Quickly exit this site by pressing the Escape key Leave this site
We use some essential cookies to make our website work. We’d like to set additional cookies so we can remember your preferences and understand how you use our site.
You can manage your preferences and cookie settings at any time by clicking on “Customise Cookies” below. For more information on how we use cookies, please see our Cookies notice.
Your cookie preferences have been saved. You can update your cookie settings at any time on the cookies page.
Your cookie preferences have been saved. You can update your cookie settings at any time on the cookies page.
Sorry, there was a technical problem. Please try again.
This site is a beta, which means it's a work in progress and we'll be adding more to it over the next few weeks. Your feedback helps us make things better, so please let us know what you think.
This Privacy Notice explains how Merseyside Police collects, stores, uses, discloses, retains and destroys personal data [1], the steps we take to ensure that it is protected and also describes the rights individuals have in regard to their personal data handled by Merseyside Police [2]. All of these activities are known collectively as ‘processing’ personal data.
This is a general notice intended to cover all processing. Other privacy notices are available and will be created which focus upon specific processing in different business areas of Merseyside Police.
Since 25 May 2018 the use and disclosure of personal data is governed in the United Kingdom by the EU regulation 2016/679 – The General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA) which incorporates the EU Directive 2016/680 known as the Law Enforcement Directive (LED). The Chief Constable of Merseyside Police as a ‘data controller’ has previously registered with the Information Commissioner (ICO) and is obliged to ensure that Merseyside Police handles all personal data in accordance with the DPA and the GDPR. An annual fee is now payable to the ICO who is the ‘supervisory authority’ that is referred to in the legislation.
This document is a statutory requirement of Article 13 of the GDPR and Section 44 of the Data Protection Act 2018.
Merseyside Police puts into place measures to ensure that personal data is handled appropriately in order to obtain and maximise individuals’ trust and confidence in the police service.
Merseyside Police processes personal data for two broad purposes:
In order to carry out the purposes described under section 1 above, Merseyside Police may collect, store, use, disclose (see section 8 below) and retain personal data relating to a wide variety of individuals including the following:
Merseyside Police will only use appropriate personal information necessary to fulfil a particular purpose or purposes. Personal data could be information which is held on a computer, in a paper record such as a file, as images, but can also include other types of electronically held information such as CCTV or Body Worn Videos images.
In order to carry out the purposes described under section 1 above, Merseyside Police may process and may retain personal data relating to or consisting of the following:
Whilst the categories of information above may not be complete if other categories are occasionally gathered for a law enforcement purpose or as part of general processing of personal data, no inference should be drawn that all of the above categories of personal data is held in respect of every data subject (person) in respect of whom personal data is held.
In order to carry out the purposes described under section 1 above, Merseyside Police may collect personal data from a wide variety of sources other than direct from yourself, including the following:
Merseyside Police may also obtain personal data from other sources such as its own CCTV systems, Body worn video or correspondence.
As a public body, we collect and use information in relation to offenders, suspected offenders, victims and witnesses in order to carry out a task that is in the public interest, e.g. ‘Public Task’: the processing is necessary for the performance a task carried out in the public interest or for official authority vested in the controller. The task or function must have a clear basis in law.
We use different lawful basis’s to process the personal data of the individuals/staff that work for us, these are documented separately. Other lawful bases under which Merseyside Police may also process personal data are listed below;
General Processing of information – Articles 6.1 of GDPR (a) to (e) as referenced in DPA Part 2, Chapter 2 section 8.
Processing of personal data and criminal convictions and offences data – Article 9 &10 of GDPR and Part 2, Chapter 2 sections 10,11 and schedule 1 Parts 1, 2 & 3 of DPA.
Merseyside Police has an appropriate policy document that is required under schedule 1 Part 4 Ss 38 & 39 in order that some aspects of data processing which is undertaken is lawful.
In order to achieve the purposes described under section 1 above, Merseyside Police will handle personal data in accordance with the DPA and the GDPR. In particular we will ensure that any personal data is:
Merseyside Police will work to ensure that any personal data used by us or on our behalf is not excessive, reviewed appropriately and securely destroyed when no longer required. We will also comply with individuals’ rights as detailed in section 9 below.
Merseyside Police takes the security of all personal data under our control very seriously. We will comply with the relevant parts of the DPA and the GDPR relating to security, and seek to comply with the National Police Chiefs Council (NPCC) and relevant parts of the ISO27001 Information Security Standard.
We will ensure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection, to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any personal data contained within them. These procedures are continuously managed and enhanced to achieve adequate and up-to-date security in an evolving cyber, electronic and technical landscape
In order to carry out the purposes described under section 1 above, Merseyside Police may disclose personal information to a wide variety of recipients including those from whom personal data is obtained. This may include disclosures to other law enforcement agencies, partner agencies working on crime reduction initiatives, partners in the Criminal Justice arena, Victim Support and to bodies or individuals working on our behalf such as IT contractors or survey organisations. We may also disclose to other bodies or individuals where necessary to prevent harm to individuals and for safeguarding purposes.
Disclosures of personal data will be made on a case-by-case basis, using the personal data appropriate to a specific purpose and circumstances, and with an identified lawful basis for doing so with adequate technical and governance controls in place.
Some of the bodies or individuals to which we may disclose personal data are situated outside of the European Union – some of which do not have laws that protect data protection rights as extensively as in the United Kingdom. If we do transfer personal information to such territories, we will take appropriate steps to ensure that it is adequately protected as required by the Data Protection Act 2018.
Merseyside Police will also disclose personal data to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order. Merseyside Police may also disclose personal data on a discretionary basis for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.
The GDPR provides certain rights for individuals however all of these rights do not apply when it comes to Law Enforcement processing and even then the applicable rights do not apply in all circumstances, there are exemptions and restrictions that can be legitimately applied to prevent individuals from exercising rights, see below:
The right to be informed – this area is covered by this privacy notice
The right of access – A Subject Access request. The most commonly exercised right is that used by individuals to obtain a copy, subject to exemptions, of their personal data processed by Merseyside Police as detailed under Article 15 of the GDPR. Details of the application process, known as ‘Subject Access’ can be found from the force internet in the ‘Useful Links’ at the bottom of the Home page by selecting ‘Accessing Information’ then ‘Data Protection’ or via this hyperlink Data Protection access forms
Alternatively individuals may contact Merseyside Police in person or via telephone to make the request. The preferred method is via the application process because the process to verify that an individual is who they say they are is achieved more quickly.
Subject access rights do not apply to the processing of ‘relevant personal data’ [4]
The right to rectification – Under Article 16 of the GDPR, individuals have the right to have inaccurate or incomplete personal data rectified. Merseyside Police can refuse this request where it is necessary and proportionate or relates to ‘relevant personal data’, i.e. to avoid obstructing an official or legal inquiry, investigation or procedure.
The right to erasure – Under Article 17 of the GDPR, individuals have the right to have personal data erased and to prevent processing in specific circumstances, for example if there is no compelling reason for its continued processing. Merseyside Police can refuse this request where it is necessary and proportionate or relates to ‘relevant personal data’, i.e. to avoid obstructing an official or legal inquiry, investigation or procedure or to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties. The erasure of personal data relating to criminal offences cannot be considered until its full period of retention has been reached (as detailed in the National Retention and Disposal Schedule which has been adopted by Merseyside Police).
The right to restrict processing – Under Article 18 of the GDPR, individuals have the right to restrict the processing of personal data, for example, if an individual believes that the data is incorrect but it is not possible to confirm the accuracy of the data. Merseyside Police can refuse this request where it is necessary and proportionate or relates to ‘relevant personal data’, i.e. to avoid obstructing an official or legal inquiry, investigation or procedure or to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties.
Rights in relation to automated decision making including profiling – Article 22 of the GDPR has rules to protect individuals if solely automated decision making (making a decision without any human involvement) and profiling.
An individual has the right to withdraw their consent – This logically only applies where personal data is being processed solely with the consent of the data subject. It will not apply if the data is processed under a different lawful base.
N.B. - For all of these rights Merseyside Police will take any action necessary to prove that the requestor is actually the individual who is the subject of the personal data concerned or that the requestor is legitimately acting on behalf of the data subject.
Merseyside Police keeps personal data for as long as is necessary for the particular purpose or purposes for which it is held. Personal data which is placed on the Police National Computer is retained, reviewed and deleted in accordance with the agreed national retention periods which are subject to periodic change.
Other records containing personal data relating to intelligence, digital media, custody, crime, firearms, investigations including child abuse and domestic violence will be retained in accordance with the NPCC endorsed guidance on the Management of Police Information (MoPI) 2006, (this can be found on the College of Policing’s website APP Information Management and the National Retention and Disposal Schedule (this can be found on the National Police Chief’s Council (NPCC) website). Merseyside Police has adopted the NPCC Retention and Disposal schedule 2020.
Merseyside Police may monitor or record and retain telephone calls, texts, emails and other electronic communications to and from the force in order to deter, prevent and detect inappropriate or criminal activity, to ensure security, and to assist the purposes described under section 1 above. Merseyside Police does not place a pre-recorded ‘privacy notice’ on telephone lines that may receive emergency calls (including misdirected ones) because of the associated risk of harm that may be caused through the delay in response to the call.
Cookies are used on this website to improve user experience and for essential functionality; they are not used for identification purposes.
Learn more about how we manage cookies.
Any individual with concerns over the way that Merseyside Police handles their personal data or for further details on any of the above may contact the Data Protection Officer (DPO) as below:
Ian Boyham
Telephone: 0151 777 8412
Email: [email protected]
Mail: Data Protection Officer, Merseyside Police, PO Box 59, Liverpool, L69 1JD
The Data Controller for Merseyside Police is;
Chief Constable Serena Kennedy
Telephone: 0151 709 6010
Email: [email protected]
Mail: Chief Constable, Merseyside Police, PO Box 59, Liverpool, L69 1JD
Individuals have the right to complain to the Information Commissioner’s Office if they believe that they are/have been adversely affected by the handling of personal data by Merseyside Police. Such complaints should be made direct to the Information Commissioner:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF
Telephone: 0303 123 1113
[1] ‘Personal Data’ is defined in Article 4 of the General Data Protection Regulation (GDPR). In practical terms it means any information handled by Merseyside Police that relates to an identified or identifiable natural person; an identifiable natural person is anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
[2] This document is designed to help satisfy the rules on giving privacy information to data subjects in Articles 12, 13 and 14 of the GDPR.
[3] Merseyside Police is required to conduct Customer Satisfaction Surveys to evaluate our performance and effectiveness. We may contact individuals, such as victims of crime or those reporting incidents, and ask them to give us their opinion of the services we are providing to the public. We use the information given to improve our service and wherever we can, Merseyside Police uses a third party to undertake such surveys on our behalf with strict controls to protect the personal data of those involved.
[4] ‘Relevant personal data’ means personal data contained in a judicial decision or in other documents relating to the investigation or proceedings which are created by or on behalf of a court or other judicial authority. Access to ‘relevant personal data’ is governed by the appropriate legislation covering the disclosure of information in criminal proceedings, such as (in England and Wales) the Criminal Procedure and Investigations Act 1996.