Current timestamp: 23/03/2025 03:47:37
AgeAlertAnonymousAppealsApplicationsApply Or RegisterArea OutlineArrow DownArrow LeftArrow RightArrow UpAutomatic DoorsBack ArrowBusinessCalendarCashArrow DownArrow LeftArrow RightArrow Down[Missing text '/SvgIcons/Symbols/Titles/icon-chrome' for 'English (United Kingdom)']ClockCloseContactDirectionsDocumentDownloadDrawDrugExpandExternal LinkFacebookFb CommentFb LikeFiletype DefaultFiletype DocFiletype PdfFiletype PptFiletype XlsFinance[Missing text '/SvgIcons/Symbols/Titles/icon-firefox' for 'English (United Kingdom)']First AidFlickrFraudGive FeedbackGlobeGuide DogHealthHearing ImpairedInduction LoopInfoInstagramIntercom[Missing text '/SvgIcons/Symbols/Titles/icon-internet-explorer' for 'English (United Kingdom)']LaptopLiftLinkedinLocal ActivityLoudspeakerLow CounterMailMapMap PinMembershipMenuMenu 2[Missing text '/SvgIcons/Symbols/Titles/icon-microsoft-edge' for 'English (United Kingdom)']Missing PeopleMobility ImpairmentNationalityNorth PointerOne Mile RadiusOverviewPagesPaper PlaneParkingPdfPhonePinterestPlayPushchairRefreshReportRequestRestart[Missing text '/SvgIcons/Symbols/Titles/icon-rotate-clockwise' for 'English (United Kingdom)']Rss[Missing text '/SvgIcons/Symbols/Titles/icon-safari' for 'English (United Kingdom)']SearchShareSign LanguageSnapchatStart AgainStatsStats And Prevention AdviceStopSubscribeTargetTattosTell Us AboutTickTumblrTwenty Four HoursTwitter LikeTwitter ReplyTwitter RetweetUploadVisually ImpairedWhatsappWheelchairWheelchair AssistedWheelchair ParkingWheelchair RampWheelchair WcYoutubeZoom InZoom Out

Leave this site

Skip to main content

Skip to main navigation

Welcome

This site is a beta, which means it's a work in progress and we'll be adding more to it over the next few weeks. Your feedback helps us make things better, so please let us know what you think.

Information Sharing Policy

1. Statement of Policy

This policy will ensure that Dyfed-Powys Police meets and implements the legal requirements under the Data Protection Act 2018 (DPA), the UK General Data Protection Regulation 2018 (UK GDPR) and the Human Rights Act 1998 (HRA) when sharing personal information.

To assist in ensuring compliance, Dyfed-Powys Police will follow the College of Policing Authorised Professional Practice (APP) on Information Management – Information Sharing. Additionally, Dyfed-Powys Police will follow guidance provided by the Information Commissioner’s Office (ICO) which includes the ICO Data Sharing Code of Practice.

Dyfed-Powys Police will adhere to the College of Policing APP and the Wales Accord on the Sharing of Personal Information (WASPI), as the basis for guidance and templates for the development and creation of information sharing agreements.

Applies (but not limited) to: All categories of Dyfed-Powys Police officers and staff, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors), seconded staff and volunteers. Police Officers, staff and volunteers accessing and using Force assets and property must have due regard to the contents of this policy.

  

2. Policy Scope

Information is a vital asset to the organisation.  Every department and individual uses information on a daily basis in order to fulfil the requirements of their role.  This resource has to be managed and used appropriately to ensure Dyfed-Powys Police (DPP) is effective and efficient in meeting its responsibility for policing purposes and its statutory obligations. A policing purpose is defined as:

  1. protecting life and property;
  2. preserving order;
  3. preventing the commission of offences;
  4. bringing offenders to justice;
  5. any duty or responsibility arising from common or statute law.

DPP is committed to working in a joined-up manner with partner agencies to tackle issues relating to policing, protecting the public, crime and anti-social behaviour.

Effective information sharing facilitates good relations within the police service, with partner agencies, third parties, other organisations and the communities of the Dyfed-Powys Police area.

Information sharing between DPP and third parties is encouraged, however, there are processes in place to ensure that this is done safely, securely and in line with legislation.

Where the regular sharing of information is required, formalised information sharing agreement (ISA) must in place where regular sharing of information is taking place.

DPP is a signatory to the Wales Accord on the Sharing of Personal Information (WASPI) and will pay due regard to the Accord and relevant guidance. Any ISAs will follow the WASPI template(s).

An updated list of sharing agreements is available through the Information Management and Compliance Department. Where there is no existing ISA, advice must be sought as to whether one would be required.

There are circumstances where an ISA may not be necessary, for example where the sharing is in emergency circumstances (more details below) or where non-regular sharing is taking place and there is a lawful basis engaged to cover that sharing.   Again advice must be sought from the Information Management and Compliance Department

Before any new regular sharing activity commences, a Data Protection Impact Assessment (DPIA) must be undertaken. This is used to identify privacy risks associated with the sharing of personal information in each case. A Template and guidance is available from the Information Management and Compliance Team

In emergency situations, Data Protection legislation allows the disclosure of personal data if it is in “the vital interests” of any person.  DPP will ensure that in these circumstances information is shared promptly and effectively. 

This applies only in exceptional, one-off disclosures of data in unexpected or emergency situations.

EXAMPLE:  Cases of life or death, where an individual’s identity and/or medical history is disclosed to a hospital’s A&E department to assist with treatment, following a serious traffic collision.

Disclosure should only take place when there are conditions of real urgency necessitating the immediate sharing of data without reference to written guidelines and/or agreements. The rationale for sharing the information in these circumstances should be recorded on the master Force Record ie STORM, NICHE etc along with the legal basis for sharing and who the information was shared with.

Information sharing will only take place within the appropriate statutory and common law framework.  Proper regard shall be paid to Data Protection legislation, the Human Rights Act 1998 and the common law duty of confidence.

All staff will be provided with the appropriate guidance with regard to the sharing of information with other agencies, to ensure that realistic expectations prevail and that common standards are applied across the organisations to address compliance with the Data Protection principles. 

Everyone is responsible for ensuring that when information is shared, it is done so lawfully,  proportionately and in line with organisational policies and procedures.

Guidance on the types of agreements that may be used can be discussed with the Information Sharing Team.

 

3.  Powers and Policy/Legal Requirements

Dyfed-Powys Police has a legal obligation to comply with the UK General Data Protection Regulations (UK GDPR) and the Data Protection Act 2018.   Dyfed-Powys Police will refer to the College of Policing, APP - Information Management – Information Sharing, the ICO Code of Practice on Information Sharing and WASPI in the preparation of information sharing agreements.

The ICO (Information Commissioners Office) are the independent supervisory authority for data protection in the UK and uphold information rights for the public.  Any breaches of data under the UK GDPR or DPA may be enforced by them with the powers they hold, as set out in Part 6 of the DPA 2018.  This may, for example include warnings, fines or penalty notices.  For serious breaches, fines of up to £17.5 million may be imposed. 

Relevant legislation:

  • Data Protection Act 2018
  • UK General Data Protection Regulation (UK GDPR)
  • Human Rights Act 1998
  • Freedom of Information Act 2000

Other Policy, Code of Practice and Guidance Documents

  •  Article 29 Working Party (now the European Data Protection Board (EDPB)).
  • Dyfed-Powys Police Data Protection Impact Assessment guidance document
  • Dyfed-Powys Police Records Management Policy
  • Dyfed-Powys Police Data Protection Policy
  • Dyfed Powys Police Data Protection Breach Policy
  • College of Policing APP – Information Management – Information Sharing
  • ACPO Guide to Police Service Publication Scheme Compliance v4.0 (ACPO Minimum Requirements)
  • ICO Data sharing: a code of practice
  • ICO Data Sharing Information hub
  • ICO Data Protection Impact Assessments Guidance
  • International Standard on Records Management, ISO 15489
  • The Wales Accord on the Sharing of Personal Information (WASPI)
  • Code of Practice on police information and records management July 2023

In addition, certain data will be subject to other legislation covering particular subject areas.  Departments should ensure that they are aware of the legislation governing their work and its bearing on data sharing.

 

4.  Options and Contingencies

Roles and Responsibilities within Dyfed-Powys Police

Chief Constable: The Chief Constable of Dyfed-Powys Police is the Data Controller and as such has overall responsibility for the lawful processing of all personal data processed by the Force. They also have overall accountability for procedural documents and have ultimate responsibility for compliance of this policy and data protection across the entire Force.

Senior Information Risk Owner (SIRO): The Deputy Chief Constable (DCC) of Dyfed-Powys Police is the appointed Senior Information Risk Owner (SIRO). They are responsible for:

  • Overall accountability for information risk across the Force
  • Representing and championing information risk
  • Remaining up-to-date on all necessary training in order to remain effective in their role as SIRO
  • Understanding the impact of information risks on the Force’s risk register, and how those risks may be minimised and managed, and
  • Chairing the Information Assurance Board

 

Data Protection Officer (DPO): The Head of Information Management of Dyfed-Powys Police is the appointed Data Protection Officer (DPO). They are responsible for:

  • Protecting the confidentiality of personal data across the Force
  • Representing and championing data protection issues and requirements
  • Ensuring that the Force satisfies the highest practical standards for handling personal data
  • Enabling suitable information sharing with other bodies
  • Ensuring that data protection issues are appropriately reflected in Force policies, procedures, processes and strategies for officers, staff and volunteers
  • Assisting the Force in demonstrating compliance with UK data protection legislation as part of the enhanced focus on accountability
  • Acting as a point of contact for data subjects and the ICO, and
  • Informing and advising on data protection obligations Force wide.

Information Asset Owner(s): Information Asset Owners (IAO) are senior officers and staff who are the nominated owners of one or more identified information assets. They are responsible for:

  • Ensuring that the information assets that they have responsibility for are appropriately protected and any information sharing undertaken is shared appropriately, in line with legislation and any relevant information sharing protocols which are in place.
  • IAO’s are responsible for ensuring that appropriate information sharing protocols are in place where regular sharing of information is taking place between the Force and partner agencies.
  • IAO’s are responsible for ensuring that early engagement with the Information Management and Compliance Department takes place where new information sharing activities are being considered.
  • Monitoring and understanding what information – paper and electronic – is being held and how it is maintained; knowing and approving who has access to it and why.
  • Seeking to use information fully within the law
  • Identifying and addressing risks to the information, and
  • Encouraging a culture that values, protects and uses information for the public good.

 

Disclosure, Records and FOI Manager: The Disclosure, Records and FOI Manager has responsibility for the oversight of the preparation of information sharing protocols. They are responsible for:

  • To effectively direct, control, monitor and provide management oversight of the activities carried out by information sharing officers in order to ensure compliance.
  • Ensuring that information sharing staff have the relevant, support, skills and competencies required to undertake their role and ensuring that they have a good understanding of their role and responsibilities with the aim of providing an effective service in compliance with relevant legislation, guidance, policy etc.
  • Provide specialist advice on information sharing matters to staff across the Force.
  • Establish procedures and safeguards to manage the Chief Officer’s statutory obligations in respect to the disclosure of information under information compliance legislation.

 

Information Sharing Officers: Information Sharing Officers are responsible for:

  • The co-ordination and preparation of all information sharing protocols, data processing contracts, data disclosure agreements and associated documents.
  • To administer and co-ordinate the data protection impact assessment process within the Force.
  • Through proactively working with Force departments and Basic Command Units (BCUs) identify information sharing and information disclosure activities and ensure that, where necessary, data protection impact assessments have been undertaken and relevant agreements are in place
  • To develop and sustain effective working relationships with Dyfed-Powys Police officers, staff and volunteers, OPCC staff, partner agencies and other agencies.
  • To provide specialist advice to colleagues, partner agencies and other agencies on correct protocols to follow in respect to information sharing, data disclosures and the data protection impact assessment process.
  • To maintain a record of and manage agreements and accompanying documents in respect of all information sharing and data disclosures and data protection impact assessments for the Force.
  • To support the Disclosure, Records and FOI Manager to implement and monitor all procedural changes necessitated by legislative changes.
  • To keep up to date with developments and changes in relation to information sharing, information disclosure and data privacy and to keep abreast of national changes to Information Management and Compliance practices, changes to relevant legislation, Information Commissioner’s Office Code of Practice and guidance and the Wales Accord on the Sharing of Personal Information (WASPI) in order to provide guidance and support to staff, officers and external customers in such matters

 

Data Protection Advisor: The Data Protection Advisor is responsible for:

  • Providing Data Protection advice as part of the development of information sharing agreements to include advising on the legal basis for the sharing of personal information.
  • Maintaining awareness of data protection issues across the Force
  • Provide specialist advice on information sharing matters to staff across the Force
  • Encouraging a culture that values, protects and uses information for the public good
  • Ensuring all line managers are aware of their responsibilities and accountability regarding data protection.
  • Ensuring all officers, staff and volunteers are provided with the appropriate and necessary training to further their understanding of the principles of data protection and their application, and
  • Informing and advising on data protection obligations Force wide

 

Information Assurance Board: The role of the Board is:

  • To maintain strategic oversight, and support the management of, all activities related to the use, processing, retention, and transmission of information or data under the control of Dyfed-Powys Police and the structures, systems and processes used for those purposes in accordance with the College of Policing APP on Information Management which includes the Act and the Regulation.
  • Provide governance support and direction to the Information Management and Compliance Department in line with the Force vision to ‘Safeguard our Communities Together’; and
  • Work in line with the other groups and boards in delivering the mission, vision and values of the Force, the Chief Constable’s vision and the delivery plan in support of the Police and Crime Plan.

 

Line Managers:  All Line Managers are responsible for:

  • Ensuring that the Information Sharing Policy is implemented and adhered to within their department.
  • Ensuring that appropriate information sharing protocols are in place where regular sharing of information is taking place between the Force and partner agencies.
  • Ensuring that early engagement with the Information Management and Compliance Department takes place where new information sharing activities are being considered.
  • Ensuring that where information sharing is taking place that it is undertaken appropriately, in line with legislation and sharing activity is appropriately recorded.

 

All Officers, Staff and Volunteers: All officers, staff and volunteers have responsibility for:

  • Ensuring that they are familiar with the Data Protection Act 2018 and take personal responsibility to secure data, keep it up to date and share only what is necessary in line with legislation, guidance, and with force policies and procedures.
  • All officers, staff and volunteers are responsible for adhering to the Information Sharing Policy and related documentation.
  • Ensuring that appropriate information sharing protocols are in place when considering sharing information with partner agencies, unless the sharing is deemed to be urgent, as identified above.
  • Ensuring that where information sharing is taking place that it is undertaken appropriately, in line with legislation and sharing activity is appropriately recorded.
  • Ensure that only the minimum necessary amount of information will be shared.

 

5.  Take action and review

The SIRO, DPO and Information Assurance board will be kept informed of the Information Sharing agreements in place.

This policy is owned by the Information Management and Compliance Department. The review process will be conducted by the Information Sharing officer under the direction of the Disclosure, Records and FOI Manager every two years to ensure the continued effectiveness of the policy, and taking into account any changes to legislation, national guidance, ICO guidance, etc., unless changes before this period indicate that this policy requires updating. 

The effectiveness of the policy will be monitored regularly within the two-year review period and any major concerns will be escalated as appropriate.  Information sharing agreements will be subject to auditing to ensure the effectiveness of the provision of Information Sharing Agreements in line with this policy.

In the case of any queries regarding this policy, its content, or associated guidance documentation - individuals should contact Dyfed-Powys Police Information Sharing Officers or the Disclosure Records and FOI Manager.

Appropriate promotion of this policy will take place which can include awareness raising when training inputs and presentations are provided to staff across the Force. The policy will be made available on the Force Intranet and Internet. 

Where there are issues identified, the Information Sharing Officer(s) or the Disclosure, Records and FOI Manager will work closely with representatives from the relevant departments to address the issues and ensure that lessons are learned.

Any issues of concern or risk in respect to compliance with the sharing of information will be escalated to the Data Protection Officer, Data Protection Advisor, Force Information Security Officer, Force SIRO and/or the Information Assurance Board, dependent on severity.

Where it is established that a Data breach has occurred as a result of the sharing of information, the Force Data Protection Breach Policy and associated data breach reporting process will be followed.

If that reporting, and subsequent investigation, highlights issues with this policy, the information sharing process, information sharing protocols and or any associated guidance, then a review of those will be necessary The Disclosure, Records and FOI Manager will work closely with representatives from the relevant departments and the Data Protection Advisor to address the issues and ensure that any lessons learned are reported and cascaded as necessary.

Key Performance Indicators: Statistics in relation to past, current and future agreements will be reported monthly to the Data Protection Officer and quarterly to the Information Assurance Board.

CODE OF ETHICS CERTIFICATE OF COMPLIANCE

This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.

HUMAN RIGHTS ACT CERTIFICATE OF COMPLIANCE

This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.

EQUALITY IMPACT ASSESSMENT

Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.

The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:

  • eliminate discrimination, harassment, victimisation, and any other conduct that is unlawful under the Act;
  • advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it;
  • foster good relations between persons who share a relevant protected characteristic and persons who do not share it.

The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.

Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty. 

EQUALITY IMPACT ASSESSMENT COMPLETED: September 2024