Data protection legislation requires that the PSNI is open and transparent in relation to how it uses personal data and that anyone processing personal data comply with six data protection principles of good practice. Please also refer to the PSNI’s Adult Privacy Notice and Children's Privacy Notice for more information about how PSNI process personal data.
- What is Personal Data?
- The Data Protection Principles
- Obtaining Information under Data Protection including individuals rights
The use and disclosure of personal data is governed in the United Kingdom by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Where PSNI is processing information for their law enforcement purposes PSNI must comply with Part 3 of the Data Protection Act, personal data processed for all other purposes will be done so in line with GDPR. The Chief Constable of the Police Service of Northern Ireland is registered with the Information Commissioner as a ‘data controller’ for the purposes of this legislation. As such he is obliged to ensure that the Police Service of Northern Ireland handles all personal data in accordance with the legislation. The Police Service of Northern Ireland takes that responsibility very seriously and takes great care to ensure that personal data is handled appropriately in order to secure and maintain individuals’ trust and confidence in the service.
What is ‘personal data’?
This is defined as information relating to an ‘identifiable nature person’ who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Data Protection Principles
These principles must be complied with by the PSNI when processing personal data, unless an exemption from them applies.
Law Enforcement Processing
- Processing of personal data for any law enforcement purposes must be lawful.
- The law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and personal data collected must not be processed in a manner that is incompatible with the purpose for which it was originally.
- Personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.
- Personal data processed for any of the law enforcement purposes must be accurate and where necessary, kept up to date and every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay.
- Personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purposes for which it is processed. Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes.
- Personal data processed for any of the law enforcement purposes must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures.
All Other Types of Processing
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Obtaining information under data protection legislation, including individuals rights
- To prevent or detect crime. It is often the case that to prevent or detect crime or to locate an offender the PSNI must obtain information from another organisation or share information with them. The legislation allows PSNI and other organisations to both request and disclose this type of information, lawfully. When the PSNI requests information from another organisation we must complete a form and send it to the organisation, which may hold the information.
- Individuals’ rights. Individuals have a number of rights under the data protection legislation:
- Subject Access. If you would like to exercise this right please click here for your information.
- Right to rectification, erasure, restriction, and data portability, the right to object, and the right not to be subject to automated processing. If you would like to exercise any of these rights please click here for more information
