
Article 5 of the General Data Protection Regulations (GDPR) sets out the main responsibilities for organisations. Find out more about what the Information Commissioner, the regulator for Personal Data, says about these principles.


How do we process your data lawfully, fairly and in a transparent manner?

West Midlands Police ensures the lawful processing of personal data by conducting Data Protection Impact Assessments (DPIA) for all new projects. An internal governance structure exists to protect personal data, which incorporates departments like Information Management (including Information Security and Assurance and Records Management) and Internal Audit, projects like Fairness in Policing, meetings like the Strategic Information Management Board and the Information Assurance Working Group, and key roles like the Senior Information Risk Owner, Information Asset Owners, Information Asset Leads, the Accreditor, the Data Protection Officer, and the Caldicott Guardian, each with their own terms of reference. Policies informed by best practice and relevant subject matter experts, and reviewed by the whole business, ensure information is collected, processed, and disposed of appropriately.

Internal audit processes and external inspections ensure these controls are effective in maintaining individuals’ rights.

These pages exist to provide transparency for the processing of personal data by West Midlands Police.


How do we make sure that personal data is collected for specified, explicit, and legitimate purposes?

By conducting DPIAs and through the governance structure described above, West Midlands Police makes sure that personal data is only collected for a specified, explicit, and lawful purpose.

West Midlands Police retains some information beyond the periods set out in the retention schedules for archiving purposes in the public interest, scientific or historical research purposes, and statistical purposes. Prior to accepting information into the museum, it is assessed to ensure that retaining it for these objectives is not incompatible with the original purpose for which it was collected.

We regularly review our processing activities to check that the relationship, the processing, and the purposes have not changed. We have processes in place to refresh consent at appropriate intervals, including any parental consents. We consider using privacy dashboards or other preference-management tools as a matter of good practice.


How do we ensure our processing of personal data is adequate, relevant, and limited to only what is necessary to achieve the purpose?

Collection of new data is governed by DPIAs, as is a change in the way in which it is processed. Routine sharing of data with other entities is governed by an information sharing agreement, which stipulates the conditions under which information can be shared, and outlines the minimum information required to achieve the purpose.

We regularly review our processing activities to check that the relationship, the processing, and the purposes have not changed. We have processes in place to refresh consent at appropriate intervals, including any parental consents. We consider using privacy dashboards or other preference-management tools as a matter of good practice.


How do we ensure personal data is accurate and kept up-to-date?

West Midlands Police has a programme of proactive data quality checks undertaken by dedicated staff. In addition to proactive audits, internal processes are in place so that Police Officers and Police Staff can reactively notify dedicated teams of suspected data quality issues.

Data Quality statistics are reported to the Accreditor and Senior Information Risk Owner (SIRO) every month to enable senior management oversight. Risk areas are highlighted on department and force level risk registers to enable effective prioritisation of resources.

If you think we hold inaccurate data about you, you can request its correction by using the details listed on the ‘Individual Rights’ tab.


How do we ensure your data is not kept for longer than is necessary?

Physical files are subject to a robust management plan which ensures regular review and archiving in secure locations. Where IT systems permit, and for all new systems, retention criteria are applied automatically. Where automatic retention cannot be applied for technical reasons, retention criteria are applied on a case-by-case basis by the relevant business area.

West Midlands Police retains some information beyond the periods set out in the retention schedules for archiving purposes in the public interest, scientific or historical research purposes, and statistical purposes. Prior to accepting information into the museum, it is assessed to ensure that retaining it for these objectives is not incompatible with the original purpose for which it was collected.

If you think we are holding your personal data for longer than is necessary, or you wish to object to your data being held in the force museum, you can request its deletion by using the details listed on the ‘Individual Rights’ tab.


How do we ensure that personal data is processed in a manner that ensures appropriate security?

West Midlands Police follows best practice from organisations like the National Cyber Security Centre and the Centre of Protection for National Infrastructure. The organisation follows the College of Policing’s Authorised Professional Practice for Information Assurance, and is aligned to the principles contained in ISO/IEC 27002:2013.

Security of personal data is led by Information Security and Assurance, who report to the Accreditor and Senior Information Risk Owner. Additional dedicated security positions provide extra support: Security Architect and Information Systems Security Officer provide technical expertise to IT and Digital; and Counter-Terrorism Security Advisors and Design Out Crime Officers provide additional physical security advice to the organisation.

All new systems are subject to a security review and production of a risk assessment, completed by Information Security and Assurance. Where applicable, new systems are subject to a well-scoped IT Health Check conducted by an independent CHECK-certified third party. Our premises and our networks are designed and managed using a layered approach to security, so that failure of any single control does not result in a breach. All buildings and IT systems are subject to routine maintenance, testing, audit, and review, with remedial action being taken using a risk-based approach. Staff behaviour is governed by appropriate policy, training, technical, and procedural measures, all of which are reviewed by Information Security and Assurance prior to publishing. Our operating procedures and policies include guidelines as to what use may be made of any personal information processed by the system to which they apply. These procedures are reviewed regularly to ensure effective information security.

Third parties who store or process data on our behalf are subject to the same standards as we would apply to our own organisation, and where appropriate, this requirement forms part of our contract.


 
