This notice explains how the College of Policing (‘the College’) processes personal data about individuals, which includes the collection, storage, and sharing of that information. It also describes the steps we take to ensure that the personal data we hold is protected, and explains the rights individuals have in regard to their personal data handled by the College.
The processing of personal data is governed by the General Data Protection Regulation (GDPR) and relevant Data Protection legislation. The College is registered with the Information Commissioner as a 'Data Controller' [registration no: Z3458257]. As such we are obliged to ensure that all personal data is held and processed in accordance with the law.
The College takes that responsibility very seriously and takes great care to ensure that personal data is handled appropriately in order to secure and maintain individuals' trust and confidence in the College.
1. Why do we handle personal data?
The College obtains, holds, uses and discloses personal data for three broad purposes:
A. Our Core Purposes – to -
B. The Policing Purpose – which include (but not limited to):
C. The provision of services to support our Core and Policing Purposes – which include (but not limited to):
The College will only use appropriate personal data that is necessary to fulfil a particular purpose or purposes.
2. Our lawful basis for processing data.
The GDPR allows for personal data to be processed under one of six conditions. With consideration to the purposes mentioned above, the College will in the majority of cases, rely on the condition of processing personal data due to it being necessary for the performance of a task carried out in the public interest or exercise of official authority vested in the College. Where the College uses information for the purposes of a newsletter mailing list or anything considered to be 'marketing' then your information will be processed under the condition of consent.
As the College processes many categories of data for various reasons, the College may also rely on other lawful basis like necessary for a contract, necessary for compliance with a legal obligation, in your vital interest, or for a legitimate interest.
Where sensitive or 'special categories' data is being collected, additional lawful basis will apply like having explicit consent, necessary for employment, social security, defending against legal claims, for a substantial public interest and for preventative or occupational health or medicine, amongst other reasons.
In each case where information is being requested by the College we will specify at the time of collection of data, usually through a service specific privacy notice, which of the lawful basis above we are relying on for the processing of that data.
3. Whose personal data do we handle?
In order to carry out the purposes described under sections 1 above, the College of Policing may obtain, use and disclose (see section 8 below) personal data relating to a wide variety of individuals including the following:
4. What types of personal data do we handle?
In order to carry out the purposes described under sections 1 above , the College of Policing may obtain, use and disclose (see section 8 below) personal data relating to or consisting of the following:
5. Where do we obtain personal data from?
In order to carry out the purposes described under section 1 above the College of Policing may obtain personal data from a wide variety of sources, other than the individual directly, which includes the following:
The College of Policing may also obtain personal data from other sources such as its own CCTV systems, training records, or correspondence
6. How do we handle personal data?
In order to achieve the purposes described under section 1, the College of Policing will handle personal data in accordance with the GDPR and relevant Data Protection legislation. In particular we will ensure that personal data is handled fairly and lawfully with appropriate justification.
We will strive to ensure that any personal data used by us or on our behalf is accurate and relevant. We will also ensure it is:
We will also respect individuals' rights under the GDPR and relevant Data Protection legislation.
7. How do we ensure the security of personal data?
The College of Policing takes the security of all personal data under our control very seriously. We will comply with the relevant parts of the GDPR and associated Data Protection legislation relating to security, and seek to comply with the National Police Chief's Council (NPCC) Community Security Policy and relevant parts of the ISO27001 Information Security Standard.
We will ensure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection, to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any personal data contained within them. These procedures are continuously managed and enhanced to ensure up-to-date security.
8. Who do we disclose personal data to?
In order to carry out the purposes described under section 1, the College of Policing may disclose personal data to a wide variety of recipients, including those from whom personal data is obtained (as listed above). This may include the following:
Disclosures of personal data will be made on a case-by-case basis, using the personal data that is appropriate and proportionate to a specific purpose and lawful basis, and with necessary controls in place.
Some of the bodies or individuals to which we may disclose personal data may be situated outside of the European Union - some of which do not have laws that protect data protection rights as extensively as in the United Kingdom. If we do transfer personal data to such territories, we undertake to ensure that there are appropriate safeguards in place to certify that it is adequately protected as required by the GDPR and relevant Data Protection legislation.
The College of Policing will also disclose personal data to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order. The College may also disclose personal data on a discretionary basis, as allowed by law
9. What are the rights of the individuals whose personal data is handled by the College? Individuals have various rights under the GDPR, which can be found under articles 12 to 22 of the regulation. Below are the common rights that are likely to apply to the processing of information by the College of Policing:
A. The right of individuals to access personal information held about them 'Subject Access request'
The most commonly exercised right is that used by individuals to obtain a copy, subject to exemptions, of their personal data processed by the College of Policing. Details of the application process can be found on our 'Subject Access' page on our website.
Alternatively individuals may contact the College of Policing Data Protection Officer (see section 12 below).
B. The right to object to how we process personal information
The College of Policing will make it clear in our service specific privacy notices the lawful basis of why we collected that personal information. If the lawful basis was for the following three reasons then individuals will have a right to object to that processing:
The College will always allow individuals to object to direct marketing as this is a specific right that individuals have under the GDPR. However, the College will consider if your objection is appropriate under the other two basis, which will depend on the justification and reasons provided. These will be balanced against the College's need to process that information and a response outlining our decision will be provided.
A request to object to the processing of personal information may be sent to the College of Policing Data Protection Officer (see section 12 below).
C. The rights to object to automated decisions and profiling
Although the College of Policing is unlikely to carry out any automated decision making that does not involve some human element, the GDPR does provide for this specific right in cases where this may occur. Subject to certain exemptions, an individual has the right to require that the College of Policing ensures that no decision that would significantly affect them is taken by the College of Policing, or on our behalf, purely using automated decision-making software. If there is a human element involved in the decision-making the right does not apply.
A request to object to the automated decision making or profiling may be sent to the College of Policing Data Protection Officer (see section 12 below).
D. The right to be forgotten (the right to erasure of personal data)
Individuals have the right to request that the College deletes personal information that is held about them. However this right will not apply in all cases.
If the College obtained information about an individual with their consent, and it relates to information that we are not required to keep by law or required to keep for a limited time while a complaint or appeal window is open then we will likely be able to comply with a request to delete the information. An example of this may be the contact details of an individual who has provided this information for the purposes of receiving a newsletter or marketing material.
However if the college is relying on another legal basis to process the personal data or the College is required to keep the data in accordance with our retention schedule or to be able to deal with complaints or appeals then a request for deletion of data may be refused under the relevant exemptions.
A request to delete personal information as described above may be sent to the College of Policing Data Protection Officer (see section 12 below).
E. The right to rectification or restriction of the processing of personal data
If an individual feels that the College of Policing holds information about them that is not accurate, they have the right to request that this is rectified and made accurate. This could be information that is felt to be incomplete or not factually correct.
If the information to be corrected is disputed and would require more time to establish the accuracy of the data, you may also request that the personal information be restricted so that further processing of that information does not take place, or if necessary, in a restricted way.
A request for rectification or restriction may be sent to the College of Policing Data Protection Officer (see section 12 below).
F. The right to data portability
Individuals have a right to a copy of their personal data in an easily accessible electronic format that can be transferred to another system (structured, commonly used and machine readable form).
This right only applies to the personal data individuals provided to the College and does not include data the College created during the processing of that data. This right only applies if the data was processed under the lawful basis of consent or for the performance of a contract.
A request for data portability may be sent to the College of Policing Data Protection Officer (see section 12 below).
F. The right to complain to the College of Policing and to the Information Commissioner's Office (ICO)
The ICO is the supervisory authority that is responsible for upholding the GDPR and related Data Protection legislation in the UK. You have the right to complain to the ICO if you believe the processing of personal data is in breach of the GDPR or related Data Protection legislation. However the ICO guidance suggests complaints should be directed to the 'Data Controller', which in this case would be the College of Policing, in the first instance to allow the College to properly address any concerns first.
In the unlikely event that you would like to raise a complaint with the College, please contact us on the details provided under section 12 below.
If after making a complaint to the College you still feel your concerns were not full addressed you can contact the ICO on the details below:
The Information Commissioner's Office, Wycliffe House, Wilmslow, Cheshire, SK9 5AF Telephone: 01625 545700 Website: https://ico.org.uk/
10. How long does the College retain personal data?
The College keeps personal data as long as is necessary for the particular purpose or purposes for which it is held. Our information is held in accordance with our Retention, Review and Disposal schedule. When an individual provides us with their information, our updated service specific privacy notices will state how long we plan to keep that specific type of data for.
The College may monitor or record and retain telephone calls, texts, emails and other electronic communications to and from the College in order to deter, prevent and detect inappropriate or criminal activity, to ensure security, and to assist the purposes described under section 1 above.
12. Contact Us
To exercise any of the rights under section 9 above relating to personal data being held by the College, a request should be made using the details below. Any individual with concerns over the way the College handles their personal data may also contact our Data Protection Officer using the details below:
Mail: Data Protection Officer, Central House Beckwith Knowle Otley Road Harrogate HG3 1UF website: Requesting information under Data Protection