Holding and sharing personal information under the terms of the Data Protection Act, 1998

Report: 10a
Date: 29 April 2004
By: Commissioner

Summary

This report explains the impact of the Data Protection Act, 1998 (DPA) on holding personal information, and sharing this data with other organisations, particularly in the context of character enquiries on individuals who work with children and vulnerable adults. It also highlights the work of the new Information Sharing Project and the on-going MPS Inspectorate’s Thematic Inspection of the retention and disclosure of criminal intelligence.

A. Recommendation

That

1. the obligations of the DPA on holding and sharing personal data be noted, in conjunction with the requirements of the Crime and Disorder Act, 1998; and
2. the MPS report back to the MPA in the second half of 2004 about the likely impact of the Bichard Inquiry.

B. Supporting information

1. The Data Protection Act applies to all organisations, public, private, charitable, and political, that collect, store, and use personal information. The Act provides guidelines for handling, destroying, holding and sharing this information. Whilst the DPA itself is very complex, the eight principles on which it is based are simple and sensible stipulations.

The eight principles

2. Personal data must be:

1. processed fairly & lawfully;
2. obtained only for one or more specified & lawful purposes, and only be used for those purposes;
3. adequate, relevant, and not excessive;
4. accurate & up to date;
5. deleted when unnecessary;
6. processed according to the rights of the individual concerned;
7. protected against unauthorised access, destruction, damage and disclosure;
8. kept within the European Economic Area, unless the country or organisation concerned ensures a comparable level of protection for the information.

Holding personal information

3. The principles of the DPA mean that there are several stages in the process of ‘holding’ personal data:

Notification

4. Any organisation that processes personal information must register with the Information Commissioner, who regulates the DPA and Freedom of Information Act. This notification is publicly accessible via the Public Register of Data Controllers, and, as required by principle two, lists the purposes for which personal information is processed. Personal data can only be collected for the notified purposes, and, according to principle three, must be relevant only to these purposes. Police forces in the UK have agreed a common notification. The MPS, and all other UK forces, state that personal data is collected and held for the purposes of:

• Staff administration;
• Policing;
• Administrative & ancillary support for policing purpose.

5. The MPS can only collect, hold and use personal information for the above purposes. Intelligence about sex offenders is covered by the policing purpose.

Fair processing/collection

6. The first principle of the DPA stipulates that information must be processed fairly and lawfully. This relates to how the information is collected. Usually this means that the individual concerned is told why the data is being collected, how it will be used, and with whom it may be shared, and their consent to this process is sought. In special cases the need for consent is waived, and data can be collected, held and used without the knowledge or acquiescence of the individual. Two such special cases are:

• the necessity of complying with a separate legal obligation;
• the administration of justice.

7. MPS information collected without consent invariably falls within one of these special purposes. It is clearly inappropriate to try to collect criminal intelligence only with the consent of the subject; this information is collected lawfully because the processing is necessary for the administration of justice.

Information quality & retention

8. Principles 3, 4 & 5 require the MPS to keep accurate, relevant and timely records. Once personal information is no longer needed for the purposes registered with the Information Commissioner, or is seen to be inaccurate, or irrelevant, it should be deleted. Boroughs and Operational Units have the responsibility for making this decision about their own information based on their operational policing needs.

9. ACPO have produced guidelines that make recommendations about the length of time categories of records should be kept. These guidelines are likely to be revised in the next year. They are currently the subject of PITO project, and may well be mentioned in Sir Michael Bichard’s report. Retention and Disposal Schedules, designed to set standard periods for the active life of a record, prior to evaluation and possible deletion, are currently being prepared by Records Management Branch. Version 1 of this Schedule was published on the Records Management intranet site in March 2003. The full version is due to published in June 2004 and will cover all categories of MPS records. MPS records fall into two broad types: those where review and deletion can be proscribed with a high degree of certainty (finance and custody records, for example) and those where management judgement will always be required (like intelligence). The judgement relies on specialist knowledge of operational needs and the content of individual records. In these cases retention and deletion may be guided by schedules, but must be decided on a case-by-case basis.

10. Decisions about what information to hold, collect and delete is always made by the operational owners and users of the information, not the Data Protection Officer. The current position is that criminal intelligence held electronically, including information about sexual offences, is not routinely deleted. Registered manual files containing intelligence data are systematically reviewed. The Bichard Inquiry may recommend that the MPS take a different approach to the management of intelligence data, but it is impossible to anticipate Sir Michael’s report.

Sharing personal information

11. The DPA does not forbid the sharing of personal information, but it does impose a set of rules about how to accomplish this. As with the collection of data, sharing can usually be accomplished if the subject gives their consent, or if an exemption to the need to seek consent applies. Exemptions from the need to seek consent include: sharing for the purposes of the prevention and detection of crime, and sharing information to protect the life of the subject.

12. The DPA also rules on sharing information with organisations that are not within the European Economic Area (EEA). When information is to be taken outside the EEA, contracts must be signed stipulating an equivalent level of data protection. Without this standard of data security and confidentiality the information cannot be exchanged.

13. The MPS also has certain legal obligations to share data, without reference to the Data Protection Act. The Crime & Disorder Act, 1998 and the Police Act, 1997 are both good examples of our mandatory obligations to disclose information. Section 115 of the Crime & Disorder Act allows the disclosure of relevant information, including personal information, between agencies in order to achieve the purposes of the Act (to reduce crime and disorder in society). Part V of the Police Act 1997 obliges Police forces to disclose information about applicants for jobs working with children or vulnerable adults to their potential employers.

14. The complex interaction of the various legal regimes that apply to information sharing is not widely understood within the MPS. This lack of legal clarity is one of the issues currently being addressed by the Information Sharing Project, headed by Commander James Smith.

Information sharing project

15. Information sharing in the MPS at present is governed by a variety of different procedures. These have typically been developed an ad hoc basis for specific sharing agreements, systems or the requirements of particular operational units. This approach served well enough for the MPS while requests for information sharing were relatively few. However, requests for MPS information have increased substantially in recent years, chiefly due to the Crime and Disorder Act, and the rate of increase continues to rise as the MPS and its partners become ever more imaginative in their approaches to partnership policing.

16. The purpose of the Information Sharing project is to tackle the issue of information sharing on a corporate basis and provide a coherent policy and process for setting up information sharing agreements. It will also be seeking to clarify the legal position with regard to the sharing of personal data and establish clear ground rules for when this is and is not appropriate. Its deliverables will include a toolkit for practitioners and a paper recommending any organisational changes necessary to make the new arrangements work quickly and efficiently.

17. The project will run on a timescale that will allow extensive consultation with both practitioners and policy makers within the MPS and with partners and stakeholders outside. It is anticipated that its products will be published towards the end of this year.

Character enquiries

18. Members of the public who work with, or have access to, children and vulnerable adults require Enhanced Police checks. The checks are disclosed to the potential employers and the subject of the information. The Character Enquiries Centre (CEC) located within SO4 undertakes Enhanced Disclosure checks on behalf of the Metropolitan Police Service at the request of the Criminal Records Bureau. The Police Services of England and Wales are required to provide this information under Part V of the Police Act, 1997.

19. Enhanced Disclosures provide details of the individual’s criminal record held on the Police National Computer (PNC), and can also include non-conviction data if it is deemed relevant by the Chief Officer. In determining the relevance of non-conviction information various points must be considered, including the nature of the post applied for; the extent of potential access to the child or vulnerable adult; and the age and reliability of the information being considered. The Chief Officer must also consider the rights of the individual when deciding upon relevance, and so the principles of the Data Protection and Human Rights Acts are also important.

20. The CEC currently receives approximately 10,000 enquiries per week and is required to return 90% of the checks within 10 working days.

Current activities and dependencies

MPS Inspectorate Thematic Inspection

21. Assistant Commissioner David Veness has initiated a Thematic Inspection to look into the retention and disclosure of intelligence in Enhanced Disclosures. This work is on-going, and the Inspectorate’s report could recommend changes to the procedures by which the MPS records and discloses intelligence information.

Bichard Inquiry report

22. Any internal policy changes in the area of data retention and sharing are awaiting the recommendations of Sir Michael Bichard’s report, due in May 2004. The Bichard Inquiry was asked to investigate child protection procedures in Humberside and Cambridgeshire Constabularies in light of the conviction of Ian Huntley. The Inquiry was particularly directed to look at the effectiveness of intelligence based record keeping, vetting practices, and information sharing with other agencies. Sir Michael is likely to make cross-force recommendations on all of these topics. In light of this, we have recommended that the MPS report to the MPA in the second half of 2004 on the likely impact of the Bichard Report on the Service.

C. Race and equality impact

1. The rights and safeguards of the Data Protection Act apply to any person of any nationality.

2. The MPS shares information with a variety of agencies for a variety of reasons. We understand that information about some demographic groups could be shared with a disproportionate number of organisations. This exchange of information is always undertaken on a firm legal basis, but we would like to publicise this facet of police work. We are therefore currently reviewing the information the MPS provides to the public about DPA, in particular the information we give about the organisations with which we share information, and the uses to which it is put. The material already provided is only available in English. The review will also consider the demand for information in other languages.

3 When processing Subject Access Requests, the means by which individuals can see the information the MPS holds about them, the MPS requires proof of identity and address. This has implications for those with no fixed abode. The Public Access Office, the team processing these requests, are always willing to consider alternative arrangements on a case by case basis.

D. Financial implications

There are no additional financial implications at the moment. Implementing the recommendations from the Bichard Inquiry may have a cost. The on-going Information Sharing Project and Thematic Inspection could also suggest changes that require financial input.

E. Background papers

None

F. Contact details

Report author: Helen Child, Data Protection Officer and Nick Crouch, Senior Strategist, Information Governance, MPS.

For more information contact:

MPA general: 020 7202 0202
Media enquiries: 020 7202 0217/18

Send an e-mail linking to this page

Feedback