The Data Protection Breach Policy enables Dyfed-Powys Police to establish good practices around the use and handling of information, promote a culture of awareness and improvement and comply with legislation. Its aim is to provide officers, staff and volunteers with a framework that outlines the appropriate handling of data protection breaches and provide assurance that the Force acts responsibly to protect the personal data it processes in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act (DPA) 2018 and other related legislation.
The Information Commissioner’s Office (ICO) defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, which includes breaches that are the result of both accidental and deliberate causes. This means that a breach is more than just losing personal data.
This policy is essential in helping Dyfed-Powys Police officers, staff and volunteers understand how to respond when a potential data protection breach is identified. Information is a powerful tool and a vital asset, in regard to both law enforcement processing and the management of services and resources across the Force. It is of paramount importance that employees understand how to protect personal data effectively and that confidential and sensitive information remains secure, but also what to do in the event that personal data may have been compromised in some way. This applies to information relating to the organisation, its employees and the public. It is also vital that appropriate policies, procedures and processes provide a solid foundation for data protection compliance across the entire Force.
Applies (but not limited) to:
All categories of Dyfed-Powys Police officers and staff, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors), seconded staff and volunteers. Police Officers, staff and volunteers accessing and using Force assets and property must have due regard to the contents of this policy.
Dyfed-Powys Police has a statutory obligation to process personal data in accordance with the provisions of the UK GDPR in respect of non-law enforcement processing and the DPA 2018 in respect of law enforcement processing.
Under the DPA 2018, Part 3, sections 67 and 68 and the UK GDPR Articles 33, 34, 58, 84 and Recitals 75, 85-88 there are strict duties imposed on the Force in regard to the handling of data protection breaches. The aim of this policy is to standardise Dyfed-Powys Police’s management of data protection breaches and ensure compliance with the relevant legislation and best practice guidance.
Dyfed-Powys Police complies with the College of Policing Authorised Professional Practice (APP) on Information Management. The APP provides clear expectations and guidance in regard to the management of data protection breaches. In addition, Dyfed-Powys Police follows any and all relevant guidance provided by the Information Commissioner’s Office (ICO) in regard to data protection matters.
All police officers, staff and volunteers are required to understand their responsibilities under UK data protection legislation in regard to recognising and reporting a data protection breach. Data protection is the responsibility of ALL officers, staff and volunteers and this policy must be adhered to. This policy is triggered as soon as a potential data protection breach is identified in regard to personal data processed by, or on behalf of, Dyfed-Powys Police.
If this policy is not adhered to and/or data protection breaches are unaddressed, potential risks to the Force include, but are not limited to:
Breaches are also likely to have a significant detrimental effect on individuals. For example:
In more serious cases, for example those involving victims and witnesses, a data protection breach may cause more significant detrimental effects on individuals.
Dyfed-Powys Police has a legal obligation to comply with UK data protection legislation. Dyfed-Powys Police will also refer to the College of Policing, APP - Information Management – Data Protection – Data Breach.
Relevant legislation includes:
The process of managing data protection breaches, by the Force, is governed by the DPA 2018 and the associated UK GDPR. All officers, staff and volunteers are required to understand their responsibilities under this legislation in regard to recognising and reporting a data protection breach. Full details are available in the Data Protection Guidance Document.
This policy should also be read in conjunction with the following related policies, protocols, practices and/or service agreements:
Roles and Responsibilities within Dyfed-Powys Police
Chief Constable
The Chief Constable of Dyfed-Powys Police is the Data Controller and as such has overall responsibility for the lawful processing of all personal data processed by the Force. They also have overall accountability for procedural documents and have ultimate responsibility for compliance with this policy and data protection across the entire Force. This policy serves to ensure compliance by the Data Controller with their responsibility under Article 24 (2) of the UK GDPR.
Senior Information Risk Owner (SIRO)
The Deputy Chief Constable (DCC) of Dyfed-Powys Police is the appointed Senior Information Risk Owner (SIRO). They are responsible for:
Data Protection Officer (DPO)
The Head of Information Management of Dyfed-Powys Police is the appointed Data Protection Officer (DPO). They are responsible for:
Information Asset Owner(s) (IAO)
Information Asset Owners (IAO) are senior staff who are the nominated owners of one or more identified information assets. They are responsible for:
Data Protection Advisor
The Data Protection Advisor is responsible for:
All Police Officers, Staff and Volunteers
All police officers, staff and volunteers are responsible for adhering to the Data Protection Breach Policy and related documentation. They will receive instruction, direction and updates regarding the policy from:
Information Assurance Board
The role of the Information Assurance Board is:
Third Party Agreements
This policy will apply where a supplier or other third party, e.g. a data processor, requires and is supplied with personal data by the Force to deliver a service. Third parties will ensure that the Force is informed of any breach or ‘data loss’ event in a timely manner and in line with contractual agreements set in place between the third party and the Force.
Code of Ethics
In line with the ethical policing principles, this policy seeks to address the following:
The ethical policing principles will be used to help the Force make and reflect on professional decision making regarding data protection breaches.
This policy is owned by the Information Management and Compliance Department. The review process will be conducted by the Data Protection Advisor or Data Protection Officer on an annual basis, followed by biennial reviews, to ensure the continued effectiveness of the policy, taking into account any changes to legislation, national guidance, ICO guidance etc.
The effectiveness of the policy will be monitored on a regular basis over and above the review period and any major concerns will be escalated as appropriate.
Effectiveness of the policy will be measured through the Force Data Protection Compliance Audit process and by auditing access to the document and associated guidance documentation. The aim is to check awareness of the need to report data protection breaches and to ensure compliance with UK data protection legislation. Measuring the number of data protection breaches reported, and the number of queries about the policy directed at the Department, will also allow its effectiveness to be measured.
Any amendments to this policy will be approved by the Information Assurance Board.
In the case of any queries regarding this policy, its content, or associated guidance documentation, individuals should contact:
Appropriate promotion of this policy will take place, which can include awareness raising when training inputs and presentations are provided to police officers, staff and volunteers across the Force. The policy will be made available on the Force intranet and internet sites. Publication via the internet will ensure that it is available for public view.
Any issues of concern or risk in respect to compliance with UK data protection legislation across the Force will be escalated to the Force Data Protection Officer, Force SIRO and Information Assurance Board, dependent on severity.
Information regarding any other potential data protection issues across the Force will be processed in line with the Force Data Protection Policy. Such reporting, and subsequent investigation, may highlight issues with this policy and associated guidance, which could result in a necessary review. If this is the case, relevant action will be taken. The Data Protection Advisor will work closely with representatives from the relevant departments to address the issues and ensure that any lessons learned will be fully reported and cascaded as necessary.
This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.
This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.
Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.
The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:
The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.
Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty.
EQUALITY IMPACT ASSESSMENT COMPLETED: April 2024