The Cumbria Office of the Police and Crime Commissioner is registered with the Information Commissioner as a ‘data controller’ in respect of its processing of personal data. Contact details for the OPCC are shown below:
Cumbria Office of the Police and Crime Commissioner
Phone: 01768 217734
New data protection laws were implemented on 25th May 2018 and as your privacy is very important to us our Privacy Notice has been updated to make it easier for you to understand what personal information we may process and why. ‘Processing’ includes how we collect personal data(1), why we collect it, share it, retain it and dispose of it. This Notice also provides you with details of the rights you have in regard to any personal information we hold about you now and any personal information we might collect about you in the future.
In accordance with the requirements of the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018, a Data Protection Officer has been designated to help ensure that the personal information we hold is processed in accordance with the requirements of the legislation. The Data Protection Officer is also available to provide you with advice and assistance if you have any queries or concerns about how we process your personal data. The legislation permits a Data Protection Officer to act for more than one data controller and the Data Protection Officer for the OPCC is also designated to act as the Data Protection Officer for Cumbria Constabulary.
The Data Protection Officer can be contacted using the above contact details.
(1) ‘Personal Data’ is defined in Article 4 of the General Data Protection Regulation (GDPR). In practical terms, it means any information handled by the Office of the Police and Crime Commissioner that relates to an identified or identifiable living individual, directly or indirectly. In particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Why do we handle personal information?
We process personal information to assist us with the performance of our core statutory functions (including any incidental functions) such as:-
- Ensuring the maintenance of an efficient and effective police force in Cumbria
- Community safety and the prevention of crime
- To ensure we meet our legal obligations
- To allow us to meet community needs and concerns
- Where necessary for law enforcement or community safety functions
- The prevention and detection or crime
- The apprehension and prosecution of offenders
- Where necessary to protect individuals from harm or injury
- To enable us to set police and crime objectives
- Staff recruitment, management & vetting in support of our core functions
You can find out more about our statutory functions by looking at the ‘what we do’ page on this website, or by clicking here https://cumbria-pcc.gov.uk/what-we-do/
Whose personal data do we handle?
In order to carry out the purposes described above we may obtain, use, disclose, handle etc. personal data relating to a wide variety of individuals including the following:
- Complainants and enquirers
- Relatives, guardians and associates of the people we are processing personal data about
- Advisers, consultants and other professional experts
- Staff, former staff and potential staff including volunteers, agents, temporary and casual workers
What types of personal data do we handle?
In order to carry out the purposes described above we may obtain, use, disclose, handle etc. personal data relating to, or consisting of the following:
- Personal details such as name, address and biographical details
- Complaint details
- Family, lifestyle and social circumstances;
- Information relating to criminal, or alleged criminal offences
- Racial or ethnic origin
- Education and training details
- Employment details
- Financial details
- Sound and visual images
- References to manual records or files
- Information relating to health and safety
We will only use appropriate personal information necessary to fulfil a particular purpose or purposes. Personal information could be information which is held on a computer, in a paper record such as a file including images.
Where do we obtain personal data from?
In order to carry out the purposes described under why ‘we handle personal data’ we may obtain personal data from a wide variety of sources, including the following:
- Complainants and enquirers and correspondents to the OPCC
- Family and associates of the people we hold information about
- Police forces
- Regulatory bodies
- Local and central government
- Partner agencies, approved organisations and individuals working with the police
- Legal representatives
- Current past and prospective employees
- Legal representatives
- Offices of the Police and Crime Commissioner
- Service providers
Who do we disclose personal data to?
There may be occasions when we need to disclose your personal data to other organisations, such as partner organisations. We will only do so where we have your consent, or where there is another legal basis to do so, or where information is required to be disclosed to comply with a legal obligation.
We may disclose personal information to other bodies or individuals where necessary to prevent harm to individuals, or where disclosure is necessary for the prevention or detection of crime or the apprehension or prosecution of offenders.
Personal information may also be disclosed when we are required to do so by, or under, any act of legislation, by any rule of law, and by court order. This may include disclosures to the Child Support Agency, the National Fraud Initiative, the Home Office and to the Courts.
The types of organisations to whom we may disclose personal information include, but are not limited to:
- Police forces
- Partner agencies working on crime reduction initiatives,
- Partners in the Criminal Justice arena
- Local and central government
- Bodies or individuals working on our behalf such as IT contractors or survey organisations.
Sometimes we use other organisations to process personal information on our behalf. We will only do this after we have ensured that appropriate controls are in place to ensure the information is only used for a specific purpose, is kept secure and securely destroyed when no longer required.
How do we handle personal data?
In order to achieve the purposes described under section 2 we will process personal information in accordance with requirements of the EU GDPR and Data Protection Act 2018.
In particular, we will ensure that personal information is handled in accordance with the Data Protection Principles, which require that personal data is:
- Processed fairly, lawfully and in a transparent manner;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary;
- Accurate and, where necessary, kept up to date;
- Kept for no longer than is necessary;
- Kept secure.
Personal information will not be held longer than is necessary and it will be disposed of in a secure manner when no longer required. Further information about how long we retain personal information can be found in our Retention Schedule
How do we ensure the security of personal data?
We take the security of all personal information under our control very seriously. We will ensure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection, to protect our manual and electronic information systems from data loss and misuse. We will only permit access to systems when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any personal data contained within them. These procedures are continuously managed and enhanced to ensure up-to-date security.
Rights of individuals whose personal data we process
Under the provisions contained within the EU GDPR, you have the following rights:
The right to be informed – this is covered by this Privacy Notice and in other specific Notices we may provide at the time we collect information.
The right of access (Subject Access Request) – You can request access to a copy of personal information that we hold about you (subject to exemptions), along with certain supplementary information that we are required to provide to you.
Right to request rectification – You are entitled to have personal data we hold rectified if it is inaccurate or incomplete.
Right to erasure – This right enables you to request the deletion or removal of personal information where there is no compelling reason for it to continue to be processed.
Right to restrict processing – Individuals have a right to ‘block’ or restrict the processing of personal data. When processing is restricted, organisations are permitted to store the personal data but not to further process it.
Right to data portability – The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.
Right to object – Individuals have a right to object to the processing of their personal data in certain circumstances.
Rights related to automated decision making – This relates to where automated individual decision-making occurs (making a decision solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
Consent – In addition to the above rights, under GDPR and the Data Protection Act 2018, where you have previously provided your consent for us to use your personal data, you have a right to withdraw that consent. Please note, however, we won’t always require consent to process your personal information – for example, if we need the data to meet regulatory requirements, or to perform a contract with you.
If you wish to exercise any of the above rights please contact the Data Protection Officer using the details provided on page one of this notice.
Grant and Funding Applications
The information you submit on a grant or funding application will be held by the Cumbria Office of Police and Crime Commissioner and will contribute directly to the decision that is made regarding allocations of funding and for our own research purposes. In addition your application form may be shared with third parties and partner agencies who may be involved in the decision making process. We may be required to disclose information outside of the Cumbria Office of Police and Crime Commissioner to help prevent fraud, or if required by law.
Full grant applications will be retained for a maximum of 6 years (plus current year). Information will be retained on a database at the Cumbria Office of Police and Crime Commissioner for statistical and monitoring purposes.
If your application is successful, details of grants will be published on the Cumbria Office of Police and Crime Commissioner website. No personal information will be published.
If at any point you wish to make a complaint about how we have used your personal information to us, please contact the Data Protection Officer using the details provided on page one of this Notice.
The Information Commissioner is the independent supervisory authority with responsibility for overseeing compliance with the EU GDPR and Data Protection Act 2018. If you have a concern about how we have used your personal information, you may also wish to contact the Commissioner using the details provided below.
The Information Commissioner’s Office
Privacy Notice Review
We will review this Privacy Notice regularly and may make changes from time to time. This Notice was last updated on 1st June 2018.