Current timestamp: 18/06/2025 03:21:05
AgeAlertAnonymousAppealsApplicationsApply Or RegisterArea OutlineArrow DownArrow LeftArrow RightArrow UpAutomatic DoorsBack ArrowBusinessCalendarCashArrow DownArrow LeftArrow RightArrow Down[Missing text '/SvgIcons/Symbols/Titles/icon-chrome' for 'English (United Kingdom)']ClockCloseContactDirectionsDocumentDownloadDrawDrugExpandExternal LinkFacebookFb CommentFb LikeFiletype DefaultFiletype DocFiletype PdfFiletype PptFiletype XlsFinance[Missing text '/SvgIcons/Symbols/Titles/icon-firefox' for 'English (United Kingdom)']First AidFlickrFraudGive FeedbackGlobeGuide DogHealthHearing ImpairedInduction LoopInfoInstagramIntercom[Missing text '/SvgIcons/Symbols/Titles/icon-internet-explorer' for 'English (United Kingdom)']LaptopLiftLinkedinLocal Activity[Missing text '/SvgIcons/Symbols/Titles/icon-location' for 'English (United Kingdom)']LoudspeakerLow CounterMailMapMap PinMembershipMenuMenu 2[Missing text '/SvgIcons/Symbols/Titles/icon-microsoft-edge' for 'English (United Kingdom)']Missing PeopleMobility ImpairmentNationalityNorth PointerOne Mile RadiusOverviewPagesPaper PlaneParkingPdfPhonePinterestPlayPushchairRefreshReportRequestRestart[Missing text '/SvgIcons/Symbols/Titles/icon-rotate-clockwise' for 'English (United Kingdom)']Rss[Missing text '/SvgIcons/Symbols/Titles/icon-safari' for 'English (United Kingdom)']SearchShareSign LanguageSnapchatStart AgainStatsStats And Prevention AdviceStopSubscribeTargetTattosTell Us AboutTickTumblrTwenty Four HoursTwitter LikeTwitter ReplyTwitter RetweetUploadVisually ImpairedWhatsappWheelchairWheelchair AssistedWheelchair ParkingWheelchair RampWheelchair WcYoutubeZoom InZoom Out

Leave this site

Skip to main content

Skip to main navigation

Welcome

This site is a beta, which means it's a work in progress and we'll be adding more to it over the next few weeks. Your feedback helps us make things better, so please let us know what you think.

Data Protection Policy

1. Statement of Policy

The Data Protection Policy enables Dyfed-Powys Police to establish good practices around the use and handling of information, promote a culture of awareness and improvement and comply with legislation. Its aim is to provide Officers, Police staff and volunteers with a framework that outlines the appropriate use of personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act (DPA) 2018 and other related legislation.

This policy is essential in helping Dyfed-Powys Police officers, Police staff and volunteers understand how to look after the information they use to fulfil their duties and provide the best possible service. It should also assist in promoting a culture of awareness and improvement across the Force in respect to everyone’s responsibilities and accountability regarding data protection, the data protection principles, data protection breach reporting and data subject rights.

Information is a powerful tool and a vital asset.  It is of paramount importance that officers, Police staff and volunteers, have access to the information they need to undertake their duties safely and effectively, but also that confidential and sensitive information remains secure. This applies to information relating to the organisation, its personnel, and the public, this will include information that has been obtained from external parties and organisations and being processed by the Force.  It is also vital that appropriate policies, procedures and processes provide a solid foundation for data protection compliance across the entire Force.

This policy, along with the Privacy Notice and any other documents referred to in it sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources and in accordance with the Data Protection Legislation.

Applies (but not limited) to: All categories of Dyfed-Powys Police officers and staff, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors), seconded staff and volunteers. Police Officers, staff and volunteers accessing and using Force assets and property must have due regard to the contents of this policy.

 

2. Policy Scope

Dyfed-Powys Police has a statutory obligation to process personal data in accordance with the provisions of the UK GDPR in respect of non-law enforcement processing and the DPA 2018 in respect of law enforcement processing.

Dyfed-Powys Police complies with the College of Policing Authorised Professional Practice (APP) on Information Management.  The APP provides clear standards and guidance in regard to UK data protection legislation. In addition, Dyfed-Powys Police follows relevant guidance provided by the Information Commissioner’s Office (ICO) regarding data protection matters.

All officers, Police staff and volunteers are required to understand their responsibilities under UK data protection legislation. Data protection is the responsibility of ALL personnel and this policy must be adhered to at all times. This policy is triggered as soon as an authorised individual encounters personal data processed by, or on behalf of, Dyfed-Powys Police.

There are many potential risks to the Force, if this policy is not adhered to. These include, but are not limited to:

  • Inability to secure and maintain individuals’ trust and confidence in the Force
  • Damage to the Force reputation.
  • Failure to comply with relevant legislation.
  • The potential breach of UK data protection legislation, resulting in potential action being taken against the Force by the ICO, for being unable to meet its information rights obligations.
  • Inaccurate information being held which could have an impact on operational and business/corporate requirements.

 

Definition of Data Protection terms

Data subjects for the purpose of this policy include all living individuals about whom the Force holds personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information.

Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in the Force’s possession). Personal data can be factual (for example, a name, a unique reference number, address or date of birth) or it can be an opinion about that person, their actions and behaviour. See further below.

Data Controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with the UK- General Data Protection Regulation (UK-GDPR). The Chief Constable is the Data Controller of all personal data that Dyfed Powys Police collects or uses (processes) in its day-to-day business and in providing services.

Data Processors include any person or organisation that is not a data user that processes personal data on behalf of the Force (Data Controller) and on the instructions of the Data Controller. Employees of data controllers are excluded from this definition, but it includes suppliers, providers and contractors which process personal data on Dyfed Powys Police’s behalf.

Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, viewing, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.

Special Category Data (also known as “sensitive personal data”) includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. The definition also includes the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation. Special Category Data can only be processed under strict conditions. Personal Data relating to criminal convictions and offences is subject to additional requirements and should be handled in a similar way to Special Category Data.

Third Party – Any individual/organisation other than the data subject, the data controller, the Force or its agents.

Data Protection Impact Assessment (DPIA) is a process to help identify and minimise the data protection risks of a project. A DPIA should be carried out for processing that is likely to result in a high risk to individuals. The DPIA must: describe the nature, scope, context and purposes of the processing; assess necessity, proportionality and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks.

 

3.  Powers and Policy/Legal Requirements

Dyfed-Powys Police has a legal obligation to comply with UK data protection legislation. Dyfed-Powys Police will also refer to the College of Policing, APP - Information Management – Data Protection. 

Relevant legislation includes:

  • The Data Protection Act 2018 (DPA 2018)
  • The UK General Data Protection Regulation (UK GDPR)
  • Computer Misuse Act 1990
  • Freedom of Information Act 2000
  • Crime and Disorder Act 1998
  • Criminal Justice and Immigration Act 2008
  • Human Rights Act 1998
  • Regulation of Investigatory Powers Act 2000
  • Protection of Freedoms Act 2012
  • Criminal Procedures Investigations Act 1996 (CPIA)

Data v Information

Data comprises raw, unprocessed facts that need context to become useful, while information is data that has been processed, organized, and interpreted to add meaning and value. This policy refers to both data and information.

What is personal data?

  • The UK GDPR applies to the processing of personal data that is:
    • wholly or partly by automated means; or
    • the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.
  • Personal data only includes information relating to natural persons who:
    • can be identified or who are identifiable, directly from the information in question; or
    • who can be indirectly identified from that information in combination with other information.
  • Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.

The processing of personal data, by the Force, is governed by the DPA 2018 and the associated UK GDPR. Everyone needs to be aware that this processing of data can be categorised in two ways:

  1. Processing under PART 2 of the DPA 2018 – General processing

Part 2 of the DPA 2018 applies to “general data”, which is personal data that is processed for a reason not involving law enforcement or national security e.g. employment purposes or public relations.

  1. Processing under PART 3 of the DPA 2018 – Law enforcement processing

Part 3 of the DPA 2018 applies to “competent authorities” such as Police Forces that process data for law enforcement purposes.

Officers, Police Staff and Volunteers need to be aware that unauthorised access to data/information or information systems other than for its intended purpose, is not permitted (eg undertaking a PNC enquiry or researching Force systems to satisfy personal curiosity rather than for a genuine policing purpose). Such action could result in a breach of Data Protection legislation. It may also result in investigation by PSD and Information Management staff and may be referred to the Information Commissioner’s Office, who may pursue action through the courts. Staff must ensure that when accessing Force systems and processing Force data that they have a lawful policing purpose to do so.

The data protection principles, as defined under the UK GDPR, should sit at the centre of the Force’s approach to processing personal data. Full details are available in the Data Protection Guidance Document.

Anyone processing personal data for Law Enforcement purposes under Part 3 of the DPA must comply with the six Data Protection Principles relating to the processing of personal data. These provide that personal data must be:

The first data protection principle

Processing of personal data for any of the law enforcement purposes must be lawful and fair.

The second data protection principle

The law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and;

Personal data collected must not be processed in a manner that is incompatible with the purpose for which it was originally collected.

The third data protection principle

Personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.

The fourth data protection principle 

Personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date, and;

Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay.

The fifth data protection principle

Personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed.

Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes. Retention periods relevant to the Force can be found within the Records Management section of the Intranet.

The sixth data protection principle

Personal data processed for any of the law enforcement purposes must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).

All Force personnel should also have an understanding of data subject rights, under UK data protection legislation. Full details are available in the Data Protection Guidance Document, with specific guidance surrounding requests for personal data available.

This policy should also be read in conjunction with the following related policies, protocols, practices and/or service agreements:

  • Data Protection Guidance Document
  • Data Protection Breach Policy
  • Information Security Policy
  • Freedom of Information Policy
  • Information Sharing Policy
  • Data Protection Impact Assessment (DPIA) Policy
  • Records Management Policy
  • Data Protection Compliance Audit Policy
  • Information Risk Management Policy
  • College of Policing Authorised Professional Practice (APP) Information Management
  • College of Policing APP – Compliance Audit
  • The National Police Chiefs Council (NPCC) Data Protection Manual of Guidance
  • NPCC National Guidance on the minimum standards for the Retention and Disposal of Police Records
  • Police Information and Records Management Code of Practice
  • The Information Commissioner’s Office’s Code of Practice and Guidance
  • NPCC Senior Information Risk Owner (SIRO) handbook
  • NPCC Information Asset Owner (IAO) handbook

4.  Options and Contingencies

Roles and Responsibilities within Dyfed-Powys Police

  • Chief Constable

The Chief Constable of Dyfed-Powys Police is the Data Controller and as such has overall responsibility for the lawful processing of all personal data processed by the Force. They also have overall accountability for procedural documents and have ultimate responsibility for compliance of this policy and data protection across the entire Force. The Data Controller has specific responsibilities under the UK-GDPR and the Data Protection Act 2018.

  • Senior Information Risk Owner (SIRO)

The Deputy Chief Constable (DCC) of Dyfed-Powys Police is the appointed Senior Information Risk Owner (SIRO). They are responsible for:

  • Overall accountability for information risk across the Force
  • Representing and championing information risk
  • Remaining up to date on all necessary training in order to remain effective in their role as SIRO
  • Understanding the impact of information risks on the Force’s risk register, and how those risks may be minimised and managed, and
  • Chairing the Information Assurance Board
  • The SIRO has specific responsibilities in relation to information risk as identified within the NPCC SIRO Handbook (2018)

 

  • Data Protection Officer (DPO)

The Head of Information Management of Dyfed-Powys Police is the appointed Data Protection Officer (DPO). They are responsible for:

  • Protecting the confidentiality of personal data across the Force
  • Representing and championing data protection issues and requirements
  • Ensuring that the Force satisfies the highest practical standards for handling personal data
  • Enabling suitable information sharing with other bodies
  • Ensuring that data protection issues are appropriately reflected in Force policies, procedures, processes and strategies for personnel
  • Assisting the Force in demonstrating compliance with UK data protection legislation as part of the enhanced focus on accountability
  • Acting as a point of contact for data subjects and the ICO, and
  • Informing and advising on data protection obligations Force wide.
  • The Data Protection Officer has specific tasks mandated by data protection legislation.

 

  • Information Asset Owner(s) (IAO)

Information Asset Owners (IAO) are senior employees who are the nominated owners of one or more identified information assets. They are responsible for:

  • Monitoring and understanding what information – paper and electronic – is being held and how it is maintained; knowing and approving who has access to it and why.
  • Seeking to use information fully within the law
  • Identifying and addressing risks to the information, and
  • Encouraging a culture that values, protects and uses information for the public good.
  • An IAO has a range of responsibilities which are described within the NPCC’s IAO Handbook.

 

  • Data Protection Advisor

The Data Protection Advisor is responsible for:

  • Maintaining awareness of data protection issues across the Force
  • Encouraging a culture that values, protects and uses information for the public good
  • Reviewing and updating the Data Protection Policy when appropriate, in line with legislation
  • Reviewing and updating all procedures and processes relating to this policy where appropriate
  • Ensuring all line managers are aware of their responsibilities and accountability regarding data protection and the requirements of this policy
  • Ensuring all employees are provided with the appropriate and necessary training to further their understanding of the principles of data protection and their application, and
  • Informing and advising on data protection obligations Force wide.

 

  • Line Managers

All Line Managers are responsible for ensuring that the Data Protection Policy is implemented and adhered to within their department.

 

  • All Officers, Police staff and Volunteers

All officers, Police staff and volunteers are responsible for adhering to the Data Protection Policy and related documentation. They will receive instruction, direction and updates regarding the policy from:

  • Line managers
  • Dyfed-Powys Police DPO
  • Mandatory data protection e-learning module(s). All employees, throughout the organisation, are required to be up-to-date with data protection training and refresher training commensurate with their role - full details are available in the Data Protection Guidance Document.
  • Dyfed-Powys Police Intranet, and
  • Policy and procedure manuals and documentation

Information Assurance Board

The role of the Information Assurance Board is:

  • To maintain strategic oversight, and support the management of, all activities related to the use, processing, retention, and transmission of information or data under the control of Dyfed-Powys Police and the structures, systems and processes used for those purposes in accordance with the College of Policing APP on Information Management.
  • Provide governance support and direction to the Information Management and Compliance Department in line with the Force vision to ‘Safeguard our Communities Together’, and
  • Work in line with the other groups and boards in delivering the mission, vision and values of the Force, the Chief Constable’s vision and the delivery plan in support of the Police and Crime Plan.

 

Code of Ethics principles

The Code of Ethics is a national code of practice, which defines core policing values and the standards of behaviour for everyone who works in policing. In line with these nine principles, the Data Protection Policy seeks to embed the following:

Code of Ethics

In line with the ethical policing principles, this Policy seeks to address the following:-

  • Public service – “working in the public interest, fostering public trust and

confidence, and taking pride in providing an excellent service to the public”. the

policy is clear and ensures integrity within its purpose; the policy contains

clearly defined responsibilities.

  • Courage – “making, communicating and being accountable for decisions, and

standing against anything that could bring our profession into disrepute” the

policy is lawful and proportionate and respectful of the rights of individuals.

Respect and empathy – “encouraging, listening to and understanding the views of others, and seeking to recognise and respond to the physical, mental and emotional challenges that we and other people may face.” The policy promotes equality and diversity considerations wherever possible and is not unlawfully or unfairly discriminatory.

The ethical policing principles will be used to help the Force make and reflect on professional decision making in regard to information risk.

 

5.   Take action and review

This policy is owned by the Information Management and Compliance Department. The review process will be conducted by the Data Protection Advisor on a biennial basis to ensure the continued effectiveness of the policy, and taking into account any changes to legislation, national guidance, ICO guidance etc.

The effectiveness of the policy will be monitored on a regular basis over and above the two-year review period and any major concerns will be escalated as appropriate. 

Effectiveness of the policy will be measured through the Force Data Protection Compliance Audit process. The aim being to check awareness of and compliance with UK data protection legislation in practice. Also, measuring the number of queries directed at the Department in regard to the policy will allow its effectiveness to be measured.

In the case of any queries regarding this policy, its content, or associated guidance documentation - individuals should contact:

Dyfed-Powys Police Data Protection Advisor

  • Email: [email protected]
  • Post: Data Protection Advisor, Dyfed-Powys Police, PO BOX 99, Llangunnor, Carmarthenshire, SA31 2PF

Appropriate promotion of this policy will take place, which can include awareness raising when training inputs and presentations are provided to employees across the Force. The policy will be made available on the Force intranet and internet sites.  Publication via the internet will ensure that it is available for public view.

Any issues of concern or risk in respect to compliance with UK data protection legislation across the Force will be escalated to the Force Data Protection Officer, Force SIRO and Information Assurance Board, dependent on severity.

Information regarding potential data protection breaches across the Force, will be processed in line with the Force Data Protection Breach Policy. Full details surrounding the process of reporting a personal data breach are available in the Data Protection Guidance Document. Such reporting, and subsequent investigation may highlight issues with this policy and associated guidance, which could result in a necessary review. If this is the case, relevant action will be taken. The Data Protection Advisor will work closely with representatives from the relevant departments to address the issues and ensure that any lessons learned will be fully reported and cascaded as necessary. Data protection breaches are reported upon to the Information Assurance Board, the Policing Board and the Joint Audit Committee.

CODE OF ETHICS CERTIFICATE OF COMPLIANCE

This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.

HUMAN RIGHTS ACT CERTIFICATE OF COMPLIANCE

This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.

EQUALITY IMPACT ASSESSMENT

Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.

The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:

  • eliminate discrimination, harassment, victimisation, and any other conduct that is unlawful under the Act;
  • advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it;
  • foster good relations between persons who share a relevant protected characteristic and persons who do not share it.

The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.

Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty. 

EQUALITY IMPACT ASSESSMENT COMPLETED: November 2024