Summary
This Policy & Procedure (P & P) provides instruction to all personnel handling personal data. It should be read in conjunction with the Authorised Professional Practice (APP) section entitled Information Management.
Aims
The aim of this P & P is to ensure that all personal data is processed and handled in accordance with the UK General Data Protection Regulations and the Data Protection Act 2018.
The Code of Ethics published in 2014 and revised in 2024 by the College of Policing requires us all to ‘exercise discretion and apply professional judgement, ensuring that actions and decisions are in the public interest and proportionate, lawful and necessary’ and that in doing so we should ‘abide by all instructions, policies and procedures set by the police service’.
The 2024 Code of Ethics is not a statutory Code of Practice; it has the same status as other guidance produced by the College. The Code of Ethics is supported by the Code of Practice for Ethical Policing. This is a statutory Code of Practice which provides chief officers with direction on promoting and supporting ethical and professional behaviour within their forces.
Scope
This P & P applies to any person who has access to Humberside Police personal data including Police Officers, police staff, Special Constables, and volunteers. It also applies to third party suppliers and delivery partners if, by virtue of their role, they are required to access personal data held by the force.
Chapter 1 – Responsibilities
1. Chief Officer
- The Chief Constable is the nominated Data Controller for Humberside Police. The Data Controller is a person who either alone or jointly determines the purposes for which, and the way, personal data is processed.
2. Designated Chief Officer
- The Deputy Chief Constable (DCC) will be responsible for overseeing the management of Data Protection matters within the force. The DCC will also undertake the role of Senior Information Risk Owner (SIRO).
3. The Force Data Protection Officer (DPO)
- The DPO is responsible for all Data Protection matters pertaining to Humberside Police and manages the Chief Constable’s statutory obligations under the Act including notification of processing to the Information Commissioner, compliance with the principles and securing individuals’ rights.
4. All Police Officers, police staff, Special Constables and other authorised users
- Every Police Officer, police staff member, Special Constable and other authorised user of force information assets has a duty to ensure compliance with the principles of the Data Protection Act 2018 and will undertake to follow this force P & P.
- Humberside Police will take criminal and/or disciplinary action against any category of person mentioned who wilfully accesses and/or misuses personal information. Accessing information without a clear policing or other statutory business purpose is likely to constitute misuse.
- Section 170 of the Act identifies the following criminal offences for the unlawful obtaining etc of personal data:
It is an offence for a person knowingly or recklessly—
- to obtain or disclose personal data without the consent of the controller,
- to procure the disclosure of personal data to another person without the consent of the controller, or
- after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
- Section 171 of the Act for re-identification of de-identified personal data states it is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the Controller in relation to the personal data when it was obtained.
- Section 173 (Alteration etc of personal data to prevent disclosure to data subject) states it is an offence for a person to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.
Chapter 2 – Definitions & Related Guidance
5. Definitions
Personal Data – relates to a living individual who can be directly or indirectly identified by that data e.g. name, date of birth, description, photographic image.
- It also extends to any expression or opinion about an individual and any intention of the Data Controller towards the individual.
Processing – collecting, storing, sharing, destroying: anything that we do with personal data is processing from the point of collection to destruction.
Special Category Data – relates to an individual’s health, sexual life or orientation, racial or ethnic origin, religious beliefs, political opinion, Trade Union membership, genetic data and biometric data used for identification purposes.
Criminal Offence Data – means personal data relating to criminal convictions and offences or related security measures. This covers a wide range of information about offenders or suspected offenders in the context of criminal activity, allegations, investigations, and proceedings.
6. Related Guidance
- Humberside Police Privacy Notice
- Breach reporting guidance
- DPIA Policy and Template
- Subject Access Policy and Procedure
- Data Processing Contract Guidance
- Information Security P & P
- Records Management Policy
- Information Security Policy
Chapter 3 – Policy Guidance
7. Policy
- The UK GDPR applies the EU’s GDPR standards for the processing of data considered as ‘general data’; this is data which is processed for a reason not involving law enforcement or national security. This includes some processing for a policing purpose as defined in Management of Police Information (MoPI) 2005 as ‘protecting life and property, preserving order, preventing the commission of offences, bringing offenders to justice, and any duty or responsibility of the police arising from common or statute law.’
- Part 3 of the Data Protection Act 2018 (DPA 2018) implements the Law Enforcement EU Directive (Directive 2016/680) and is separate from the UK GDPR/GDPR. The processing of personal data for law enforcement purposes can only be done by an organisation which is considered as a ‘competent authority’ in law. Law enforcement purposes are ‘the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security’. How organisations should process data for ‘law enforcement purposes’ can be found at Part 3 of the Data Protection Act 2018.
- Humberside Police collects and uses certain types of information about the people with whom it deals in order to perform effectively as a police force.
- This includes current, past and prospective members of staff, offenders, victims, witnesses, suppliers and others with whom it communicates. This personal information must be dealt with properly when it is collected, recorded, used and destroyed.
- Humberside Police regard the lawful and correct treatment of personal information as vitally important to the successful operation of the force and to maintaining public confidence.
The Six Principles of the Data Protection Act 2018
- To achieve lawful handling of personal data, Humberside Police must comply with the Data Protection principles. Personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’).
- You must ensure that you do not do anything with the data in breach of any other laws.
- You must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
- You must be clear, open and honest with people from the start, about how you will use their personal data.
- Selected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data must not be collected unless there is a specified and valid reason. Any personal data processed by Humberside Police must only be used for a policing purpose, i.e.:
- protection of life and property
- preserving order
- preventing the commission of offences
- bringing offenders to justice
- any duty or responsibility of the police arising from common or statute law.
- Personal data shall be: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).
- Personal data shall be: accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
- Personal data shall be: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).
- For more detail about Principles 3, 4 and 5, please see our Force Records Management Policy.
- Personal data shall be: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Chapter 4 – Accountability – Individuals’ Rights including Subject Access
6. Accountability – Individuals’ Rights including Subject Access
As a Data Controller, Humberside Police is responsible for and must demonstrate accountability and compliance with the data protection principles. As such, appropriate technical and organisational measures must be implemented in an effective manner to ensure compliance with data protection principles.
We must therefore apply adequate resources and controls to ensure and to document UK GDPR compliance, including:
- appointing a suitably qualified DPO;
- implementing Privacy by Design when processing personal data;
- completing a Data Protection Impact Assessment (DPIA) Screening when creating or amending a business process which involves handling personal data;
- where DPIA Screening identifies that the process may present a high risk to the privacy of data subjects, completing a full DPIA on the process;
- integrating data protection into our policies and procedures, in the way personal data is handled by us and by producing required documentation such as Privacy Notices, Records of Processing Activities and records of personal data breaches;
- training staff on compliance with Data Protection legislation and keeping a record accordingly; and
- regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
- The Data Protection legislation affords individuals rights in relation to their personal data, which are:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision making including profiling
- Requests for access are free of charge (unless requests are manifestly unfounded or excessive) and there is a requirement to process within one calendar month. Any requests should be forwarded immediately to the Information Governance Unit.
- For further information around subject access rights, please see the Subject Access Policy & Procedure.