Policies

The request was partially successful.

Dear Sussex Police and Crime Commissioner,

1) please can you send me a copy of the current subject access request
acknowledgment AND response letter that you use
2) a copy of the last 5 dpias completed
3) a copy of any internal mandatory information governance training that
you give to staff which was written in the last 2 years including
presentation slides and videos and any other media
4) a copy of any instructions given to staff members to reduce data
security breaches, for example double checking work
5) a copy of any policies implemented in the last 2 years within the
organisation to help reduce the environmental impact that the organisation
has?
6) please can I have a copy of the risk rating that you use to evaluate data security incidents?

Yours faithfully,

Paul Knight

Graham Kane, Sussex Police and Crime Commissioner

8 Attachments

Dear Mr Knight
 
Thank you for your email to the Sussex Police & Crime Commissioner, Katy
Bourne, who has asked me to respond on her behalf.
 
I can confirm that your request has been received and is currently being
processed under the terms of the Freedom of Information Act 2000. A
response will be provided to you within the statutory timescale of 20
working days from receipt of your request as defined by the Act, subject
to the information being both available and not being exempt.
 
Kind regards
 
Graham Kane
Head of Performance
T: 01273 481561
A: Sackville House, Brooks Close, Lewes, East Sussex, BN7 2FZ
 

The OSPCC may collect personal data from your contact. For more
information about the personal data the OSPCC may collect and hold,
including our Privacy Notice, Publication Scheme, Disposal and Retention
Schedule and Information Sharing Agreement between the OSPCC and Sussex
Police, please refer to the Data Protection page on our website that can
be viewed through the following link:
[15]https://www.sussex-pcc.gov.uk/about/tran...
 
This message is intended for the use of the addressee only and may contain
confidential or privileged information. If you have received it in error
please notify the sender and destroy it. You may not use it or copy it to
anyone else. E-mail is not a secure communications medium. Please be aware
of this when replying. All communications sent to or from the Sussex
Police & Crime Commissioner may be subject to recording and/or monitoring
in accordance with relevant legislation. Although the Office of the Sussex
Police Crime & Commissioner has taken steps to ensure that this e-mail and
any attachments are virus free, we can take no responsibility if a virus
is actually present and you are advised to ensure that the appropriate
checks are made.


Graham Kane, Sussex Police and Crime Commissioner

17 Attachments

Dear Mr Knight
 
Further to your request for information under the Freedom of Information
Act 2000, set out below:
 
1) please can you send me a copy of the current subject access request
acknowledgment AND response letter that you use
2) a copy of the last 5 dpias completed
3) a copy of any internal mandatory information governance training that
you give to staff which was written in the last 2 years including
presentation slides and videos and any other media
4) a copy of any instructions given to staff members to reduce data
security breaches, for example double checking work
5) a copy of any policies implemented in the last 2 years within the
organisation to help reduce the environmental impact that the organisation
has?
6) please can I have a copy of the risk rating that you use to evaluate
data security incidents?
 
I can confirm that some of the information you requested is held by the
Office of the Sussex Police & Crime Commissioner (OSPCC), under Section
1(1)(a) of the Act.
 
1) please can you send me a copy of the current subject access request
acknowledgment AND response letter that you use
 
The following template is used as a guide by the OSPCC to acknowledge any
subject access request made by email or letter:  
 
Dear NAME
 
Thank you for your email to the Sussex Police & Crime Commissioner, Katy
Bourne, who has asked me to respond on her behalf.
 
I can confirm that your Subject Access Request has been received and will
be processed under the terms of Article 15 of the General Data Protection
Regulation (GDPR) within 30 calendar days from the date of receipt.
Therefore, you will receive a response from the Office of the Sussex
Police & Crime Commissioner by DAY MONTH YEAR.
 
In the meantime, I would be grateful if you could please provide me with
proof of identity in the form of either a copy of your passport, driving
licence or birth certificate.
 
Kind regards
 
The following template is used as a guide by the OSPCC to respond to any
subject access request made by email or letter:
 
Dear NAME
 
I can confirm that the Office of the Sussex Police & Crime Commissioner
(OSPCC) holds the following personal information about you as at DAY MONTH
YEAR:
 
INSERT – LIST OF ALL INFORMATION HELD
 
The Privacy Notice for the OSPCC sets out how your personal data will be
processed in accordance with Article 15 of the GDPR.
 
It is worth emphasising that no automated decision-making is used by the
OSPCC.
 
The OSPCC also has a Disposal and Retention Schedule for the maintenance
of its records – this sets out how long the data will be retained for.
 
If you are unhappy with the service that you have received in relation to
your request and wish to make a complaint or request a review of this
decision, this should be made in writing to the Chief Executive &
Monitoring Officer. Further information can be found using the following
link: [1]www.sussex-pcc.gov.uk/contact-us/how-to-make-a-complaint/
 
If you are not content with the outcome of your complaint or review, you
may apply directly to the ICO for a decision. Further information can be
found using the following link: [2]https://ico.org.uk/Global/contact_us
 
Kind regards
 
2) a copy of the last 5 dpias completed
 
The OSPCC only collects a small amount of personal information directly
from members of the public when they make contact with the office by
email, letter or through an online form. Information may also be collected
from the public when contact is made by telephone, subscription to the
newsletter, responding to a survey, contact on social media or by entering
information or feedback on the OSPCC website. When contact is made with
the OSPCC, a name, address, e-mail address, telephone number and the
nature of the contact may be collected. The Privacy Notice for the OSPCC
provides further information about how personal information is used by the
OSPCC – this can be viewed through the following link:
[3]https://www.sussex-pcc.gov.uk/media/4348...
 
As such, the OSPCC has only completed one Data Protection Impact
Assessment (DPIA) since November 2012, which relates to the procurement of
a correspondence system to handle all enquiries received by the OSPCC from
members of the public. The DPIA is attached, with redactions made relating
to Section 40 – Personal Information.
 
3) a copy of any internal mandatory information governance training that
you give to staff which was written in the last 2 years including
presentation slides and videos and any other media
 
Further to 25 May 2018 and the introduction of the GDPR, a mandatory
National Centre for Applied Learning Technologies (NCALT) training
package, ‘Managing Information’, was launched for all police officers and
staff (including all staff within the OSPCC) to complete in respect of the
changes that were made to data protection.
 
The Managing Information programme explains how to handle, record and
share information. It incorporates the changes introduced by the GDPR and
Law Enforcement Directive (LED) – all of which are enshrined in domestic
legislation within the Data Protection Act (DPA) 2018. The module is aimed
at anyone who works in non-operational police support roles and consists
of two courses: one course with all of the learning content and another
course containing a set of knowledge-check questions.
 
Upon completion of the module, there is no specific requirement for staff
to complete annual refresher training in this respect, other than the
information that is sent out to the staff within the OSPCC to remind them
of their responsibilities and to reinforce some of the key messages in
this area.
 
4) a copy of any instructions given to staff members to reduce data
security breaches, for example double checking work
 
All staff within the OSPCC are reminded regularly about data breaches and
provided with practical instructions to help ensure that the OSPCC remains
compliant with the new legislation. An example of some of these
instructions can be viewed below:
 
What is a data breach?
 
The Information Commissioner’s Office (ICO) defines a data breach as:
 
“… a breach of security leading to the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or access to, personal data.
This includes breaches that are the result of both accidental and
deliberate causes. It also means that a breach is more than just about
losing personal data.”
 
The access, disclosure or loss of this information could cause an
individual serious harm. For example, identity theft, financial loss, a
threat to physical safety, loss of employment and reputational damage.
 
What constitutes a data breach?
 

* Loss or theft of data or equipment on which data is stored (e.g. a
laptop, USB stick or DVD);
* Inappropriate access controls allowing unauthorised use;
* Equipment failure;
* Human error;
* Unforeseen circumstances, such as a fire or flood;
* Hacking attack (e.g. NHS ransomware attack); and
* ‘Blagging’ offences where information is obtained by deceiving the
organisation who holds it.

What should I do if I think there’s been a data breach?
 
If you suspect a breach has occurred, you must report the incident to
myself or Mark within 24 hours of being made aware of the breach. The
OSPCC must report any breaches to the ICO within 72 hours.
 
The IT Service Desk (either within East Sussex County Council or Sussex
Police) must also be notified immediately if there is an IT breach,
depending on who is responsible for the maintenance of the equipment. This
includes but not exclusively: a breach to the network, laptop or when a
device is lost, stolen or compromised.
 
Hints and tips
 

* Check email recipients before sending – Outlook often automatically
fills in the ‘to’ field with the most recent recipient. Please check
which Tom, Dick or Harry you are actually sending the email to before
you click send;
* Does your paperwork need to leave the OSPCC? If you’re transporting
sensitive documents, can you guarantee their safety? Laptops and
documents must never be left in vehicles, unattended or out of sight;
* If you are issued with a portable device, e.g. a laptop, mobile
telephone or USB stick, you are responsible for its security. Never
leave the password with the device either!;
* Always lock your computer screen if you are leaving your desk for any
length of time; and
* Ensure discs and USB sticks are encrypted. If they cannot be encrypted
then make sure they are kept safe and signed for when transferred.

 
Sharing information with partners
 
Whilst the OSPCC must conform to the new regulations, we must also ensure
that information sharing between Sussex Police and other trusted partner
agencies remains uninterrupted, with data kept and shared carefully for
legitimate and appropriate purposes.
 
We should also understand the importance of managing personal information
fairly, ethically and sensitively, whilst recognising the harm it could
cause if it was to be accessed by the wrong hands. Care must be taken in
this area because it forms a crucial part of the trust that the public put
in both the police and the public service. We are also all individually
responsible for making sure the data the OSPCC holds is accurate, handled
securely and only shared when it is appropriate to do so. 
 
5) a copy of any policies implemented in the last 2 years within the
organisation to help reduce the environmental impact that the organisation
has?
 
The OSPCC has not implemented any specific policies within the past two
years to help reduce the environmental impact that the organisation has.
 
6) please can I have a copy of the risk rating that you use to evaluate
data security incidents?
 
Any potential data security incidents are managed by the OSPCC on a
case-by-case basis. All members of staff within the OSPCC are aware of the
process in place to report any suspected data breaches and also the
importance of doing this in a timely manner. The OSPCC has never knowingly
had a data breach that has resulted in a report to the ICO.
 
I hope this information is useful to you and thank you once again for
taking the time to contact the Commissioner.
 
If you are unhappy with the service that you have received in relation to
your request and wish to make a complaint or request a review of this
decision, this should be made in writing to the Chief Executive &
Monitoring Officer. Further information can be found using the following
link: [4]www.sussex-pcc.gov.uk/contact-us/how-to-make-a-complaint/
 
If you are not content with the outcome of your complaint or review, you
may apply directly to the Information Commissioner’s Office for a
decision. Further information can be found using the following link:
[5]https://ico.org.uk/Global/contact_us
 
Kind regards
 
Graham Kane
Head of Performance
T: 01273 481561
A: Sackville House, Brooks Close, Lewes, East Sussex, BN7 2FZ
 