Transcript - WhatDoTheyKnow

Data Protection
Information Management / Jody McKenzie
Structure of Input
• Background to the Data Protection Act
• How the Act works
• What the Force does to comply with the Act
• What you should do to comply with the Act
• Other legislation you may encounter
• Scenarios
Data Protection - background
• Data Protection Act 1984 based on European directive
• Sought to ensure that information on people held in computer
databases was collected with their consent, held only for
specific purposes and not used to their detriment
• Assumption that information belongs to individual
• Focus on fairness to individual
• Superseded by Data Protection Act 1998
Data Protection Act 1998 – definitions (1)
• Data = information (manual or electronic)
• Personal data = information about a living identifiable individual
• Includes expression of opinion or intentions towards that
individual
• Sensitive personal data, eg commission of an offence, criminal
proceedings, physical health, sexual life
• Data subject = identifiable individual
Data Protection Act 1998 – definitions (2)
• Processing = anything done with the data, without limit
• Data controller = determines what data is collected and how it is
processed
• Protection = data controller must act to protect data from unfair
use
Data Protection Act 1998 – how it works (1)
• Way in which personal data should be protected set out in eight
principles:
• Processing must be fair (to data subject) and lawful
• Processing only for specified purposes – policing purposes and
staff administration
• Data must be accurate, relevant, not excessive, up-to-date, held
securely
• Data subjects have rights of access, of erasure of incorrect
information, and of compensation, and to know how their data is
being processed
Data Protection Act 1998 – how it works (2)
• Exemptions exist from provisions of Act, eg national security,
prevention and detection of crime, regulatory activity
• Each exemption relates to different sections of the Act
• If processing may breach principles, but you think an exemption
may apply, seek advice before taking further action
Data Protection – Force compliance
• Register with Information Commissioner – specifying purposes
and recipients
• Produce policies and procedures – specifying how information is
processed
• Agree information sharing protocols with partners
• Train staff in use / misuse of systems
• Audit use of systems and data quality
• Provide data subjects with access to their data
• Civil monetary penalties of up to £500,000
Data Protection – your responsibilities
• Comply with standard operating procedures and information
sharing protocols
• Record information accurately
• Use information only for policing or staff purposes
• Browsing is not permitted
• Take all precautions to keep information secure
• Verify identity of recipient to ensure they are entitled to receive
data
• Respond promptly to audit requests
Data Protection – offences
• Selling, or offering for sale, data improperly obtained
• Obtaining or disclosing data without the Chief Constable’s
consent
• Procuring the disclosure to another person without the Chief
Constable’s consent
• Criminal offences, unlimited fine in High Court
• Third most common complaint to Professional Standards
Other relevant legislation
• Rights to privacy: Human Rights Act 1998, common law of
confidentiality
• Rights to receive information: Freedom of Information (Scotland)
Act 2002, Environmental Information (Scotland) Regulations
2004
• Powers to disclose information: Police Act 1997, Protection of
Vulnerable Groups (Scotland) Act 2007, Antisocial Behaviour
(Scotland) Act 2004
• Other information management offences: Computer Misuse Act
1990
• Guidance for Police: Management of Police Information (MOPI),
Police circular 4/07
Data Protection Act 1998
Questions?
Summary
• Record information accurately on Police systems
• Only use information in connection with your employment
• Keep information secure, and dispose of it appropriately
• Do not disclose information unless confident it is in order to do
so
Contacts
Information Management Unit, Woodhill House
Iain Gray, Interim Head of Information Management
Jody McKenzie, Compliance Manager