a way that damage or distress is, or is likely to, be caused to any Data Subject:

(a) the information contained in the data, shall not be regarded for the purposes of the First Principle as obtained unfairly by reason only that its use for any such purpose was not disclosed when it was obtained and;

(b) the data may, notwithstanding the Fifth Principle, be kept indefinitely.

When data are held for the above purposes, personal information should be removed from the data, where possible.

The paragraphs within this section are numbered in accordance with the ACPO Crime Committee Policy circulated 29^th September 1999, as amended on 1^st November, 2000.

1. The period of retention of a subject’s complete criminal record will depend upon the disposal types that it contains. The whole of a subject’s record will be retained for the longest period specified in any of the applicable weeding rules.

2. A record will not be deleted if there is an impending prosecution, or if the subject is shown on PNC as ‘Wanted/Missing’, has certain Orders recorded, is shown as a ‘Deportee’ or has an ‘Unconfirmed Dead’, Sexual Offender’ or ‘Offences against Vulnerable Person’ marker. If the record shows that the subject is a Disqualified Driver, the record will be retained for the life of the disqualification should that record be due for weeding. The existence of any other warning signal or information marker on a record will not cause that record to be retained beyond its normal weed date.

3. Where Court Orders are granted against a subject as a result of a conviction, that record will remain for the life of the Order, if that exceeds the normal weed date for that record. Where an order is issued against a subject in isolation of the criminal record, i.e. issued in a civil court, those details will remain for the duration of the order, the subject’s criminal record will be subject to the normal weeding rules.

4. When the death of a subject is notified to the police, the record will be retained for one year after confirmation of death, to allow for the finalising of any outstanding matters that may involve the deceased. The record will then be weeded. A Chief Officer may extend this period where the record is required for current or future investigative purposes involving serious crime. The record will be weeded as soon as retention for this purpose is no longer required.

Records including convictions for recordable offences

5. Where a subject has not been convicted for a recordable offence for a period of 10 years from the date of their last conviction, subject to paragraph 5.2, the record will be deleted unless any of the following conditions apply:

5.1 The record contains a total of 6 months or more imprisonment, including suspended sentences. The total will be the aggregate of all sentences, irrespective of whether they are consecutive or concurrent.

5.2 The record contains 3 or more convictions for recordable offences.

5.3 The subject has on any occasion been found unfit to plead by reason of insanity, or has been sentenced under the Mental Health Acts.

5.4 The record contains a conviction for offences involving indecency, sexual offences, violence (as defined in the attached schedules), or trafficking in, importation of, or supply of all classes of drugs or possession of class ‘A’ drugs.

5.5 The record contains a conviction for an offence involving, as a victim, a child young person, or one who is elderly, or who is mentally or physically disabled or where the M.O. indicates that the offender deliberately targets this class of victim.

5.6 The record contains a conviction for an offence involving terrorism under any provisions of anti-terrorism legislation.

6. Subject to the provisions of paragraph 4: -

Where condition 5.1 applies the record will be retained until the death of the subject or until the subject reaches 100 years of age.

Where condition 5.2 applies the record will be retained for 20 years from the date of the last conviction.

Where condition 5.3 applies the record will be retained until the death of the subject or until the subject reaches 100 years of age.

Where condition 5.4 applies the record will be retained until the death of the subject or until the subject reaches 100 years of age.

Where condition 5.5 applies the record will be retained until the death of the subject or until the subject reaches 100 years of age.

Where condition 5.6 applies the record will be retained until the death of the subject or until the subject reaches 100 years of age.

7. Only recordable offences are entered onto PNC, on a stand-alone basis. The recording of non recordable convictions on local systems is at the discretion of Forces and their Chief Officers, subject to the requirements of any applicable legislation.

Records containing cautions

8. If there are cautions but no convictions on the record, and no further cautions have been recorded for a period of 5 years, the record will be deleted, except where the caution is accompanied by an "offends against vulnerable person" information marker.

Records containing police reprimands and final warnings

9. If there are police reprimands or final warnings but no convictions on the record, the reprimands will be retained until the offender has attained the age of eighteen years and for a minimum period of five years. After attaining the age of eighteen years and if no police reprimands or final warnings have been recorded for a period of five years, the record will be deleted.

Records containing other disposals

10. Disposals other than conviction, caution, police reprimands, final warnings, acquittal, discontinuance and not guilty bind-over, will also be recorded, i.e. adjourned sine die, lie on file. The offences contained within such disposals will determine the period of retention, in accordance with the provisions of paragraphs 5, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, and 6.

11. A prosecution for a recordable offence that is prosecuted to conviction and results in a bind-over is a recordable conviction. The period of retention will be determined in accordance with the provisions of paragraphs 5, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, and 6.

11.1 Any other recordable offence not prosecuted to conviction but whereby the defendant accepts the bind-over will be retained for the period of that bind-over.

Retention of acquittals or discontinued cases without caution

12. Except in circumstance mentioned in paragraph 13 below, details of acquittals, or of cases discontinued without caution may not be retained beyond 42 days after the notification (this period is to allow for the appeals process and for the destruction of fingerprints to be synchronised with deletion of data on the computer record, this will not affect the retention on the record, of any details of conviction, cautions, or other disposals.

13. In cases detailed at 13.1 and 13.2 acquittals and discontinued cases must be retained.

13.1 Acquittal for an offence of unlawful sexual intercourse by a male with a female under sixteen years of age must be retained. Details will be deleted when a male reaches twenty four years (Section 6 (3), Sexual Offences Act 1956).

13.2 Acquittal in cases where possession of stolen property can be proved, but insufficient ‘mens rea’ on that occasion to convict – details will be retained for a period of 1 year from the date of charging for use as special evidence (section 27 (3), Theft Act 1968) in any subsequent hearing for an offence of handling stolen goods.

14. Details may be retained for a period of five years in cases where a sexual offence is alleged, but the subject is acquitted, or the case is discontinued because of lack of corroboration or allegation of consent by the victim, providing identity is not an issue. An officer not below the rank of Superintendent must give authorisation and be reviewed again at the end of the retention period. Cautions for sexual offences, ordinarily weeded after five years, may also be reviewed and extended where appropriate.

14.1 When considering retention for cases above, the authorising officer must personally consider the full circumstances and only if all of the following criteria have been satisfied will authorisation for retention of the details be given;

(i) The circumstances of the case would give cause for concern if the subject were to apply for employment for a post involving substantial access to vulnerable persons and;

(ii) The decision to retain the information can be defended on the grounds of the prevention and detection of crime.

Convictions records will be retained for the life of the offender where the record contains a conviction for offences involving indecency, sexual offences, violence, trafficking in, importation of, or supply of all classes of drugs, or possession only of Class "A" drugs, and other offences as detailed in a list held by Force Data Protection Officers.

It is not possible to lay down strict criteria for the removal of data from criminal intelligence records. The need to retain or remove such information can only be judged from the nature of the information, and whether it is necessary, lawful, proportional and relevant to its purpose.

The decision to retain or remove personal data will be assisted by knowledge of the reliability of the source.

All intelligence reports will be reviewed on a regular basis and considered for deletion subject to a maximum period of 12 months.

For intelligence to be retained it must be relevant, but in some cases information will have to be retained for long periods if the police are to effectively discharge their duties.

Crime reports should normally be kept for no longer than 10 years, except where legal proceedings, appeals or reviews are pending at the expiry of that period, or the record relates to a serious crime.

Undetected crime records may be retained indefinitely, but should be reviewed every 5 years, following the initial 10 year period.

Records relating to serious crime will thereafter be reviewed every five years.

Records relating to all categories of property should normally be kept for no longer than six years. If there is a need, in particular circumstances, to keep details for a longer period, for example, those relating to (a) high value items, (b) major enquiries, (c) firearms, or (d) where ownership is still disputed, then the need for their continued retention should be reviewed annually.

Review after 12 months for non payment of fine warrants and 3 years for non appearance warrants, where the Police and not the Courts carry out these functions.

Traffic accident reports should normally be held for no longer than 3 years unless legal proceedings are outstanding, or until a related period of disqualification has expired.

A distinction is made between a major crime enquiry and a major incident investigation. For example, a murder enquiry as opposed to an incident such as a plane crash or natural disaster.

Major Incident Records, should normally be kept for ten years, or the duration of the sentence imposed on the offender(s), whichever is the longer, except where legal proceedings, appeals or reviews are pending at the expiry of that period.

Chief Officers may wish to retain a major crime enquiry or a major incident investigation because of the value of the records for historical purposes. Provided that the personal information that is kept for this purpose is not used in a way that is likely to cause damage or distress to any Data Subject, the information may be archived and kept indefinitely.

NB. This would not include data routinely archived for operational purposes.

Records relating to complaints against Police Officers will be held for a period not exceeding 6 years, at which time the data will be reviewed and a decision taken whether to retain it or not. This is to allow for any civil claims.

After that time a decision will be made whether to retain information on an annual basis.

Records should normally be kept for no longer than 3 years beyond the time it was last updated.

It is recognised that it may be necessary, from time to time, to keep such records for longer periods for management information purposes. Where this is necessary, records should only be used for that purpose and where possible de-personalised.

Personnel records relating to police and support staff may be retained for 6 years beyond the time they have left the organisation. This is to allow, for example, to defend claims in the Civil Courts relating to injuries sustained at work.

The Information Commissioner publishes guidance in this area that is recommended practice for Police Forces.

Records relating to police and support staff pensions may be held for the lifetime of the individual, or his or her beneficiary, where relevant.

In judging how long to hold records, the requirement to hold personal data for no longer than necessary for its purpose must always be complied with. A settled record retention policy for all records should be in place.

Police Forces operate many and varied information systems, therefore every collection of personal information will have specific Operating Rules that follow a prescribed format and include rules on data retention.

Individual data items within records may be considered for deletion earlier than the above standards.

There are a number of criminal offences created by the Data Protection Act 1998, but proceedings may only be instigated by the Information Commissioner, or by, or with the consent of the Crown Prosecution Service.

Police officers have a duty to act when offences come to their notice, and the following should apply.

10.2 Where officers in the normal course of their duties, become aware that a person may have committed or be committing an offence under the Act, they should inform the Force Data Protection Officer.

The Force Data Protection Officer should make the Information Commissioner’s Office aware allowing them to make appropriate enquiries.

Where the offences uncovered relate solely to Data Protection matters, the Information Commissioner’s Office will deal with the prosecution.

10.3 In the event of offences under the Act being discovered by officers in the course of their investigations into other matters (e.g. a fraud investigation) it is important that all evidence relating to data protection matters is secured and the Force Data Protection Officer will advise throughout this process.

It is the responsibility of the Force Data Protection Officer to subsequently liaise with the Commissioner on questions relating to the bringing of proceedings.

In such circumstances the Information Commissioner’s Office would assist in the preparation of the case file, with regard to any Data Protection offences, for the Crown Prosecution Service to pursue.

10.4 Where the circumstances of an offence committed under Section 55 of the Data Protection Act 1998 may also constitute an offence under the Official Secrets Act 1989, the Police will investigate the matter and submit a file to the Crown Prosecution Service.

10.5 If a complaint against a police officer by a member of public is being investigated and there is evidence to suggest the officer may have committed an offence under the Data Protection Act 1998, details should be reported to the Crown Prosecution Service in accordance with the provisions of S.90(3) and (4) of the Police and Criminal Evidence Act 1984.

Following this the Police Complaints Authority (PCA) must be notified under existing arrangements (unless the complaint falls within the supervised category in which the PCA will already have been informed).

10.6 As a result of an internal misconduct enquiry (under the Police Conduct Regulations 1999) if evidence exists to suggest that an officer has committed an offence under the Act, details should be reported to the Crown Prosecution Service in accordance with present arrangements.

Section 42(1) of the Act states that a data subject (or any other person who believes himself to be directly affected by the processing of personal data) may request the Information Commissioner make an ‘assessment’ as to whether the data controller has complied with the provisions of the Act.

The Information Commissioner has published policies on the handling of requests for assessment.

In addressing complaints made against the Police or against a police officer, the following procedures will be followed;

10.8 Where a member of public complains to the Police, or does so through any person other than the Information Commissioner, about the conduct of a police officer in relation to a Data Protection issue, the matter should be investigated in accordance with the Data Protection Act 1998. Any disciplinary matters will be dealt with ancillary to criminal matters.

10.9 Where a member of public complains directly to the Information Commissioner about the Police in connection with Data Protection matters, the Information Commissioner will deal with the matter in accordance with her powers under the Act.

In such circumstances it is suggested that the complaint is not regarded as a ‘complaint against police’ as it will not have been submitted to a Chief Officer of Police and will be dealt with by the Information Commissioner in accordance with the requirements of the Data Protection Act 1998.

If the matter concerns the conduct of an individual Officer raising the possibility of a criminal offence, the Information Commissioner’s Office will contact the Officer designated to deal with ‘complaints and discipline’ matters. The Information Commissioner’s Office will notify the Force Data Protection Officer of the enquiry.

It is expected that the department responsible for dealing with the complaint will liaise fully with the Force Data Protection Officer throughout the enquiry.

10.10 Instances may arise where a complainant submits his/her complaint to both the Information Commissioner and the Police. In these circumstances it will be necessary, by the way the legislation is framed, for both agencies to take action. When this becomes apparent at the outset of enquiries, in order to obtain maximum benefit from these dual responsibilities, agreement will be reached between the police force concerned and the Information Commissioner as to the consultation and collaboration in carrying out enquiries.

Where the Information Commissioner’s Office make contact with the department responsible for handling complaint and misconduct matters within a force (through the Chief Officer) the Force Data Protection Officer should be notified. At this point it is expected that the Force Data Protection Officer will take over the liaison role between the two bodies to assist in the joint enquiry.

At the conclusion of a joint investigation it is recommended that the Information Commissioner be given a draft report of the investigating officer’s report to the Crown Prosecution Service (CPS). The Information Commissioner’s comments thereon must either be taken into account in the investigating officer’s recommendation to the CPS, or appended to the report before submission to the CPS.

Where the Information Commissioner receives a complaint after the conclusion of an investigation then the investigating officer’s report, and supporting documentation, should be made available to the Information Commissioner.

It is recommended that papers be retained for six years in order to provide for such a circumstance.

10.11 In the case of internal enquiries by ‘Complaints and Discipline’ sections, where it is considered that offences under the Data Protection Act may be disclosed, Force Data Protection Officers must be consulted.

Additionally the Force Data Protection Officer must be notified of any suspensions from duty or dismissals, arising from such enquiries, in order to ensure that access to force and national information systems is revoked.

These arrangements should help to avoid confusion and prevent duplication of effort. The rationale being that if an individual wants his/her complaint dealt with by the Information Commissioner, it will be referred to her. If he/she wishes the complaint to be treated and dealt with as a complaint against the Police, it will be submitted to the Police.

Should it be necessary for the Information Commissioner to refer any matter to a Force, routine enquiries concerning compliance with the Data Protection Principles will be referred to the Force Data Protection Officer. Those giving rise to a suspected offence will be directed to the Deputy Chief Constable, or equivalent.

S.55(1) of the Data Protection Act 1998 creates a serious offence of unlawfully obtaining or disclosing personal data, without the consent of the ‘Data Controller’.

A criminal offence is committed if an individual knowingly or recklessly,

• obtains or discloses personal information, or the information contained in personal data, or
• procure the disclosure to another person of the information contained in personal data,

without the consent of the Chief Officer (Data Controller).

This does not apply where it can be shown that any of the provisions, outlined under S.55(2) shown below, are satisfied:

• that the obtaining, disclosing or procuring of the information was either,

(i) necessary for the purpose of preventing or detecting crime, or

(ii) required or authorised by or under any enactment, by any rule of law, or by the order of a court.

• that the individual acted in the reasonable belief that he/she had in law the right to obtain or disclose the data, or to procure the disclosure to the other person.

• that the individual acted in the reasonable belief that the Chief Officer would have consented if he had known of the obtaining, disclosing or procuring, and the circumstances of it.

• that in the particular circumstances, the obtaining, disclosing or procuring was justified as being in the public interest.

In addition there are further offences committed through the selling of personal data. Specifically, when a person sells or offers to sell personal data where that data has been obtained in contravention of the above.

The penalties for these offences are;

• a fine of up to £5000 in a summary conviction.
• an unlimited fine on conviction on indictment.

(Principle 7) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

11.1 Interpretation

Having regard to the state of technical developments and the cost of implementing any measures, the measures must ensure a level of security appropriate to: -

• the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage, and
• the nature of the data to be protected.

Chief Officers (Data Controllers) must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

Where processing is carried out by a Data Processor or on behalf of a Chief Officer, in order to comply with the seventh principle the Chief Officer must:

• choose a Data Processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out and,
• take reasonable steps to ensure compliance with those measures
• ensure the processing is carried out under a written contract, under which the Data Processor is to act only on instructions form the Chief Officer, and
• the contract requires the Data Processor to comply with obligations equivalent to those imposed on a Chief Officer by the seventh principle.

The objective of information security is to manage the preservation of confidentiality, integrity and availability of information and other assets as part of the delivery of Policing.

Information is an asset, which like other important business assets has a value to the Police. Information security must address both the relevance, level and kind of threats to which data are exposed – identify the threats and vulnerabilities and then implement suitable countermeasures.

Information security addresses both technical and non-technical aspects.

Information security is achieved by implementing a suitable set of controls that include: policies, procedures, organisational structures, and training and software functions.

Police Forces are required to comply with a standard for information security based on ISO 17799. The "Community Security Policy" sets out a broad statement which addresses the security requirements of the Association of Chief Police Officers of England, Wales & Northern Ireland (ACPO), the Association of Chief Police Officers in Scotland (ACPOS) and the Criminal Justice Community.

The CSP provides a baseline set of security requirements for safeguarding sensitive information to which all persons, organisations and service providers within the Criminal Justice Community are required to comply.

Every UK Police Force has allocated responsibility for Information Security and to advise on the ISO 17799 standard and the Community Security Policy.

Specific security measures relating to all Police information systems will be developed and documented by Chief Officers.

As a minimum they will cover the following:

• Authorised access to personal data
• Authorised access to the sites, buildings and functional areas where data is located.
• Vetting and employment of contractors, agency staff and volunteers.
• Disposal of confidential waste.
• Polices regarding disclosure of information
• Radio transmissions and mobile phone conversations
• Mobile data terminals.

• Security of networks
• Security incident reporting procedures
• System change control procedures.
• Training and testing using live data.
• Portable and home computers
• Unauthorised and unlawful software

• Security of accommodation where information systems are sited.
• Protection of installations, staff, equipment and data from natural and other hazards.
• A register of assets.
• Business continuity plans.
• Security, storage and management of media.

Any protocol or agreement covering the sharing of personal information between a Chief Officer and a partner organisation will include a statement regarding information security.

The standards defined for Police Forces in the ACPO Community Security Policy cannot be imposed on organisations that do not fall within this Policy’s remit, but organisations who process personal data must still comply with the seventh Principle of the Data Protection Act, 1998

Therefore, partner organisations must have a level of security in place commensurate with the sensitivity and classification of information shared and the possible risks that could ensue from the sharing of the information.

The Security Policy of each of the signatories will be attached to any agreement involving the Police.

Chief Officers will ensure that Data Protection and security implications are considered at an early stage of the development of an information system. They should be considered at the design stage of any computer system, CCTV system, audible recording system or relevant filing system.

Data Protection and security requirements should be considered at the same time as user requirements are being identified. This will avoid delays in implementing systems and ensure that the costs of such systems have been correctly identified.

At the design stage of information systems there are many opportunities to incorporate features to assist Data Protection compliance by ensuring there are features to:

• allow records to be identified at the end of their useful life.
• ensure only accurate information is recorded, using automatic validation features
• restrict the recording of irrelevant information
• audit trails to allow quality control checks
• facilities for searches for subject access requests
• any abbreviations used must comply with the standard list acceptable for inclusion on the Police National Computer
• measures to guard against unauthorised access, unlawful processing, accidental loss, destruction or damage to personal data.
• system access controls

Systems must include guidance to ensure that only relevant information is processed. Forms used for collecting information about the individual must be structured in such a way that when completed they will provide the right amount of information.

The ACPO Data Protection Portfolio Group will keep the Code of Practice under review, taking account of: -

• Changes in legislation
• Advice from the Information Commissioner
• Decisions from the Courts
• Changes in technology
• Policies, practices and procedures in partner organisations
• Experience in practice
• Relevant guidance from other representative bodies.

Data Information which is being processed.

Data Subject An individual who is subject of personal data.

Data Controller A person (Chief Officer of Police) who determines the purposes for which personal data are processed.

Processing Obtaining, recording or holding personal information; carrying out any operation on the information, including: -

• Organising, adapting or altering;
• Retrieving, consulting or using;
• Disclosing, by transmitting, disseminating or otherwise making available;
• Aligning, combining, blocking, erasing or destroying.

Personal Data Personal data containing a number or code used for identification purposes (e.g. PNC ID) must be processed in compliance with this Code of Practice.

Third Party In relation to personal data; means any person other than: -

• the data subject
• the data controller, or
• any data processor.