Our processes for privacy and data protection.
Privacy notice
The College of Policing processes personal data on a day-to-day basis. We hold certain information about you; this is known as personal data. The processing of personal data is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This privacy notice tells you how we process personal data. It describes the steps we take to ensure data is protected, and explains the rights individuals have in regard to their personal data.
We are registered with the Information Commissioner as a Data Controller. As such we are obliged to ensure that all personal data is held and processed in accordance with the law. We take that responsibility very seriously and take great care to ensure that personal data is handled appropriately in order to secure and maintain individuals' trust and confidence.
1. Why do we process personal data?
We process personal data for three broad purposes:
a. Our core purposes
- share knowledge and good practice
- set standards
- support professional development
- connecting to everyone working in policing and law enforcement
- developing evidence-based knowledge
- providing a voice of professional policing
b. The policing purpose – which includes (but is not limited to):
- the prevention and detection of crime
- apprehension and prosecution of offenders
- protecting life and property
- preserving order
- maintenance of law and order
- rendering assistance to the public in accordance with national police standards, policies and procedures
- national security
- defending civil proceedings
- any duty or responsibility of the police arising from common or statute law
c. The provision of services to support our core and policing purposes – which include (but are not limited to):
- staff administration, occupational health and welfare
- training
- payroll and benefits management
- management of complaints
- vetting
- management of information technology systems
- legal services (which includes the defending of civil proceedings within the statutory limitation period)
- pension administration
- research, including surveys and analytics
- social media correspondence and analysis
- updates, newsletters and events
We will only use appropriate personal data that is necessary to fulfil a particular purpose or purposes.
2. Lawful basis
Data Protection legislation allows for personal data to be processed under one of six conditions. With consideration to the purposes mentioned above, we will process data under the following lawful bases.
Public task
Processing personal data is necessary for the performance of a task carried out in the public interest or exercise of official authority vested in the College.
Legal obligation
We need to process your personal data to satisfy our legal obligations as the Local Authority.
Contractual obligation
We need to process your personal data to meet our contractual obligations to you.
Legitimate interest
We rely on a legitimate interest to process your personal data in a way that has minimal privacy impact.
Consent
When relying on consent we ensure that it is only used where we do not have an alternative power. Consent will always be clear and concise and ensure that the decision is informed and genuine. Individuals can withdraw their consent at any time by contacting our Data Protection Officer: [email protected]
Where special categories of data are being collected, additional lawful bases will apply, such as having explicit consent, or the processing being necessary for employment, social security, defending against legal claims, for a substantial public interest and for preventative or occupational health or medicine.
3. What types of personal data do we process?
We may process personal data relating to or consisting of the following:
- contact details, including name, address, telephone numbers and email address
- identifying details, including date of birth, national insurance number and employee and membership numbers
- special categories of data, such as health data, race, religion, sexuality
- family, lifestyle and social circumstances
- skills and interests
- education and training details, including examination results
- employment details
- financial details
- feedback and opinions
- goods or services provided
- criminal records and intelligence
- physical identifiers including biometric data
- sound and visual images, including CCTV
- vetting data
- recruitment data
- complaint, incident, civil litigation and accident details
4. Where do we obtain personal data from?
In most cases personal data is obtained directly from the data subject; however, we may also obtain personal data from a variety of sources, such as:
- law enforcement agencies, such as your local force
- HM Revenue and Customs
- licensing authorities
- legal representatives
- prosecuting authorities
- security companies
- voluntary sector organisations
- approved organisations and people working with the police
- government agencies and departments
- emergency services
- relatives, guardians or other persons associated with the individual
- current, past or prospective employers of the individual
- healthcare, social and welfare advisers or practitioners
- education, training establishments and examining bodies
- business associates and other professional advisors
- suppliers, providers of goods or services
- persons making an enquiry or complaint
- financial organisations and advisors
- trade, employer associations and professional bodies
- ombudsmen and regulatory authorities
- CCTV, including ANPR
- the media
Where you have provided us with personal data about other individuals, such as family members or dependants, please ensure that those individuals are aware of the information contained within this notice.
5. How do we handle personal data?
We will always handle personal data in accordance with the UK GDPR and relevant Data Protection legislation. In particular we will ensure that personal data is handled fairly and lawfully with appropriate justification.
We will strive to ensure that any personal data used by us or on our behalf is accurate and relevant. We will also ensure it is:
- not excessive
- kept up to date as required
- protected appropriately
- reviewed, retained and securely destroyed when no longer required
We will also respect individuals' rights under the UK GDPR and relevant Data Protection legislation.
6. How do we ensure the security of personal data?
We take the security of all personal data under our control very seriously. All personal data will be processed in line with the principles set out within the ICO Regulations and Data Protection legislation that we must comply with, specifically the accountability principle.
We will:
- seek to comply with the relevant parts of the ISO27001 Information Security Standard
- continue to strengthen our processes for maintaining the privacy of all personal data that we hold
- require all of our employees to comply fully with Data Protection legislation
- ensure that appropriate technical and organisational measures are in place
- take a data protection by design and default approach, including carrying out data protection impact assessments
- protect our manual and electronic information systems from data loss and misuse
- implement strict access controls to our systems
- adopt and implement appropriate policies and training
- fully investigate any data protection and security breaches and implement measures to prevent reoccurrence
These procedures are continuously managed and enhanced to ensure up-to-date security and protection.
7. Who do we disclose personal data to?
We may disclose personal data to a wide variety of recipients, including those from whom personal data is obtained (as listed above).
This may include the following:
- disclosures to other law enforcement agencies (including international agencies)
- partner agencies working on crime reduction initiatives
- partners of the College
- Victim Support
- third parties working on our behalf such as IT contractors or survey organisations
- government agencies and departments
- education, training establishments and examining bodies
- approved data processors working with the College
- ombudsmen and regulatory authorities
- the media
- third parties involved with the safeguarding of international and domestic national security
- to other bodies or individuals where necessary to prevent harm to individuals
Disclosures of personal data will be made on a case-by-case basis, using the personal data that is appropriate and proportionate to a specific purpose. We will always ensure that we have a lawful basis to share the data concerned and that the necessary controls are in place.
Some of the bodies or individuals to which we may disclose personal data may be situated outside of the United Kingdom (UK) and the European Union (EU). If we do transfer personal data to such territories, we ensure that there are appropriate safeguards in place to certify that it is adequately protected as required by the UK GDPR and relevant data protection legislation.
8. Individual rights
Under Data Protection legislation you have a number of individual rights.
Your right of access
You have the right to ask us for copies of your personal information. This is formally known as a subject access request.
Your right to rectification
You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing
You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability
You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one calendar month to respond to you.
Contact us at [email protected] if you wish to make a request.
9. How long does the College retain personal data?
We will only keep your personal data for as long as we need to in order to fulfil the purpose(s) for which it was collected and for so long afterwards as we consider may be required to deal with any questions or complaints that we may receive, unless we elect to retain your data for a longer period to comply with our legal and regulatory obligations.
More details can be found on the College’s retention, review and disposal schedule.
10. Monitoring
We may monitor or record and retain telephone calls, texts, emails and other electronic communications to and from the College in order to deter, prevent and detect inappropriate or criminal activity, to ensure security, and to assist the purposes described within this notice.
11. Updating this notice
We may update this notice periodically. Where we do this we will inform you of the changes and the date on which the changes take effect.
We also have service specific privacy notices that will be communicated to individuals who use the service or participate in the activity.
12. Contact us
For any queries or concerns related to the way the College handles personal data please contact our Data Protection Officer.
College of Policing
Leamington Road,
Ryton-on-Dunsmore,
Coventry,
Warwickshire,
CV8 3EN
13. Making a complaint
If you have any concerns about our use of your personal information, you can make a complaint to us using the contact details above. We respectfully ask that you submit your complaint to us in the first instance to allow the College to properly address any concerns.
If, after making a complaint to the College, you still feel your concerns were not fully addressed, you can contact the ICO on the details below:
The Information Commissioner’s Office
Wycliffe House
Wilmslow
Cheshire
SK9 5AF
Email: [email protected]
Phone: 0303 123 1113