ICO

The ICO Audits Staffordshire Police

The ICO Audits Staffordshire Police

We are drowning in information and starved for knowledge.

― Author Unknown

 

One of the many advantages of being a member of IODPA is the availability of expert knowledge on a variety of topics, all relevant to police injury pensions.

One way we assist our members is by informing them of their rights as ‘data subjects.’

The term ‘data subject’ refers to any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity. In other words, a data subject is an individual whose personal data can be collected.

In the course of an officer’s career, their force accumulates considerable quantities of information about the individual. In the case of injury-on-duty pensioners that accumulation of data does not stop on their retirement – their force keeps on gathering it.

Trouble is, some forces don’t look after the personal information they acquire.

It is fair to say that data protection law rarely springs to the forefront of injury-on-duty pensioners minds. That is understandable, but when we see that a large and professional organisation, seems to have little knowledge of how the law requires them to manage the huge quantities of data they acquire and store, then we begin to worry.

One such deficient organisation is Staffordshire Police, which has just been shockingly revealed to be in dire need of improving its data handling processes and procedures.

The Information Commissioner’s Office has recently published its Executive Summary of a Data Protection Audit which it conducted of Staffordshire Police. You can read it here.

staffordshire-police-audit-052018

 

The report concludes Staffordshire Police could provide only limited assurance that,

processes and procedures are in place and delivering data protection compliance.

Moreover, the audit identified,

considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA.

The ICO report is also critical of Staffordshire Police’s lack of a data protection policies, a lack of awareness of arrangements for sharing information, out of date information about data protection on its web site, failing to advise people about fair processing of personal information, an inability to show that information held was accurate and up to date, no publication scheme covering freedom of information requests and responses, and a low training rate of employees on data protection.

That covers pretty much all of the areas of data protection law, and shows that Staffordshire is failing in all of them.

What this means for injury-on-duty pensioners can be best illustrated by recounting some of the experiences of our members.

We are told of swathes of personal information being lost or destroyed, including important records confirming entitlement to an injury pension.

We are informed of the opposite – of Staffordshire unnecessarily retaining huge quantities of sensitive personal financial and medical information relating to former officers, and in some cases, relating to third parties such as family members.

We hear of long delays in responding to Freedom Of Information Act requests.

We are notified of inaccurate information being held, and of very sensitive personal information being accessed by employees without the permission of the data subject.

 

The situation is so bleak within Staffordshire Police that some of our members have been compelled to make formal complaints to the Information Commissioner’s Office. It is our understanding that these complaints will reveal even more deficiencies in Staffordshire’s handling of personal information.

The ICO report advises, ‘The matters arising in this report are only those that came to our attention
during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement.’

IODPA believes that Staffordshire is only one of many forces who are failing in respect of data protection.

The Information Commissioner’s Office provides a valuable and important safeguard of injury-on-duty pensioners’ data rights and we applaud the ICO for its work and for bringing the deficiencies of Staffordshire Police into the light of public knowledge. The findings of the ICO’s initial audit are, we hope, a salutary wake-up call to Staffordshire and to all other forces who casually process so much personal information whilst starved of knowledge of data protection law.

More ICO advice for Northumbria Police

More ICO advice for Northumbria Police

Another interesting development regarding the use of injured pensioners data by Northumbria Police and complaints that have been made to the Information Commissioners Office (‘ICO’).

IODPA believe that a number of police pensioners have made similar complaints regarding their former force attempting to coerce them to hand over their private and sensitive data (medical notes).

Many of them have taken the step to complain to the ICO, who have now issued advice to them.

The complaints have been centred around consent being freely given when considering releasing medical notes, the retention of medical notes and Subject Access Requests. The upshot is, that it is “unlikely that NP are complying with the first principal of the Data Protection Act”, which states that personal data should be processed fairly and lawfully.

Please note, this is advice from the ICO as opposed to a formal decision notice and it is for individuals. We would imagine that the ICO would come to the same conclusion for any pensioner with a similar complaint, regardless of force.

Of course this is not the first time that the ICO have provide advice in relation to Northumbria Police – https://iodpa.org/2017/11/24/northumbria-police-federation-wins-ico-advice-notice/

If you believe your data is being processed unfairly, please get in touch with the ICO – https://ico.org.uk/

 

Nothumbria - ICO advice