This privacy notice explains how Merseyside Police collects, stores, uses, discloses, retains and destroys personal data, the steps we take to ensure that it is protected and also describes the rights individuals have in regard to their personal data handled by Merseyside Police. All of these activities are known collectively as ‘processing’ personal data. This document is designed to help satisfy the rules on giving privacy information to data subjects in Articles 12, 13 and 14 of the GDPR.
This is a general notice intended to cover all processing. Other privacy notices are available and will be created which focus upon specific processing in different business areas of Merseyside Police.
Since 25 May 2018 the use and disclosure of personal data is governed in the United Kingdom by EU Regulation 2016/679 – the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) which incorporates the EU Directive 2016/680 known as the Law Enforcement Directive (LED). The Chief Constable of Merseyside Police as a ‘data controller’ has previously registered with the Information Commissioner (ICO) and is obliged to ensure that Merseyside Police handles all personal data in accordance with the DPA and the GDPR. An annual fee is now payable to the ICO who is the ‘supervisory authority’ that is referred to in the legislation.
This document is a statutory requirement of Article 13 of the GDPR and Section 44 of the Data Protection Act 2018.
Merseyside Police puts into place measures to ensure that personal data is handled appropriately in order to obtain and maximise individuals’ trust and confidence in the police service.
What is personal data?
‘Personal Data’ is defined in Article 4 of the General Data Protection Regulation (GDPR). In practical terms it means any information handled by Merseyside Police that relates to an identified or identifiable natural person; an identifiable natural person is anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Why do we collect and use personal information?
Merseyside Police processes personal data for two broad purposes:
1. The Policing Purpose, which includes the prevention and detection of:
apprehension and prosecution of offenders
protecting life and property
maintaining law and order
rendering assistance to the public in accordance with force policies and procedures
any duty or responsibility of the police arising from common or statute law
2. The provision of services to support the Policing Purpose, which include:
Staff administration, employment, health and welfare
Management of public relations, journalism, advertising and media
Management of finance
Internal review, accounting and auditing
Vehicle and transport management
Payroll and benefits management
Management of complaints
Vetting of employees, volunteers, contractors or processors
Management of information technology systems
Licensing and registration
Research, including surveys*
Sports and recreation
Health and safety management
*A note about surveys
Merseyside Police is required to conduct Customer Satisfaction Surveys to evaluate our performance and effectiveness. We may contact individuals, such as victims of crime or those reporting incidents, and ask them to give us their opinion of the services we are providing to the public. We use the information given to improve our service and wherever we can, Merseyside Police uses a third party to undertake such surveys on our behalf with strict controls to protect the personal data of those involved.
Whose personal data do we handle?
In order to carry out the purposes described under the section ‘Why do we collect and use personal information?’ above, Merseyside Police may collect, store, use, disclose (see section ‘Who do we disclose personal information to?’ below) and retain personal data relating to a wide variety of individuals including the following:
Staff including volunteers, agents, cadets, temporary and casual workers
Complainants, correspondents and enquirers
Relatives, guardians and associates of the individual concerned
Advisors, consultants and other professional experts
Offenders and suspected offenders
Former and potential members of staff, pensioners and beneficiaries
Other individuals necessarily identified in the course of police enquiries and activity
Merseyside Police will only use appropriate personal information necessary to fulfil a particular purpose or purposes. Personal data could be information which is held on a computer, in a paper record such as a file, or as images, but can also include other types of electronically held information such as CCTV or Body Worn Video images.
What types of personal data do we handle?
In order to carry out the purposes described under the section ‘Why do we collect and use personal information?’ above Merseyside Police may process and may retain personal data relating to or consisting of the following:
Personal details such as name, address and biographical details
Family, lifestyle and social circumstances
Education and training details
Goods or services provided
Racial or ethnic origin
Religious or other beliefs of a similar nature
Trade union membership
Physical or mental health or condition
Offences (including alleged offences)
Criminal proceedings, outcomes and sentences
Physical identifiers including DNA, fingerprints and other genetic or biometric samples
Sound and visual images
Licences or permits held
References to manual records or files
Information relating to health and safety
Complaint, incident and accident details
Whilst the categories of information above may not be complete if other categories are occasionally gathered for a law enforcement purpose or as part of general processing of personal data, no inference should be drawn that all of the above categories of personal data are held in respect of every data subject (person) in respect of whom personal data is held.
Where do we obtain personal data from?
In order to carry out the purposes described under section ‘Why do we collect and use personal information?’, Merseyside Police may collect personal data from a wide variety of sources other than directly from you, including the following:
Individuals including data subjects or third parties
Local Authorities or government agencies
The Home Office
Other law enforcement agencies
HM Revenue and Customs
International law enforcement agencies and bodies
Partner agencies involved in crime and disorder strategies
National or local government, or private agencies for safeguarding
Private sector organisations working with the police in anti-crime strategies
Voluntary sector organisations
Approved organisations and people working with the police
Independent Police Complaints Commission
Her Majesty’s Inspectorate of Constabulary
Police and Crime Commissioners
Central government, government agencies and departments
Relatives, guardians or other persons associated with the individual
Current, past or prospective employers of the individual
Healthcare, social and welfare advisers or practitioners
Education, training establishments and examining bodies
Business associates and other professional advisors
Employees and agents of Merseyside Police
Suppliers, providers of goods or services
Persons making an enquiry or complaint
Financial organisations and advisors
Credit reference agencies
Survey and research organisations
Trade, employer associations and professional bodies
Voluntary and charitable organisations
Ombudsmen and regulatory authorities
Data processors working on behalf of Merseyside Police
Merseyside Police may also obtain personal data from other sources such as its own CCTV systems, Body Worn Video or correspondence.
Which lawful basis do we use to process this information?
As a public body, we collect and use information in relation to offenders, suspected offenders, victims and witnesses in order to carry out a task that is in the public interest, for example, ‘Public Task’: the processing is necessary for the performance of a task carried out in the public interest or for official authority vested in the controller. The task or function must have a clear basis in law.
We use different lawful bases to process the personal data of the individuals/staff that work for us; these are documented separately. Other lawful bases under which Merseyside Police may also process personal data are listed below:
General Processing of information – Article 6.1 (a) to (e) of GDPR as referenced in DPA Part 2, Chapter 2 section 8
Processing of personal data and criminal convictions and offences data – Articles 9 & 10 of GDPR and Part 2, Chapter 2 sections 10, 11 and schedule 1 Parts 1, 2 & 3 of DPA
Merseyside Police has an appropriate policy document that is required under schedule 1 Part 4 Ss 38 & 39 in order that some aspects of the data processing which is undertaken are lawful
How do we handle personal data?
In order to achieve the purposes described in section ‘Why do we collect and use personal information?’, Merseyside Police will handle personal data in accordance with the DPA and the GDPR. In particular we will ensure that any personal data is:
processed lawfully, fairly, in a transparent manner and with appropriate justification
collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
accurate and, where necessary, kept up to date
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
processed in a manner that ensures appropriate security
Merseyside Police will work to ensure that any personal data used by us or on our behalf is not excessive, reviewed appropriately and securely destroyed when no longer required. We will also comply with individuals’ rights as detailed in section ‘What are the rights of the individuals whose personal data is handled by Merseyside Police’ below.
How do we ensure the security of personal data?
Merseyside Police takes the security of all personal data under our control very seriously. We will comply with the relevant parts of the DPA and the GDPR relating to security, and seek to comply with the National Police Chiefs Council (NPCC) and relevant parts of the ISO27001 Information Security Standard.
We will ensure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection, to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any personal data contained within them. These procedures are continuously managed and enhanced to achieve adequate and up-to-date security in an evolving cyber, electronic and technical landscape.
Who do we disclose personal information to?
In order to carry out the purposes described under section ‘Why do we collect and use personal information?’ above Merseyside Police may disclose personal information to a wide variety of recipients including those from whom personal data is obtained.
This may include disclosures to other law enforcement agencies, partner agencies working on crime reduction initiatives, partners in the Criminal Justice arena, Victim Support and to bodies or individuals working on our behalf such as IT contractors or survey organisations. We may also disclose to other bodies or individuals where necessary to prevent harm to individuals and for safeguarding purposes.
Disclosures of personal data will be made on a case-by-case basis, using the personal data appropriate to a specific purpose and circumstances, and with an identified lawful basis for doing so with adequate technical and governance controls in place.
Some of the bodies or individuals to which we may disclose personal data are situated outside of the European Union – some of which do not have laws that protect data protection rights as extensively as in the United Kingdom. If we do transfer personal information to such territories, we will take appropriate steps to ensure that it is adequately protected as required by the Data Protection Act 2018.
Merseyside Police will also disclose personal data to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order. Merseyside Police may also disclose personal data on a discretionary basis for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.
What are the rights of the individuals whose personal data is handled by Merseyside Police?
The GDPR provides certain rights for individuals; however, not all of these rights apply when it comes to Law Enforcement processing, and even then the applicable rights do not apply in all circumstances. There are exemptions and restrictions that can be legitimately applied to prevent individuals from exercising rights, see below:
The right to be informed
This area is covered by this privacy notice.
The right of access
A Subject Access request. The most commonly exercised right is that used by individuals to obtain a copy, subject to exemptions, of their personal data processed by Merseyside Police as detailed under Article 15 of the GDPR. Details of the application process, known as ‘Subject Access’ can be found in this Data Protection access form.
Alternatively individuals may contact Merseyside Police in person or via telephone to make the request. The preferred method is via the application process because the process to verify that an individual is who they say they are is achieved more quickly.
Subject access rights do not apply to the processing of ‘relevant personal data’. (‘Relevant personal data’ means personal data contained in a judicial decision or in other documents relating to the investigation or proceedings which are created by or on behalf of a court or other judicial authority. Access to ‘relevant personal data’ is governed by the appropriate legislation covering the disclosure of information in criminal proceedings, such as (in England and Wales) the Criminal Procedure and Investigations Act 1996.)
The right to rectification
Under Article 16 of the GDPR, individuals have the right to have inaccurate or incomplete personal data rectified. Merseyside Police can refuse this request where it is necessary and proportionate or relates to ‘relevant personal data’, i.e. to avoid obstructing an official or legal inquiry, investigation or procedure.
The right to erasure
Under Article 17 of the GDPR, individuals have the right to have personal data erased and to prevent processing in specific circumstances, for example if there is no compelling reason for its continued processing. Merseyside Police can refuse this request where it is necessary and proportionate or relates to ‘relevant personal data’, i.e. to avoid obstructing an official or legal inquiry, investigation or procedure or to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties. The erasure of personal data relating to criminal offences cannot be considered until its full period of retention has been reached (as detailed in the National Retention and Disposal Schedule which has been adopted by Merseyside Police).
The right to restrict processing
Under Article 18 of the GDPR, individuals have the right to restrict the processing of personal data, for example, if an individual believes that the data is incorrect but it is not possible to confirm the accuracy of the data. Merseyside Police can refuse this request where it is necessary and proportionate or relates to ‘relevant personal data’, i.e. to avoid obstructing an official or legal inquiry, investigation or procedure or to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties.
Rights in relation to automated decision making including profiling
Article 22 of the GDPR has rules to protect individuals in relation to solely automated decision making (making a decision without any human involvement) and profiling.
An individual has the right to withdraw their consent
This logically only applies where personal data is being processed solely with the consent of the data subject. It will not apply if the data is processed under a different lawful basis.
For all of these rights Merseyside Police will take any action necessary to prove that the requestor is actually the individual who is the subject of the personal data concerned or that the requestor is legitimately acting on behalf of the data subject.
How long does Merseyside Police retain personal data?
Merseyside Police keeps personal data for as long as is necessary for the particular purpose or purposes for which it is held. Personal data which is placed on the Police National Computer is retained, reviewed and deleted in accordance with the agreed national retention periods which are subject to periodic change.
Other records containing personal data relating to intelligence, digital media, custody, crime, firearms, investigations including child abuse and domestic violence will be retained in accordance with the NPCC endorsed guidance on the Management of Police Information (MoPI) 2006 (this can be found on the College of Policing’s website, APP Information Management). Merseyside Police have adopted this Retention and Disposal Schedule 2017.
Merseyside Police may monitor or record and retain telephone calls, texts, emails and other electronic communications to and from the force in order to deter, prevent and detect inappropriate or criminal activity, to ensure security, and to assist the purposes described under section ‘Why do we collect and use personal information?’ above. Merseyside Police does not place a pre-recorded ‘privacy notice’ on telephone lines that may receive emergency calls (including misdirected ones) because of the associated risk of harm that may be caused through the delay in response to the call.
A 'cookie' is a piece of information stored on your hard drive which allows web servers to collect information from your visit to the site. It saves a small amount of data to your computer, which the website then uses on repeat visits.
Any individual with concerns over the way that Merseyside Police handles their personal data or for further details on any of the above may contact the Data Protection Officer (DPO) as below:
Data Protection Officer Merseyside Police PO Box 59 Liverpool L69 1JD
Individuals have the right to complain to the Information Commissioner’s Office if they believe that they are/have been adversely affected by the handling of personal data by Merseyside Police. Such complaints should be made direct to the Information Commissioner:
The Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF