Privacy Notice

18 June 2018

Privacy Notice

This notice explains how All Wales Police processes personal data about individuals, which includes the collection, storage, and sharing of that information. It also describes the steps we take to ensure that the personal data we hold is protected, and explains the rights individuals have in regard to their personal data handled by All Wales Police.

The processing of personal data is governed by the General Data Protection Regulation (GDPR) and relevant Data Protection legislation. All Wales Police Forces are registered with the Information Commissioner as a ‘Controller.' We are obliged to ensure that all personal data is held and processed in accordance with the law.

All Wales Police takes that responsibility very seriously and takes great care to ensure that personal data is handled appropriately in order to secure and maintain individuals' trust and confidence in All Wales Police.

1. Why do we handle personal data?

All Wales Police obtains, holds, uses and discloses personal data for two broad purposes:

      i.         The Policing Purpose – which includes (but not limited to):

• the prevention and detection of crime;
• apprehension and prosecution of offenders;
• protecting life and property;
• preserving order;
• maintenance of law and order;
• rendering assistance to the public in accordance with national police standards, policies and procedures;
• national security;
• defending civil proceedings, and
• any duty or responsibility of the police arising from common or statute law.

     ii.         The provision of services to support the Policing Purposes – which include (but are not limited to):

• Staff administration, occupational health and welfare;
• Training;
• Payroll and benefits management;
• Management of complaints;
• Vetting;
• Management of information technology systems;
• Legal services (which includes the defending of civil proceedings within the statutory limitation period);
• Pension administration;
• Research, including surveys and analytics;
• Social media correspondence and analysis;
• Updates, newsletters and events.

All Wales Police will only use appropriate personal data that is necessary to fulfil our particular purposes.

2. Our lawful basis for processing data.

The GDPR allows for personal data to be processed under one of six conditions. With consideration to the purposes mentioned above, All Wales Police will in the majority of cases, rely on the condition of processing personal data due to it being necessary for the performance of a task carried out in the public interest or exercise of official authority vested in the controller. Where All Wales Police uses information for the purposes of a newsletter mailing list or anything considered to be 'marketing' then your information will be processed under the condition of consent.

As All Wales Police processes many categories of data for various reasons, All Wales Police may also rely on other lawful bases like those necessary for a contract, those necessary for compliance with a legal obligation, or in your vital interest.

Where sensitive or 'special categories' data is being collected, additional lawful bases will apply like having explicit consent, necessary for employment, social security, defending against legal claims, for a substantial public interest and for preventative or occupational health or medicine, amongst other reasons.
In each case where information is being requested by All Wales Police we will specify at the time of collection of data, usually through a service specific privacy notice, which lawful basis above we are relying on for the processing of that data.

3. Whose personal data do we handle?

In order to carry out the purposes described under section 1 above, All Wales Police may obtain, use and disclose (see section 8 below) personal data relating to a wide variety of individuals including the following:

• Staff including volunteers, agency workers, temporary workers and partner agencies;
• Suppliers and contractors;
• Complainants, correspondents, litigants and enquirers;
• Relatives, guardians and associates of the individual concerned;
• Advisers, consultants and other professional experts;
• Offenders and suspected offenders;
• Witnesses;
• Individuals passing information to All Wales Police;
• Victims (current, past and potential);
• Former and potential members of staff, pensioners and beneficiaries;
• Other individuals necessarily identified in the course of police enquiries and activity.

4. What types of personal data do we handle?

In order to carry out the purposes described under section 1 above, All Wales Police may obtain, use and disclose (see section 8 below) personal data relating to or consisting of the following:

• Personal details such as name, address, email, and biographical details;
• Family, lifestyle and social circumstances;
• Skill and interests;
• Education and training details;
• Employment details;
• Financial details;
• Services provided;
• Race and other protected characteristics (e.g. disability, age);
• Other special categories of data like sexuality, religion;
• Criminal records;
  Physical identifiers including DNA, fingerprints and other genetic samples;
• Sound and visual images;
• Criminal Intelligence;
• Complaint, incident, civil litigation and accident details.

5. Where do we obtain personal data from?

In order to carry out the purposes described under section 1 above, All Wales Police may obtain personal data from a wide variety of sources, other than the individual directly, which includes the following:

• Other law enforcement agencies;
• HM Revenue and Customs;
• International law enforcement agencies and bodies;
• Licensing authorities;
• Legal representatives;
• Prosecuting authorities;
• Defence solicitors;
• Courts;
• Prisons;
• Security companies;
• Partner agencies involved in crime and disorder strategies;
• Private sector organisations working with the police in anti-crime strategies;
• Voluntary sector organisations;
• Approved organisations and people working with the police;
• Independent Office for Police Conduct;
• Her Majesty's Inspectorate of Constabulary;
• Auditors;
• Police Authority;
• Central government, governmental agencies and departments;
• Emergency services;
• Relatives, guardians or other persons associated with the individual;
• Current, past or prospective employers of the individual;
• Healthcare, social and welfare advisers or practitioners;
• Education, training establishments and examining bodies;
• Business associates and other professional advisors;
• Employees and agents of All Wales Police;
• Suppliers, providers of goods or services;
• Persons making an enquiry or complaint;
• Financial organisations and advisors;
• Credit reference agencies;
• Survey and research organisations;
• Trade, employer associations and professional bodies;
• Local government;
• Voluntary and charitable organisations;
• Ombudsmen and regulatory authorities;
• The media;
• Data Processors working on behalf of All Wales Police.

All Wales Police may also obtain personal data from other sources such as its own CCTV systems, Body Worn Video, training records, or correspondence.

6. How do we handle personal data?

In order to achieve the purposes described under section 1, All Wales Police will handle personal data in accordance with the GDPR and relevant Data Protection legislation. In particular we will ensure that personal data is handled fairly and lawfully with appropriate justification.

We will strive to ensure that any personal data used by us or on our behalf is accurate and relevant. We will also ensure it is:

• not excessive;
• kept up to date as required;
• protected appropriately; and is
• reviewed, retained and securely destroyed when no longer required.

We will also respect individuals' rights under the GDPR and relevant Data Protection legislation.

7. How do we ensure the security of personal data?

All Wales Police takes the security of all personal data under our control very seriously. We will comply with the relevant parts of the GDPR and associated Data Protection legislation relating to security, and seek to comply with the National Police Chief's Council (NPCC) Community Security Policy and relevant parts of the ISO27001 Information Security Standard.

We will ensure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection, to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any personal data contained within them. These procedures are continuously managed and enhanced to ensure up-to-date security.

8. Who do we disclose personal data to?

In order to carry out the purposes described under section 1, All Wales Police may disclose personal data to a wide variety of recipients, including those from whom personal data is obtained (as listed above). This may include the following:

• Disclosures to other law enforcement agencies (including international agencies);
• Partner agencies working on crime reduction initiatives;
• Partners in the Criminal Justice arena;
• Other partner agencies working with All Wales Police;
• Victim Support Services;
• To bodies or individuals working on our behalf such as IT contractors or survey organisations;
• Local government;
• Central government;
• Ombudsmen and regulatory authorities;
• The media;
• International agencies concerned with the safeguarding of international and domestic national security;
• Third parties involved with investigations relating to the safeguarding of national security;
• To other bodies or individuals where necessary to prevent harm to individuals

Disclosures of personal data will be made on a case-by-case basis, using the personal data that is appropriate and proportionate to a specific purpose and lawful basis, and with necessary controls in place.

Some of the bodies or individuals to which we may disclose personal data may be situated outside of the European Union - some of which do not have laws that protect data as extensively as in the United Kingdom. If we do transfer personal data to such territories, we undertake to ensure that there are appropriate safeguards in place to certify that it is adequately protected as required by the GDPR and relevant Data Protection legislation.

All Wales Police will also disclose personal data to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order. All Wales Police may also disclose personal data on a discretionary basis, as allowed by law.

9. What are the rights of the individuals whose personal data is handled by All Wales Police?

Individuals have various rights under the GDPR, which can be found under articles 12 to 22 of the regulation. Below are the common rights that are likely to apply to the processing of information by All Wales Police:

i.         The right of individuals to access personal information held about them 'Subject Access request'
The most commonly exercised right is that used by individuals to obtain a copy, subject to exemptions, of their personal data processed by All Wales Police. Details of the application process can be found on our 'Subject Access' page on our website.

Alternatively individuals may contact our Data Protection Officer (see section 12 below).

ii.         The right to object to how we process personal information
All Wales Police will make it clear in our service specific privacy notices the lawful basis as to why we collected that personal information. If the lawful basis was for the following reasons then individuals will have a right to object to that processing, (subject to exemptions):

• The performance of a task carried out in the public interest or exercise of official authority vested in All Wales Police
• For scientific or historical research purposes

However, All Wales Police will consider if your objection is appropriate under these bases, and will depend on the justification and reasons provided. These will be balanced against the All Wales Police's need to process that information and a response outlining our decision will be provided.

A request to object to the processing of personal information may be sent to the Data Protection Officer (see section 12 below).

iii.         The rights to object to automated decisions and profiling
Although All Wales Police is unlikely to carry out any automated decision making that does not involve some human element, the GDPR does provide for this specific right in cases where this may occur. Subject to certain exemptions, an individual has the right to require that All Wales Police ensures that no decision that would significantly affect them is taken by All Wales Police, or on our behalf, purely using automated decision-making software. If there is a human element involved in the decision-making the right does not apply.

A request to object to the automated decision making or profiling may be sent to the Data Protection Officer (see section 12 below).

iv.         The right to be forgotten (the right to erasure of personal data)
Individuals have the right to request that All Wales Police deletes personal information that is held about them. However this right will not apply in all cases.

If All Wales Police obtained information about an individual with their consent, and it relates to information that we are not required to keep by law or required to keep for a limited time while a complaint or appeal window is open then we will likely be able to comply with a request to delete the information.

However if All Wales Police is relying on another legal basis to process the personal data or is required to keep the data in accordance with our retention schedule or to be able to deal with complaints or appeals then a request for deletion of data may be refused under the relevant exemptions.

A request to delete personal information as described above may be sent to the Data Protection Officer (see section 12 below).

v.         The right to rectification or restriction of the processing of personal data
If an individual feels that All Wales Police holds information about them that is not accurate, they have the right to request that this is rectified and made accurate. This could be information that is felt to be incomplete or not factually correct.

If the information to be corrected is disputed and would require more time to establish the accuracy of the data, you may also request that the personal information be restricted so that further processing of that information does not take place, or if necessary, is done so in a restricted way.

A request for rectification or restriction may be sent to the Data Protection Officer (see section 12 below).

   vi.         This right only applies to the personal data individuals provided to All Wales Police and does not include data All Wales Police created during the processing of that data. This right only applies if the data was processed under the lawful basis of consent or for the performance of a contract.

A request for data portability may be sent to the Data Protection Officer (see section 12 below).

  vii.         The right to complain to All Wales Police and to the Information Commissioner's Office (ICO)
The ICO is the supervisory authority that is responsible for upholding the GDPR and related Data Protection legislation in the UK. You have the right to complain to the ICO if you believe the processing of personal data is in breach of the GDPR or related Data Protection legislation. However the ICO guidance suggests complaints should be directed to the 'Controller', which in this case would be All Wales Police, in the first instance to allow All Wales Police to properly address any concerns first.

In the event that you would like to raise a data protection complaint with All Wales Police regarding the processing of your personal data, please contact us using the details provided in the contact us page.

If after making a data protection complaint to All Wales Police you still feel your concerns were not full addressed you can contact the ICO on the details below:

The Information Commissioner's Office,
Wycliffe House,
Wilmslow,
Cheshire,
SK9 5AF
Telephone: 01625 545700 or 0303 123 1113 (local rate)
Website: https://ico.org.uk/

10. How long does All Wales Police retain personal data?

All Wales Police keeps personal data as long as is necessary for the particular purpose or purposes for which it is held. Our information is held in accordance with our Retention, Review and Disposal schedule.

11. Monitoring

All Wales Police may monitor or record and retain telephone calls, texts, emails and other electronic communications to and from All Wales Police in order to deter, prevent and detect inappropriate or criminal activity, to ensure security, and to assist the purposes described under section 1 above.

12. Contact Us

To exercise any of the rights under section 9 above relating to personal data being held by All Wales Police, a request should be made using the details below. Any individual with concerns over the way All Wales Police handles their personal data may also contact our Data Protection Officer using the details provided on our contact us page.