The Data Protection Impact Assessment Policy enables Dyfed-Powys Police to establish good practices around the use and handling of information, promote a culture of awareness and improvement and comply with legislation. Its aim is to provide employees with a framework that outlines the appropriate process for managing projects that process personal data, in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act (DPA) 2018 and other related legislation.
The Information Commissioner’s Office (ICO) defines a Data Protection Impact Assessment (DPIA) as a process to help an organisation identify and minimise the data protection risks of a project. A DPIA must be completed for any processing that is likely to result in a high risk to individuals, as well as any major, new project or initiative involving the use of personal data. However, a DPIA can be used for any project or piece of work that may involve personal data, to help identify and address privacy risks in every area of work.
A DPIA is a “living” document and should be revisited regularly to ensure that there have been no changes to how the data is being used, and that there are no new risks.
A DPIA can assist an Information Asset Owner (IAO) to assess risks associated with the information assets they have responsibility for. It will assist the IAO to understand and address risks associated with information assets on behalf of the Senior Information Risk Owner (SIRO) and their end users, and to ensure that the data is fully used within the law.
This policy is essential in helping Dyfed-Powys Police officers, staff and volunteers understand the correct process for managing projects and initiatives that process personal data. Information is a powerful tool and a vital asset, in regard to both law enforcement processing and the management of services and resources across the Force.
It is of paramount importance that officers, staff and volunteers understand how to handle personal data lawfully and that they understand their responsibilities when considering new methods of processing. This applies to information relating to the organisation, its officers, staff and volunteers and the public. It is also vital that appropriate policies, procedures and processes provide a solid foundation for data protection compliance across the entire Force.
Applies (but not limited) to: All categories of Dyfed-Powys Police officers and staff, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors), seconded staff and volunteers. Police Officers, staff and volunteers accessing and using Force assets and property must have due regard to the contents of this policy.
Dyfed-Powys Police has a statutory obligation to process personal data in accordance with the provisions of the UK-GDPR in respect of non-law enforcement processing and the DPA 2018 in respect of law enforcement processing.
Under the UK-GDPR Articles 35 and 36 and Recitals 74-77, 84, 89-92, 94 and 95 there are legal requirements imposed on the Force in regard to the completion of DPIAs. The aim of this policy is to ensure consistency in Dyfed-Powys Police’s management of any major, new projects or initiatives involving the use of personal data (even if there is no specific indication of likely high risk) and compliance with the relevant legislation and best practice guidance.
Dyfed-Powys Police complies with the College of Policing Authorised Professional Practice (APP) on Information Management. The APP provides clear standards and guidance in regard to privacy by design and default and DPIAs under UK data protection legislation. In addition, Dyfed-Powys Police follows any and all relevant guidance provided by the Information Commissioner’s Office (ICO) regarding data protection matters.
All officers, staff and volunteers are required to understand their responsibilities under UK data protection legislation, with specific staff groups requiring more detailed knowledge around DPIAs. Data protection is the responsibility of ALL officers, staff and volunteers and this policy must be adhered to.
This policy is triggered as soon as a new project or initiative involving the use of personal data is identified, or there is a change to the nature, scope, context or purposes of processing underway in an existing project that involves personal data.
If this policy is not adhered to and/or DPIAs are not completed at the appropriate time, potential risks to the Force include, but are not limited to:
Dyfed-Powys Police has a legal obligation to comply with UK data protection legislation. Dyfed-Powys Police will also refer to the College of Policing, APP - Information Management – Data Protection – Data protection impact assessment (DPIA).
Relevant legislation includes:
The requirement of completing DPIAs, by the Force, is governed by the UK GDPR. Key staff groups with any level of involvement in new projects and initiatives across the Force are required to understand their responsibilities under this legislation in regard to recognising when a DPIA is required and knowing which department to contact for advice and guidance.
This includes, but is not limited to, Information Asset Owners (IAO), Information Asset Administrators (IAA) and Project Managers; however, anyone who is starting a project or piece of work that involves personal data may be required to undertake a DPIA before that personal data is used for their intended purpose.
Further details are available in the DPIA Guidance document.
This policy should also be read in conjunction with the following related policies, protocols, practices and/or services agreements:
Roles and Responsibilities within Dyfed-Powys Police
Chief Constable
The Chief Constable of Dyfed-Powys Police is the Data Controller and as such has overall responsibility for the lawful processing of all personal data processed by the Force. They also have overall accountability for procedural documents and have ultimate responsibility for compliance with this policy and data protection across the entire Force. UK-GDPR Article 35 sets out the responsibilities of the Data Controller in regard to the undertaking of DPIAs.
Senior Information Risk Owner (SIRO)
The Deputy Chief Constable (DCC) of Dyfed-Powys Police is the appointed Senior Information Risk Owner (SIRO). They are responsible for:
Data Protection Officer (DPO)
The Head of Information Management of Dyfed-Powys Police is the appointed Data Protection Officer (DPO). They are responsible for:
Information Asset Owner(s) (IAO)
Information Asset Owners (IAO) are senior officers and staff who are the nominated owners of one or more identified information assets. They are responsible for:
Data Protection Advisor
The Data Protection Advisor is responsible for:
Project Managers
Project Managers are responsible for:
Senior Manager – Governance and Change – Service Improvement Unit
The Senior Manager, Governance and Change, Service Improvement Unit is responsible for:
Information Security Officer
The Information Security Officer is responsible for:
Information Sharing Officers
Information Sharing Officers are responsible for:
Data Protection Compliance Officer
The Data Protection Compliance Officer is responsible for:
Records and Data Quality Supervisor
The Records and Data Quality Supervisor is responsible for:
All Officers, Staff and Volunteers
All officers, staff and volunteers are required to understand their responsibilities under UK data protection legislation, and to know to contact the Information Management Department with any DPIA related queries.
Data Protection by Design and Default
The UK-GDPR legally requires the Force to put in place technical and organisational measures to implement the data protection principles effectively and safeguard individual rights. This is ‘data protection by design and by default’. It requires the Force to integrate or ‘bake in’ data protection into its processing activities and business practices, from the design stage right through the lifecycle. Data protection by design is about considering data protection and privacy issues up front in everything that the Force does. It can help the Force ensure that it complies with the UK GDPR’s fundamental principles and requirements and forms part of the focus on accountability. The DPIA process can assist the Force in complying with this requirement on behalf of the Data Controller.
This policy is owned by the Information Management and Compliance Department. The review process will be conducted by the Data Protection Advisor on a biennial basis to ensure the continued effectiveness of the policy, and taking into account any changes to legislation, national guidance, ICO guidance etc.
The effectiveness of the policy will be monitored on a regular basis over and above the two-year review period and any major concerns will be escalated as appropriate.
Effectiveness of the policy will be measured through the Force Data Protection Compliance Audit process and by auditing access to the document and associated guidance documentation. The aim is to check awareness of the need to complete DPIAs and to ensure compliance with UK data protection legislation. Measuring the number of queries directed at the Department in regard to the DPIA process and the policy will also allow its effectiveness to be measured.
In the case of any queries regarding this policy, its content, or associated guidance documentation, individuals should contact:
Appropriate promotion of this policy will take place, which can include awareness raising when training inputs and presentations are provided to employees across the Force. The policy will be made available on the Force intranet and internet sites. Publication via the internet will ensure that it is available for public view.
Any issues of concern or risk in respect to compliance with UK data protection legislation across the Force will be escalated to the Force Data Protection Officer, Force SIRO and Information Assurance Board, dependent on severity.
Information regarding any other potential data protection issues across the Force will be processed in line with the Force Data Protection Policy. Such reporting, and subsequent investigation, may highlight issues with this policy and associated guidance, which could result in a necessary review. If this is the case, relevant action will be taken. The Data Protection Advisor will work closely with representatives from the relevant departments to address the issues and ensure that any lessons learned will be fully reported and cascaded as necessary.
This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.
This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.
Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.
The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:
The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.
Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty.
EQUALITY IMPACT ASSESSMENT COMPLETED: September 2024