W2013 Procedure – Appropriate Access and Use of Police Information
Number: W 2013 Date Published: 15 March 2022 Version 7 – March 2022
1.0 Summary of Changes
On its yearly review this procedure has been updated to reflect new author details.
2.0 What this Procedure is about
This procedure details the circumstances where an officer or member of police staff or any other approved person working for or on behalf of the police may lawfully access, attempt to access, or use police information held by Essex Police.
Non-compliance with the provisions of this procedure may result in disciplinary action which could lead to dismissal and criminal prosecution under the Data Protection Act 2018 (‘the Act’) or Misconduct in Public Office.
Compliance with this procedure and any governing policy is mandatory.
3.0 Detail the Procedure
3.1 Police Information and Users of Police Information
This procedure applies to every ‘user’ of police information. A ‘user’ means any police officer, police staff member, or other approved person working for, or on behalf of, Essex Police, and any other person granted access to the Essex Police IT infrastructure who have access to ‘police information’.
‘Police information’ includes any information that is:
Used in any other way.
by Essex Police, its officers, police staff and others working on the force’s behalf. Police information may be held digitally within the force’s IT infrastructure, including the intranet, email, applications and databases. It can also exist in hard copy, in forms, in correspondence, in photographs or other images, and in other documents.
The majority of police information is accessed using police computers or print outs and recordings from those computers, but it can also be accessed or used as words spoken during conversations and meetings.
3.2 Valid Policing Purposes
Users must only access, or attempt to gain access, or use, any item of police information for a valid policing purpose where to do so is necessary or required by their official role, to achieve the police force’s operational or support purposes.
Valid policing purposes may be split into a) Operational Policing Purposes and b) Support Purposes.
Operational Policing Purposes include the:
Prevention and detection of crime;
Apprehension and prosecution of offenders;
Protection of life and property;
Maintenance of law and order;
Rendering of assistance to the public in accordance with force policies and procedures;
Some police information is used for the activities that are necessary for the Support Purposes which help maintain the Operational Policing Purposes mentioned previously. Those support purposes include the management of finance, staff training and administration, health and welfare management, property management, provision of legal services, management of the IT infrastructure, media, licensing and registration.
3.3 Determining if Access or Use is Appropriate
Generally access or use of a particular item of police information is appropriate when a user does so in order to:
Follow a published force procedure or policy;
Comply with an approved information sharing agreement;
Undertake a regular process that is part of their role.
However, where there is doubt, users may ask themselves questions to help them decide:
Question 1: Does my role require that I access or use the particular piece of police information in question in the way proposed?
If the answer is ‘No’ then access or use would not be appropriate;
If the answer is ‘Yes’ you should then ask a further question:
Question 2: Would my access or use be for the benefit or the purposes of Essex Police?
If the answer is ‘No’ then the access or use would be inappropriate as the activity would be for your personal purposes or benefit;
If the answer is ‘Yes’ then you should ask a further question:
Question 3: Would the access or use be necessary for one of the valid policing purposes? - either one of the Operational Policing Purposes, or the Support Purposes, as previously explained.
If the answer is ‘Yes’ then the access or use is likely to be appropriate;
If the answer is ‘No’ then the access or use is inappropriate.
Access, attempted access, or use other than in accordance with the above will be considered as misuse of police information.
Misuse of police information will occur where a user accesses, attempts to access, or uses any item of police information:
When the access or use is not for a valid policing purpose; or,
In a manner beyond that required by their official role to achieve the force’s operational and support purposes; or,
In contravention of published force policy, procedure or information sharing agreement or data processing contract; or,
Where the primary motivation is for user’s own or a third party’s personal purposes, benefit or curiosity.
The list above is not exhaustive.
Misuse will also occur where an individual (person 1) directs a user (person 2) to access or use police information inappropriately on person 1’s behalf.
3.5 Access and Use of Police Information for Training Purposes
Databases, systems or applications installed for training purposes will only be used for that purpose.
Officers and staff must never use ‘live’ police information for training purposes except where that activity takes place within formal training sessions supervised by trainers, or in circumstances prescribed by the relevant information system owner (see W 1005 Procedure/SOP – Information Asset Owners for details of information asset owners and their ‘custodians’).
Access to police information for training purposes must be 'blind' to the identity of the individual to whom the information relates. In practical terms that would preclude access by a user to information relating to friends, acquaintances, neighbours, family members, work colleagues, famous people etc.
3.6 Access and Use of Police Information for Testing of the IT infrastructure
It is recognised that users within IT Services may, in specific circumstances, need to access and use police information when attempting to identify the cause of issues with the IT infrastructure or when testing the impact of changes made to that infrastructure.
This could involve running searches across a database in order to identify whether expected data is returned from those searches.
On such occasions a user’s default position should be to conduct such tests against test data rather than live data. If that is not feasible, the user may test against live data. However, due to integrity considerations access to, and use of, police information for testing purposes must be 'blind' to the identity of the individual to whom the information relates. In practical terms this means the user must not conduct a search where the search criteria used relate to themselves friends, acquaintances, neighbours, family members, work colleagues, famous people etc. or where it could be reasonably assumed the search was likely to return information relating to such people.
3.7 Users’ Access and Personal Relationships
It is recognised that on occasions a user, as part of their role, may be required to access or use police information concerning people they know outside of the police environment, such as friends, acquaintances, neighbours, or family members.
Where this occurs the user must report the circumstances to their supervisor or line manager who will reallocate the task to another user unless such a course of action is considered impracticable.
3.8 Overheard Conversations
Users may overhear conversations or otherwise become aware of information not considered relevant to their role. Where such instances occur users must always treat such information with the strictest confidence. This will include not disclosing the information further to any individual either inside or outside the organisation unless required to do as part of their official police role.
3.9 Reporting Suspected Misuse of Police Information
Any individual who witnesses, identifies or becomes aware of possible misuse use of police information should refer the matter to the Professional Standards Department.
They may choose to do this anonymously, using confidential reporting routes.
A failure to report misuse may, in itself, be regarded as a disciplinary matter.
Dependent upon the circumstances misuse of police information may result in disciplinary action and/or a criminal investigation.
Misuse of police information relating to individuals’ ‘personal data’ is likely to be an offence under the Data Protection Act 2018.
Section 170 of the Act criminalises the deliberate or reckless obtaining, disclosing, procuring disclosure to another and retention of personal data without the consent of the ‘controller’. It also makes it an offence to sell or offer to sell personal data that was obtained, disclosed or retained unlawfully.
Section 170 of the Act states:
(1) It is a criminal offence for a person user knowingly or recklessly - (a) to obtain or disclose personal data without the consent of the controller, (b) to procure the disclosure of personal data to another person without the consent of the controller, or (c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained. Section 170(4) of the Act states:
It is an offence for a person to sell personal data if the person obtained the data in circumstances in which an offence under subsection (1) was committed. Section 170(5) of the Act states:
It is an offence for a person to offer to sell personal data if the person — (a) has obtained the data in circumstances in which an offence under subsection (1) was committed, or (b) subsequently obtains the data in such circumstances.
In the case of Essex Police the ‘controller’ is the Chief Constable. Their consent is demonstrated via by force policy and procedure, approved working practices, instructions and operational orders.
Section 170(2) and (3) of the Act provide defences for the Section 170(1) offence.
Misuse of police information may also be a Common Law offence of Misconduct in Public Office. The punishment for this offence comes with a potentially unlimited custodial sentence and unlimited fine.
Misuse of police information can also be a criminal offence under Sections 1 to 3 of the Computer Misuse Act 1990.
Even where a criminal prosecution is not pursued it is likely that misusers of police information will be liable to disciplinary action that could result in dismissal.
3.11 National Crime Recording Standard (NCRS)
Where the offence under investigation is a notifiable crime (e.g. Section 170, Data Protection Act 2018), then it must be recorded as a crime in line with the National Crime Recording Standard (NCRS) and the Home Office Counting Rules (HOCR).
3.12 Use of Officers’ and Police Staff Members’ Personal Mobile Phone
In June 2019 the Joint Negotiating and Consultative Committee (JNCC), a regular corporate meeting where Chief Officers meet with representatives of The Superintendents’ Association, the Police Federation and Unison, agreed the circumstances were officers and police staff members could be contacted by the Force using their personal mobile phones.
The JNCC agreed that those who take part in voluntary arrangements such as MAT, on call will normally be contacted through their work mobile phone or personal mobile phone if they have agreed to provide their number and allowed the force to contact them in this way; this will remain the case while the force explores an IT solution.
Individuals who need immediate or urgent court warnings/de-warnings will normally be contacted through force equipment but, where it is essential to do so, personal mobile phones may be used.
There may arise an accident or emergency situation whereby personal mobile phones may need to be used as the most immediate and effective way of trying to reach individuals or their families where there is an overriding necessity to do so.
However, the force also recognises that all contact must be legitimate and proportionate so it would never endorse the use of personal mobile phones for the purposes of routine business such as duty planning, unless the individual had given consent for this to be so.
The force recognises that individuals supply it with information that must be treated with respect, guarded closely and only utilised in accordance with the law.
4.0 Equality Impact Assessment
EIA – March 2020.
5.0 Risk Assessment
Any failure by an individual to follow the provisions specified within this procedure may result in an increased risk of harm to the reputation of the organisation or to the individual subject of the police information that was unlawfully accessed or used.
Essex Police must ensure that any information held by it as a data controller is held in accordance with the Data Protection Act 2018. A failure to adhere to the provisions of that act may well result in irreparable damage to the reputation of the organisation including considerable financial loss resulting from litigation or enforcement action by the Commissioner arising from a failure to discharge its lawful responsibilities.
Inappropriate access or disclosure of police information to an individual outside the provisions of this procedure may expose that individual to an increased level of risk of harm. Any circumstances relating to the misuse of police information must be reported immediately to the Professional Standards Department who will complete a full assessment of the risk brought about by the unlawful access or disclosure relating to any individual subject of that information. The risk assessment will be regularly updated throughout the process of the investigation.
The following have been consulted during the formulation of this document:
7.0 Monitoring and Review
This procedure will be reviewed every year by the Head of Information Management.
Additional review may take place where the need is identified. The Information Management Board will maintain oversight of this procedure.
8.0 Governing Force policy.
Related Force policies or related procedures
W 1000 Policy – Information Management
W 1001 Procedure/SOP – ICT Acceptable Use
W 1002 Procedure/SOP – User Account Management
W 1005 Procedure/SOP – Information Asset Owners
W 1011 Procedure/SOP – Data Protection
W 1012 Procedure – Records Review, Retention and Disposal
W 1014 Procedure – Information Sharing Agreements
W 2011 Procedure – Transaction Monitoring and Audit
W 2040 Procedure – Records Centre (Dunmow)
8.1 Data Security
Essex Police have measures in place to protect the security of your data in accordance with our Information Management Policy – W 1000 Policy – Information Management.
8.2 Retention & Disposal of Records
Essex Police will hold data in accordance with our Records Review, Retention & Disposal Policy – W 1012 Procedure/SOP - Records Review, Retention and Disposal.
We will only hold data for as long as necessary for the purposes for which we collected. Victims/public should be reminded that Essex Police take the protection of personal data seriously as described in the privacy notice.
9.0 Other source documents, e.g. legislation, Authorised Professional Practice (APP), Force forms, partnership agreements (if applicable)