Privacy
This policy often talks about “we” or “us”. This means the Office of the Police and Crime Commissioner (OPCC), including the Police and Crime Commissioner (PCC), staff and third parties working on our behalf.
The OPCC Chief Executive Officer (CEO) is our ‘Data Controller’ for the purposes of the data protection laws. The current data protection laws in the UK are the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018.
If you have provided us with personal information on behalf of another person, you should share this policy with them. View our Data Protection Policy (PDF).
Find out more about how and why we collect, store, and use your personal information:
Whose information do we hold?
In order to carry out the purposes described under section 1 above the OPCC may obtain, use and disclose (see section 7 below) personal information relating to a wide variety of individuals including the following:
- Staff including volunteers, agents, temporary and casual workers
- Suppliers
- Complainants, correspondents and enquirers
- Relatives, guardians and associates of the individual concerned
- Advisers, consultants and other professional experts
- Offenders and suspected offenders
- Witnesses
- Victims
- Former and potential members of staff, pensioners and beneficiaries
- Members of Parliament
- Local Authority employees
- Councillors
- Other individuals and members of the public, necessarily identified in the course of PCC enquiries and activity.
The OPCC will only use appropriate personal information necessary to fulfil a particular purpose or purposes. Personal information could be information which is held on a computer, in a paper record such as a file, as images, but it can also include other types of electronically held information such as CCTV images.
What information do we hold about you?
We receive and hold personal information about you which may include:
- Your name, home address, telephone number
- Your age, date of birth and biographical details
- Family, lifestyle and social circumstances
- Complaint, incident and accident details
- Employment details
- Financial details
- Support Services provided
- Photographs and Videos of you, i.e. sound and visual images
- Education and training details
- Offences (including alleged offences)
- Criminal proceedings, outcomes and sentences
- Criminal Intelligence
- References to manual records or files
- *Special categories of personal data:
- Racial or ethnic origin
- Religious or other beliefs
- Political opinions
- Physical or mental health or condition
- Information relating to health and safety
- Sexual life
- Trade union membership
* ‘Special categories’ of personal data, as defined within the UK General Data Protection Regulation, includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sex life or sexual orientation, or trade union membership, and genetic data and biometric data.
Processing of special categories of personal data for the purpose of uniquely identifying you as an individual (a Data Subject) is prohibited, with exceptions which include:
- If you have given explicit consent to its processing
- Processing is necessary for the purposes of carrying out obligations and exercising specific rights of the Data Controller – the PCC – or of you, the Data Subject in the field of employment and social security and social protection law and providing for appropriate safeguards for the fundamental rights and the interests of you, the data subject
- Processing is necessary to protect the vital interests of you as the data subject, or of another natural person where you the data subject is physically or legally incapable of giving consent
- Processing relates to personal data which is already in the public domain by you the Data Subject
- Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
- Processing is necessary for reasons of substantial public interest.
Why do we collect your personal data?
We receive your personal information for two main purposes:
- So that we can do the job of the PCC, within the role and remit and power of the PCC. This includes helping people within with PCC policies and procedures, duty or responsibility within the law.
- So that we can provide services within the role and remit of the PCC.
We can lawfully process personal data under any one or more of the following reasons:
- A public task
- Consent from you
- A contract
- A legal obligation
- Vital interests
- Legitimate interests.
The PCC’s main statutory function is set out in the following legislation:
Lawful basis:
- Police and Social Responsibility Act 2011
- Police Act 1996
- The Accounts and Audit Regulations 2011
- Local Government & Housing Act 1989 (S155)
- Local Government and Finance Act 1988 Sec 112 and 114
- Local Authorities (Goods & Services) Act 1970
- Elected Local Policing Bodies (Specified Information Order 2011 and amendment order 2012, S1 2012 / 2479)
- Police Pension Fund Regulations 2007
- Police Pensions Act 1976
- Freedom of Information Act 2000
- Police Reform Act 2002
- Employment Rights Act 1996
- The Equality Act 2010
The PCC’s role and services provided include:
- Communication from and to members of the public
- Management of Freedom of Information requests
- Management of complaints
- Management of public relations, journalism, advertising and media
- Vetting
- Commissioning Services
- Management of finance
- Internal review, accounting and auditing
- Training
- Property management
- Insurance management
- Vehicle and transport management
- Payroll and benefits management
- Management of information technology systems
- Recruitment
- Sports and recreation
- Procurement
- Planning
- System testing
- Security
- Performance management
- Legal services
- Health and safety management
- HR management
- Information provision
- Licensing and registration
- Pensioner administration
- Staff administration, occupational health and welfare
- Research, including surveys
Who might we share your personal information with?
In the majority of times we do not share your information with any organisation or person outside of the PCC’s office.
For example, if you contact the PCC about an issue within the remit of the PCC then the PCC will reply directly to you, keeping your personal information within the PCC’s office.
However, in some circumstances we need to share your personal information with other Organisations (other Data Controllers) that we work with, including:
- The Police, mainly Avon and Somerset Constabulary
- Members of Parliament (MP)
- Local Authorities – County and District Councils
- The Home Office
- Community groups
- Charities and other not for profit organisations
- Contractors
- Commissioned Service Providers
We may need to share your personal data with these organisations so that they can carry out their responsibilities.
For example we may contact the Police if your enquiry is about an operational policing matter, under the direction and control of the Chief Constable and strictly outside of the PCC’s remit.
Another example is when an MP writes to the PCC about a constituent and gives personal information about that resident. The PCC may first have to make enquiries with the Police before replying to the MP. If a third-party seeks information from us about an individual, for example, a Solicitor on behalf of a Client, then we will seek written consent from the individual first before disclosing any personal information.
A further example is following the changes to the Police (Complaints and Misconduct Regulations) 2020 on a case by case basis the OPCC may share your data with a third party provider who will provide an independent review of your complaints.
View our Information Sharing Agreement (PDF)
If we and the other Data Controllers listed above are processing your personal information jointly for the same purposes, then we and the other Data Controllers may be “joint Data Controllers” which means that we are all collectively responsible to you for your personal information.
Where we are processing your personal data for our own independent purposes then we are independently responsible to you and if you have any questions, wish to exercise your rights or want to raise a complaint, then contact us.
What do we do with your information?
We know that your personal information belongs to you and not us. That’s why when you, or a third party share your personal information with us we make sure that we keep it private and safe.
In order to carry out the role and duties of the PCC we may disclose personal information to a wide variety of recipients in any part of the world, including those from whom personal information is obtained.
This may include disclosures to:
- the Police and other law enforcement agencies
- other PCCs
- partner agencies working on crime reduction initiatives
- partners in the Criminal Justice arena
- Victim Support
- bodies or individuals working on our behalf such as IT contractors or survey organisations.
The PCC may also disclose to other bodies or individuals where necessary to prevent harm to individuals.
Where required, or appropriate to do so, personal data may be shared with Avon and Somerset Constabulary (including the Chief Constable, officers, staff, agents or appointed volunteers) to facilitate and support the PCC’s role and remit and to deliver applicable statutory functions.
Disclosures of personal information will be made on a case-by-case basis, using the personal information appropriate to a specific purpose and circumstances, and with necessary controls in place.
Some of the bodies or individuals to which the PCC may disclose personal information may be situated outside of the European Union – some of which do not have laws that protect data protection rights as extensively as in the United Kingdom. If the PCC transfers personal information to such territories, proper steps will be taken to ensure that it is adequately protected as required by the Act.
PCC will also disclose personal information to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order. This may include disclosures to the IOPC, Police, Action Fraud and the Home Office.
The PCC may also disclose personal information on a discretionary basis for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.
Where is personal information obtained?
In order to carry out the purposes the PCC may obtain personal information from a wide variety of sources, including the following:
- Persons making an enquiry or complaint
- Individuals themselves
- Relatives, guardians or other persons associated with the individual
- Other Police and Crime Commissioners
- Avon and Somerset Police and other law enforcement agencies
- HM Revenue and Customs
- International law enforcement agencies and bodies
- Legal representatives
- Local Authority and Parliamentary representatives
- Partner agencies involved in crime and disorder strategies
- Private sector organisations working with the police in anti-crime strategies
- Voluntary sector organisations
- Approved organisations and people working with the police and PCC
- Independent Office for Police Conduct (IOPC)
- Her Majesty’s Inspectorate of Constabulary
- Auditors
- Central government, governmental agencies and departments
- Local government
- Emergency services
- Current, past or prospective employers of the individual
- Healthcare, social and welfare advisers or practitioners
- Education, training establishments and examining bodies
- Business associates and other professional advisors
- Employees and agents of The Constabulary
- Suppliers, providers of goods or services
- Financial organisations and advisors
- Credit reference agencies
- Survey and research organisations
- Trade, employer associations and professional bodies
- Voluntary and charitable organisations
- The media
- Data Processors working on behalf of the Police and on behalf of the PCC
- Members of Parliament
- Commissioned service providers
The PCC may also obtain personal information from other sources such as internal correspondence:
- Ombudsmen and regulatory authorities
- The Information Commissioner’s Office.
How is personal information handled?
We will handle personal information fairly and lawfully with appropriate justification.
We will strive to ensure that any personal information used by or on behalf of us is of the highest quality in terms of accuracy, relevance, adequacy and non-excessiveness (minimal), is kept as up-to-date as required, is protected appropriately, and is reviewed, retained and securely destroyed when no longer required.
Your rights will also be respected.
How is your information kept safe and secure?
Rest assured, robust security has always been a crucial part of everything we do.
The new rules make sure that all organisations are set up to protect any personal data held and to act appropriately if something goes wrong.
We take the security of all personal information very seriously and we will comply with the law for safety and security.
We will make sure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection, to protect all personal information is secure from data loss and misuse and only permit access to your information when there is a reason within the PCCs role and remit to do so and then under strict guidelines as to what use may be made of any personal information.
These procedures are continuously managed and enhanced to ensure up-to-date security.
How long do we keep hold of your information?
We have a retention time for different types of personal information. This is listed in the Retention Policy.
We keep your personal information as long as is necessary for the particular purpose or purposes for which it is held. Personal information is retained, reviewed and deleted in accordance with agreed retention times which are subject to review.
View our Record Retention Scheme Policy
Contact our Data Protection Officer
If you have any queries about the way in which we collect, use, and protect the personal information you should contact us by:
- Email – pcc@avonandsomerset.police.uk
- Post –
Data Protection Officer Kate Britton
Avon and Somerset Police and Crime Commissioner
Valley Road, Portishead
BS20 8JJ
Please provide as much detail as possible when contacting us.
Know your rights
You have the following rights under data protection law (If your personal information is held for a law enforcement purpose the right to data portability and the right to object do not apply):
Right to be informed
You have the right to be informed about the collection and use of your personal information.
We will endeavour to provide information which is concise, transparent, and easy to understand.
- We must provide you with information including: our purposes for processing your personal data, how long we keep your personal data (i.e. the retention periods) and who it will be shared with. We call this ‘privacy information’ and this is this within this Privacy Notice.
- We must provide privacy information to you at the time we collect your personal data from you and this is why the PCC’s email address has an automatic acknowledgement and contains a link to this Privacy Information Notice.
- If we obtain personal data from other sources – third-parties – then we must provide you with privacy information within a reasonable period of obtaining the data and no later than one month.
- There are a few circumstances when we do not need to provide you with privacy information, such as if you already have the information or if it would involve a disproportionate effort to provide it to you.
- The information we provide to you must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
- We provide privacy information to people at different times and in a number of formats, such as in an email reply, on the PCC’s website and on our telephone recorded message.
- If you have any feedback on how effective the delivery of our privacy information is then we welcome your comments.
- We regularly review, and where necessary, update our privacy information. If we have any new uses of your personal data then we will bring it to your attention before we start the processing.
- Getting the right to be informed correct helps us comply with other aspects of the UK GDPR and to build trust with you. Getting it wrong means that we may be fined and can also lead to reputational damage for us.
There may be occasions when it is necessary and proportionate to restrict the provision of information in the context of law enforcement.
Right of access
The most commonly exercised right is that used by individuals to obtain a copy, subject to exemptions, of their personal information processed by the PCC. Details of the application process, known as the ‘Right of Access’ can be found from the Information Commissioner’s website.
Alternatively, you can contact our Data Controller and we will provide a copy of your personal data that is currently undergoing processing. This is free of charge.
If the request is considered excessive or for any further copies requested by you, we will either charge a reasonable fee based on our administration costs or we may refuse the request and give reasons for doing so.
We will reply without delay and we will use all reasonable measures to verify your identity if you request access to your personal information and we will send a final response within one month of receiving the request.
Right to rectification
We want to make sure that your personal information is accurate and not out of date.
You have the right to ask us for the rectification of inaccurate personal information concerning you. Taking into account our purposes for the holding and processing of your data, you have the right to have incomplete personal information completed, including any supplementary statement you wish to make for us to hold.
Your request should be sent in writing to the Office of the PCC and we will reply within one month of receiving your request.
Right of erasure (‘right to be forgotten’)
You have the right to ask us to erase your personal information and we will do this without undue delay where your personal data is no longer necessary for the purpose that we were collecting and holding or processing it.
This is subject to compliance with any legal obligation for us. We will also inform any third-party if we have shared your personal information, to inform them of the erasure.
Right to restriction of processing
You have the right to ask us for a restriction on the processing of your personal information if it is inaccurate, unlawful or we no longer need your personal information but we are required by you to store the data regarding a legal claim, or you object to our processing and whilst this is reviewed.
We can continue to store your personal information but we will be restricted to the ways that we can use it.
Your request should be sent in writing to the Office of the PCC and we will reply within one month of receiving your request.
Right to data portability
You have more access and control over what happens to your personal information.
You have the right to receive your personal data which you have provided to us and you have the right to directly transmit your personal data to another Data Controller (an organisation that controls personal information) without undue delay from us.
This is only where you have given consent or contract for us to handle your personal information and the processing that we do is carried out in an automated way.
This doesn’t apply where we are acting under official authority or in the public interest.
Right to object
You have the right to object to us on grounds relating to your particular situation, at any time, to the processing of your personal data concerning you which relates to where processing is necessary for the performance of a task carried out in the public interest or official authority for us; or provides the legal foundation of legitimate interests of us.
We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Rights related to automated decision-making, including profiling
Please note that we do not do automated decision-making or profiling. However, for completeness we want to confirm this general right.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
This right doesn’t apply if it is necessary for entering into, or performance of, a contract between you and us as the Data Controller; or it is authorised by a Union or Member State law to which our Data Controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or it is based on your explicit consent.
Right to request the Information Commissioner to assess our Processing
You can ask the Information Commissioner to make an assessment if you believe that you have been adversely affected by the handling of your personal information by us or if you believe that we have not complied with the requirements of Data Protection Law. You can directly contact the Information Commissioner using the contact details below.
Generally if you have any concerns about the way that your personal information is handled by us or the lawfulness, fairness or quality (accuracy, relevance, non-excessiveness) of your personal information then you are welcome to raise them with us in the first instance, in order to allow us to try and address your concerns.
The Information Commissioner is the independent regulator responsible for enforcing Data Protection regulations and can provide useful information about the requirements and your rights.
The Information Commissioner’s Office may be contacteds:
- By post –
The Information Commissioner’s Office
Wycliffe House
Wilmslow
Cheshire
SK9 5AF - By phone – 0303 123 1113 (local-rate) or 01625 545 745 if you prefer to use a national-rate number.
- Online – www.ico.gov.uk
Monitoring
Subject to the law, we’ll monitor or record and retain your telephone calls, texts, emails, social media posts and other communications in relation to your dealings with us.
We do this for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communications systems and procedures, to check for obscene or profane content, for quality control and staff training and when we need to see a record of what’s been stated. We aim to communicate and correspond efficiently and effectively with you and to assist the role and remit of the PCC.