Information Commissioner Elizabeth Denham looks at the issues around the disclosure and transfer of people's personal data and explains why protecting personal information is a job for everyone.
Forces require the trust and faith of the societies they police, and public trust in policing requires respect in how you handle personal data. That means how you look after the information provided by witnesses and victims, the volume of information you are recording and the length of time you are keeping that information. Police forces deal with such sensitive information that when things go wrong, it is likely to be serious.
The Information Commissioner's Office (ICO) received more than 18,000 data protection complaints from members of the public last year. One in 20 concerned policing and criminal records. A similar proportion of our self-reported data breaches concern the police sector. Breaches are sometimes related to the personal details of witnesses or victims going missing. But we also see incidents relating to police staff information; HR data needs care too. Often these errors are entirely avoidable, especially if staff are trained and understand what data protection law requires of them. Here are our top tips.
Transferring personal data
One of the areas where we at the ICO see problems with information not being handled properly is when it comes to police staff transferring people's details. Whether it is the names of witnesses being transferred within a force to another police station, or externally to a defence solicitor, it is vital that information is looked after. Whatever your role in the police, when it comes to sending personal information, whoever it is to and whatever form it takes, it is crucial you think carefully about whether or not you are using the most appropriate method.
In the past, cases involved the physical loss of data, like the officer who put paperwork about a missing person case in his protective wear, only to lose it when it fell out. We still have reports like this; taking paper out of a police station or office is sometimes inevitable and that presents a specific risk that needs to be considered.
However, the world has moved on and we now also see difficulties around the protection of personal information in electronic format. Even where forces have formal procedures in place to cover such processing, it is important that these are regularly reviewed and updated as necessary to reflect new technological developments and technical security measures available.
Encryption
A lack of encryption is a key issue. Encryption is a mathematical function using a secret value (the key) which encodes data so that only users with access to that key can read the information. In many cases, encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of personal data, especially in cases where it is not possible to implement alternative measures.
We have heard of instances in the past when those working in the police think they cannot use encryption because it could be akin to altering original evidence. The appropriateness of applying encryption will depend on the circumstances, but where it is not possible, there should be a clear and justifiable reason for this and an alternative method of securing the data should be sought. There are several different encryption options available and staff should consider encryption alongside other technical and organisational measures, taking into account the benefits and risks that it can offer.
We know that the police and justice sector has long-term plans to improve the digital capacities of investigation and prosecution processes. However, in the meantime, it is important that police forces open discussions with the partner agencies to which they regularly send sensitive information about whether encryption of data is a feasible option. It is worth bearing in mind that there can be times when encryption is not an option, for example, if those organisations you are sending the information to do not have the means to deal with encrypted data.
If this is the case, that encryption is not a viable option at this time, then it is even more important to identify t