Data Protection Standard Operating Procedurethe Regulation EU 2016/679, otherwise known as the General Data Protection Regulation (GDPR) and its recitals; the Data Protection Act 2018

Version 7.00 (Publication Scheme)

Data Protection

Standard Operating Procedure

Notice:

This document has been made available through the Police Service of Scotland Freedom of Information Publication

Scheme. It should not be utilised as guidance or instruction by any police officer or employee as it may have

been redacted due to legal exemptions

Owning Department: Professionalism and Assurance

Version Number: 7.00 (Publication Scheme)

Date Published: 23/09/2018

Version 7.00 (Publication Scheme) 2

Compliance Record

Equality and Human Rights Impact Assessment (EqHRIA) Date Completed / Reviewed:

23/05/2018

Information Management Compliant: Yes

Health and Safety Compliant: Yes

Publication Scheme Compliant: Yes

Version Control Table

Version History of Amendments Approval Date

1.00 Initial approved version 14/03/2013

2.00 No change to content, updated to new template. 04/11/2016

3.00 Cyclical review. SOP fully rewritten. 06/11/2017

4.00 SOP rewritten to incorporate the Data Protection Act 2018 and the General Data Protection Regulation.

23/05/2018

5.00 Amendment to section 19 - changes to sections referred to under the Data Protection Act.

06/11/2018

6.00 General Data Protection Regulation links updated 17/09/2019

7.00

Hyperlinks to GDPR corrected in following paragraphs: 3.1, 4.3, 5.1, 6.1, 6.3, 7.4, 11.2, 11.3, 12.1, 13.1, 14.2, 15.4, 18.2 and bullet point one in Appendix ‘A’.

23/09/2019


Contents 1. Purpose

2. Training in Data Protection 3. Data Protection Legislation 4. Definitions under the Data Protection Legislation 5. Compliance with the Data Protection Principles 6. Lawfulness of Processing – General Data Protection Regulation 7. Use of Consent for Processing – General Data Protection Regulation 8. Lawfulness of Processing – Law Enforcement 9. Use of Consent for Processing – Law Enforcement 10. Transparency and Accountability 11. Privacy Notices 12. Rights of the Data Subjects 13. Data Protection Impact Assessments and Data Protection by Design and

Default 14. Data Processors 15. Record of Processing Activities 16. Role of the Data Protection Officer 17. Personal Data Breaches 18. Failure to Comply with the Provisions of the Data Protection Legislation 19. Criminal Offences 20. Purposes for which Personal Data are Processed


21. Accessing Police Scotland Systems

21.1 Personal Data within Police Scotland Systems to which Access is Permitted

21.2 Personal Data within Police Scotland Systems to which Access is not Permitted

21.3 Personal Data Accessed Through Normal Working Practices

22. Disclosure of Personal Data Held Within Police Scotland Systems 23. Suspected Breaches of the Act – Sections 166 to 169 24. Concerns Regarding Conduct of Others 25. How Officers and Staff may obtain their Personal Data held by Police Scotland 26. Further Advice and Guidance

Appendices

Appendix ‘A’ List of Associated Legislation

Appendix ‘B’ List of Associated Reference Documents

Appendix ‘C’ List of Associated Forms

Appendix ‘D’ Glossary of Terms

Appendix ‘E’ Contact Details


1. Purpose 1.1 This Standard Operating Procedure (SOP) supports the Police Service of

Scotland (hereafter referred to as Police Scotland) Data Protection Policy. 1.2 This SOP provides both officers and staff, hereafter referred to as employees,

with information regarding the latest Data Protection (DP) legislation. 1.3 It also provides all employees of Police Scotland with clear guidance on the

correct use of the personal data held, examples of misuse and details of the criminal offences under the new DP legislation that can be committed when personal data are misused.

2. Training in Data Protection 2.1 All police officers, staff, special constables, temporary and agency staff, and

contractors will receive induction training before being given access to information and ICT systems.

3. Data Protection Legislation 3.1 The term ‘data protection legislation’ means

the Regulation EU 2016/679, otherwise known as the General Data Protection Regulation (GDPR) and its recitals;

the Data Protection Act 2018 (the Act);

and

any regulations made under the Act

3.2 As an EU regulation, the GDPR came into direct effect in the UK on 25th May 2018 without going through parliament.

3.3 The GDPR is in two separate sections. The recitals at the beginning, followed

by Articles. The Articles are law (similar to sections of an act) and the recitals provide guidance on the interpretation of the Articles. The recitals may change with the development of case law but the Articles will not.

3.4 The GDPR deals with the protection of individuals (data subjects) with regards

to the general processing of personal data, which for ease of reference means it relates to personal data processed for non-law enforcement purposes. General processing includes the processing of criminal convictions etc. for non-law enforcement purposes, e.g. vetting.

3.5 An EU Directive for the processing of personal data for law enforcement

purposes was agreed by all EU countries which had to be transposed into UK legislation.


3.6 The 2018 Act repeals the Data Protection Act 1998 with effect from 25th May 2018 and incorporates the EU Law Enforcement Directive and derogations (exemptions) allowed by both the GDPR, and the Directive.

3.7 The Act has seven parts and eighteen Schedules:

Part 1 gives an overview of the Act and defines some of its key terms.

Part 2 covers general processing in line with the GDPR. It also covers other general data processing in areas outside the scope of EU law.

Part 3 covers the processing of personal data for law enforcement purposes.

Part 4 covers the processing of national security data (MI5, MI6 and GCHQ).

Part 5 preserves the functions of the Information Commissioner’s Office (ICO).

Part 6 covers the enforcement of the data protection regime and the ICO’s powers.

Part 7 relates to various issues including regulations to be made under the Act and penalties for offences.

4. Definitions under the Data Protection Legislation 4.1 All processing of personal data must comply with the relevant parts of the

Data Protection (DP) legislation. 4.2 The definitions of commonly used terms in relation to processing are as

follows:

‘Personal Data’ means any information relating to an identified or identifiable living individual (the data subject).

‘Identifiable Individual’ is one who can be identified, directly or indirectly, in particular by reference to:

a) an identifier such as a name, ID number, location data or online identifier

or

b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual

‘Processing’ in relation to personal data is anything at all that we do with personal data, e.g. gathering, holding, accessing, altering, disclosing, deleting, etc.


‘Controller’ means a person or legal person, public authority, agency or other body which alone or jointly with others, decides the purposes and means of processing of personal data. Police Scotland as a public authority is the controller for all personal data processed by the organisation.

‘Processor’ means a person or legal person, public authority, agency or body which processes personal data on behalf of the controller (other than an employee of the controller).

‘Law Enforcement Purposes’ are defined as the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”. Processing personal data for law enforcement purposes can only be carried out by competent authorities listed in Schedule 7 of the Act. Police Scotland is a competent authority.

‘Restriction of Processing’ means the marking of stored personal data with the aim of limiting their processing in the future.

‘Criminal Convictions and Offences or Related Security Measures’ include personal data relating to:

a) the alleged commission of offences by the data subject or

b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.

‘Special/Sensitive Categories’ of data means processing of personal data revealing:

racial or ethnic origin

political opinions

religious or philosophical beliefs

Trade Union membership

data concerning health

data concerning an individual’s sex life or sexual orientation and

the processing of genetic data or biometric data for the purposes of uniquely identifying an individual.

4.3 For other definitions see Article 4 of the GDPR and Part 2 and 3 of the Act.

4.4 The DP legislation places a number of legal requirements on controllers and

these are dealt with below.


5. Compliance with the Data Protection Principles 5.1 Article 5 of the GDPR prescribes the principles relating to the processing of

personal data. 5.2 Part 3 of the Act prescribes the principles for processing law enforcement

information. 5.3 All of the principles must be complied with in all cases, unless an exception

applies. 5.4 The reason for processing personal data must be established to ensure the

correct data protection legislation is applied.

6. Lawfulness of Processing – General Data Protection Regulation

6.1 There are a number of conditions, at least one of which must apply before

personal data can be processed. These are listed in Article 6. 6.2 Police Scotland has often relied on the ‘legitimate interests’ condition. This is

no longer an option when Police Scotland is carrying out its public tasks and so another condition must be found. The most common will be Article 6.1(e), ‘processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller’.

6.3 Processing special categories of personal data requires that a further

condition is satisfied; these are listed in Article 9.

7. Use of Consent for Processing – General Data Protection Regulation

7.1 All other conditions for processing personal and special categories of personal

data must be considered before consent. 7.2 The guidance is that as a public authority and an employer, Police Scotland

should avoid the use of consent due to the imbalance of power between the organisation and its employees or the public.

7.3 If it is identified that consent is the only lawful basis for processing then careful

consideration must be given as to why the processing is required. 7.4 Article 7 prescribes the conditions for processing using consent. 7.5 Consent of the data subject means any:

freely given

specific


informed

and

unambiguous indication

of the data subject’s wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

7.6 Each of the points must be satisfied for the consent to be valid. 7.7 A data subject must also be able to withdraw consent as easily as they

provided it, at no detriment to them. 7.8 The ICO has guidance on the use of consent. This may be expanded on in

time. 7.9 Information Management (IM) must be consulted before processing begins if it

is believed consent be the most appropriate condition for processing. See also Section 13 below regarding Data Protection Impact Assessments.

8. Lawfulness of Processing – Law Enforcement 8.1 Processing personal data for law enforcement purposes is defined in the first

principle in Section 35 of the Act. 8.2 It states that processing personal data for law enforcement purposes must be

lawful and fair, and that it will be lawful only to the extent that it is based on law and either:

(a) the data subject has given consent to the processing for that purpose,

or

(b) the processing is necessary for the performance of a task carried out for that purpose by a competent authority.

8.3 It goes on to say that when the processing is of sensitive personal data, the

processing is only permitted in one of two cases. These are that:

(a) the data subject has given consent to the processing and

(b) at the time the processing is carried out, an appropriate policy document (APD) is in place

or

(a) the processing is strictly necessary for law enforcement purposes,

(b) the processing meets at least one of the conditions in Schedule 8

and

(c) at the time the processing is carried out an Appropriate Policy Document (APD) is in place


8.4 Details of what must be included in an APD is in Section 42 of the Act and

further guidance can be obtained from IM.

9. Use of Consent for Processing – Law Enforcement 9.1 It is envisaged that using consent for law enforcement purposes will be rare

e.g. biometric data for elimination purposes, which will not be a common occurrence.

9.2 When it does occur, the data subject must be informed in a clear and

unambiguous manner about the voluntary nature of their agreement and should be given the possibility to withdraw it at any time, e.g. in the case of collection of fingerprints or biological samples.

9.3 The consent of a data subject must be recorded.

10. Transparency and Accountability 10.1 One major difference between the previous data protection act and the GDPR

is that in addition to complying with the principles, Police Scotland now has to be able to demonstrate compliance.

10.2 This means that documentation must be produced and retained to enable

Police Scotland to demonstrate this and to prove compliance to the satisfaction of the Information Commissioner’s Office (ICO).

11. Privacy Notices 11.1 The GDPR requires that controllers must provide certain information to a data

subject in writing at the time the information is collected from the individual. 11.2 This is done by the means of a privacy notice which also complies with the

accountability principle. Article 13 of the GDPR gives details of what must be included. However, the information in that Article does not need to be provided insofar as the data subject already has the information.

11.3 If information is gathered from someone other than the data subject, further

information must also be provided. This is dealt with in Article 14. 11.4 When processing personal data for law enforcement purposes the Act requires

that the controller makes certain information available in a privacy notice to data subjects. The Act does not require that we provide the information directly to the data subjects, but instead it can be done by making it generally available to the public, e.g. on the internet.


11.5 There are exemptions in relation to what must go in a privacy notice. These are detailed in both the GDPR and the Act.


12. Rights of the Data Subjects 12.1 The GDPR (Articles 15 to 19 and 21) and the Act (Sections 45 to 47) confer a

number of rights on the data subjects. 12.2 These rights are:

Right of access to their personal data held by Police Scotland by means of a Subject Access Request (SAR) – (Refer to the Police Scotland Subject Access Requests SOP). These requests are dealt with by IM

Right to have inaccurate data rectified, this includes having incomplete personal data completed

Right to erasure of personal data (‘right to be forgotten’). This is particularly important when the processing has been based on the consent of the data subject

Right to restriction of processing

Right to object to processing. This right does not apply when the information is processed for law enforcement purposes.

12.3 There are conditions attached to these rights which are detailed in the Articles

and Sections stated above.

13. Data Protection Impact Assessments and Data Protection by Design and Default

13.1 Article 25 of the GDPR and Section 64 of the Act provide that Police Scotland

has a legal obligation to implement technical and organisational measures to demonstrate that we have considered and integrated data protection into the processing activities.

13.2 Wherever a policy, project, system, process or initiative includes the

processing of personal data, that processing must be compliant with data protection legislation at the point of delivery.

13.3 Completing a Data Protection Impact Assessment (DPIA) will assist in

assessing whether the proposed processing delivers ‘Data Protection by Design and by Default’ in compliance with data protection legislation. DPIAs also contribute to the requirement to keep records of personal data processing activities.

13.4 Advice must be sought from the Data Protection Officer (DPO) when carrying

out a DPIA. 13.5 The DPIA must be done at the very beginning of a project. This ensures that

necessary changes can be made to the envisaged processing, rather than issues only being identified later in the project when making changes can be costly.


13.6 The DPIA Guidance and Templates are on hosted on the Police Scotland

Intranet. There are separate templates and guidance for GDPR processing and law enforcement processing.

13.7 Further guidance will be provided by IM.

14. Data Processors 14.1 A processor is a person or legal person, public authority, agency or body

which processes personal data on behalf of the controller (other than an employee of the controller).

14.2 When engaging a processor to carry out the processing of personal data on

behalf of Police Scotland, certain conditions must be met and a contract put in place which is binding on the processor. These are listed in Articles 28 and 29 of the GDPR and Sections 59 and 60 of the Act.

14.3 Many of these contracts will be dealt with by procurement. 14.4 Further guidance on this can be obtained from IM.

15. Record of Processing Activities 15.1 The DP legislation requires that controllers must keep a record of all

processing activities. 15.2 If a processor is involved in the processing of Police Scotland’s personal data,

that processor must also keep such a record. 15.3 This information will be collected as a result of the internal audit carried out by

the DP Reform Team initially, however, if any new processing is envisaged, or it is intended to use personal data already held, for another purpose, then in addition to carrying out a DPIA (see paragraph 6.6), a record must be kept of the processing activities decided upon.

15.4 The record must contain the details listed in Article 30 of the GDPR for general

processing and Section 44 of the Act for law enforcement processing. 15.5 These details must then be forwarded to the records manager within IM who

will retain them, as they must be made available to the ICO on request.

16. Role of the Data Protection Officer 16.1 As a public authority, Police Scotland must have a Data Protection Officer

(DPO).


16.2 The role and tasks of the DPO are laid down in the data protection legislation. 16.3 As a minimum, the DPO must:

inform and advise the controller, any processor and employees of their obligations under the legislation

monitor compliance of Police Scotland with the data protection legislation

monitor compliance with the policies of Police Scotland in relation to the processing of personal data

provide advice on, and monitor the progress of DPIAs

consult, co-operate and act as the single point of contact with the ICO. 16.4 The name and contact details of the DPO must be published and

communicated to the ICO. Data subjects can contact the DPO directly in relation to the processing of their personal data and to the exercise of their right under the data protection legislation.

17. Personal Data Breaches 17.1 A personal data breach is defined as:

‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.

17.2 A personal data breach must be reported to the ICO within 72 hours of it being

discovered. Failure to report a personal data breach to the ICO can lead to a fine of 10 million euros.

17.3 Examples of data breaches include:

personal data being sent to an incorrect recipient, either by e mail or post

disclosure of information to a person who is not entitled to have it

unauthorised accessing of information

and

theft or loss of:

o a USB stick

o clerical papers

o laptop or Surface Pro

o RAS token

o Blackberry or mobile phone

o PDAs

o DVDs


o Warrant cards

Note: This list is not exhaustive. 17.4 Anyone who identifies a personal data breach must report it immediately in

line with the Information Security Incident Reporting SOP.

18. Failure to Comply with the Provisions of the Data Protection Legislation

18.1 Failure to comply with the data protection legislation can leave Police Scotland

open to administrative fines by the ICO of up to 20 million euros.

18.2 Further details relating to administrative fines are in Article 83 and Section 154 et seq. of the Act.

19. Criminal Offences 19.1 There are a number of criminal offences under the DP legislation. These are

detailed in Sections 170 to 173 of the Act. They are: It is an offence for a person to knowingly or recklessly –

(a) obtain or disclose personal data without the consent of the controller

(b procure the disclosure of personal data to another person without the consent of the controller,

or

(c) after obtaining the personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.

19.2 It is an offence to sell or offer to sell personal data held by Police Scotland. 19.3 It is an offence to knowingly or recklessly, without the consent of the controller

to re-identify information which is personal data that has been previously de-identified.

19.4 It is an offence for a controller or a person employed by a controller, an officer

of the controller, or subject to the direction of a controller to:

alter

deface

block

erase

destroy or


conceal

information with the intention of preventing disclosure that a person making a subject access request would have been entitled to.

20. Purposes for which Personal Data are Processed 20.1 Personal data are processed by Police Scotland for:

all aspects of policing

the provision of services to support policing

the provision of administration and ancillary support to policing. 20.2 All officers and staff will receive training specific to the relevant systems and

processes they use and this may consist of on the job training.

21. Accessing Police Scotland Systems 21.1 Personal Data within Police Scotland Systems to which Access is

Permitted

21.1.1 Access to personal data within Police systems, whether held electronically or in manual records is permitted by Police Scotland to enable officers/employees to carry out their specific roles within their business areas.

21.1.2 The permission to access a system extends only to the specific records within

that system which need to be accessed to allow officers and staff to carry out their role.

21.1.3 Certain employees, as part of their specific roles are permitted to access

records of other employees of Police Scotland. Examples of these are, Anti-Corruption Unit (ACU), Information Management (IM), Professional Standards Department (PSD), People and Development (P&D), and Information Communications Technology (ICT).

21.1.4 In all such cases, the access is limited to those records necessary for the

purpose of carrying out the duties of the role. 21.1.5 Officers and staff may access their own SCoPE record and the SCoPE

records for other personnel within Police Scotland for whom they have management responsibilities or when required for P&D or for administrative or business purposes.

21.2 Personal Data within Police Scotland Systems to which Access is not

Permitted

21.2.1 Employees do not have permission to access any record which is not necessary for the purposes of their job role. Accessing such records may constitute a criminal offence. (See Section 19). Such records include:


records of people known to them through their personal life*, even if requested to by such a person; (see also paragraph 21.3, below relating to accessing such records through the normal course of the job role).

records to trace a person, vehicle or address for personal reasons,

records of any other police employee including their own; (but see 21.1 above)

accessing any record out of curiosity, or due to an interest in a specific type of case, e.g. sexual or violent, or because a case is high profile.

21.2.2 *The term ‘personal life’ relates to their life outside the Force but is not

intended to include a person with whom officers and staff have a passing acquaintance. It is not a chance meeting with a person which may be repeated from time to time.

21.2.3 Subject to paragraph 21.2.5, below, officers and staff should not be allowed to

be involved in an investigation relating to anyone known to them through their personal life, except in the role of a witness if necessary, and under no circumstances should they attempt to access the records of the investigation.

21.2.4 Accessing records contrary to the instructions above may constitute a criminal

offence and will be investigated by PSD. 21.2.5 Should it be necessary for an officer to be involved in an investigation of a

person known to them through their personal life, e.g. where no other officer is available, the relevant supervisor must allocate the investigation to another officer as soon as possible. In any cases of doubt, guidance should be sought from PSD/ACU.

21.2.6 Any unsuccessful unauthorised attempts to access data will be considered a

breach of professional behaviour and may be investigated under the relevant conduct/disciplinary procedures. This includes attempts to access data (i.e. searches) where there is no record in existence, access to the record has been restricted or access was unsuccessful for any other reason. Police Scotland has the ability and right to monitor access or attempts to access the data it holds.

21.2.7 These controls are not designed to restrict officers and staff from performing

their roles. A reasonable test to apply is to ask “Taking account of the instructions within this document, can I justify accessing this record for a specific lawful purpose?”

21.2.8 If there is any doubt, then do not access the record. Instead guidance should

be sought from the relevant line manager, IM, PSD or ACU. The contact details are in Appendix ‘E’.

21.3 Personal Data Accessed Through Normal Working Practices

21.3.1 If during the course of carrying out their role, an officer or member of staff

discovers that they have accessed the record of an individual known to them


through their personal life, they must immediately log out of the record relating to that person, bring it to the attention of their supervisor, and provide them with evidence in support of why the record was accessed. The supervisor will then take action as in paragraph 21.3.4. The exception to this is when accessing the information is necessary for an ongoing incident or emergency, and the supervisor must be notified immediately after the event.

21.3.2 This action is necessary for the protection of the individual officer or member of staff should there be any question of why the record was accessed.

21.3.3 The supervisor should keep a record of the report and can seek advice from

PSD if required.

21.3.4 The supervisor must allocate the work to another officer or member of staff unless it is not possible due to exceptional circumstances, e.g. there is no one else available to whom the work can be allocated. Permission to continue with the work must be authorised by an officer not below the rank of at least Inspector or by a senior police staff manager not below Band ‘G’ and at least one rank/grade above the individual concerned. The authorisation must be recorded and available in an auditable format.

22. Disclosure of Personal Data held within Police Scotland Systems

22.1 Information must only be disclosed when it is lawful to do so. 22.2 Officers and staff will be trained for their roles (see paragraph 20.2) and this

will include guidance, when relevant to the role, on sharing information routinely with a variety of external bodies/partner organisations such as Local Authorities.

22.3 When there is any question or doubt as to whether the information should be

disclosed, advice must be sought from the relevant supervisor or Information Management. It must not be assumed that because an external body/partner asks for the information, that they are entitled to have it. Further guidance can be obtained from the Information Sharing SOP.

22.4 The DP legislation does not apply to the personal data of the deceased, but it

does apply to the living relatives of, or other people who had been involved with the deceased. Care must be taken therefore not to breach the legislation by making unlawful disclosures regarding these persons when making disclosures relating to a deceased person.

22.5. Unlawful disclosure of personal data is that which is made knowingly or

recklessly and without the consent of the data controller. For example, a disclosure which:

does not form part of a business process,

or


is made to a person who is not authorised to have it, (such as a disclosure of an investigation to the person under investigation)

is a criminal offence and therefore strictly forbidden.


23. Suspected Breaches of the Act – Sections 166 to 169 23.1 All suspected breaches of the Act, will either be:

reported to the Crown Office and Procurator Fiscal Service (COPFS) Criminal Allegations Against the Police Department (CAAPD) or

will be dealt with in accordance with agreed protocols. 23.2 For officers below the rank of Assistant Chief Constable, regardless of whether

COPFS decides to prosecute, a breach of the Act can also constitute a breach of the Standards of Professional Behaviour and amount to misconduct or gross misconduct. Any such breach will be referred to PSD for consideration of conduct proceedings under the relevant legislation.

The regulations to which this paragraph relates are:

The Police (Conduct) (Scotland) Regulations 1996,

The Police Service of Scotland (Conduct) Regulations 2013,

and/or

The Police Service of Scotland (Conduct) Regulations 2014. 23.3 For senior officers, i.e. Assistant Chief Constable, Deputy Chief Constable and

Chief Constable, a breach of the Act can also constitute a breach of the Standards of Professional Behaviour and amount to misconduct or gross misconduct and will be dealt with in accordance with the relevant legislation, i.e.

The Police (Conduct) (Senior Officers) (Scotland) Regulations 1996 ,

The Police (Conduct) (Senior Officers) (Scotland) Regulations 1999

The Police Service of Scotland (Senior Officers) (Conduct) Regulations 2013

23.4 For police staff a breach of the Act can also constitute a breach of the

Disciplinary SOP and/or the Code of Conduct. Any breach of the Code of Conduct will be investigated and assessed, and considered in line with the Disciplinary SOP.

23.5 Any breach may also be reported to the Information Commissioner’s Office

(ICO) in accordance with the Information Security Incident Reporting SOP.

24. Concerns Regarding Conduct of Others 24.1 If an officer or member of staff has any concerns regarding the conduct of a

colleague or a person known to them through their personal life, they must not access/attempt to access any records of that individual but instead they can use any of the following channels to report them:

through line management channels;


directly to ACU or PSD;

through the “Integrity Matters” link on the intranet which also provides guidance on what should be reported. This can be done anonymously if preferred;

through Crimestoppers.

25. How Officers and Staff may obtain Their Personal Data held By Police Scotland

25.1 As already stated, officers and staff may access their own SCoPE record. If

however they want to know what other personal data is held by Police Scotland in relation to them they may obtain it by making a Subject Access Request (SAR) using Police Scotland Form 052-002 and submitting it to the e-mail address on the form. There is no charge for this.

25.2 Guidance on how to make a SAR is on the Police Scotland website. Further

information can also be obtained from IM. Contact details are in Appendix E.

26. Further Advice and Guidance 26.1 Further advice and guidance regarding the contents of this SOP can be

obtained from IM, ACU or PSD. Contact details are in Appendix E.


Appendix ‘A’

List of Associated Legislation

The General Data Protection Regulation

Data Protection Act 2018 (DPA 2018)

The Police (Conduct) (Scotland) Regulations 1996

The Police Service of Scotland (Conduct) Regulations 2013

The Police Service of Scotland (Conduct) Regulations 2014



The Police Service of Scotland (Senior Officers) (Conduct) Regulations 2013

The Human Rights Act 1998

Public Records (Scotland) Act 2011


Appendix ‘B’

List of Associated Reference Documents Policies

Data Protection Policy Standard Operating Procedures

Email and Internet Security SOP

Government Security Classification SOP

ICT User Access Security SOP

Information Security SOP

IT Security SOP

Record Retention SOP

Secure Disposal and Destruction of Data SOP

Information Sharing SOP

ICT Acceptable Use of Computer Systems SOP

Mobile Data and Remote Working SOP

Information Security Incident Reporting SOP

Disciplinary SOP Guidance

Code of Conduct


Appendix ‘C’

List of Associated Forms

Subject Access Request Form 052-002


Appendix ‘D’

Glossary of Terms

ACU Anti-Corruption Unit

CAAPD Criminal Allegations Against the Police Department (of COPFS)

CHS Criminal History System

COPFS Crown Office and Procurator Fiscal Service

FOI Freedom of Information

GDPR General Data Protection Regulation

ICT Information Communications Technology

IM Information Management

P&D People and Development

PNC Police National Computer

PSD Professional Standards Department

PSI Police Scotland Identifier

SAR Subject Access Request

SCoPE System to Co-ordinate Personnel and Establishment

SID Scottish Intelligence Database

SOP Standard Operating Procedure

The Act The Data Protection Act 2018

URN Unique Reference Number


Appendix ‘E’

Contact Details

Information has been removed due to its content being exempt in terms of the Freedom of Information (Scotland) Act 2002, Section 30, Prejudice to Effective Conduct of Public Affairs.