All police forces will have an updated form in use.  Organisations should be
familiar with this form if they receive requests from the police.  If unsure
about the legitimacy of a request, a phone call to a police station to check
it out should help.

Whilst requests for data on authorised forms might sometimes be abused a
cautionary tale:  As part of a partnership initiative under the Crime and
Disorder Act a certain organisation offered to arrange a process with a
police officer for the police force to access their database containing
details of every school child within that particular county.  The offer was
not directly from an LEA.  The police officer, following enquiries on the
legality of the offer, declined it.

It is always worthwhile being aware of where your data is, who has copies of
it and what they are doing with it.  Basic data protection practice really,
but I must admit it is most difficult  to achieve in practice.....

It is nice to see another police force data protection practitioner
(dataprotection.lbp(a)) actively participating rather than just listening to
the group.  Well done.


Ian

----- Original Message -----
From: "Smith Mervyn, IM&T Security Officer"
<[log in to unmask]>
To: "'p=NHS NATIONAL INT;a=NHS;c=GB;dda:RFC-822=pmd(a)st-andrews.ac.uk;'"
<IMCEAX400-c=GB+3Ba=NHS+3Bp=NHS+20NATIONAL+20INT+3Bdda+3ARFC-822=pmd+28a+29s
[log in to unmask]>
Cc: "Nicholson Christopher, Director of Planning & Information"
<[log in to unmask]>; "Doane Beverley, Medical
Records Manager" <[log in to unmask]>; "Lakin Sandra,
Medical Records" <[log in to unmask]>; "Beck-Samuels Peter Dr.
Medical Director" <[log in to unmask]>; "'data
protection discussion list'" <[log in to unmask]>
Sent: Wednesday, October 18, 2000 3:09 PM
Subject: RE: Requests for Personal Data by the Police - Policy and
Procedures


> Hi Pete
>
> Thanks for a very useful response.  But nobody so far is admitting to
having
> a formal written policy!
>
> The ACPO form - I did once see a police officer produce the old (84 Act)
> version years ago when I worked for Sheffield City Council.  It was part
of
> ACPO's DP Code of Practice (in Sweet & Maxwell's DP Encyclopaedia -
> excellent if you can afford it).  According to previous postings on this
> list last March, the form is undergoing updating for the 98 Act,
> unsurprisingly. I don't know whether the updated version is available yet.
>
> Thanks again
>
> Mervyn Smith
> IM&T Security Officer
> Dept. of Information
> Wensley Court
> Rotherham District General Hospital
> Moorgate Road
> ROTHERHAM  S60 2UD
> Tel:  01709 820000 Ext. 6272
> Fax: 01709 304303
> Email: [log in to unmask]
>
>
> -----Original Message-----
> From: p=NHS NATIONAL INT;a=NHS;c=GB;dda:RFC-822=pmd(a)st-andrews.ac.uk;
> Sent: 18 October 2000 15:34
> To: Smith Mervyn, IM&T Security Officer
> Subject: Re: Requests for Personal Data by the Police - Policy and
> Procedures
>
>
> Hi Mervyn
>
> I think my response ought to be typical of Higher Education
> Institutions, so here's what we do locally regarding requests from the
> Police for information pertaining to students (or our staff), although
> the analogy is probably closest between HE students and NHS Patients.
> The only exceptions I'm aware of have been made under the separate
> disclosure exemption regarding National Security issues.
>
> In general, we assure our students in particular (and also staff) that
> their personal data is treated as confidential and all details
> pertaining to individuals are only collected for designated and
> published purposes. We have no formal sector 'charter' for this, but
> have something similar to your Patients Charter as in-house Practice
> and inform our students of its terms. Our staff have access to
> personal details of students only on a need-to-know basis, and all
> students are given the opportunity annually to advise us whether they
> would like to have their contact-details (only) made available to
> other local students (via internal Directories etc). Access to student
> data from outwith the University is generally barred except through
> our central Registry Office which is where any Police enquiries would
> end up. In the case of Police queries the general rule is that we
> absolutely veto any requests to 'browse' our student (or staff) files
> .... and it is worth noting here that  browse-requests come in
> periodically from places like the DSS and are always turned down.
> [Incidentally, we extend this right of privacy even to student's
> parents which may seem odd at first, but this is because our
> 'educational contract' is with individual students who are mature
> adults. Our Registrar has fielded not a few calls from irate parents
> who wanted to know why we hadn't informed them that their son/daughter
> had withdrawn from studies or changed address!]
>
> However, if the Police can identify a single individual person whom
> they would wish to contact for the purposes of 'prevention or
> detection of crime', then we would generally comply with the request
> and release the local contact address of that individual (but no other
> data) .... but we are cognisant that this breaches DPA Principles and
> a log is kept of the circumstances of the event and the fact that we
> took advantage of the appropriate disclosure exemption clause (as you
> quote). In any event, such disclosures would only be permitted by a
> senior member of staff. We do not use the ACPO form to which you refer
> (in fact I'd not heard of it).
>
> Hope that's useful.
>
> Cheers, Pete
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Pete Dewar
> Business Systems Manager &
> Data Protection Coordinator
> IT Services, University of St Andrews
> Tel: 01334 462541 Fax: 01334 462759
> Email: [log in to unmask]
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> -----Original Message-----
> From: Smith Mervyn, IM&T Security Officer
> <[log in to unmask]>
> To: 'data protection discussion list' <[log in to unmask]>
> Date: 18 October 2000 11:35
> Subject: Requests for Personal Data by the Police - Policy and
> Procedures
>
>
> >Has any contributor to this discussion group got a policy / procedure
> for
> >dealing with requests for personal data by the police which they
> would be
> >prepared to share with me and others?  I have already put quite a lot
> of
> >time and effort into researching the issues, but I always find it
> easier to
> >have something to start with!
> >
> >As you can see, I work in the NHS and the situation is potentially
> more
> >difficult than say with those of you working in academic
> institutions,
> >because of the confidential nature of health information.  I have
> appended
> >the 1996 from the Department of Health 'The Protection and Use of
> Patient
> >Information' which does seem to tie our hands somewhat!
> >
> >I would also be interested in knowing whether any of you are
> insisting on
> >the police using the ACPO form when making inquiries, the one which
> refers
> >to exemption from the non-disclosure provisions under S.29(3) of the
> Data
> >Protection Act 1998, and before that to S.28(3) of the DPA 1984.
> >
> >Mervyn Smith
> >IM&T Security Officer
> >Dept. of Information
> >Wensley Court
> >Rotherham District General Hospital
> >Moorgate Road
> >ROTHERHAM  S60 2UD
> >Tel:  01709 820000 Ext. 6272
> >Fax: 01709 304303
> >Email: [log in to unmask]
> >
> >
> >The Protection And Use of Patient Information
> >Guidance from the Department of Health
> >
> >Status of the guidance
> >2. The guidance is based on two fundamental considerations:
> > i. patients' expectation, set out in the Patient's Charter, that
> >information about them will be treated as confidential;
> > ii. the importance of making patients fully aware that NHS staff and
> >sometimes staff of other agencies need to have strictly controlled
> access to
> >such information, anonymised wherever possible, in order to deliver,
> plan
> >and manage services effectively.
> >3. Patient information is currently protected by the common law duty
> of
> >confidence and, in the case of computerised information, by the Data
> >Protection Act 1984. There are some other specific statutory
> provisions (for
> >example, relating to information about sexually transmitted
> diseases), as
> >well as professional ethical , duties of confidence.
> >Guidance
> >1.3. As a consequence, patient information will be seen and used by a
> number
> >of NHS professional and administrative staff, as well as staff of
> other
> >agencies contributing to a patient's care. Most patients would be
> unlikely
> >to trust staff with detailed information about themselves and their
> clinical
> >condition if they thought this might be passed on to others without
> proper
> >controls. It is therefore a central tenet of the NHS that, in the
> words of
> >the Patient's Charter and you (1995), "everyone working for the NHS
> is under
> >a legal duty to keep your records confidential".
> >BASIC PRINCIPLES
> >2.1. In general - and in all walks of life - any personal information
> given
> >or received in confidence for one purpose may not be used for a
> different
> >purpose or passed to anyone else without the consent of the provider
> of the
> >information. This duty of confidence is long- established at common
> law ...
> >2.2. Personal information held on a computer system is safeguarded by
> the
> >Data Protection Act  ...
> >2.3. In addition health professionals have ethical duties of
> confidence.
> >Patient information
> >2.4. In this guidance the term, "patient information", applies to all
> >personal information about members of the public held in whatever
> form by or
> >for NHS bodies or staff.  As well as obvious material such as medical
> >records, it includes personal "non-health" information (e.g. a
> patient's
> >name and address or details of his or her financial or domestic
> >circumstances) ...(my emphasis)
> >The relationship with patients
> >2.5. It is neither practicable nor necessary to seek a patient's (or
> other
> >informant's) specific consent each time information needs to be
> passed on
> >for a particular purpose. The public expects the NHS, often in
> conjunction
> >with other agencies, to respond effectively to its needs; it can do
> so only
> >if it has the necessary information. Therefore, an essential feature
> of the
> >relationship between patients and the NHS is the need for patients to
> be
> >fully informed of the uses to which information about them may be
> put: see
> >section 3 and paragraph 4.4.
> >When information may be passed on
> >2.6. In summary, information may be passed to someone else:
> >* with the patient's consent for a particular purpose; or
> >* on a "need to know" basis if the following circumstances apply:
> > for NHS purposes  ... or
> > the information is required by statute or
> >court order; or
> > passing on the information can be justified
> >for other reasons, usually for the protection of the public: see
> section 5.
> >
> >SAFEGUARDING INFORMATION REQUIRED FOR NHS AND RELATED PURPOSES
> >Who has a duty of confidence?
> >4.1. The duty of confidence derives from the personal nature of the
> >information recorded. It is unaffected by questions of who owns or
> holds
> >particular records. Consequently, the following all have
> responsibilities
> >for protecting information:
> > all NHS bodies and those carrying out functions on behalf of the NHS
> >have a common law duty of confidence to patients and a duty to
> support
> >professional ethical standards of confidentiality;
> > everyone working for or with the NHS who records, handles, stores or
> >otherwise comes across information has a personal common law duty of
> >confidence to patients and to his or her employer. This applies
> equally to
> >those, such as students or trainees, on temporary placements;
> > health professionals have, by virtue of professional regulation, an
> >ethical duty of confidence which, when considering whether
> information
> >should be passed on, includes paying special regard to the health
> needs of
> >the patient and to his or her wishes;
> > other individuals and agencies to whom information is passed
> >legitimately may use it only as authorised for specific purposes and
> >possibly subject to particular conditions.
> >
> >PASSING ON INFORMATION FOR OTHER PURPOSES OR AS A LEGAL REQUIREMENT
> >Release of information to protect the public
> >5.6. It may sometimes be justifiable to pass on patient information
> without
> >consent or statutory authority. Disclosures for the "discovery of
> iniquity"
> >are traditionally cited. Most commonly these involve the prevention
> of
> >serious crime, but can extend to other dangers to the general public,
> such
> >as a public health risk or risk of violence, where, as already noted,
> >essential information may need to be shared with other agencies.
> >5.7. Each case must be considered on its merits, the main criterion
> being
> >whether the release of information to protect the public should
> prevail over
> >the duty of confidence to the patient. The possible therapeutic
> consequences
> >for the patient must be considered whatever the outcome. Decisions
> will
> >sometimes be finely balanced and may concern matters on which NHS
> staff find
> >it difficult to make a judgement. Therefore it may be necessary to
> seek
> >legal or other specialist advice or to await or seek a court order.
> It is
> >important not to equate "the public interest" with what may be "of
> interest"
> >to the public.
> >Tackling serious crime
> >5.8. Passing on information to help tackle serious crime (see
> examples at
> >Annex D) may be justified if the following conditions are satisfied:
> >without disclosure, the task of preventing, detecting or prosecuting
> the
> >crime would be seriously prejudiced or delayed;   information is
> limited to
> >what is strictly relevant to a specific investigation;   there are
> >satisfactory undertakings that the information will not be passed on
> or used
> >for any purpose other than the present investigation.
> >5.9. Requests for information relating to a number of patients in
> order to
> >identify one or more is likely to be justified only if there is a
> very
> >strong public interest.
> >Annex D PASSING ON INFORMATION IN CONNECTION WITH SERIOUS CRIME
> > Passing on information to help prevent, detect or prosecute serious
> crime
> >may sometimes be justified to protect the public. There is no
> absolute
> >definition of "serious" crime, but section 116 of the Police and
> Criminal
> >Evidence Act 1984 identifies some "serious arrestable offences".
> These
> >include: Treason, murder, manslaughter, rape, kidnapping, certain
> sexual
> >offences, causing an explosion ,certain firearms offences, taking of
> >hostages, hijacking, causing death by reckless driving, offences
> under
> >prevention of terrorism legislation (disclosures now covered by the
> >Prevention of Terrorism Act 1989)
> >making a threat which if carried out would be likely to lead to:
> serious
> >threat to the security of the state or to public order, serious
> interference
> >with the administration of justice or with the investigation of an
> offence,
> >death or serious injury, substantial financial gain or serious
> financial
> >loss to any person. In other cases, it may be as well to seek legal
> advice
> >before taking a decision to release information.
> >
> >
> >
> >
>



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%