This Privacy Notice explains how Merseyside Police collects, stores, uses, discloses, retains and destroys personal data, the steps we take to ensure that it is protected and also describes the rights individuals have in regard to their personal data handled by Merseyside Police. All of these activities are known collectively as ‘processing’ personal data.
This is a general notice intended to cover all processing. Other privacy notices are available and will be created which focus upon specific processing in different business areas of Merseyside Police.
Since 25 May 2018 the use and disclosure of personal data is governed in the United Kingdom by the EU regulation 2016/679 – The General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA) which incorporates the EU Directive 2016/680 known as the Law Enforcement Directive (LED). The Chief Constable of Merseyside Police as a ‘data controller’ has previously registered with the Information Commissioner (ICO) and is obliged to ensure that Merseyside Police handles all personal data in accordance with the DPA and the GDPR. An annual fee is now payable to the ICO who is the ‘supervisory authority’ that is referred to in the legislation.
This document is a statutory requirement of Article 13 of the GDPR and Section 44 of the Data Protection Act 2018.
Merseyside Police puts into place measures to ensure that personal data is handled appropriately in order to obtain and maximise individuals’ trust and confidence in the police service.
Why do we collect and use personal information?
Merseyside Police processes personal data for two broad purposes:
The Policing Purpose – which includes the prevention and detection of crime; apprehension and prosecution of offenders; protecting life and property; preserving order; maintaining of law and order; rendering assistance to the public in accordance with force policies and procedures; and any duty or responsibility of the police arising from common or statute law.
The provision of services to support the Policing Purpose – which include:
Staff administration, employment, health and welfare;
Management of public relations, journalism, advertising and media;
Management of finance;
Internal review, accounting and auditing;
Vehicle and transport management;
Payroll and benefits management;
Management of complaints;
Vetting of employees, volunteers, contractors or processors;
In order to carry out the purposes described under section 1 above, Merseyside Police may collect, store, use, disclose (see section 8 below) and retain personal data relating to a wide variety of individuals including the following:
Staff including volunteers, agents, cadets, temporary and casual workers;
Complainants, correspondents and enquirers;
Relatives, guardians and associates of the individual concerned;
Advisors, consultants and other professional experts;
Offenders and suspected offenders;
Former and potential members of staff, pensioners and beneficiaries;
Other individuals necessarily identified in the course of police enquiries and activity.
Merseyside Police will only use appropriate personal information necessary to fulfil a particular purpose or purposes. Personal data could be information which is held on a computer, in a paper record such as a file, or as images, but can also include other types of electronically held information such as CCTV or Body Worn Video images.
What types of personal data do we handle?
In order to carry out the purposes described under section 1 above, Merseyside Police may process and may retain personal data relating to or consisting of the following:
Personal details such as name, address and biographical details;
Family, lifestyle and social circumstances;
Education and training details;
Goods or services provided;
Racial or ethnic origin;
Religious or other beliefs of a similar nature;
Trade union membership;
Physical or mental health or condition;
Offences (including alleged offences);
Criminal proceedings, outcomes and sentences;
Physical identifiers including DNA, fingerprints and other genetic or biometric samples;
Sound and visual images;
Licences or permits held;
References to manual records or files;
Information relating to health and safety;
Complaint, incident and accident details.
Whilst the categories of information above may not be complete if other categories are occasionally gathered for a law enforcement purpose or as part of general processing of personal data, no inference should be drawn that all of the above categories of personal data are held in respect of every data subject (person) about whom personal data is held.
Where do we obtain personal data from?
In order to carry out the purposes described under section 1 above, Merseyside Police may collect personal data from a wide variety of sources other than direct from yourself, including the following:
Individuals including data subjects or third parties;
Local Authorities or government agencies;
The Home Office;
Other law enforcement agencies;
HM Revenue and Customs;
International law enforcement agencies and bodies;
Partner agencies involved in crime and disorder strategies;
National or local government, or private agencies for safeguarding;
Private sector organisations working with the police in anti-crime strategies;
Voluntary sector organisations;
Approved organisations and people working with the police;
Independent Police Complaints Commission;
His Majesty’s Inspectorate of Constabulary;
Police and Crime Commissioners;
Central government, government agencies and departments;
Relatives, guardians or other persons associated with the individual;
Current, past or prospective employers of the individual;
Healthcare, social and welfare advisers or practitioners;
Education, training establishments and examining bodies;
Business associates and other professional advisors;
Employees and agents of Merseyside Police;
Suppliers, providers of goods or services;
Persons making an enquiry or complaint;
Financial organisations and advisors;
Credit reference agencies;
Survey and research organisations;
Trade, employer associations and professional bodies;
Voluntary and charitable organisations;
Ombudsmen and regulatory authorities;
Data processors working on behalf of Merseyside Police.
Merseyside Police may also obtain personal data from other sources such as its own CCTV systems, Body worn video or correspondence.
Which lawful basis do we use to process this information?
As a public body, we collect and use information in relation to offenders, suspected offenders, victims and witnesses in order to carry out a task that is in the public interest, e.g. ‘Public Task’: the processing is necessary for the performance of a task carried out in the public interest or for official authority vested in the controller. The task or function must have a clear basis in law.
We use different lawful bases to process the personal data of the individuals/staff that work for us; these are documented separately. Other lawful bases under which Merseyside Police may also process personal data are listed below:
General Processing of information – Articles 6.1 of GDPR (a) to (e) as referenced in DPA Part 2, Chapter 2 section 8.
Processing of personal data and criminal convictions and offences data – Articles 9 & 10 of GDPR and Part 2, Chapter 2 sections 10, 11 and schedule 1 Parts 1, 2 & 3 of DPA.
Merseyside Police has an appropriate policy document that is required under schedule 1 Part 4 Ss 38 & 39 in order that some aspects of data processing which is undertaken is lawful.
How do we handle personal data?
In order to achieve the purposes described under section 1 above, Merseyside Police will handle personal data in accordance with the DPA and the GDPR. In particular we will ensure that any personal data is:
Processed lawfully, fairly, in a transparent manner and with appropriate justification;
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
Accurate and, where necessary, kept up to date;
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
Processed in a manner that ensures appropriate security.
Merseyside Police will work to ensure that any personal data used by us or on our behalf is not excessive, reviewed appropriately and securely destroyed when no longer required. We will also comply with individuals’ rights as detailed in section 9 below.
How do we ensure the security of personal data?
Merseyside Police takes the security of all personal data under our control very seriously. We will comply with the relevant parts of the DPA and the GDPR relating to security, and seek to comply with the National Police Chiefs Council (NPCC) and relevant parts of the ISO27001 Information Security Standard.
We will ensure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection, to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any personal data contained within them. These procedures are continuously managed and enhanced to achieve adequate and up-to-date security in an evolving cyber, electronic and technical landscape.
Who do we disclose personal information to?
In order to carry out the purposes described under section 1 above, Merseyside Police may disclose personal information to a wide variety of recipients including those from whom personal data is obtained. This may include disclosures to other law enforcement agencies, partner agencies working on crime reduction initiatives, partners in the Criminal Justice arena, Victim Support and to bodies or individuals working on our behalf such as IT contractors or survey organisations. We may also disclose to other bodies or individuals where necessary to prevent harm to individuals and for safeguarding purposes.
Disclosures of personal data will be made on a case-by-case basis, using the personal data appropriate to a specific purpose and circumstances, and with an identified lawful basis for doing so with adequate technical and governance controls in place.
Some of the bodies or individuals to which we may disclose personal data are situated outside of the European Union – some of which do not have laws that protect data protection rights as extensively as in the United Kingdom. If we do transfer personal information to such territories, we will take appropriate steps to ensure that it is adequately protected as required by the Data Protection Act 2018.
Merseyside Police will also disclose personal data to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order. Merseyside Police may also disclose personal data on a discretionary basis for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.
What are the rights of the individuals whose personal data is handled by Merseyside Police?
The GDPR provides certain rights for individuals; however, not all of these rights apply when it comes to Law Enforcement processing, and even then the applicable rights do not apply in all circumstances. There are exemptions and restrictions that can be legitimately applied to prevent individuals from exercising rights; see below:
The right to be informed – this area is covered by this privacy notice
The right of access – A Subject Access request. The most commonly exercised right is that used by individuals to obtain a copy, subject to exemptions, of their personal data processed by Merseyside Police as detailed under Article 15 of the GDPR. Details of the application process, known as ‘Subject Access’, can be found from the force internet in the ‘Useful Links’ at the bottom of the Home page by selecting ‘Accessing Information’ then ‘Data Protection’ or via this hyperlink: Data Protection access forms.
Alternatively, individuals may contact Merseyside Police in person or via telephone to make the request. The preferred method is via the application process because the process to verify that an individual is who they say they are is achieved more quickly.
Subject access rights do not apply to the processing of ‘relevant personal data’.
The right to rectification – Under Article 16 of the GDPR, individuals have the right to have inaccurate or incomplete personal data rectified. Merseyside Police can refuse this request where it is necessary and proportionate or relates to ‘relevant personal data’, i.e. to avoid obstructing an official or legal inquiry, investigation or procedure.
The right to erasure – Under Article 17 of the GDPR, individuals have the right to have personal data erased and to prevent processing in specific circumstances, for example if there is no compelling reason for its continued processing. Merseyside Police can refuse this request where it is necessary and proportionate or relates to ‘relevant personal data’, i.e. to avoid obstructing an official or legal inquiry, investigation or procedure or to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties. The erasure of personal data relating to criminal offences cannot be considered until its full period of retention has been reached (as detailed in the National Retention and Disposal Schedule which has been adopted by Merseyside Police).
The right to restrict processing – Under Article 18 of the GDPR, individuals have the right to restrict the processing of personal data, for example, if an individual believes that the data is incorrect but it is not possible to confirm the accuracy of the data. Merseyside Police can refuse this request where it is necessary and proportionate or relates to ‘relevant personal data’, i.e. to avoid obstructing an official or legal inquiry, investigation or procedure or to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties.
Rights in relation to automated decision making including profiling – Article 22 of the GDPR has rules to protect individuals if solely automated decision making (making a decision without any human involvement) and profiling are being carried out.
An individual has the right to withdraw their consent – This logically only applies where personal data is being processed solely with the consent of the data subject. It will not apply if the data is processed under a different lawful basis.
N.B. - For all of these rights Merseyside Police will take any action necessary to prove that the requestor is actually the individual who is the subject of the personal data concerned or that the requestor is legitimately acting on behalf of the data subject.
How long does Merseyside Police retain personal data?
Merseyside Police keeps personal data for as long as is necessary for the particular purpose or purposes for which it is held. Personal data which is placed on the Police National Computer is retained, reviewed and deleted in accordance with the agreed national retention periods which are subject to periodic change.
Other records containing personal data relating to intelligence, digital media, custody, crime, firearms, investigations including child abuse and domestic violence will be retained in accordance with the NPCC endorsed guidance on the Management of Police Information (MoPI) 2006 (this can be found on the College of Policing’s website, APP Information Management) and the National Retention and Disposal Schedule (this can be found on the National Police Chiefs’ Council website www.npcc.police.uk). Merseyside Police have adopted this Retention and Disposal Schedule. It is available via this hyperlink: NPCC Retention and Disposal schedule 2017.
Merseyside Police may monitor or record and retain telephone calls, texts, emails and other electronic communications to and from the force in order to deter, prevent and detect inappropriate or criminal activity, to ensure security, and to assist the purposes described under section 1 above. Merseyside Police does not place a pre-recorded ‘privacy notice’ on telephone lines that may receive emergency calls (including misdirected ones) because of the associated risk of harm that may be caused through the delay in response to the call.
A 'cookie' is a piece of information stored on your hard drive which allows web servers to collect information from your visit to the site. It saves a small amount of data to your computer, which the website then uses on repeat visits.
We use the following cookies on the website for the reasons explained below.
Google Analytics sets the following cookies:
This cookie is used to distinguish users, which helps us count how many people visit our website
Used to manage the rate at which page view requests are made
Like _ga, this lets us know if you’ve visited before, so we can count how many of our visitors are new to the site or to a certain page
This works with _utmc to calculate the average length of time you spend on the site
When you close the browser
This works with _utmb to calculate when you close your browser
This tells us how you reached the site (eg from another website or a search engine)
If you don't want to send information to Google Analytics, you can use Google's opt-out browser add-on or you can configure your browser to enable you to choose which cookies you allow to be created.
Any individual with concerns over the way that Merseyside Police handles their personal data or for further details on any of the above may contact the Data Protection Officer (DPO) as below:
Individuals have the right to complain to the Information Commissioner’s Office if they believe that they are/have been adversely affected by the handling of personal data by Merseyside Police. Such complaints should be made direct to the Information Commissioner:
‘Personal Data’ is defined in Article 4 of the General Data Protection Regulation (GDPR). In practical terms it means any information handled by Merseyside Police that relates to an identified or identifiable natural person; an identifiable natural person is anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This document is designed to help satisfy the rules on giving privacy information to data subjects in Articles 12, 13 and 14 of the GDPR.
Merseyside Police is required to conduct Customer Satisfaction Surveys to evaluate our performance and effectiveness. We may contact individuals, such as victims of crime or those reporting incidents, and ask them to give us their opinion of the services we are providing to the public. We use the information given to improve our service and wherever we can, Merseyside Police uses a third party to undertake such surveys on our behalf with strict controls to protect the personal data of those involved.
‘Relevant personal data’ means personal data contained in a judicial decision or in other documents relating to the investigation or proceedings which are created by or on behalf of a court or other judicial authority. Access to ‘relevant personal data’ is governed by the appropriate legislation covering the disclosure of information in criminal proceedings, such as (in England and Wales) the Criminal Procedure and Investigations Act 1996.