Skip to content Quick exit
REPORT CRIME ONLINEEMERGENCY CALL 999
REPORT CRIME ONLINEEMERGENCY CALL 999

Appropriate Policy Document

This document sets out principles to help guide decision-making and, in some parts, may be quite prescriptive. However, it is vital that officers and staff have the freedom to innovate, exercise discretion and take risk-based decisions centred on the needs of the victim and the merits of each case.

There may be occasions when an employee is considered to have acted outside of the content of this document but if they have done so with honesty, integrity and professionalism, to make the best decision for the community we serve, they will be trusted and supported. On the occasions when this is the case, the rationale for it must be properly recorded.

This document should be read in conjunction with the Bedfordshire Police, Cambridgeshire Constabulary and Hertfordshire Constabulary (BCH) Information Management Policy and Data Protection Procedure.

Policy author: BCH Data Protection Officer / Director of Information

Policy owner: BCH Head of Information Rights and Assurance

Publication date: September 2020

Review date: September 2022

 

1. Aim and Introduction

1.1. This document is the ‘Appropriate Policy Document’ which sets out how Bedfordshire Police, Cambridgeshire Constabulary and Hertfordshire Constabulary (BCH) will protect special category personal data and personal data relating to criminal convictions and offences, in compliance with Schedule 1 Part 4 and Section 42 of the Data Protection Act 2018 (DPA 2018).

1.2. Section 10 of the DPA 2018 requires that where the processing of special category personal data is reliant on one of the following lawful bases as described in Article 9 of the General Data Protection Regulation 2016/679 (GDPR) the processing must also satisfy a condition in Schedule 1 of the DPA 2018. • Article 9 (b) Employment, social security and social protection. • Article 9 (g) Substantial public interest. • Article 9 (h) Health and social care. • Article 9 (i) Public health. • Article 9 (j) Archiving, research and statistics.

1.3. Certain conditions within Schedule 1 DPA 2018 require that the Controller has an Appropriate Policy Document in place at the time the personal data is processed.

1.4. Section 35 (4) and (5) of the DPA 2018 require that where the processing of personal data for any of the law enforcement purposes is sensitive processing, based either on the consent of the individual or condition within Schedule 8, the Controller shall have an Appropriate Policy Document in place.

1.5. The procedure provides ‘high-level’ direction and guidance to ensure compliance with the legal requirements of the Data Protection Act 2018 and General Data Protection Regulation (GDPR ) (opens in new window). Further detail is available within the College of Policing’s Authorised Professional Practice (APP) (opens in new window) for Data Protection (opens in new window) and the Manual of Guidance for Data Protection professionals.

2. Applicability

2.1. Inclusions

2.1.1. This policy applies to (whether full-time or part-time), fixed term and permanent staff, seconded staff, temporary and agency staff, contractors, self-employed consultants and associates etc.

2.2. Exclusions

2.2.1. No known exclusions.

3. Associated Documentation

  • Legislation/National Guidance
  • Authorised Professional Practice (APP)
  • BCH14_001 Information Management Policy
  • BCH Information Management Strategy (IMS)
  • Information Management Department (IMD) Delivery Plan
  • BCH14_009 Data Protection Procedure

4. Statement of Policy (Purpose)

4.1. Where BCH are carrying out the processing of special category and criminal offence data in its capacity as a Competent Authority and Controller, this document will explain:

    • the Force’s procedures which are in place to secure compliance with the data protection principles set out in Article 5 of the GDPR and Section 35-40 of the DPA 2018
    • when the processing is carried out by the Force in reliance on one of the conditions set out in Schedule 1, Parts 1-3; and
    • the Force’s policies about the retention and erasure of such personal data processed in reliance on a condition specified in Schedule 1 of the DPA 2018.

Compliance with data protection principles

a) ‘Lawfulness, fairness and transparency’

4.2. Law Enforcement Processing

4.2.1. The lawfulness of sensitive processing carried out by the Force is derived from its official functions as a public body and obligations or rights imposed or conferred by law as an employer.

4.2.2. The processing will be based either on the consent of the individual or where the processing is strictly necessary for the law enforcement purpose and meets at least one of the following conditions in Schedule 8 of the DPA 2018: -

  • Statutory Purposes • Administration of Justice
  • Protecting individual’s vital interests
  • Safeguarding of children and of individuals at risk
  • Personal data already in the public domain
  • Legal Claims • Judicial Acts
  • Preventing Fraud

4.3. General Processing

4.3.1. Where sensitive processing is carried out by the Force for operational policing purposes that are NOT prescribed for under Part 3 of the DPA 18 (section 31: Law Enforcement Purpose) the processing will rely on one of the following lawful bases from Article 9 of the GDPR and will meet a relevant condition from Schedule 1 of the DPA 2018: -

  • Article 9 (a) Consent;
  • Article 9 (c) Protecting vital interests;
  • Article 9 (e) Manifestly made public by the data subject;
  • Article 9 (f) Establishment, exercise or defence of legal claims;
  • Article 9 (g) Substantial public interest.
    • Schedule 1, Part 2 (6): Statutory and government purposes;
    • Schedule 1, Part 2 (7): Administration of justice and parliamentary purposes;
    • Schedule 1, Part 2 (8): Equality of Opportunity or treatment
    • Schedule 1, Part 2 (9): Racial and Ethnic diversity at senior levels of organisation
    • Schedule 1, Part 2 (10): Preventing or detecting unlawful acts;
    • Schedule 1, Part 2 (11): Protecting the public against dishonesty;
    • Schedule 1, Part 2 (12): Regulatory requirements relating to unlawful acts and dishonesty;
    • Schedule 1, Part 2 (14): Preventing fraud;
    • Schedule 1, Part 2 (18): Safeguarding of children and of individuals at risk
    • Schedule 1, Part 2 (19): Safeguarding of economic well-being of certain individuals; • Article 9 (j) Archiving, research and statistics.
    • Schedule 1, Part 1 (4): Research.

4.3.2. Where the processing of special category and criminal offence data is carried out by the Force for non-operational policing purposes but predominantly as an employer, they will rely upon the following lawful bases from Article 9 of the GDPR and from Schedule 1 of the DPA 2018: -

  • Article 9 (a) Consent;
  • Article 9 (b) Employment, social security and social protection. Schedule 1, Part 1 (1): employment, social security and social protection;
  • Article 9 (h) Health and social care: Schedule 1, Part 1 (2): Health or social care purposes;
  • Article 9 (f) Establishment, exercise or defence of legal claims;
  • Article 9 (j) Archiving, research and statistics. Schedule 1, Part 1 (4): Research.

4.3.3. Further information is available to the public by accessing the Force’s high level Privacy Notice available on the website:

b) ‘Purpose limitation’

4.4. Law Enforcement Processing

4.4.1. The Force are authorised by law to process personal, special category and criminal offence data for any of the ‘law enforcement’ purposes. However, any further use of that data for a non ‘law enforcement’ purpose, under the GDPR, will only take place where it is authorised by law.

4.4.2. The Force’s purpose for law enforcement processing are specified, explicit and legitimate as well as necessary and proportionate. Where the Force plans to use sensitive data for a new purpose other than that of law enforcement, the processing will comply with the requirements of DPA 2018 and GDPR.

4.5. General Processing

4.5.1. The Force will only reuse personal, special category and criminal offence data collected under GDPR where that further use is compatible with the original purpose it was collected for.

c) ‘Data minimisation’

4.6. BCH only collects data that is necessary and proportionate to carry out its specified purpose. It is processed in the context of carrying out processes which enable the Force to meet its stated policing or employment purposes for processing.

4.6.1. Additionally, the Force's internal guidance, training and policies require staff to use only the minimum data required to achieve the specified purpose.

4.6.2. The Force periodically reviews special category personal data and deletes data which is no longer required.

d) ‘Accuracy’

4.7. It is the responsibility of the person who receives the original information to ensure, as far as it is possible, that it is accurate, valid and up to date.

4.7.1. Where processing personal data for law enforcement purposes a clear distinction must, where relevant and as far as possible be made between personal data relating to different categories of data subject such as suspects, convicted offenders, victims and witnesses or other persons with information about offences.

4.7.2. The development and procurement of Information Management systems in the Force will require that Privacy by “Design and Default” is embedded in such processes.

4.7.3. The Force takes reasonable steps to ensure that personal, special category and criminal offence data which is inaccurate, incomplete or out of date is not disclosed. If it is discovered, after disclosure, that the data was inaccurate, then the Force will inform the recipient as soon as possible.

4.7.4. If an individual contacts the Force to question the accuracy of their data it will respond to such requests in accordance with Article 16 of the GDPR/Section 46 DPA 2018. Where the Force decides not to erase or rectify the data it will document this decision.

4.7.5. Requests for the disclosure of any personal information will only be considered once the Force is fully satisfied that the enquirer or recipient is identified and authorised to receive the information.

e) ‘Storage limitation’

4.7.6. BCH are committed to improving records management to ensure that information is managed throughout its life cycle in a systematic, cost-effective and efficient manner. In particular, it provides a means of applying controls to information to maintain its evidential weight and ensure its authenticity, availability and integrity. Only retaining personal, special category and criminal offence data processed for a general purpose and law enforcement purpose.

4.7.7. BCH Police Officers and staff to effectively and efficiently direct the managing, creating, retaining and disposing of all types of records and, is aligned with the NPCC National Guidance on the Minimum Standards for the Retention and Disposal of Police Records and the Public Records Act.

4.7.8. The Force will carefully consider the retention periods for sensitive data and the purpose for which it is processed. A periodic review of retention periods will be undertaken by the Force to justify the need for retention of such data.

f) ‘Integrity and confidentiality’

4.8. Section 2 of the GDPR and Sections 66-68 of the DPA 2018 contain the requirements for the security of personal data to include the implementation of appropriate technical and organisational measures to include a level of security appropriate to the risks arising from the processing of personal data.

4.8.1. Appropriate technical and organisational security measures will include:

  • Using and developing technological solutions to ensure compliance with the data protection legislation.
  • Using and developing physical measures to protect force assets.
  • Ensuring the reliability of any persons who have access to police information.
  • Reporting and investigating security breaches.

4.8.2. These obligations include the need to consider the nature of the data to be protected and the harm that might arise from such unauthorised or unlawful processing, accidental loss, destruction or damage. The Government Security Classifications provide for such considerations and is adopted by the Force as part of its compliance with the NPCC Community Security Policy.

Requirement to keep records of processing activity

4.9. Law Enforcement Processing

4.9.1. Where the processing is sensitive processing the following information is recorded in our Record of Processing Activity:

  • whether the sensitive processing is carried out in reliance on the consent of the data subject, or if not, which condition from the DPA 2018 Schedule 8 is relied on;
  • how the processing satisfies Section 35 (lawfulness of processing); and
  • whether the personal data is retained and erased in accordance with the policies described previously in this document, and, if it is not, the reasons for not following those policies.

4.10. General Processing

4.10.1. Where the processing of personal, special category and criminal offence data is carried out by BCH (as Controller(s)) the following information is recorded in our Record of Processing Activity: -

  • whether the processing of personal, special category and criminal offence data is carried out in reliance on the consent of the data subject, or if not, which condition from the DPA 2018, Schedule 1 (Parts 1 & 2) is relied on;
  • how the processing satisfies Article 6 and Article 9 of the GDPR (lawfulness of processing); and
  • whether the personal, special category and criminal offence data is retained and erased in accordance with the policies described above in Section 3 of this document, and, if it is not, the reasons for not following those policies.

5. Implications of the policy

5.1. Equality Impact Assessment

5.1.1. This policy has no potential or actual differential impact on grounds of age, sex, disability, race, religion or belief, marriage and civil partnership, sexual orientation, gender reassignment and pregnancy and maternity – therefore an Equality Impact Assessment has not been completed (as no risk identified).

6. Monitoring and Review

6.1. The policy owner remains responsible for the monitoring of this policy throughout its lifespan, and is responsible for making any necessary amendments required due to changes in data protection legislation.

6.2. This policy will be reviewed annually by the policy owner.

7. Summary of Major Changes

(If applicable)

8. Policy Authorisation

8.1. Local senior authorisation

Auhtorisation
NameForceDateSignature

Andy Gilks

Bedfordshire

08 Sep 20

Andy Gilks – SIRO

Andy Gilks

Cambridgeshire

08 Sep 20

Andy Gilks – SIRO

Andy Gilks

Hertfordshire

08 Sep 20

Andy Gilks – SIRO

 

Essex

 

 

 

Kent

 

 

 

Norfolk

 

 

 

Suffolk

 

 

8.2. 7F DCC authorisation

DCC authorisation
Date of 7F DCC Meeting7F DCC Comments

 

Pending for 7F

 

9. Glossary/Definitions 

Glossary
Abbreviation/WordExplanation
None None

Our website uses cookies to improve your experience.

OK