Data Protection and the Police
Data Protection and the Police.
The Privacy and Data Protection Authority (PDPA) in Iceland has received your e-mail questionnaire of 11 April 2003, regarding data protection legislation in our country and the extent to which it applies to the police.
The answers to your questions are as follows:
1 General
1.1 Are the police covered by the data protection legislation in your country?
Answer: With the exception of the articles stated in Art. 3, Para. 2 of Act no. 77/2000, on the Protection of Privacy as regards the Processing of Personal Data, (Data Protection Act) the police, as well as other data controllers is subject to the stipulations of the aforementioned Act. The articles in question concern the right of access to general information on personal data processing and to information concerning the data subject, restrictions thereof, duty of notification, warnings regarding electronic surveillance, erasure, and prohibition of use, of personal data that are neither incorrect nor misleading, and the data controllers' duty to provide information on the processing to the data subject, both when the information is collected from the data subject himself as well as when obtained from someone else.
On the basis of Art. 45, Para. 3 of the Data Protection Act, Art. 19, Para. 3 of Act no. 19/1991, on criminal case procedure and Art. 5, Para. 1, litra i of the Police Act no. 90/1996, the Ministry of Justice in Iceland has issued a Regulation no. 322/2001, on the use of Personal Data in the Police Sector. The regulation contains stipulations on warnings regarding electronic surveillance conducted by the police, erasure of personal data having exceeded the purposes for their processing. The regulation also prescribes the duty of the police to notify the PDPA about electronically processed files that it maintains and the contents of such notifications. It also dictates in which cases, and by what method, the data subject may access personal data on himself, which have been registered by the police, and the right of police to disclose personal data in other instances.
1.2 If so, is the Data Protection Authority responsible for ensuring that the police authorities are complying with data protection legislation?
Answer: According to Art. 37, Para. 3, point 2 of the Data Protection Act, the PDPA shall monitor the compliance of data controllers/processors with the Act. As we have already pointed out, apart from the provisions listed under 1.1., the police is not exempt from this stipulation.
It is also worth mentioning that according to Art. 18 of Act no. 16/2000, on the Schengen information system (SIS) in Iceland, the PDPA shall monitor to ensure that the entry, handling and security of data in the information system are in conformity with the Act and the rules applying to the protection of the individual and individual privacy.
1.3 What powers, if any, does the Data Protection Authority have in relation to the processing of personal data by the police?
Answer: Art. 40-42 of the Data Protection Act, prescribe resources/sanctions, including cessation of processing and daily fines, for the PDPA to ensure compliance with the Act. The police is subject to those stipulations as well as other data controllers.
A special rule applies to the PDPA's monitoring of the security of personal data in the Schengen Information System. According to Art. 18, Para. 3 of Act no. 16/2000, the PDPA, should the Authority have criticisms to make of the way the information system is operated, it shall submit such criticisms and proposals for rectification to the Commissioner of the Icelandic National Police and the Ministry of Justice.
1.4 What dealings has the Data Protection Authority had with the police?
Answer: As well as handling requests/inquiries from individuals, the PDPA has also met with the CINP, who is the data controller of all electronical police registers, to discuss data protection requirements. There has also been other general consultation on an informal basis. We have also called for, and received, Security Policy, Risk Assessment and Security Manual (security requirements) from the CINP and the Road Traffic Authority (RTA) where the computer systems of N.SIS and the National Police Force's mainframe system are located and operated. A security Audit on the RTA's premises is under way to ensure compliance with the security requirements put forward in the Data Protection Act as well as in rules no. 299/2001, on the security of Personal Data.
2. Supervising the transmission of personal data from Europol
2.1 Has the Data Protection Authority supervised any transmission of personal data to or from Europol?
Answer: No.
2.2 If there has been supervision, how was this carried out and what was the outcome?
Answer: See point 2.1.
2.3 If no supervision has taken place, is any planned for the near future?
Answer: No plans have as yet been made regarding such supervision.
3. Right of access
3.1. Do individuals have right of access to police records?
Answer: According to Art. 8 of Regulation no. 322/2001, the data subject is entitled to the following information from the police:
1) What information regarding him has been or is being processed.
2) The purpose of the processing.
3) Who receives, has received or will receive data on him.
3.2 Is the right of access direct or indirect?
Answer: The right of access is direct.
3.3 To which authority should individuals make requests for access to police records?
Answer: To the CINP (see above). The address is:
Rikislogreglustjori
Skulagata 21
150 Reykjavik
Tel: (354) 570-2500
Fax: (354) 570-2501
Special application forms can be filled out at local police stations or at the CINP's premises. Requests for access to information in the SIS must also be directed to the CINP (SIRENE office).
3.4 What information are individuals requested to supply when making a request for access to police records?
Answer: The applicant must issue some proof of identification and the application form must be filled out in the presence of a member of the police personnel. The applicant can only request access to information regarding himself, however, a legal guardian can request access to information on his protegé.
3.5 Are individuals required to pay a fee in order to gain access to their police records, and if so, how much is it?
Answer: No fee is required. Each individual will only be granted access annually, unless special circumstances for more frequent access apply.
3.6 Is there a specific period of time in which the authorities are required to respond to a request for access to police records?
Answer: All applications must be answered without undue delay and no later than a month upon reception.
3.7 Do exemptions from the right of access exist?
Answer: The right of access does not apply if the information must inevitably be kept confidential for police purposes or if necessary for the data subjects' protection or if essential in order to protect the fundamental rights and freedom of other parties. The reasons for the restriction of right of access must be stated to the extent possible with regard to confidentiality.
Concerning requests for access to the SIS, in cases, where it is necessary to keep the information secret in order to achieve the intended aim of the entry into the information system, or in view of the interests of other persons and when discreet surveillance is in progress, the data subject shall not have the right to be informed of the recorded data. In such instances, the applicant will be given the same standard reply as an applicant who is not registered; i.e: "No information is registered/it is not permitted to disclose registered information."
3.8 Is an individual able to ask the Data Protection Authority to investigate or verify the decision of the police authority?
Answer: As stated under point 1.1 Art. 18 of the Data Protection Act on the data subjects' right of access to information concerning him, does not apply to the police. As stated under point 3.1, Art. 8. of Regulation no. 322/2001, entitles the data subject right of access to the information stated therein.
The regulation is issued by the Ministry of Justice, see point 1.1., since the CINP's office is under the Ministry's administrative authority. Therefore, the CINP's decisions must be referred to the Ministry of Justice. The Ministry can seek the DPA's opinion on the CINP's decision.
3.9 Is the Data Protection Authority able to overrule the decision of the police and, if so, in what circumstances?
Answer: See point 3.8. Other decisions made by the police than those regarding the provisions stated under 1.1, can be overruled by the PDPA.
Encl. Icelandic Data Protection Act no. 77/2000.