Police

Regulation on management of personal information by the police.

No. 322 9 April 2001 with amendment no. 926/2004

Article 1

Scope

This regulation applies to electronic processing of personal information by the police. The regulation only pertains to the electronic processing of personal information for police work according to Article 1 of the Police Act.

Article 2

Police records

The National Commissioner of the Icelandic Police keeps the following records:

  1. Case records on charges received by the police on offences where the following information is recorded:
    1. names of parties to the case and others concerned, as well as personal identification number, legal domicile and residence,
    2. scene of an offence or event,
    3. offence category or subject category,
    4. vehicles and other case-related items,
    5. case-related narcotics,
    6. list of the case reports,
    7. information on case investigation process.
  2. Police record books on communications received where the following information is recorded:
    1. names of communicating parties and others concerned, as well as personal identification number, legal domicile and residence,
    2. scene of the offence or event,
    3. offence category or subject category,
    4. vehicles and other case-related items,
    5. which policemen were on a scene,
    6. who reports on an event,
    7. police equipment on a scene,
    8. information on a case conclusion.
  3. Record of persons arrested where the following information is recorded:
    1. name of an arrested person, personal identification number, legal domicile and residence,
    2. offence causing an arrest,
    3. scene of arrest and timing,
    4. information on notifications to relatives and other authorities,
    5. who carries out an arrest, reports and decides on detention,
    6. condition of a person upon arrest,
    7. other information on arrest, condition of the arrested person and case treatment during an arrest.
  4. Other records necessary for police work in order to prevent impending danger and counter offences.

The National Commissioner of the Icelandic Police may authorise individual Chiefs of Police to keep records on certain items if deemed necessary for specific police work.

Article 3

Notification of personal information processing to the Data Protection Authority

The National Commissioner of the Icelandic Police shall notify the Data Protection Authority of the records he keeps and the records he has authorised Chiefs of Police to keep according to Article 2, Paragraph 2.

The notification shall indicate the following points:

  1. nature of a record;
  2. purpose of a record;
  3. what information a record contains;
  4. who has access to a record or individual parts thereof;
  5. with whom information from a record is shared.

In addition to the points accounted for in Paragraph 2, a notification of a record shall, in accordance with Article 2, Paragraph 2, indicate who takes care of and is responsible for the record processing.

In the event of a change in the record or its use the National Commissioner of the Icelandic Police shall notify the Data Protection Authority of this change.

Before a new method of electronic processing of personal information is used, the police shall seek the opinion of the Data Protection Authority on whether this processing is in accordance with laws and regulations on protection of individuals and freedom from interference with privacy and, if applicable, whether special measures shall be taken to ensure the legality of the processing.

Article 4

Security and internal control

The National Commissioner of the Icelandic Police and the Chief of Police in each district are responsible for the processing of personal data and that their treatment is in accordance with rules and standards set by the Data Protection Authority on how the security of personal information shall be ensured. In compliance with this a regular security assessment shall be made and systematic security measures taken.

The National Commissioner of the Icelandic Police and Chiefs of Police shall implement and organise continued internal control of personal information processing. Control shall aim at ensuring information reliability and preventing access, alterations or sharing of information without authorisation.

The Data Protection Authority shall be notified regularly of measures taken according to this Article.

Article 5

Processing of personal information

Processing of personal information shall be limited to information necessary for police work. As far as possible personal information processing shall be limited to verified information.

Personal information gathered for police work may not be used for other purposes, cf. however Article 6.

If possible, various categories of stored personal information shall be distinguished according to their exactitude and reliability. Information on facts shall be distinguished from data based on opinion and assessment. Information regarding administrative organisations shall be distinguished from information regarding police work.

Article 6

Sharing of personal information

Personal information shall be shared within the police to the extent necessary for police work. The prosecuting authority and the Prison and Probation Administration have access to personal information to the extent that is necessary to carry out legally stipulated tasks.

Personal information will only be shared with other authorities than mentioned in Paragraph 1 or with private parties in the following instances:

  1. according to the consent of the registered person;
  2. according to legal authorisation or;
  3. according to authorisation from the Data Protection Authority or;
  4. if the sharing of information is necessary to prevent serious and imminent danger.

Personal information will be shared with foreign police authorities only in the following instances:

  1. according to legal authorisation or;
  2. according to obligation by international law or;
  3. if sharing information is necessary to prevent serious and imminent danger or to counter serious offences, provided that the state to which the information is sent observes appropriate protection of personal information.

As far as possible the reliability of information shall be verified before it is shared. If information is not exact or out of date it shall not be shared. In the event that such information has been shared, the police shall as far as possible prevent it from affecting the interest of the registered person.

Article 7

Use of shared personal information

Personal information shared by the police may not be used for other purposes than described in the request for information. The use of information for other purposes is subject to the approval of the police authority concerned.

Article 8

The registered person’s right to information

The registered person has the right to know from the police:

  1. what information on him/her is being or has been processed;
  2. the purpose of the processing;
  3. who receives, has or will receive information on him/her.

If requested, the police shall provide this knowledge in writing. Communications in writing shall be dealt with according to Paragraph 1 as soon as possible but within one month from reception.

Article 9

Limitation of the right to information

The right of the registered person to information according to Article 8 is void if the information must inevitably be kept confidential for the purpose of police work or if necessary in order to protect the registered person or the rights and freedom of others.

Limitation of the right to information of the registered person shall be justified as far as possible without disclosing any confidential information.

Article 10

Duty of notification of gathering of personal information

If personal information is gathered and kept without the knowledge of the registered person, the person concerned shall as far as possible be notified of the processing of information in the event that such a notification is not considered to obstruct police work. This does not apply if information has been deleted.

Article 11

Electronic surveillance

When law enforcement is carried out with electronic surveillance in public places this surveillance shall be indicated by a sign or other clear evidence.

Article 12

Correction or deletion of wrong and misleading personal information

If wrong, misleading or incomplete personal information has been recorded or personal information has been recorded without required authorisation, the police shall see to it that information be corrected, deleted or completed if the deficiency in question can influence the interest of the registered person.

Article 13

Access to personal information and its deletion

Access of police officers to personal information shall not exceed what is necessary with regard to the tasks they are entrusted with.

In the event recorded personal information is no longer necessary for police work due to its age or for other reasons, it shall be deleted. If it is prohibited to delete information the National Commissioner of the Icelandic Police shall take special measures to limit access to such information and he may, according to circumstances, prohibit their use.

The National Commissioner of the Icelandic Police shall notify the Data Protection Authority of decisions taken according to this Article.

Article 14

Date of entry into force etc.

This regulation, set according to Article 19, Paragraph 3 of the Code of Criminal Procedure No. 19 of 26 March 1991; item i, Article 5, Paragraph 1 of the Police Act No. 90 of 13 June 1996, cf. legislation No. 15 of 14 April 2000; and Article 45, Paragraph 3 of the Act on the Protection of Individuals with regard to the Treatment of Personal Data No. 77 of 23 May 2000, shall enter into force immediately.

At the same time the regulation on police treatment of personal data No. 794 of 25 October 2000 expires.

Ministry of Justice and Ecclesiastical Affairs, 9 April 2001.

Sólveig Pétursdóttir, Minister.

Björn Fridfinnsson.

Regulation on amendment to the regulation on management of personal information by the police, No. 322 9 April 2001.

Article 1

The following changes will be made to Article 2 of the regulation:

  1. After point 3 a new point is inserted which reads thus:
    Database in which information is recorded on individuals, groups, associations, companies or others related to the following offence categories:
    1. narcotics,
    2. child pornography,
    3. money laundering,
    4. terrorism,
    5. financing of organised criminal activity,
    6. illegal immigration.
  2. Point 4 becomes point 5.

Article 2

The following paragraph is added to Article 3:

If it may be assumed that the public release of a notification of a record to the Data Protection Authority endangers the law enforcement interest that the record is intended to serve, the Data Protection Authority can, following a request thereon from the National Commissioner of the Icelandic Police, decide that the notification be not publicly released.

Article 3

This regulation, set according to Article 19, Paragraph 3 of the Code of Criminal Procedure No. 19 of 26 March 1991; item i, Article 5, Paragraph 1 of the Police Act No. 90 of 13 June 1996, cf. legislation No. 15 of 14 April 2000; and Article 45, Paragraph 3 of the Act on the Protection of Individuals with regard to the Treatment of Personal Data No. 77 of 23 May 2000, shall enter into force immediately.

Ministry of Justice and Ecclesiastical Affairs, 19 November 2004.

Björn Bjarnason, Minister.

Ásgerdur Ragnarsdóttir.