[This version is provided by http://www.cyber-rights.org]
Association of Chief Police Officers Data Protection Code of Practice
Draft for Consultation
A Draft for Consultation of the Association of Chief Police Officers Data Protection Code of Practice has been submitted to the Information Commissioner for her consideration by the Association of Chief Police Officers, under Section 51(4)(b) of the Data Protection Act 1998.
As part of that consideration, the views are sought of as many data subjects and persons representing data subjects, as is possible. We welcome all contributions, which will enable the Information Commissioner to take the fullest account of existing opinion on the issues involved.
If you feel you have a contribution to make in the process, you are asked to consider the contents of the draft document and forward any views you may have to the Information Commissioner’s Office.
Please write, e-mail or fax any comments to the address below by 18th February 2002.
Peter E. Clarke, ACPO Data Protection Code of Practice Consultation, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Fax: 01625 524510
ACPO Data Protection Code of Practice
DRAFT: 8 10
3. Areas of Responsibility
5. Fair and Lawful Processing of Personal Information
6. Disclosure of Personal Information
7. Data Subjects Rights
8. Data Quality
9. Retention of Personal Information
10. Complaints & Discipline
12. Development of Information Systems
13. Review of the Code
A. Glossary of terms
The Police Service has a significant role to play in the Criminal Justice system and as such has a special responsibility to ensure information, particularly personal information, is fit for the purpose. To allow the quality of information to deteriorate at this stage would mean the rest of the Criminal Justice system would suffer as a result. The aims of this Code of Practice are to preserve the public’s confidence in the way the Police process their information and to provide standards for every Police Officer and Support Staff when handling personal information.
The Data Protection Act 1998 is intended to protect the rights of individuals when information about them is processed by organisations including the Police. The Act is concerned with all personal information, whether it is held on computer, closed circuit television, manual filing records, microfiche, or any other media. Therefore the standards contained in this Code of Practice relate to all collections of personal information held by the Police and it should be read and applied in exactly the same way.
There are areas where application of the Act is influenced by other legislation: the Human Rights Act, Regulation of Investigatory Powers Act, Crime and Disorder Act, Computer Misuse Act, to name just a few. It is simply not possible in a document such as this to cover every conceivable position of the various legislation and the reader should take this into account.
Similarly, there are many Codes of Practice published by other public bodies and organisations, including the Information Commissioner, that may have a bearing on the interpretation of this Code of Practice.
3. AREAS OF RESPONSIBILITY
3.1 Chief Officer
Ultimate responsibility for the implementation of this Code of Practice rests with the Chief Officer of Police, who is the Data Controller for the purposes of the Data Protection Act 1998. He or she will designate an officer of Assistant Chief Constable, Commander or civilian equivalent to ensure compliance with the code.
3.2 Assistant Chief Officer
A designated ACPO Officer will be responsible for: -
3.3 Force Data Protection Officer
A Force Data Protection Officer will be appointed whose responsibilities will include: -
3.4 All Police Officers, Support Staff and Special Constables
Every Police Officer, Support Staff member and Special Constable of the Force has a duty to ensure compliance with the principles of the Data Protection Act 1998 and will undertake to follow the provisions of this Code of Practice in accordance with Force policy and procedures.
3.5 Her Majesty’s Inspectorate of Constabulary
HMIC is the national body responsible for monitoring compliance by Forces with this Code of Practice.
Their role is to carry out regular audit checks in every Police Force, using criteria that can be measured and quantified, and a reporting structure that ensures every Chief Officer is accountable.
4. NOTIFICATION of PROCESSING to the
(PRINCIPLE 2) Personal data shall be obtained only for one or more specified and lawful purposes…..
The specified purposes are those notified to the Office of the Information Commissioner under Part III of the Act.
4.2 Method of Compliance
All personal data must be processed within terms notified to the Information Commissioner, or be specifically exempt from notification. Each individual Chief Officer is the Data Controller for his or her own Police Force.
To assist with compliance with this principle, the Association of Chief Police Officers, on behalf of Chief Officers, has agreed general statements of processing with the Information Commissioner. These can be found on the Information Commissioner’s web site: www.dataprotection.gov.uk
It may be necessary from time to time to alter the details notified to the Information Commissioner, by Force Data Protection Officers, through the Association of Chief Police Officers (ACPO).
5. FAIR and LAWFUL PROCESSING of PERSONAL INFORMATION
(PRINCIPLE 1) Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
5.1 The reasons for the police service holding personal information vary considerably, e.g. to carry out operational policing functions, to perform tasks required by statute, or in support of the general management of a force.
Chief Officers must establish a proper basis for processing personal information under Schedules 2 and 3 of the Act.
A number of conditions are set down in the Act, including where processing is necessary for any function conferred on a constable. It is therefore important that processing activities remain within these conditions.
5.2 Fair Obtaining of Personal Information
Information must be obtained in a fair and lawful manner in accordance with the law and with Force instructions. Information must not be obtained by deceiving or misleading an individual or applying any unfair pressure such as making threats or offering inducements.
Personal data is considered to have been "fairly obtained" if it is from a person who is authorised by law to supply it.
Either at the time the Data Controller commences the processing, or at a time when the data is to be disclosed to a third party, a Data Subject must be provided with: -
There will be circumstances when the purpose for which information is to be used is obvious. On other occasions it may be necessary to provide an explanation to the individual.
In certain situations an individual has little option other than to supply information to the Police for policing purposes. In such circumstances the Information Commissioner has taken the view that it may be necessary;
The Data Protection Tribunal has endorsed this approach, adding that such notifications must be given at the time the information is initially obtained.
5.3 Lawful processing
Any processing of personal information must be in accordance with other legal duties that affect the police service.
To contravene these legal duties would involve unlawful processing within the terms of the Data Protection Act, where personal data is involved.
For example, processing information for a purpose beyond the Police’s powers would mean the Chief Officer is acting ultra vires, which also amounts to unlawful processing under the Act.
Other legal duties, such as Common Law duties of confidentiality and obligations under the Human Rights Act are also important and must be taken into consideration.
Where there is any doubt about the lawfulness of processing, legal advice will be sought before processing.
5.4 Fair Processing
In addition to processing personal information legally, Chief Officers must ensure it is processed fairly.
It would not be fair, for example, to pass personal information to another organisation when an individual has made it clear he or she does not consent to the information being passed on at all.
6. DISCLOSURE of PERSONAL INFORMATION
How and to whom the Police Service disclose personal information are further aspects of fair and lawful processing under the Act.
6.1 Disclosure of personal information must be compatible with the purpose for which the data were originally processed. This includes taking into account the purpose for which any person to whom they may be disclosed may use them.
Personal information can only be lawfully disclosed to individuals and organisations mentioned in the notified purpose, unless the person to whom the disclosure is to be made is the subject of an exemption under the Act, or is authorised by other legislation.
The Police Service has nationally agreed policies and instructions (which may be more restrictive than the details notified to the Information Commissioner), that will be authorised at the appropriate level.
From time to time it may be necessary for the Police to use certain exemptions that are included in the Act when it is important to do so.
Such an exemption may be used where not disclosing information would be likely to prejudice the prevention or detection of a crime, or the apprehension and prosecution of an offender.
A judgement will need to be made in every case where it is considered an exemption may apply. Force Data Protection Officers must be consulted before an exemption is relied upon.
6.3 Overseas Transfers
Where consideration is being given to the transfer of personal data to a country outside the European Economic Area (EEA), advice must be sought from the Force Data Protection Officer.
Issues surrounding the adequacy of a Country’s data protection practices and legislation must be considered before a decision is made whether or not to transfer personal information.
7. DATA SUBJECTS RIGHTS
(PRINCIPLE 6) Personal data shall be processed in accordance with the rights of Data Subjects under this Act including;
7.1 Right of Access to Personal Data
Individuals have the right to access personal data that are being processed about them by a Data Controller, or someone else on the Data Controller’s behalf.
They must be provided with the following information: -
7.2 Method of Application
Requests for personal information must be made in writing and, although Chief Officers cannot insist on their completion, standard forms provide benefits to Forces and to individuals. For this purpose a standard "Subject Access Application Form" has been devised (Form SA1).
The applicant must provide sufficient information to establish their identity and to allow the Data Controller to locate the information requested.
There is a standard fee, subject to the statutory maximum (£10 as at 1 March 2000).
It is important to establish the identity of the person making the request, to ensure information is disclosed to the right person. Chief Officers will usually request identification documents to assist with this. More information can be requested if the subject’s identification is in doubt.
7.4 Responding to Requests
Once a completed application is received (as above), Forces must reply, even if personal data are not held or an exemption is relied upon, within forty days.
Information supplied in response to a subject access request must reflect the data held at the time the request was received. Account may be taken of any routine amendment or deletion made between receiving and responding to a request but this must not be made as a result of receiving the request.
Any information provided must be in permanent form, and should be legible to the applicant. If the information cannot be fully transcribed into an intelligible format, explanation should be given of any code used in the response.
7.5 Sufficient Information
If a request does not provide sufficient information to be processed, the Chief Officer must take steps to make the individual aware that further information is required. These steps must be taken as soon as possible after receiving a request and should guide the applicant as to what further information is needed to satisfy the requirement.
Forces will also need to decide what is "reasonable" as a minimum requirement. Information provided by the applicant will need to be balanced with other information that may be available. For instance, where a number of similar records are found it may be necessary to ask the applicant to provide further details to assist in a process of elimination.
In respect of CCTV material, for example, it would be necessary for the individual to provide details of dates, times and locations to enable the data to be located.
Before refusing an application on the grounds that insufficient information has been provided, Data Controllers must ensure that: -
7.6 Circumstances Where Information May Be Withheld
Third Party Information
Chief Officers are not obliged to disclose information in response to a subject access application if it identifies another individual.
This also applies to the obligation on Chief Officers to provide details of the source of the information held. If the source of the information identifies a 3rd party it can be withheld.
Information about a third party can only be disclosed if: -
In these circumstances, due regard has to be given to a balance of interest of the parties concerned.
Specific measures may need to be taken when responding to applications for access to CCTV material. It may be necessary to blur any images of third parties on the film unless they do not have a reasonable expectation of privacy, for example if they are in a public place.
Crime and Taxation Exemptions
Information processed for the purposes of the prevention and detection of crime or the apprehension and prosecution of an offender may be exempt from the subject access provisions of the Act. To rely on this exemption a Chief Officer must demonstrate that the disclosure of the data to the data subject is likely to prejudice the above purposes.
7.7 Requests Made on Behalf of Another
Subject Access Requests can be accepted from a child if, in the opinion of the Chief Officer, the child has sufficient intellectual ability to understand the nature of the request.
A parent or guardian can exercise the right, and receive the reply, if: -
Forces may receive subject access requests by agents acting on behalf of an individual. Chief Officers will need to satisfy themselves as to the identity of the agent and be provided with sufficient information about the individual he is acting for, to assist in establishing identity and locating the data sought.
Chief Officers should obtain written confirmation from the individual authorising the agent to make the request.
All responses would normally be sent directly to the Data Subject at their home address. Where a request is made for the information to go to a place other than the individual’s home address, the relationship between the individual and the agent, e.g. client/solicitor, should be a factor in determining whether to comply with the request.
There may be occasions when the Data Subject specifically requests that nothing be sent to his home address. In these circumstances, and to protect their interests, arrangements should be made to ensure the response is passed directly to the Data Subject.
7.8 Right To Prevent Processing Likely To Cause Damage Or Distress
An individual is entitled to make a request that a Chief Officer does not process personal data relating to him or her that is causing or is likely to cause unwarranted substantial damage or distress. This must be done in writing by the Data Subject and is known as a Data Subject Notice.
A Chief Officer must respond to this notice within 21 days. After deciding whether the notice is warranted and the individual’s claims can be substantiated, the individual should be informed of the decision.
7.9 Rights In Relation To Automated Decision Taking
A data subject has the right to request that a Chief Officer ensures no decision that would significantly affect the subject is taken purely using automated decision making software.
When such decisions are made, the data subject has the right to be informed that the decision was made on such a basis and, within 21 days of such notification, can require the Chief Officer to reconsider their decision.
7.10 Right To Compensation
An individual who believes they have suffered damage or damage and distress as a result of any contravention of the requirements of the Data Protection Act, by a Data Controller, may be entitled to compensation.
In these circumstances the Chief Officer must be able to demonstrate that such care as was reasonable in the circumstances was taken to ensure compliance with the Act.
8. DATA QUALITY
(PRINCIPLE 3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
It is necessary that all information initiated by Police Officers, Support Staff, or partner agencies with which the police service is directly engaged in activities, is clear in meaning and sufficient for others to understand.
This is particularly important where any specific action is required to be taken.
Box 8 Inadequate data
If a Police operator fails to enter a postcode properly where it is required on the Police National Computer (PNC) this has a detrimental effect on a search carried out using the "QUEST" system.
In effect, this renders the data "inadequate" for operational purposes, aside from the requirements of the Data Protection Act.
Similarly, delays in entering Court results onto the PNC will inevitably mean data are inadequate for their purpose, creating opportunities for improper action such as the premature release of a suspect for a crime.
Chief Officers must give clear guidance on what procedures are to be adopted to ensure that only relevant information is processed i.e. the minimum amount of information about the individual that is required and is relevant for the purpose.
In their efforts to comply with the Third Principle, Chief Officers must start by considering their policies for collecting information about individuals. When considering how to achieve the notified purpose and at the same time comply with the Third Principle, Chief Officers must identify those instances where additional information will be required and seek to ensure that such information is only collected and recorded in those cases.
Where information is processed for the purpose of criminal intelligence or during the course of a major investigation, appropriate guidance must be given to those having responsibility for deciding what should and what should not be recorded.
All criminal intelligence will be graded using a standard evaluation system, which gives an indication of the quality of the information, the reliability of the source of the information and provides guidance on the subsequent dissemination of that information.
Police Officers, Support Staff and Special Constables originating information must ensure that it is adequate, unambiguous and professionally worded. Opinions should be clearly distinguishable from matters of fact.
8.3 Not excessive
Information must not be excessive in relation to the purpose for which it is held. It is difficult to argue that irrelevant information is not also excessive information. Only the minimum amount of information about the individual must be held in order to properly fulfil the purpose.
It is excessive to hold data on all individuals where that particular item of data is only relevant in certain individual cases.
Box 9 "Excessive" Data
It may be considered "excessive" to mark personal data to indicate that an individual has a "contagious disease" (HIV, Hepatitis, etc.) when, in practice, normal health and safety precautions should afford adequate protection for everyone.
It would not be excessive, however, to use the marker where an individual uses the threat of infecting Police Officers when held in custody.
The Data Protection Tribunal has held that only the minimum amount of information that is required for the conduct of that purpose should be held about an individual.
The Data Protection Tribunal has also held, "that information should not be retained on the grounds that it may possibly become relevant in the future and the fact that an individual volunteers information is not a material fact in considering whether it is excessive and irrelevant for its purpose."
8.4 Keeping information up to date and accurate
(Principle 4) Personal data shall be accurate and, where necessary, kept up to date.
Data are inaccurate for the purposes of the Act if they are incorrect or misleading as to any matter of fact.
It is of vital importance, not only to comply with the Act but for operational reasons, to ensure as far as is practicable that all information processed is accurate. This is equally applicable to information received from the Data Subject, another part of the police service or from a third party.
Great care must be exercised in the collection of information. All operators, when entering information, must ensure that it is accurately recorded and where possible the source of the information is included on the system. Where there is any doubt, information must be clarified with the source of that information prior to its inclusion.
Box 10 "Accurate" Data
Where an entry is created on the PNC for the arrest of a person Chief Officers must ensure that the information is accurate and kept up to date to avoid arresting the individual incorrectly.
Chief Officers must adopt procedures to prevent factual inaccuracies being entered onto information systems or relevant filing systems.
This may be achieved by: -
Should inaccuracies come to light, Chief Officers must take steps to lessen the damage or distress caused to the data subject or any other person by: -
Where inaccurate information is found it should be corrected or erased without delay.
The Fourth Principle is not to be regarded as being contravened if an inaccuracy in personal data is actually an accurate record of information provided by the data subject, or a third party.
Chief Officers must ensure reasonable steps are taken to ensure the accuracy of the data, taking into account the purpose for which data were obtained and processed.
8.5 Kept up to date
Police Officers and support staff will ensure that necessary cancellations or amendments are carried out. An arrest or detention or any other course of action affecting an individual or any other individual affected by that course of action to his detriment which is based on inaccurate information, may render the Chief Officer liable to pay compensation under the Act in addition to any liability under civil law.
All information must be promptly entered onto Police information systems. Chief Officers will ensure systems of work exist to achieve this requirement.
Box 11 "Up to date records"
In instances where Court results are not entered promptly this could lead to someone being released from custody too soon.
Failure to create these records could allow an unsuitable person to obtain employment with children or vulnerable persons.
Failing to update these records could prevent a person obtaining employment.
The Association of Chief Police Officers has agreed timescales within which this information must be entered.
9. RETENTION OF PERSONAL INFORMATION
(PRINCIPLE 5) Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
9.1 Method of Compliance
Forces must have procedures to ensure that personal data which are processed are periodically reviewed, and that information that is no longer required is removed (weeded) from information collections.
9.2 Personal Information Held By the Police
The reasons for the police service holding personal data vary considerably, e.g. to carry out primary operational functions, to provide information or to perform tasks required by statute, or in support of the general management of a force.
It is not possible, in all instances, to lay down absolute rules about how long particular items of personal data which form part of a collection should be retained. However, such rules should be established where possible.
Persons responsible for data collections should ask the following questions: —
In determining these matters account needs to be taken of, for example: -
Records of general incidents, crime, accounts and administration can be given a normal maximum retention period based on known requirements. Such considerations as the limitation of proceedings and audit requirements, etc. will be relevant in determining how long personal data of this nature should be kept.
Chief Officers will ensure every collection of personal data has "operating rules". These will be to a prescribed format and will include data retention periods, which have been determined locally following consideration of national and force requirements.
In some cases, as soon as information has served its purpose it must be deleted immediately.
Failure to remove data when their purpose has been served will result in inaccurate, irrelevant, excessive and out of date data being held. All of these would be breaches of the Data Protection Principles.
There may be occasions where information needs to be retained for longer periods to fulfil statutory requirements, or other policing purposes.
In these cases a period beyond which the information may no longer be retained should be determined.
Consideration should be given to having all personal information removed. Within that period it may be possible to delete particular information when it is patently obvious that it will no longer be required.
In some cases it will be necessary for further enquiries to be made and/or the views of the officer responsible for the initial record to be sought before a decision to remove the information can be properly taken.
9.3 Guideline for the review and removal of personal information
While it is not possible to formulate absolute guidelines the following recommendations, which cover major types of personal data held by the police, are made.
The guidelines are drawn widely and the phrase "kept for no longer than" has been used in recognition of the fact that given normal usage and review procedures, some data will be removed before a prescribed period expires. Similarly, it is also recognised that instances will occur when it will be necessary, because of the nature of the information and the circumstances prevailing at the time, to retain particular items of data for longer periods than specified.
It should be remembered that where personal data are held for historical, statistical or research purposes and not used in such a way that damage or distress is, or is likely to be, caused to any Data Subject:
(a) the information contained in the data, shall not be regarded for the purposes of the First Principle as obtained unfairly by reason only that its use for any such purpose was not disclosed when it was obtained and;
(b) the data may, notwithstanding the Fifth Principle, be kept indefinitely.
When data are held for the above purposes, personal information should be removed from the data, where possible.
9.4 General Rules for Criminal Record Weeding on Police Systems
The paragraphs within this section are numbered in accordance with the ACPO Crime Committee Policy circulated 29th September 1999, as amended on 1st November, 2000.
1. The period of retention of a subject’s complete criminal record will depend upon the disposal types that it contains. The whole of a subject’s record will be retained for the longest period specified in any of the applicable weeding rules.
2. A record will not be deleted if there is an impending prosecution, or if the subject is shown on PNC as ‘Wanted/Missing’, has certain Orders recorded, is shown as a ‘Deportee’ or has an ‘Unconfirmed Dead’, ‘Sexual Offender’ or ‘Offences against Vulnerable Person’ marker. If the record shows that the subject is a Disqualified Driver, the record will be retained for the life of the disqualification should that record be due for weeding. The existence of any other warning signal or information marker on a record will not cause that record to be retained beyond its normal weed date.
3. Where Court Orders are granted against a subject as a result of a conviction, that record will remain for the life of the Order, if that exceeds the normal weed date for that record. Where an order is issued against a subject in isolation of the criminal record, i.e. issued in a civil court, those details will remain for the duration of the order; the subject’s criminal record will be subject to the normal weeding rules.
4. When the death of a subject is notified to the police, the record will be retained for one year after confirmation of death, to allow for the finalising of any outstanding matters that may involve the deceased. The record will then be weeded. A Chief Officer may extend this period where the record is required for current or future investigative purposes involving serious crime. The record will be weeded as soon as retention for this purpose is no longer required.
Records including convictions for recordable offences
5. Where a subject has not been convicted for a recordable offence for a period of 10 years from the date of their last conviction, subject to paragraph 5.2, the record will be deleted unless any of the following conditions apply:
5.1 The record contains a total of 6 months or more imprisonment, including suspended sentences. The total will be the aggregate of all sentences, irrespective of whether they are consecutive or concurrent.
5.2 The record contains 3 or more convictions for recordable offences.
5.3 The subject has on any occasion been found unfit to plead by reason of insanity, or has been sentenced under the Mental Health Acts.
5.4 The record contains a conviction for offences involving indecency, sexual offences, violence (as defined in the attached schedules), or trafficking in, importation of, or supply of all classes of drugs or possession of class ‘A’ drugs.
5.5 The record contains a conviction for an offence involving, as a victim, a child, young person, or one who is elderly, or who is mentally or physically disabled or where the M.O. indicates that the offender deliberately targets this class of victim.
5.6 The record contains a conviction for an offence involving terrorism under any provisions of anti-terrorism legislation.
6. Subject to the provisions of paragraph 4: -
Where condition 5.1 applies the record will be retained until the death of the subject or until the subject reaches 100 years of age.
Where condition 5.2 applies the record will be retained for 20 years from the date of the last conviction.
Where condition 5.3 applies the record will be retained until the death of the subject or until the subject reaches 100 years of age.
Where condition 5.4 applies the record will be retained until the death of the subject or until the subject reaches 100 years of age.
Where condition 5.5 applies the record will be retained until the death of the subject or until the subject reaches 100 years of age.
Where condition 5.6 applies the record will be retained until the death of the subject or until the subject reaches 100 years of age.
Non recordable convictions
7. Only recordable offences are entered onto PNC, on a stand-alone basis. The recording of non recordable convictions on local systems is at the discretion of Forces and their Chief Officers, subject to the requirements of any applicable legislation.
Records containing cautions
8. If there are cautions but no convictions on the record, and no further cautions have been recorded for a period of 5 years, the record will be deleted, except where the caution is accompanied by an "offends against vulnerable person" information marker.
Records containing police reprimands and final warnings
9. If there are police reprimands or final warnings but no convictions on the record, the reprimands will be retained until the offender has attained the age of eighteen years and for a minimum period of five years. After attaining the age of eighteen years and if no police reprimands or final warnings have been recorded for a period of five years, the record will be deleted.
Records containing other disposals
10. Disposals other than conviction, caution, police reprimands, final warnings, acquittal, discontinuance and not guilty bind-over, will also be recorded, i.e. adjourned sine die, lie on file. The offences contained within such disposals will determine the period of retention, in accordance with the provisions of paragraphs 5, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, and 6.
11. A prosecution for a recordable offence that is prosecuted to conviction and results in a bind-over is a recordable conviction. The period of retention will be determined in accordance with the provisions of paragraphs 5, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, and 6.
11.1 Any other recordable offence not prosecuted to conviction but whereby the defendant accepts the bind-over will be retained for the period of that bind-over.
Retention of acquittals or discontinued cases without caution
12. Except in the circumstances mentioned in paragraph 13 below, details of acquittals, or of cases discontinued without caution, may not be retained beyond 42 days after the notification (this period is to allow for the appeals process and for the destruction of fingerprints to be synchronised with deletion of data on the computer record). This will not affect the retention on the record of any details of convictions, cautions, or other disposals.
13. In cases detailed at 13.1 and 13.2 acquittals and discontinued cases must be retained.
13.1 Acquittal for an offence of unlawful sexual intercourse by a male with a female under sixteen years of age must be retained. Details will be deleted when a male reaches twenty four years (Section 6 (3), Sexual Offences Act 1956).
13.2 Acquittal in cases where possession of stolen property can be proved, but insufficient ‘mens rea’ on that occasion to convict – details will be retained for a period of 1 year from the date of charging for use as special evidence (section 27 (3), Theft Act 1968) in any subsequent hearing for an offence of handling stolen goods.
14. Details may be retained for a period of five years in cases where a sexual offence is alleged, but the subject is acquitted, or the case is discontinued because of lack of corroboration or allegation of consent by the victim, providing identity is not an issue. An officer not below the rank of Superintendent must give authorisation, which must be reviewed again at the end of the retention period. Cautions for sexual offences, ordinarily weeded after five years, may also be reviewed and extended where appropriate.
14.1 When considering retention for cases above, the authorising officer must personally consider the full circumstances and only if all of the following criteria have been satisfied will authorisation for retention of the details be given;
(i) The circumstances of the case would give cause for concern if the subject were to apply for employment for a post involving substantial access to vulnerable persons and;
(ii) The decision to retain the information can be defended on the grounds of the prevention and detection of crime.
Offences that will be retained for life
Conviction records will be retained for the life of the offender where the record contains a conviction for offences involving indecency, sexual offences, violence, trafficking in, importation of, or supply of all classes of drugs, or possession only of Class "A" drugs, and other offences as detailed in a list held by Force Data Protection Officers.
9.5 Crime Intelligence
It is not possible to lay down strict criteria for the removal of data from criminal intelligence records. The need to retain or remove such information can only be judged from the nature of the information, and whether it is necessary, lawful, proportional and relevant to its purpose.
The decision to retain or remove personal data will be assisted by knowledge of the reliability of the source.
All intelligence reports will be reviewed on a regular basis and considered for deletion subject to a maximum period of 12 months.
For intelligence to be retained it must be relevant, but in some cases information will have to be retained for long periods if the police are to effectively discharge their duties.
9.6 Crime Reports
Crime reports should normally be kept for no longer than 10 years, except where legal proceedings, appeals or reviews are pending at the expiry of that period, or the record relates to a serious crime.
Undetected crime records may be retained indefinitely, but should be reviewed every 5 years, following the initial 10 year period.
Records relating to serious crime will thereafter be reviewed every five years.
9.7 Stolen/Lost/Found Property
Records relating to all categories of property should normally be kept for no longer than six years. If there is a need, in particular circumstances, to keep details for a longer period, for example, those relating to (a) high value items, (b) major enquiries, (c) firearms, or (d) where ownership is still disputed, then the need for their continued retention should be reviewed annually.
9.8 Non Payment of Fine and Non Appearance Warrants
Review after 12 months for non payment of fine warrants and 3 years for non appearance warrants, where the Police and not the Courts carry out these functions.
9.9 Road Traffic Accidents
Traffic accident reports should normally be held for no longer than 3 years unless legal proceedings are outstanding, or until a related period of disqualification has expired.
9.10 Major Enquiry Information
A distinction is made between a major crime enquiry and a major incident investigation. For example, a murder enquiry as opposed to an incident such as a plane crash or natural disaster.
Major Incident Records should normally be kept for ten years, or the duration of the sentence imposed on the offender(s), whichever is the longer, except where legal proceedings, appeals or reviews are pending at the expiry of that period.
Chief Officers may wish to retain a major crime enquiry or a major incident investigation because of the value of the records for historical purposes. Provided that the personal information that is kept for this purpose is not used in a way that is likely to cause damage or distress to any Data Subject, the information may be archived and kept indefinitely.
NB. This would not include data routinely archived for operational purposes.
9.11 Complaints and Discipline.
Records relating to complaints against Police Officers will be held for a period not exceeding 6 years, at which time the data will be reviewed and a decision taken whether to retain it or not. This is to allow for any civil claims.
After that time a decision will be made whether to retain information on an annual basis.
9.12 Occurrence/Incident Reports/Logs
Records should normally be kept for no longer than 3 years beyond the time they were last updated.
It is recognised that it may be necessary, from time to time, to keep such records for longer periods for management information purposes. Where this is necessary, records should only be used for that purpose and where possible de-personalised.
9.13 Personnel Records
Personnel records relating to police and support staff may be retained for 6 years beyond the time they have left the organisation. This is to allow, for example, the defence of claims in the Civil Courts relating to injuries sustained at work.
The Information Commissioner publishes guidance in this area that is recommended practice for Police Forces.
9.14 Records Relating to Pensions
Records relating to police and support staff pensions may be held for the lifetime of the individual, or his or her beneficiary, where relevant.
9.15 Other Records
In judging how long to hold records, the requirement to hold personal data for no longer than necessary for its purpose must always be complied with. A settled record retention policy for all records should be in place.
9.16 Operating Rules
Police Forces operate many and varied information systems, therefore every collection of personal information will have specific Operating Rules that follow a prescribed format and include rules on data retention.
9.17 Items within Records
Individual data items within records may be considered for deletion earlier than the above standards.
10. COMPLAINTS AND DISCIPLINE
10.1 Law and Enforcement.
There are a number of criminal offences created by the Data Protection Act 1998, but proceedings may only be instigated by the Information Commissioner, or by, or with the consent of the Crown Prosecution Service.
Police officers have a duty to act when offences come to their notice, and the following should apply.
10.2 Where officers, in the normal course of their duties, become aware that a person may have committed or be committing an offence under the Act, they should inform the Force Data Protection Officer.
The Force Data Protection Officer should make the Information Commissioner’s Office aware, allowing them to make appropriate enquiries.
Where the offences uncovered relate solely to Data Protection matters, the Information Commissioner’s Office will deal with the prosecution.
10.3 In the event of offences under the Act being discovered by officers in the course of their investigations into other matters (e.g. a fraud investigation) it is important that all evidence relating to data protection matters is secured and the Force Data Protection Officer will advise throughout this process.
It is the responsibility of the Force Data Protection Officer to subsequently liaise with the Commissioner on questions relating to the bringing of proceedings.
In such circumstances the Information Commissioner’s Office would assist in the preparation of the case file, with regard to any Data Protection offences, for the Crown Prosecution Service to pursue.
10.4 Where the circumstances of an offence committed under Section 55 of the Data Protection Act 1998 may also constitute an offence under the Official Secrets Act 1989, the Police will investigate the matter and submit a file to the Crown Prosecution Service.
10.5 If a complaint against a police officer by a member of the public is being investigated and there is evidence to suggest the officer may have committed an offence under the Data Protection Act 1998, details should be reported to the Crown Prosecution Service in accordance with the provisions of S.90(3) and (4) of the Police and Criminal Evidence Act 1984.
Following this the Police Complaints Authority (PCA) must be notified under existing arrangements (unless the complaint falls within the supervised category, in which case the PCA will already have been informed).
10.6 As a result of an internal misconduct enquiry (under the Police Conduct Regulations 1999) if evidence exists to suggest that an officer has committed an offence under the Act, details should be reported to the Crown Prosecution Service in accordance with present arrangements.
10.7 Complaint Investigation.
Section 42(1) of the Act states that a data subject (or any other person who believes himself to be directly affected by the processing of personal data) may request the Information Commissioner make an ‘assessment’ as to whether the data controller has complied with the provisions of the Act.
The Information Commissioner has published policies on the handling of requests for assessment.
In addressing complaints made against the Police or against a police officer, the following procedures will be followed;
10.8 Where a member of the public complains to the Police, or does so through any person other than the Information Commissioner, about the conduct of a police officer in relation to a Data Protection issue, the matter should be investigated in accordance with the Data Protection Act 1998. Any disciplinary matters will be dealt with ancillary to criminal matters.
10.9 Where a member of the public complains directly to the Information Commissioner about the Police in connection with Data Protection matters, the Information Commissioner will deal with the matter in accordance with her powers under the Act.
In such circumstances it is suggested that the complaint is not regarded as a ‘complaint against police’ as it will not have been submitted to a Chief Officer of Police and will be dealt with by the Information Commissioner in accordance with the requirements of the Data Protection Act 1998.
If the matter concerns the conduct of an individual Officer raising the possibility of a criminal offence, the Information Commissioner’s Office will contact the Officer designated to deal with ‘complaints and discipline’ matters. The Information Commissioner’s Office will notify the Force Data Protection Officer of the enquiry.
It is expected that the department responsible for dealing with the complaint will liaise fully with the Force Data Protection Officer throughout the enquiry.
10.10 Instances may arise where a complainant submits his/her complaint to both the Information Commissioner and the Police. In these circumstances it will be necessary, by the way the legislation is framed, for both agencies to take action. When this becomes apparent at the outset of enquiries, in order to obtain maximum benefit from these dual responsibilities, agreement will be reached between the police force concerned and the Information Commissioner as to the consultation and collaboration in carrying out enquiries.
Where the Information Commissioner’s Office make contact with the department responsible for handling complaint and misconduct matters within a force (through the Chief Officer) the Force Data Protection Officer should be notified. At this point it is expected that the Force Data Protection Officer will take over the liaison role between the two bodies to assist in the joint enquiry.
At the conclusion of a joint investigation it is recommended that the Information Commissioner be given a draft of the investigating officer’s report to the Crown Prosecution Service (CPS). The Information Commissioner’s comments thereon must either be taken into account in the investigating officer’s recommendation to the CPS, or appended to the report before submission to the CPS.
Where the Information Commissioner receives a complaint after the conclusion of an investigation then the investigating officer’s report, and supporting documentation, should be made available to the Information Commissioner.
It is recommended that papers be retained for six years in order to provide for such a circumstance.
10.11 In the case of internal enquiries by ‘Complaints and Discipline’ sections, where it is considered that offences under the Data Protection Act may be disclosed, Force Data Protection Officers must be consulted.
Additionally the Force Data Protection Officer must be notified of any suspensions from duty or dismissals, arising from such enquiries, in order to ensure that access to force and national information systems is revoked.
These arrangements should help to avoid confusion and prevent duplication of effort. The rationale is that if an individual wants his/her complaint dealt with by the Information Commissioner, it will be referred to her. If he/she wishes the complaint to be treated and dealt with as a complaint against the Police, it will be submitted to the Police.
Should it be necessary for the Information Commissioner to refer any matter to a Force, routine enquiries concerning compliance with the Data Protection Principles will be referred to the Force Data Protection Officer. Those giving rise to a suspected offence will be directed to the Deputy Chief Constable, or equivalent.
S.55(1) of the Data Protection Act 1998 creates a serious offence of unlawfully obtaining or disclosing personal data, without the consent of the ‘Data Controller’.
A criminal offence is committed if an individual knowingly or recklessly,
without the consent of the Chief Officer (Data Controller).
This does not apply where it can be shown that any of the provisions, outlined under S.55(2) shown below, are satisfied:
(i) necessary for the purpose of preventing or detecting crime, or
(ii) required or authorised by or under any enactment, by any rule of law, or by the order of a court.
In addition there are further offences committed through the selling of personal data. Specifically, when a person sells or offers to sell personal data where that data has been obtained in contravention of the above.
The penalties for these offences are;
(Principle 7) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
Having regard to the state of technical developments and the cost of implementing any measures, the measures must ensure a level of security appropriate to: -
Chief Officers (Data Controllers) must take reasonable steps to ensure the reliability of any of their employees who have access to the personal data.
Where processing is carried out by a Data Processor or on behalf of a Chief Officer, in order to comply with the seventh principle the Chief Officer must:
11.2 Why Information Security
The objective of information security is to manage the preservation of confidentiality, integrity and availability of information and other assets as part of the delivery of Policing.
Information is an asset which, like other important business assets, has a value to the Police. Information security must address the relevance, level and kind of threats to which data are exposed: identify the threats and vulnerabilities and then implement suitable countermeasures.
Information security addresses both technical and non-technical aspects.
11.3 Compliance with the Seventh Principle
Information security is achieved by implementing a suitable set of controls that include: policies, procedures, organisational structures, and training and software functions.
11.4 Community Security Policy (CSP)
Police Forces are required to comply with a standard for information security based on ISO 17799. The "Community Security Policy" sets out a broad statement which addresses the security requirements of the Association of Chief Police Officers of England, Wales & Northern Ireland (ACPO), the Association of Chief Police Officers in Scotland (ACPOS) and the Criminal Justice Community.
The CSP provides a baseline set of security requirements for safeguarding sensitive information, with which all persons, organisations and service providers within the Criminal Justice Community are required to comply.
Every UK Police Force has allocated responsibility for Information Security and for advising on the ISO 17799 standard and the Community Security Policy.
11.5 Confidentiality, Integrity, Availability
Specific security measures relating to all Police information systems will be developed and documented by Chief Officers.
As a minimum they will cover the following:
11.6 Security Statement
Any protocol or agreement covering the sharing of personal information between a Chief Officer and a partner organisation will include a statement regarding information security.
The standards defined for Police Forces in the ACPO Community Security Policy cannot be imposed on organisations that do not fall within this Policy’s remit, but organisations who process personal data must still comply with the seventh Principle of the Data Protection Act, 1998.
Therefore, partner organisations must have a level of security in place commensurate with the sensitivity and classification of information shared and the possible risks that could ensue from the sharing of the information.
The Security Policy of each of the signatories will be attached to any agreement involving the Police.
12. DEVELOPMENT OF INFORMATION SYSTEMS
Chief Officers will ensure that Data Protection and security implications are considered at an early stage of the development of an information system. They should be considered at the design stage of any computer system, CCTV system, audible recording system or relevant filing system.
Data Protection and security requirements should be considered at the same time as user requirements are being identified. This will avoid delays in implementing systems and ensure that the costs of such systems have been correctly identified.
At the design stage of information systems there are many opportunities to incorporate features to assist Data Protection compliance by ensuring there are features to:
Systems must include guidance to ensure that only relevant information is processed. Forms used for collecting information about the individual must be structured in such a way that when completed they will provide the right amount of information.
13. REVIEW OF THE CODE.
The ACPO Data Protection Portfolio Group will keep the Code of Practice under review, taking account of: -
A. Glossary of terms
Data: Information which is being processed.
Data Subject: An individual who is the subject of personal data.
Data Controller: A person (Chief Officer of Police) who determines the purposes for which personal data are processed.
Processing: Obtaining, recording or holding personal information; carrying out any operation on the information, including: -
Personal Data: Personal data containing a number or code used for identification purposes (e.g. PNC ID) must be processed in compliance with this Code of Practice.
Third Party: In relation to personal data; means any person other than: -