UNCLASSIFIED National Probation Service – Data Protection Policy

UNCLASSIFIED Ref.: data_protection_policy_v2.4

National Probation Service – Data Protection Policy

Page i

National Probation Service

Data Protection Policy

January 2008

REFERENCES

Title: Data Protection Policy for the National Probation Service

Synopsis: Data Protection Policy to cover all members of the NPS Community

Reference: PIT-SEC-POL-0005 Data Protection Policy V2.3

Status: Issued

Version No.: 2.4

Date: 20th December 2007

Originator: A. Pearson

References:

British Standards Institute

BS ISO/IEC 27001:2005 Information Security Management Systems — Specification with Guidance for Use

ISO/IEC 27001-1:2000 Information Security Management – Part 1: Code of Practice for Information Security Management, BSI, 2000

National Probation Directorate /Home Office

Manual of Protective Security

NPS Business Continuity Policy

NPS Clear Desk Policy

NPS Community Information Security Policy

NPS Email & Internet Communications Policy

NPS Incident Management Policy

NPS IS & Network Monitoring Policy

NPS IT Asset and IT Media Disposal Policy

NPS Logical Access Control Policy

NPS Password Policy

NPS Physical Security Policy

NPS Protective Marking Policy

NPS Remote working Policy

NPS Vetting Policy

The Stationery Office

Computer Misuse Act 1990

Copyright, Designs and Patents Act 1988

Crime and Disorder Act 1998

Criminal Justice and Court Service Act 2000

Data Protection Act 1998

Data Protection Codes of Practice

Disability Discrimination Act 1995

Electronic Communications Act 2000

Human Rights Act 1998

Lawful Business Practice (Interception of Communications) Regulations 2000

Official Secrets Act 1989

Police and Criminal Evidence Act 1984

Privacy and Electronic Communications (EC Directive) Regulations 2003

Race Relations Act (Amendment) 2000

Regulation of Investigatory Powers Act 2000

Other

OMNI contract

NOMIS Data Protection Policy V1.0

Manual of Protective Security (MPS)

CHANGE RECORD

Issue No. | Date | Issued by | Reason for Issue
0.1 – 1.1 | 08/08/02 – 15/12/04 | S. Chiverton | Initial draft – Prior Issued Policy
1.2 | 22/02/05 | L.Moeller | GSI Revisions
1.3 | 31/03/05 | A. Pearson | Integration with NOMIS Data Protection Policy
2.0 | 14/04/05 | L Moeller | Deployment to Areas
2.1 | 06/04/06 | A Isom | Update to Processes for Handling Subject Access Requests
2.2 | 06/04/06 | A Isom | Update of definitions
2.3 | 13/04/06 | A Isom | Incorporation of Requirements for processing CONFIDENTIAL data
2.4 | 20/01/08 | R Nicholls | Addition of PROTECT and updated references

DISTRIBUTION LIST

Copy | Issued to
1 | NOMS NPS Security Project Board
2 | NOMS Union and Employer Consultative Groups
3 | NOMS Live Services
4 | NPS Chief Officers and the NPS

Table of Contents

1. INTRODUCTION
   1.1. BACKGROUND
   1.2. POLICY INTENTION
   1.3. CITATION AND COMMENCEMENT

2. NPS INFORMATION
   2.1. GOVERNMENT PROTECTIVE MARKING SCHEME
   2.2. EQUALITY, DIVERSITY AND HUMAN RIGHTS

3. REQUIREMENTS OF THE DATA PROTECTION ACT 1998
   3.1. RIGHTS AND PRINCIPLES

4. DATA PROTECTION POLICY
   4.1. SCOPE OF THIS POLICY
   4.2. POLICY OBJECTIVES
   4.3. NOTIFICATION
   4.4. THE EIGHT PRINCIPLES
   4.5. RETENTION GUIDELINES

5. DATA DESTRUCTION

6. SUBJECT ACCESS REQUESTS
   6.1. SUBJECT ACCESS REQUESTS PROCESS PRIOR TO IMPLEMENTATION OF NOMIS
   6.2. SUBJECT ACCESS REQUEST PROCESS AFTER IMPLEMENTATION OF NOMIS
   6.3. THIRD PARTY REQUESTS FOR PERSONAL DATA
   6.4. VEXATIOUS REQUESTS

7. RESPONSIBILITIES
   7.1. LOCAL SYSTEMS CONTROLLER
   7.2. ALL AUTHORISED USERS

8. LOCAL PROCEDURES AND CODES OF PRACTICE

ANNEX A: NOMIS AIMS FOR DATA SHARING

ANNEX B – DATA SHARING

ANNEX C – TEMPLATE DATA PROTECTION NOTIFICATION

ANNEX D – NOMIS DATA RETENTION POLICY

ANNEX E - NPS DATA PROTECTION ACT CHECKLIST

ANNEX F DEFINITIONS

1. INTRODUCTION

1.1. Background

The National Probation Service (NPS) areas are required to collect, use, store and process personal and sensitive personal information on Offenders, Visitors, Victims, NPS staff (including contractors and temporary staff) etc. in order to fulfil both primary operational functions and statutory requirements in the management of Offenders.

By processing NPS information there is a potential risk that the freedoms and rights of the data subjects might be prejudiced. It is therefore important that each Area and all authorised users are sufficiently informed of their duties, obligations and liabilities in accordance with the Data Protection Act 1998 (DPA) in order to:

• Protect the data subject and the organisation from compromise of personal information;

• Ensure that authorised users and Local System Controllers comply with the eight Principles of the Data Protection Act 1998 and associated Regulations;

• Provide a secure Information Management system in compliance with ISO 27001;

• Comply with the Common Law Duty of Confidentiality;

• Ensure that authorised users understand that they shall not breach the Data Protection Act when fulfilling a Freedom of Information Act 2000 request.

1.2. Policy Intention

This policy provides clear objectives and responsibilities for each data controller within the NPS Community, any data processors of NPS information and all authorised users to ensure no compromise of NPS information and/or personal information.

Furthermore, this Policy ensures that authorised users comply with the Data Protection Act 1998 and the NOMIS Data Protection Policy which supports the NOMIS Aims for Data Sharing which are included at Annex A to this Policy.

1.3. Citation and Commencement

This document will be known as the “National Probation Service Data Protection Policy” (ref. PIT-SEC-POL-0005 Data Protection Policy V2.3) and will come into immediate effect for all NPS areas and authorised users. This Policy supersedes all previous versions.

This document will be subject to periodic review and amendment. Areas must ensure that the current version is deployed and made available to all relevant authorised users. In the event of any query concerning this Policy, enquiries should be made to the NOMS OMNI Security Team ([email protected]).

2. NPS INFORMATION

The NPS processes personal information and sensitive personal information relating to offenders, victims, staff, contractors, temporary staff (including partner organisations) and other third parties. This information is contained in NPS electronic case management systems, physical files, document extracts and may also be stored on portable storage devices such as laptops, removable discs, CDs and diskettes.

Authorised users will also disclose personal data and sensitive personal data to the NOMIS data controller if the authorised user inputs information into NOMIS (see Annex B Data Sharing). Likewise, an authorised user may have personal data and/or sensitive personal data disclosed to them by the NOMIS data controller when the authorised user is given the ability to view NOMIS information.

If all of the above information (NPS information and NOMIS information) were to be subject to disclosure to an unauthorised third party there is a risk that “harm” may come to the data subject of the personal information and potentially expose a probation area, the NPS and/or the Home Office to litigation.

The risk of harm is defined within the Government Protective Marking Scheme and as such, all authorised users must comply with the NPS Protective Marking Policy.

2.1. Government Protective Marking Scheme

For the avoidance of any doubt all personal data and all sensitive personal data processed by NPS and each probation area shall be treated as being at least ‘RESTRICTED’ information (unless following a risk assessment it is agreed that ‘PROTECT’ is appropriate) and must therefore be handled in accordance with the Government Protective Marking Scheme and the Manual of Protective Security.

2.2. Equality, Diversity and Human Rights

In accordance with the Race Relations (Amendment) Act 2000 this policy has been subject to assessment of the potential adverse impact it may have on minority ethnic groups. Following this assessment it is not believed that this Policy will have any such adverse impact.

This Policy has been developed in accordance with gender, disability and human rights legislation.

This Policy can be made available in accordance with the Freedom of Information Act 2000.

3. REQUIREMENTS OF THE DATA PROTECTION ACT 1998

The Data Protection Act applies to all recorded personal data processed by probation areas and therefore applies to all personal data and sensitive personal data that forms part of NPS information.

Personal data relates to living, identifiable individuals and includes:

♦ Factual information;

♦ Expressions of opinion;

♦ Indications of intent (by the NOMS organisation holding the information or otherwise).

Sensitive personal data relates to living, identifiable individuals and encompasses their:

♦ ethnic origin;

♦ political opinions;

♦ religious or other beliefs;

♦ trade union membership;

♦ physical or mental health;

♦ sexual life;

♦ offences;

♦ criminal proceedings and sentencing.

Probation areas process large amounts of personal data and sensitive personal data. The Data Protection Act not only confers on individuals a right of access to their personal data being processed by a probation area subject to exemptions laid down in the Act but obliges probation areas (each as separate data controllers) to process such information fairly.

It is critical that disclosures to third parties are not made inappropriately and in breach of the Data Protection Act. In practice, this will often mean that Areas must not disclose personal data and/or sensitive personal data on any individual to a third party without the data subject’s explicit consent. However, such personal data may be disclosed without the data subject’s consent to third parties when it is necessary to carry out the functions of the probation area (which will cover most day to day duties), when it is ‘reasonable in all the circumstances’ and/or when there is an agreed protocol in place to govern it, e.g. with the police.

Under some circumstances areas will be required to make disclosures of NPS information to third parties by law, e.g. to the courts. Under these circumstances disclosure can be made without breaching the Act.

3.1. Rights and Principles

Any individual on whom personal data is being processed by NPS enjoys seven rights under the DPA. These are the:

♦ right of subject access;

♦ right to prevent processing likely to cause damage or distress;

♦ right to prevent processing for the purposes of direct marketing;

♦ rights in relation to automated decision-taking;

♦ right to take action for compensation if the individual suffers damage by any contravention of the Act by the data controller;

♦ right to take action to rectify, block or destroy inaccurate data; and

♦ right to make a request to the Information Commissioner to assess if any provision of the Act has been contravened.

The Data Protection Act also lays down eight principles which govern how the NPS and each individual Area must process personal data. These are that personal data must be:

1. Processed fairly and lawfully;

2. Processed for limited purposes;

3. Adequate, relevant and not excessive in relation to the purposes for which they are recorded;

4. Accurate and, where necessary, be kept up to date;

5. Kept no longer than is necessary for the purpose or purposes for which it is being processed;

6. Processed in accordance with the Data subject’s rights under the Act;

7. Kept secure and protected against unauthorised disclosure, loss or damage; and

8. Adequately protected if transferred to countries outside the European Economic Area.

The principles place a number of obligations and responsibilities on each data controller within the NPS and therefore also Local Systems Controllers and authorised users which must be complied with. See section 7 of this Policy.

4. DATA PROTECTION POLICY

4.1. Scope of this Policy

This Policy applies to all authorised users of NPS information and NOMIS information including permanent and temporary staff employed within the NPS community as well as all contractors, partners and third parties who will have access to personal information processed by the NPS or within an Area. This Policy applies to all NPS information including sensitive personal data processed by the NPS.

4.2. Policy Objectives

The objectives of this Policy are to:

♦ Ensure that each probation area always holds a current and valid Data Protection Notification which warrants that they can process personal data for all their statutory requirements as well as to allow effective Data Sharing with the NOMIS data controller;

♦ Ensure that no unlawful or unauthorised processing, compromise, misuse or disclosure occurs in respect of any NPS information, NOMIS information or personal information (including sensitive personal information);

♦ Ensure that all areas comply with the rights of the data subject as defined within the Data Protection Act 1998;

♦ Ensure that all authorised users comply with this Policy;

♦ Ensure that all NPS Areas comply with the Data Protection Act 1998;

♦ Ensure that all authorised users and Local System Controllers comply with the requirements of the NOMIS Data Protection Policy.

4.3. Notification

It is a legal requirement that every data controller is registered with the Information Commissioner using a Data Protection Notification.

Each Local System Controller must therefore ensure that their Data Protection Officer completes and submits an up to date Data Protection Notification (the Template for which is detailed at Annex C to this Policy) with the Information Commissioner’s Office on at least an annual basis to describe all the purposes for which it processes personal data.

This Notification ensures that each probation area is legally allowed to process NPS information to fulfil NPS Statutory responsibilities as well as share data in accordance with the aims and objectives of NOMIS and therefore with all those organisations who have a legitimate business need to share Offender Information.

Authorised users must only process NPS information in accordance with this Policy and must only share NPS information in accordance with their particular area’s Data Protection Notification.

4.4. The Eight Principles

The NPS areas must comply with the 8 Principles of the Data Protection Act 1998. The principles contain a number of obligations and responsibilities on the Local Systems Controller and the authorised user. See Section 7.

4.5. Retention guidelines

Under the Data Protection Act 1998 there is a requirement to retain personal data for no longer than is necessary to meet the purposes for which they are collected which will include all personal information processed by the NPS and all personal data contained within NOMIS.

The Rehabilitation of Offenders Act 1974 requires that Offender Information shall not be retained for longer than 10 years after a qualifying sentence under the Act has become spent. In order to comply with both pieces of legislation, ensure that the NOMS community requirements for data retention are met, and meet the aims and objectives of NOMIS, the NOMIS Data Retention Policy contained within the NOMIS Data Protection Policy must be complied with in respect of NOMIS information (see Annex D).

The NPS area shall store NPS information for a period of time according to the subject and issue that it is relating to. There is a legal requirement to provide retention periods for NPS information and ensure that NPS information is periodically reviewed and that any unnecessary, inaccurate, irrelevant or excessive information is removed and securely destroyed [1].

[1] Reference: NPS IT Asset and IT Media Disposal Policy, NPS Protective Marking Policy.

The following retention periods are based on the ACOP Data Protection Code of Practice 2002 and the requirements of the Data Protection Act 1998. Any retention period should be treated as a benchmark, as there might be situations where the data should be held for shorter or longer periods than those recommended in the table below, and these periods may also be altered by subsequent legislation or NOMS regulations.

Archived and current records will be disposed of within one year of the known death of the data subject, unless there are any requirements for the record to be made available for review.

Information relating to | Suggested retention period
Non statutory offender contact | 1 year from last recorded contact
Statutory offender contact – determinate sentences | 6 years from termination of last statutory supervision or report preparation. Retention of archived records beyond the initial 6 years must be based on clearly documented criteria, e.g. reference to risk of harm, and should be for a specified period only before further management review. The period and reasons for extension must be documented on the case file.
Statutory offender contact – life sentences | Upon death of lifer or 99 years after date of birth.
Victims | 1 year from the expiry date (SED) of the relevant sentence.
Staff records – unsuccessful applicants | 6 months after unsuccessful job application.
Staff records – employees | 6 years after leaving Service.
CRB disclosures | 6 months from date of receipt
Area and Board members and any other individuals with whom the Area has had financial dealings | 6 years after membership or payments cease.
CCTV images recorded for accredited and other programmes for offenders. | 2 years from end of the programme, or on completion of quality assurance audit, whichever is the later date.
CCTV images recorded for crime prevention and health and safety purposes. | 30 days maximum, but less if this is long enough for any crime or health and safety incident to have been detected.

5. DATA DESTRUCTION

Authorised users shall securely dispose of electronic copies of NPS information in accordance with the retention policy in section 4 above.

When any IT asset that has ever been used, either temporarily or permanently to store NPS information is determined to be excess to requirements or due for disposal, the IT asset must be disposed of using a SEAP Approved Contractor only in accordance with the NPS IT Asset and IT Media Disposal Policy.

Any NPS information held in paper form that is selected for destruction must be removed in confidential waste bags and be disposed of by a competent SEAP security cleared operator or appropriate device e.g. cross cut shredder compliant with the Manual of Protective Security (MPS).

6. SUBJECT ACCESS REQUESTS

A Subject Access Request is a request made under Section 7 of the Data Protection Act whereby a data subject (or someone working on their lawful authority) makes a written request for access to or a copy of any of their personal data being processed by a data controller including details of any third parties to whom such personal data has been shared.

In law, a Subject Access Request is made to a data controller and the data controller is required to provide an intelligible copy of all personal data and/or sensitive personal data that they are processing on the data subject and not any personal data being processed by any other data controller.

6.1. Subject Access Requests Process Prior to Implementation of NOMIS

If a valid Subject Access Request (made in writing, providing enough information so as to identify the data subject with an address or contact details for correspondence and the inclusion of a fee of £10) is received by any individual within a probation area prior to the implementation of NOMIS, the data subject must be provided with an intelligible copy of all their personal data and sensitive personal data held in any form by the probation area concerned.

All Subject Access Requests received by areas must be handled in accordance with this Policy and Local Procedures to be developed by each Local System Controller.

[Figure 1: Subject Access Request Process Prior to Implementation of NOMIS. Diagram labels: NPS; Probation Area; SAR Information; Probation Areas; Subject Access Request from Data Subject; Area Handles SAR Directly; Personal Data Provided to Data Subject.]

6.2. Subject Access Request Process After Implementation of NOMIS

In order to maintain an Open Government approach and to be as helpful as possible to data subjects, a different process must be followed when responding to valid Subject Access Requests after the implementation of NOMIS.

Although not legally obliged, data controllers will be required under this Policy, upon receipt of a valid Subject Access Request from a data subject, to provide to the data subject an intelligible copy of all their personal data and sensitive personal data being processed by the probation area concerned, and a copy of the NOMIS ‘Subject Access Report’ available from NOMIS. Both sets of information must be provided to the data subject within 40 calendar days of receipt of the Subject Access Request.

[Figure 1: Subject Access Request Process Prior to Implementation of NOMIS. Diagram labels: NOMIS; NPS; SAR Report; Probation Area; SAR Information; Probation Areas; Subject Access Request from Data Subject; Area Handles SAR Directly; Personal Data Provided to Data Subject.]

A NOMIS ‘Subject Access Report’ created by an authorised user who is not a member of the NOMS Open Government Unit, shall automatically include the following statement:

“This NOMIS Subject Access Report is being provided voluntarily and we are not the data controller in respect of this information. The data controller is the Chief Executive of NOMS and therefore all queries pertaining to the Report should be directed to the Open Government Unit within NOMS. We cannot accept any liability for the accuracy of any information contained within this Report or omitted from this Report.”

If a data subject makes any subsequent requests for any further personal data and/or sensitive personal data that they believe is being processed on them within NOMIS, the data subject must be advised to contact the Open Government Unit within NOMS. The Open Government Unit will handle the data subject’s subsequent request directly.

6.3. Third party Requests for Personal data

In general, Subject Access Requests can be made on behalf of a data subject (e.g. by a solicitor or family member) provided it contains the fee and the signed authority of the data subject to disclose their personal data to that person.

6.4. Vexatious Requests

Probation areas are not required to comply with vexatious Subject Access Requests or requests which have been repeated within an unreasonably short length of time. The term “vexatious” is not defined in the Act.

7. RESPONSIBILITIES

Each probation area must ensure that any processing of personal data and sensitive personal data is carried out in accordance with the Data Protection Act, their Data Protection Notification and the Data Protection Act Principles.

7.1. Local Systems Controller

There is a duty in law to maintain the Confidentiality of NPS information which is disclosed to a Probation area(s) and/or the NPS in pursuance of a statutory duty or under the Law of Confidence. Failure to maintain Confidentiality of NPS information may result in a breach of the Official Secrets Act 1989 or a civil suit.

Probation area Boards have a corporate responsibility whilst their members, employees, contractors and temporary staff have individual responsibility to maintain the Confidentiality of Personal information.

It is the responsibility of the Data controller to comply with the 8 principles of the Data Protection Act 1998. These are referenced in the table below.

It is the responsibility of the Data controller to ensure, before any Personal data is processed, that at least one of the conditions set out in the DPA is met.

These include:

• The Data subject has given consent to the Processing (not required for the fulfilment of a statutory function);

• The Processing is necessary for the performance or setting up of a contract or other contract to which the Data subject is party;

• Processing is necessary for non-contractual legal obligations;

• Processing is necessary to protect the vital interests of the Data subject;

• Processing is necessary for the administration of justice or functions of a public nature (this will most often be the case in respect of individual Area’s Processing of both Offender and Victim Personal information);

• Processing is necessary for the purposes of the legitimate interests pursued by the Data controller or a third party to whom the Personal data is disclosed.

If the Processing includes Sensitive Personal data at least one of the following further set of conditions must be met:

• The Data subject has given explicit consent to the processing (not required to fulfil a statutory function);

• Processing is lawful or a legal requirement in connection with employment;

• Processing is necessary to protect the vital interests of the Data subject or another person;

• The Data subject has already taken deliberate steps to make the information public;

• Processing is necessary in connection with legal proceedings;

• Processing is necessary for administration of justice or exercise of crown functions (this will most often be the case in respect of individual Area’s Processing of both Offender and Victim Personal information);

• Processing is necessary for medical purposes and is undertaken by a health professional.

Local System Controller responsibilities are detailed in the table below.

7.2. All Authorised users

Under the Data Protection Act 1998 individual employees, contractors, temporary staff and/or managers may be held criminally liable for instances in which Personal information, or information obtained in confidence, is disclosed, knowingly or recklessly, outside the terms of the relevant Probation area’s Data Protection Notification. In certain circumstances, Data subjects can sue for compensation if third parties (which can include employees, contractors and temporary staff who have no legitimate business justification to Process the Personal information) obtain Personal information about Data subjects unjustifiably (without legitimate business reason in accordance with the particular Area’s Data Protection Notification).

Where any authorised user exceeds their lawful authority to process NPS or personal information, they may be liable to prosecution under the Computer Misuse Act 1990.

Authorised users’ responsibilities are detailed in the table below.

Breach of this policy may result in disciplinary action.

Local System Controller (Data controller) and Authorised user Responsibilities in accordance with the 8 Principles of the Data Protection Act 1998.

DPA Principle Data controller Authorised user

1 – Personal data shall be Processed Fairly and Lawfully

Data controller:

Personal information must only be processed if one of the conditions laid down in Schedule 2 to the Data Protection Act is met such as those purposes specified in Part 1 of the Criminal Justice and Court Service Act 2000 and in any other relevant subsequent legislation.

Maintain an up to date data protection notification with the Information Commissioner as detailed within Annex C of this Data Protection Policy.

If there is no statutory purpose for processing Offender/Victim personal data ensure that the data subjects are informed of the purpose or purposes for which the NPS information is processed and the range of third parties with whom the data will be shared.

Only process sensitive personal data with the express consent of the data subject or where it is required by law or by the statutory duties placed upon the NPS or in cases where one of the other conditions laid down in Schedule 3 to the Data Protection Act is met. For the avoidance of any doubt, if there is a statutory requirement to process sensitive personal data there is no requirement to obtain consent from the data subject.

Appoint a Data Protection Officer to ensure compliance with the Data Protection Act and this Policy including:

• Manage Data Protection Subject Access Requests and general Data Protection enquiries;

• Maintain an up to date level of knowledge of Data Protection Act legislation, case law and relevant developments within related legislative areas;

• Encourage, monitor and audit compliance with this NPS Data Protection Policy;

• Promote awareness and provide guidance and advice on the Data Protection Act 1998 as it applies within the particular probation area, through training and procedural development;

• Liaise with external organisations on Data Protection Issues;

• Advise Authorised users of their responsibilities under the Data Protection Act 1998, including Subject Access requests.

Manage all failures to comply with this Data Protection Policy in accordance with the NPS Incident Management Policy.

Authorised user:

Only process personal data in accordance with their particular area’s data protection notification.

Only process sensitive personal data with the express consent of the data subject or where it is required by law or by the statutory duties placed upon the NPS or in cases where one of the other conditions laid down in Schedule 3 to the Data Protection Act is met. For the avoidance of any doubt, if there is a statutory requirement to process sensitive personal data there is no requirement to obtain consent from the Data subject.

Report any failures to comply with this Data Protection Policy in accordance with the NPS Incident Management Policy.

2 – Personal data shall only be obtained and Processed for one or more purposes

Data controller:

Ensure that the Data Protection Officer submits a valid data protection notification which is registered with the Information Commissioner, using the template as detailed in Annex C of this Policy.

Maintain necessary updates and renewal of the Notification to ensure that the purpose or purposes for which the personal information is collected is available to the data subject.

Ensure that personal information forming NPS information that is shared with other organisations for research purposes is not used by the recipient to make any decisions concerning the data subject.

Ensure written consent of the data subject for any use of personal data for training or public relations purposes.

Ensure that if NPS information is shared with partners or organisations outside the NPS, and this is not a statutory duty or necessary for the administration of justice or does not meet one of the other conditions laid down in Schedule 2 of the Data Protection Act, an Information Sharing Protocol is in place to certify that the recipients have appropriate security measures implemented.

Authorised user:

Ensure that any potential changes to processing are reported immediately to the Data Protection Officer.

Do not share personal information with third parties for research purposes without the express permission of the Local System Controller.

Never use personal data for public relations purposes without the express consent of the Local System Controller.

3 – Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are Processed

Data controller:

Ensure that only relevant personal data is collected and processed on data subjects.

Ensure that excessive personal data is not processed on data subjects.

Ensure that there is adequate personal data held on a data subject to make sure that the data subject making a Subject Access Request can be identified and validated as being the subject of the personal data.

Review any active relevant filing system containing personal data at regular intervals to ensure that the personal data held therein is no more than is required for the notified purposes and the personal data is adequate to identify the data subject and fulfil the purpose for which it has been collected.

Ensure that all data collection forms and procedures do not seek personal data beyond that which is relevant and necessary for the purposes for which it is processed.

Authorised user:

Ensure that only relevant personal data is collected and processed on data subjects.

Ensure that no excessive personal data is processed on data subjects and/or stored in private files.

4 – Personal data shall be accurate and, where necessary, kept up to date

Data controller:

Ensure that procedures are in place to achieve the highest possible level of accuracy of personal data processed in the area.

Provide procedures and communicate these to authorised users for updating personal records promptly as new data becomes available.

Undertake regular audits of personal data accuracy according to local procedures.

Ensure an audit trail of any disputes regarding the accuracy of personal data and any assessments of the data subject.

Provide written procedures and communicate these to Authorised users for responding to complaints about the accuracy of data processed by the organisation.

Authorised user:

Comply with local procedures to ensure data accuracy.

Update all personal data as soon as any changes come to your attention.

If a data subject disputes the accuracy of the personal data being processed on them, contact your Local System Controller if you cannot resolve the issue quickly and readily.

Comply with local procedures for managing complaints about personal data accuracy.

5 – Personal data shall not be kept for longer than is necessary for the purpose or purposes for which it is Processed

Data controller:

Comply with the Data Retention Guidelines (ref: 4.5) included within this Policy.

Produce local procedures in accordance with the ACOP Data Protection Code of Practice 2001.

Conduct regular audits to ensure that all archived electronic and paper files will be marked with an earliest date for disposal or for further review.

Ensure that all reviews of archived files beyond their earliest disposal date will be conducted at least annually.

Authorised user:

Comply with the Data Retention Guidelines included within this Policy.

Mark all personal data in accordance with the local procedures.

6 – Personal data shall be processed in accordance with the rights of the Data subject

Data controller:

Comply with the Subject Access Guidelines (ref:6) contained within this Data Protection Policy.

Provide written procedures for handling and responding to a Subject Access Request (SAR) and communicate these to all authorised users.

Develop written complaints procedures, communicate these to authorised users and make them available for any data subject or any other interested party.

Ensure that the number of subject access requests, objections to processing, and objections to data accuracy, are recorded and reviewed regularly to assess implications for local procedures.

Provide a written notice to explain the basis of the decision to any data subject who is significantly affected by a decision based solely on the processing by automatic means of personal data.

Ensure that all relevant filing systems maintained by the probation area that may be accessed in response to a subject access request are defined.

Authorised user:

Handle Subject Access Requests in accordance with local procedures.

Ensure that any complaints relating to the use of personal data are handled in accordance with local procedures.

Obtain authority from a senior manager before relying on a statutory exemption under the DPA 1998, for withholding personal data from a SAR.

Ensure that no personal data on a Third party is released as part of a SAR without the consent of the Third party, unless this is public knowledge or reasonable to disclose given the circumstances.

Ensure positive identification of the data subject before any personal data is disclosed.

7 – Appropriate technical and organisational measures shall be taken to secure Personal data

Data controller:

Ensure that NPS information security policies are implemented and complied with throughout the area.

Ensure all authorised users sign a Confidentiality Statement in accordance with the common law duty of confidentiality and the protection of personal data in accordance with the DPA.

Provide written information describing local procedures and training to inform all Authorised users of their responsibilities for Data Protection, as set out in this Policy.

Ensure that NPS information is only processed on NPS IT Assets.

Provide local procedures for disposal of NPS information.

Ensure that all authorised users comply with the following NPS Policies:

• NPS Business Continuity Policy

• NPS Clear Desk Policy

• NPS Email & Internet Communications Policy

• NPS Community Information Security Policy

• NPS Incident Management Policy

• NPS IS & Network Monitoring Policy

• NPS IT Asset and IT Media Disposal Policy

• NPS Logical Access Control Policy

• NPS Password Policy

• NPS Physical Security Policy

• NPS Protective Marking Policy

• NPS Remote working Policy

• NPS Vetting Policy

Ensure that use of CCTV is reviewed annually for compliance with the DPA.

Ensure that the local Codes of Conduct and Disciplinary Procedures address breaches of the NPS Data Protection Policy.

Authorised user:

Sign a confidentiality statement to acknowledge that you have been informed of your individual responsibilities and liabilities for protecting personal data.

Read any briefing notices and undertake all training as required to ensure compliance with this Policy.

Do not process NPS information on non IT Assets.

Comply with local procedures for disposal of NPS information.

Ensure that you comply with the following NPS Policies when processing NPS information:

• NPS Business Continuity Policy

• NPS Clear Desk Policy

• NPS Email & Internet Communications Policy

• NPS Community Information Security Policy

• NPS Incident Management Policy

• NPS IS & Network Monitoring Policy

• NPS IT Asset and IT Media Disposal Policy

• NPS Logical Access Control Policy

• NPS Password Policy

• NPS Physical Security Policy

• NPS Protective Marking Policy

• NPS Remote working Policy

• NPS Vetting Policy

Take special precautions when working in remote working locations to ensure the confidentiality and integrity of NPS information. Particular note should be taken of NPS diaries which will contain personal data about other colleagues as well as Offenders and Victims.

Do not give any unauthorised user access to any personal data contained on any IT Asset.

Never share your password for access to IT Assets with any third party or any other authorised user.

Never attempt to access the Communications Infrastructure using any other authorised user’s password.

Protect all personal data in accordance with the Government Protective Marking Scheme (GPMS) and NPS Protective Marking Policy.

Never share personal data such as that contained within ViSOR with any third party such as friends or family.

Never leave a computer terminal ‘unlocked’ i.e. available to any third party to use.

Ensure that all electronic copies and paper based copies of personal data cannot be viewed or retrieved by any third party or any authorised user who does not have the appropriate access permissions to see the information.

8 – Personal data shall not be transferred outside the European Economic Union without an adequate level of protection

Data controller:

Ensure that no personal data is transferred outside the European Economic Union, unless the personal data is protected appropriately in other ways, the Data subject has given explicit consent or the transfer is in accordance with statutory requirements.

Authorised user:

Do not transfer any personal data contained within or derived from NPS or NOMIS to countries outside the European Economic Area unless there is a statutory requirement to do so and/or the data subject has given their explicit consent in writing or Schedule 4 to the Data Protection Act applies.

Complete and ensure ongoing compliance with the NPS Data Protection Checklist as detailed in Annex E.

8. LOCAL PROCEDURES AND CODES OF PRACTICE

Local procedures and Codes of Practice, in support of this policy, provide detailed information relating to Data Protection within each Probation area.

In the event of any uncertainty Authorised users should contact their Local System Controller, who is responsible for creation and maintenance of local procedures.

Local procedures shall include such definitions as are necessary and shall describe the specific details involved and special arrangements within the Area, including staff contact details etc.

ANNEX A: NOMIS AIMS FOR DATA SHARING

Principle 1 NOMS Information is a corporate resource. It belongs to the organisation - it does not belong to any individual or group, except where specific confidentiality rules apply.

Principle 2 There must be a shared understanding that any party who uses the NOMIS system, by implication, allows all parties, with relevant access controls, to use the system to read, create and update data present on NOMIS.

Principle 3 Information must be made accessible to others in the NOMS community, except where there is a specific reason not to.

Principle 4 It is necessary to adopt a consistent approach to managing information across the whole of the NOMS.

Principle 5 Information will need to be retained for prescribed periods on behalf of NOMS.

Principle 6 Information created on behalf of NOMS must be accurate and fit for purpose.

Principle 7 NOMS staff are personally responsible for the effective management of the information they create or use.

Principle 8 In managing information staff must comply with the relevant statutory and regulatory requirements.

Principle 9 All data that is held on NOMIS will be at no higher than “RESTRICTED”.

ANNEX B – DATA SHARING

NOMIS

In order to create an effective end to end Offender Management Service and effective rehabilitation of Offenders it is essential to have an unfettered exchange of Offender Information within the NOMS community and with particular Third Parties such as the Department for Health, Voluntary and Community Sector who run accredited rehabilitation programmes and DfES.

This requires the ability to share Offender and Victim Information in both a timely and efficient manner with those users who have a legitimate business need to utilise the information. This will materially assist with the management and rehabilitation of Offenders and will help work towards a real reduction in re-offending rates.

The most effective way to achieve this is to share Offender Information electronically in real time within the legal framework of the Data Protection Act 1998 and other related legislation. Delays in information exchange may potentially cause harm to Offenders, employees and contractors as well as victims.

NOMIS is a single national database, the first of its kind, to provide such a real time data sharing capability.

The sharing of Offender Information has many risks associated with it. The NOMIS Code of Connection and Authorised users’ compliance with all the supporting NOMIS policies and procedures ensures that NOMIS maintains the Confidentiality, Integrity and Availability of NOMIS information at all times.

The NOMIS Data controller requires that all Authorised users accessing NOMIS comply with the NOMIS Data Protection Policy.

There will be occasions when NOMIS information will need to be shared with other Criminal Justice Organisations and third parties in pursuance of their support for an offender outside of traditional rehabilitation facilities.

NOMIS Data controller

The Data controller for NOMIS is the Secretary of State who has delegated their responsibilities and powers for NOMIS to the Chief Executive of NOMS and shall be referred to within this Policy as the NOMIS Data controller.

For the avoidance of any doubt the Data controller for all information contained within NOMIS is the Chief Executive of NOMS. As such, no other person or organisation is authorised to determine the manner in which NOMIS is used by any Authorised user.

This Policy details the manner in which the Chief Executive of NOMS requires that NOMIS and all NOMIS information be handled and Processed.

As such, all Authorised users and Local System Controllers must comply with the NOMIS Code of Connection, the NOMIS Data Protection policy and all other policies and procedures which form part of the NOMIS Code of Connection. Failure to do so will result in removal of all access rights to NOMIS and in certain cases may lead to criminal and/or civil actions being taken against an individual.

Disclosure of NOMIS information

NOMIS information will be disclosed to Authorised users within NOMS Organisations whenever an Authorised user accesses an Offender or Victim record within NOMIS.

This is a legal disclosure of the Offender (and potentially victims as well) Personal data and/or Sensitive Personal data from the NOMIS Data controller to the Authorised user.

For the avoidance of any doubt, the NOMIS Data Protection Policy must be complied with by all Authorised users to govern their Processing of Offender (and potentially Victim as well) Personal data and Sensitive Personal data when the NOMIS Data controller discloses Personal data from NOMIS to an Authorised user.

Transfers of NOMIS information in to other Systems

Authorised users may, on occasions, be required to transfer NOMIS information into IT systems not controlled by the NOMIS Data controller.

Such transfers of NOMIS information may only be made in pursuance of a statutory duty and shall comply at all times with the written instructions of the NOMIS Data controller which may be amended from time to time.

Transfer of NOMIS information to Third Parties

There will be occasions when NOMS will need to take copies of information derived from NOMIS to share with other organisations such as Social Services and Customs and Excise, for example.

For the avoidance of any doubt Authorised users shall only transfer copies of Personal data and/or Sensitive Personal data to organisations listed on the NOMS Data Sharing List managed by the NOMS Open Government Unit. For advice as to which organisations NOMIS information can be shared with, contact the NOMS Open Government Unit.

ANNEX C – TEMPLATE DATA PROTECTION NOTIFICATION

Purpose 1 STAFF ADMINISTRATION

This is processing for the purposes of appointments or removals, pay, discipline, superannuation, work management or other personnel matters in relation to the staff of the Data controller.

Data subjects

• Probation Board and Area members

• Staff employed by service providers commissioned/contracted to NOMS

• Staff including volunteers, agents, temporary and casual workers – past, present and prospective.

Data Classes

• Criminal proceedings, outcomes and sentences

• Disability/impairment

• Education and training details

• Employment details

• Family, lifestyle and social circumstances

• Financial details

• Goods or services provided

• Offences (including alleged offences)

• Personal details

• Physical or mental health

• Racial or ethnic origin

• Religious or other beliefs of a similar nature

• Sexual life

• Sexual Orientation

• Trade Union Membership

Recipients

• Central Government (including the National Probation Directorate/National Offender Management Service)

• Current, past or prospective employers of the data subject

• Data processors

• Data subjects themselves

• Education, training establishments and examining bodies

• Employees and agents of the data controller

• Employment and recruitment services

• Financial organisations and advisers

• Healthcare, social and welfare advisers or practitioners

• Local Government (including Probation area Boards)

• Relatives, guardians or other persons associated with the data subject

• Suppliers, providers of goods and services

• Trade, employer associations and professional bodies

• Secretary of State

Transfers of Personal data: None outside of the European Economic Area

_______________________________________________________________

Purpose 2 ADMINISTRATION OF JUSTICE

• Discharging court business

• Internal administration and management of courts of law or tribunals

• Prevention of crime

• Protection of the Public and Staff

• Research concerned with the effectiveness of Probation practice

• Supervision, management, punishment and rehabilitation of offenders

Data subjects

• Advisers, consultants and other professional experts

• Complainants, correspondents and enquirers

• Customers and clients

• Health Care providers

• Local Authority staff

• Offenders and suspected offenders

• Persons given a caution or final warning

• Persons subject to judicial disposals including convictions, bind-overs, discharges, acquittals, orders made under legislation (e.g. Harassment Act 1997)

• Police officers

• Relatives, guardians and associates of the data subject

• Sentencers

• Staff from organisations providing services to NOMS and to an Offender

• Staff including volunteers, agents, temporary and casual workers

• Suppliers of services and facilities that support the administration of justice

• Victims of crime

• Witnesses

Data Classes

• Business activities of the data subject

• Criminal intelligence

• Criminal proceedings, outcomes and sentences

• Disabilities/Impairments

• Education and training detail

• Employment details

• Family, lifestyle and social circumstances

• Financial details

• Goods or services provided

• Offences (including alleged offences)

• Personal details

• Physical or mental health or condition

• Political opinions

• Racial or ethnic origin

• References to manual records or files

• Religious or other beliefs of a similar nature

• Sexual life

• Trade Union Membership

Recipients

• Central government

• Contracted out prisons

• Courts/Tribunals

• Crown Prosecution Service

• Current, past or prospective employers of the data subject

• Data processors

• Data subjects themselves

• Defence solicitors

• Department of social security

• Education, training establishments and examining bodies

• Employees and agents of the data controller

• Healthcare, social and welfare advisers or practitioners

• International law enforcement agencies and bodies

• Judges and Magistrates

• Law enforcement agencies and investigating bodies

• Legal representatives

• Licensing authorities

• Local government

• Non Home Office police forces

• Ombudsmen and regulatory authorities

• Police forces

• Political organisations

• Prisons

• Probation Service Areas

• Providers of services including partnership agencies

• Relatives, guardians or other persons associated with the data subject

• Religious organisations

• Suppliers, providers of goods or services, including partnership organisations

• Survey and Research Organisations

• The media

• Victims of Crime

• Secretary of State

Transfers of personal data: Worldwide.

_______________________________________________________________

Purpose 3 ADMINISTRATION AND ANCILLARY SUPPORT

• Contingency planning

• Management information and records (e.g. fleet and housing management, information technology kit management)

• Training and system testing

Data subjects

• Advisers, consultants and other professional experts

• Complainants, correspondents and enquirers

• Customers and clients

• Members of the Probation area Board

• Relatives, guardians and associates of the data subject

• Staff including volunteers, agents, temporary and casual workers

• Suppliers of goods and services

Data Classes

• Education and training details

• Employment details

• Goods or services provided

• Personal details

• Physical or mental health or condition

• Racial or ethnic origin

Recipients

• Central government departments (including the National Probation Directorate / National Offender Management Service and HM Prison Service)

• Current, past or prospective employers of the data subject

• Data processors

• Education, training establishments and examining bodies

• Employees and agents of the data controller

• Local government departments (including other probation area boards)

• Police forces

• Suppliers, providers of goods and services

• The data subject themselves

• Trade, employer associations and professional bodies

• Secretary of State

Transfers of personal data: None outside the European Economic Area

_______________________________________________________________

Purpose 4 CRIME PREVENTION AND PROSECUTION OF OFFENDERS (INCLUDING CCTV)

Includes use of closed-circuit television for the monitoring and collection of sound and/or visual images for the purpose of maintaining the security of premises, for preventing crime and investigating crime.

Data subjects Advisers, consultants and other professional experts Complainants, correspondents and enquirers Customers and clients Legal Adviser and representatives Members of the public and those inside, entering or in the immediate vicinity of the area under surveillance Members or supporters of the probation area board Offenders and suspected offenders Relatives, guardians and associates of the data subject Staff, including volunteers, agents, temporary and casual workers Suppliers

Data Classes

Criminal proceedings, outcomes and sentences
Education and Training Detail
Employment Details
Family, Lifestyle and Social Circumstances
Financial Details
Goods or services provided
Offences (including alleged offences)
Personal appearance and behaviour
Personal details, including personal appearance and behaviour
Physical or Mental Health or Condition
Political Opinions
Racial or Ethnic Origin
Religious or Other Beliefs Of A Similar Nature
Sexual Life
Sexual Orientation
Sound and/or visual images
Trade Union Membership

Recipients

Business associates and other professional advisers
Central Government
Current, past or prospective employers of the data subject
Data processors
Data subjects themselves
Education, training establishments and examining bodies
Employees and agents of the data controller
Healthcare, social and welfare advisers or practitioners
Local Government
Persons making an enquiry or complaint
Police forces
Relatives, guardians or other persons associated with the data subject
Suppliers, providers of goods or services, including private security organisations
Trade, employer associations and professional bodies
Secretary of State

Transfers

None outside the European Economic Area

ANNEX D – NOMIS DATA RETENTION POLICY

Basic Offender Data

Means the following information in respect of an individual Offender:

1. Name and aliases;
2. Current address;
3. PNC number;
4. Date of birth;
5. Conviction code (i.e. result code which will be unique for each separate criminal offence);
6. Biometric information;

NOMIS Information - Data Retention

(Timeline diagram. Axis: Time. Markers: Sentence Expiry Date; 10 Years; 99 Years.)

1. With the exception of identified Schedule 1 Offenders and Lifers, NOMIS shall automatically weed out and permanently delete Information within an Offender’s and Victim’s NOMIS record that does not constitute Basic Offender Data, Basic Victim Data, Offender Archive Data or Victim Archive Data.
2. NOMIS shall automatically archive ‘Offender Archive Data’ and ‘Victim Archive Data’.
3. NOMIS shall retain Basic Offender Data and Basic Victim Data for access by those Authorised Users of NOMIS with the appropriate Security Role Based Access Permissions.

Offender Archive Data and Victim Archive Data shall be restored if an Offender is charged with a further crime and either remanded in custody or remanded for court reports including bail reports.

1. NOMIS shall automatically delete the entire Offender’s and Victim’s NOMIS record including all Basic Offender Data, Basic Victim Data, Offender Archive Data, Victim Archive Data and full NOMIS records for identified Schedule 1 Offenders and Lifers.

7. NOMIS Offender Unique Reference Number;
8. Last Offender Manager/Probation area/Prison;
9. Date of last contact/completion of sentence;
10. Warning flags.

Basic Victim Data

Means the following information in respect of an individual Victim:

1. Name and aliases;
2. Current address;
3. PNC number (if applicable);
4. Date of birth;
5. Biometric information where available;
6. NOMIS Offender Unique Reference Number;
7. Summary of offence committed against them;
8. Link to offender record;
9. Date of last contact.

Offender Archive Data

Means the following information in respect of an individual Offender:

1. Previous addresses;
2. Last Prison or Probation Assessment, whichever is the later;
3. Location reference: what prison, cell, probation office within which the Offender resided during the term of their sentence and name of last supervising Offender Manager;
4. List of previous sentences and for each:
   a. Summary of the offence;
   b. Summary of the sentence;
   c. Prisons and Probation areas where the sentence was served;
   d. Offending behaviour courses/other interventions details.
5. OASys assessments and sentence plans and review;
6. Safety assessments including:
   a. Suicide risk and self harm (with details of potential self harm, circumstances and care plan etc);
   b. OASys ROSH level;
   c. Risk Management plan and MAPPA details where applicable;
   d. Previously violent and/or aggressive and/or abusive behaviour towards others that was:
      i. Risk of harm to children, specified adults, self, specified group, general public, staff;
      ii. Motivated by prejudice (racial, homophobic, religious, offence related);
      iii. Sexually motivated;
      iv. Gang related;
      v. Drug related;
      vi. Debt related;
      vii. Power and control related;
      viii. Fear;
      ix. Mental illness.
   e. Potentially violent towards prisons/probation/intervention provider staff.
7. Potential escaper;
8. Security and medical alert information;
9. Health problems that prison staff need to be aware of such as:
   a. Epileptic;
   b. Heart problems;
   c. Diabetic;
   d. Impairments/disability requirements;
   e. Any other health condition that would require a duty of care from the NOMS community to retain in respect of the Offender.

Victim Archive Data

Means the following information in respect of an individual Victim:

1. Previous addresses;
2. Copies of police statements;
3. Full details of Offence;
4. Victim’s description of offence;
5. Full contact history.

Schedule 1 Offenders and Lifers

For the avoidance of any doubt all Schedule 1 Offender and Lifer information shall be retained in full within NOMIS for a period of 99 years.

ANNEX E - NPS DATA PROTECTION ACT CHECKLIST

NPS Data Protection Policy requirement

[ ] Annual Notification to the Information Commissioner using NPS template

[ ] The Probation area has identified and nominated a Data Protection Officer

[ ] The Probation area provides written information to all staff and service users about their data protection rights.

[ ] The Probation area provides written information to all staff about their data protection duties and responsibilities

[ ] Sharing Personal data with organisations outside the NPS is within the terms of an information sharing agreement, unless DPA 98 exceptions apply.

[ ] Data collection procedures reviewed to ensure no excessive collection.

[ ] Written procedures are in place to audit data accuracy.

[ ] Written procedures are in place for responding to Subject Access Requests.

[ ] Written procedures are in place for responding to complaints about data accuracy.

[ ] Written procedures are in place for responding to objections to Processing.

[ ] Written procedures are in place to ensure compliance with baseline retention periods for Personal data.

Appropriate technical and organisational measures have been implemented to protect personal data held by the area, namely:

[ ] a) A clear desk policy is enforced throughout the area.

[ ] b) A confidentiality statement is signed by all personnel with authorised access to Personal data in the Area.

[ ] c) Controls are in place to ensure the secure Processing of Personal data away from probation board premises.

[ ] d) No Personal data processed on equipment other than IT Assets

[ ] Annual audit of CCTV recording

ANNEX F DEFINITIONS

Term Definition

ACOP Data Protection Code of Practice 2001

Means the Data Protection Code of Practice 2001 produced by the Association of Chief Officers of Probation which was developed to provide the Police Service with a set of guiding Data Protection principles.

authorised staff / authorised users

Means any Probation area employee, contractor, temporary staff or any other person who has auditable authority from a Chief Officer (Local System Controller) to access, view and Process NPS information.

compromise

Means to make all or any part of NPS information available to those who are Unauthorised staff and/or the unauthorised modification or destruction of data and/or Personal data by Authorised staff, Unauthorised staff or third parties.

confidentiality

Means the protection of NPS information from any unauthorised form of disclosure or misuse, where the information is not a matter of public knowledge and is entrusted in confidence.

data controller

Means a person (a Probation area in this context) who determines the purposes for which, and the manner in which, Personal information is, or is to be, processed. This may be an individual or an organisation, and the Processing may be carried out jointly or in common with other persons.

data processor

Means any person who processes data on behalf of the Data controller, following instructions from the Data controller on what, for which purpose and in which manner Personal data is to be Processed.

Data Protection Notification

Means the method by which a Data controller fulfils its legal requirement of advising the Information Commissioner’s Office of the purposes for which it processes Personal information.

Data Protection Officer

Means a role or function within a Probation area to take overall responsibility for implementing the appropriate controls to ensure compliance with both the Area’s Data Protection Notification, this Data Protection Policy, the NOMIS Data Protection Policy and the Data Protection Act 1998.

data subject

Means the data subject (individual) who is the subject of the Personal information.

disposal/disposed/dispose

Means the secure destruction in accordance with the Government Protective Marking Scheme of NPS information so that it is permanently destroyed and not capable of being retrieved in any format.

Information Commissioner

Means the UK supervisory authority reporting directly to UK Parliament for the purpose of overseeing and enforcing compliance with both the Data Protection Act 1998 and the Freedom of Information Act 2000.

Local System Controller

Means the Chief Officer of each of the Probation areas who is responsible for the provision of adequate and appropriate physical and technical security within each of the Probation areas or such person to whom a Chief Officer has formally delegated such responsibility.

Notification

Means the method by which a Data controller fulfils its legal requirement of advising the Information Commissioner’s Office, the UK supervisory authority reporting directly to the UK Parliament for the purpose of overseeing and enforcing compliance with both the Data Protection Act 1998 and the Freedom of Information Act 2000.

NOMIS

The National Offender Management Information Service.

NOMIS data controller

Means the Secretary of State who has delegated his responsibilities to the Chief Executive for NOMS.

NOMIS information

Means any information including both Personal data and Sensitive personal data relating to offenders, victims, visitors, staff (including Contractors and temporary staff), or any third party that is held within NOMIS as well as any copies of such information derived from NOMIS held in any format by anyone within the NOMS community to include hard copy documentation, files and such electronic information stored on media such as CD, removable drives etc.

NOMS

Means the National Offender Management Service

NOMS community

Means the Home Office, NOMS, Her Majesty’s Prison Service, the National Probation Directorate, all Probation areas, all Contracted out Prisons and any other organisation that has auditable authority from the NOMIS Business Management Group to allow access to NOMIS and all other organisations with whom NOMS has a data sharing protocol in place to share NOMIS information.2

NPS

Means the 42 National Probation areas collectively

NPS information

Means any Personal information relating to offenders, victims, staff (including Contractors and temporary staff), or any third party that is held by a Probation area as well as any Protectively marked information (other than UNCLASSIFIED) and/or third party confidential or sensitive information held in any format by NPS to include hard copy documentation, files and such information stored on media such as CD, removable drives etc.

2 For all queries on whether a valid data sharing protocol is in place to allow sharing of NOMIS Information, contact the Open Government Unit within NOMS.

OMNI contract

Means the NPS ISAT contract awarded to the Prime Contractor.

OMNI environment

Means the technical environment supported by the Prime Contractor as required under the OMNI Contract.

personal information/data

Means information which relates to a living individual who can be identified from that information, or from that information and other information which is in the possession of, or likely to come into the possession of the Data controller. It includes any expression of opinion about the individual and any indication of the intentions of the Data controller or any other person in respect of the individual.

Prime Contractor

Means Steria Limited who is the Home Office chosen provider to fulfil the OMNI contract, or any successor.

probation area(s) / area(s)

Means each (and collectively all if used in the plural) of the 42 National probation areas that form the National Probation Service.

process/ processing

Means anything that can be done to Personal data which includes consulting, adapting, disclosing, holding, altering, storing, retrieving, accessing or archiving etc. of any NPS information.

protectively marked information

Means such information classification as defined within the NPS Protective Marking Policy in accordance with the Government Protective Marking Scheme and the Manual of Protective Security

recipient

Means any person to whom NPS information is disclosed.

remote working

Means the Processing of NPS information in any format (electronic or physical) and on whatever media at a location not controlled by the Chief Officer of a Probation area.

sensitive personal data / sensitive personal information

Means Personal information relating to a Data subject’s race or ethnic origin, political opinions, religious belief, trade union membership, physical and mental health or condition, sexual life and any alleged or actual criminal activities or criminal record.

sentence expiry date

Means the date when a prison sentence is complete including any period of post release licence and/or extended supervision provisions for certain sex offenders.

third party

Means any person who is not the Data subject, the Data controller, a Data processor or any other party authorised to process Data for a Data controller or Data processor.

unauthorised user / unauthorised staff

Means any NPS employee, contractor, temporary staff or any other person who does not have auditable authority from a Local System Controller to access, view and Process NPS information and/or NOMIS information. This includes any Authorised user that exceeds their legitimate Access Rights.