Police Injury Pensions - Lawful Basis For Processing Personal Data

The request was successful.

Dear Information Commissioner's Office,

On 6th August 2018 Dominic Green, a Team Manager in the Information Commissioner’s Office, wrote to one or more police forces in respect of matters arising from case Reference Number RFA0734807.

For your reference, the letter begins with, ‘Thank you for my letter of 29th March 2018 regarding the data protection concerns that have been reported to the Information Commissioner’s Office . . .’

A focus of the correspondence was whether there existed a ‘lawful basis’ for police forces to process former officers’ personal data when conducting what is commonly referred to as a ‘review’ of the degree of disablement of individuals in receipt of a injury pension.

There had apparently been concerns raised regarding processing of medical records.

On page 3 of the letter is this:

‘Under the GDPR we would now ask that the constabulary considers what lawful basis for processing will be relied upon under Article 6, and in the case of special category personal date, Article 9 of the GDPR.'

I ask that if the ICO has received replies to Dominic Green's letter of 6th August 2018 from the force or forces who were engaged in this exchange of correspondence, then I would like a copy of the replies.

Also, if the ICO has communicated to any police force or police pension authority any opinion or offered any guidance on the issue of the ‘lawful basis’ or a ‘legal obligation’ for processing personal data, including special category personal data when conducting a review of former officers’ degree of disablement, then I would like a copy of that opinion or guidance.

Yours faithfully,

Paul Styles

Information Access Inbox, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:

[1]https://ico.org.uk/about-the-ico/our-inf...

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found
[3]here.

Twitter

Find us on Twitter [4]here.

 

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. https://ico.org.uk/about-the-ico/news-an...
4. http://www.twitter.com/ICOnews

Information Commissioner's Office

1 Attachment

8 May 2019

 

Case Reference Number IRQ0835488

 

Dear Mr Styles

Thank you for contacting the Information Commissioner’s Office (ICO). We
received your information request on 7 April.
 
 
Your request
 
You asked us for the following: “replies to Dominic Green's letter of 6th
August 2018 from the force or forces who were engaged in this exchange of
correspondence, then I would like a copy of the replies. Also, if the ICO
has communicated to any police force or police pension authority any
opinion or offered any guidance on the issue of the lawful basis or a
legal obligation for processing personal data, including special category
personal data when conducting a review of former officers’ degree of
disablement, then I would like a copy of that opinion or guidance.”
 
We understand that you refer to Dominic Smith of our Data Protection
Complaints and Review Department and that this request relates to our
assessment of the compliance of Avon and Somerset Constabulary’s (ASC)
compliance with data protection legislation under our reference
RFA0734807.
 
We have considered your request under the Freedom of Information Act 2000
(FOIA).
 
Our response 
 
I can confirm that the ICO does indeed hold information within scope of
your request and you will find a copy of the correspondence between the
ICO and ASC relating to this case attached to this response.
 
A copy of the guidance we have communicated to police forces can be found
on pages 22-26 of the information attached.
 
I have redacted the mobile number of one of our contacts at ASC under
section 40 of the FOIA.
 
This information is exempt from disclosure to you under section 40 of the
FOIA.
 
Section 40(2) exempts information in response to a request if it is
personal data belonging to an individual other than yourself and it
satisfies one of the conditions listed in the legislation.[1][1] The
condition contained in section 40(3A)(a) applies - that disclosure would
breach one of the data protection principles. The principle is that -
 
“Personal data shall be processed lawfully, fairly and in a transparent
manner...” [2][2]
 
We do not consider that disclosing this information to you, and
consequently the public, is necessary or justified in order to satisfy
your information request and the requirements of the FOIA. In the
circumstances of this request there is no strong legitimate interest that
would override the prejudice to the rights and freedoms of the data
subject. We have therefore taken the decision that disclosing this
information to you would be unlawful.
 
This concludes our response. I hope you find this information helpful.
 
                        
Next steps
 
If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Access team
at the address below or email [3][ICO request email]
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please write
to the Customer Contact department, at the address below or visit the
‘Complaints’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure is available [4]here.
 
For information about what we do with personal data see our [5]privacy
notice.
 
Yours sincerely,
 
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6397 F. 01625 524510  [6]ico.org.uk  [7]twitter.com/iconews
Please consider the environment before printing this email
For information about what we do with personal data see our [8]privacy
notice

 

 
 
 

------------------------

[9][1] Amendments to the Freedom of Information Act 2000 contained in the
Data Protection Act 2018.
[10][2] GDPR EU2016, Article 5(1)(a).

References

Visible links
1. https://v-whcwcmeh04.child.indigo.local/...
2. https://v-whcwcmeh04.child.indigo.local/...
3. mailto:[ICO request email]
4. https://ico.org.uk/media/1883/ico-review...
5. https://ico.org.uk/global/privacy-notice/
6. http://ico.org.uk/
7. https://twitter.com/iconews
8. https://ico.org.uk/global/privacy-notice/
9. https://v-whcwcmeh04.child.indigo.local/...
10. https://v-whcwcmeh04.child.indigo.local/...