Freedom of information request reference no: 01.FOI.21.022431
I note you seek access to the following information:
Please can you provide me with:
1. Copies of any Data Protection agreement(s) that police constables or police staff (‘police employee’) sign or agree when they join the force, and before they handle (or have access to) the personal data of the public, personal data acquired while in their role as police employees (‘personal data’).
2. Any internal police guidance, procedures or policies for police employees that mishandle or allegedly mishandle personal data (‘data breach’) that was acquired while in the role of a police employee.
3. Please include for a data breach while on duty, off duty or after the cessation of employment, by any means.
4. Please indicate who is responsible for investigating and/or taking appropriate action against any police employee (ex-employee) for such mishandling of personal data? Please include the same for on-duty, off duty or after employment cases.
5. Who is responsible for a said data breach? Again, this is for police employees on-duty, off-duty and after employment.
6. Who is accountable for a said data breach? Again, this is for police employees on-duty, off-duty and after employment.
7. Who is responsible for holding the police employee to account under any of these circumstances?
I have today decided to disclose the located information to you in full.
Please find below information pursuant to your request above.
Q1 - Copies of any Data Protection agreement(s) that police constables or police staff (‘police employee’) sign or agree when they join the force, and before they handle (or have access to) the personal data of the public, personal data acquired while in their role as police employees (‘personal data’).
Information not held. There is no specific data protection form that we sign; the only document is the Official Secrets Act. However, individuals must undergo mandatory training on GDPR as part of their recruit training, as must all serving officers and staff. Individuals must comply with the force’s standards of professional behaviour and code of ethics, both of which cover the appropriate accessing and handling of police-held data.
Q2 - Any internal police guidance, procedures or policies for police employees that mishandle or allegedly mishandle personal data (‘data breach’) that was acquired while in the role of a police employee.
Q3 - Please include for a data breach while on duty, off duty or after the cessation of employment, by any means.
For Q2 and Q3 – Please see attached documents titled:
Breaches of the DPA
Information and You training slides
Information Code of Conduct v5 dated 17Jul2018_to_current_date (1)
Information, Technical and cyber breaches
Personal data security breaches
Security Incident Reporting Guidance v5 17Aug2021
Security reminder for managing conference calls
Caveat
The MPS confirms that the responses to Q4 – Q7 are general responses and each case is considered on its own merits.
Q4 - Please indicate who is responsible for investigating and/or taking appropriate action against any police employee (ex-employee) for such mishandling of personal data? Please include the same for on-duty, off duty or after employment cases.
Depending on the nature of the breach, this could be a criminal and/or misconduct investigation, usually conducted by the Directorate of Professional Standards. The ICO also has the ability (in specific circumstances) to investigate and prosecute individuals for offences under the DPA. As regards responsibility and accountability, which would be determined during assessment of the incident, other means such as malware or external factors (i.e. third parties) may be part of the reason, as in something that cannot be mitigated.
Q5 - Who is responsible for a said data breach? Again, this is for police employees on-duty, off-duty and after employment.
This is usually an individual or it can be a computer system failure.
Q6 - Who is accountable for a said data breach? Again, this is for police employees on-duty, off-duty and after employment.
The individual responsible for the breach is held accountable, and the Commissioner can also be held to account.
Q7 - Who is responsible for holding the police employee to account under any of these circumstances?
For criminal matters the DPP (Director of Public Prosecutions) will decide on how the case is progressed.
For misconduct matters it is usually the Directorate of Professional Standards.
As with Q4, the ICO also has the ability (in specific circumstances) to investigate and prosecute individuals for offences under the DPA.