The Chief Constable, Shaun Sawyer, is defined as the ‘Data Controller’ for the purposes of the legislation and is required to ensure Devon and Cornwall Police (D&CP) handles all personal information in accordance with that legislation.
Devon and Cornwall Police is registered with the Information Commissioner's Office (registration number: Z4883316).
Contact details for the data controller are:
Alliance Data Protection Office, Devon and Cornwall Police, Force Headquarters, Middlemoor, Exeter, Devon, EX2 7HQ
Email: Data Protection Alliance
Telephone: 01392 226622
The Data Protection Act and the EU General Data Protection Regulation ensure that we comply with a series of data protection principles. These principles are there to protect you and they make sure that we:
- Process all personal information lawfully, fairly and in a transparent manner.
- Collect personal information for a specified, explicit and legitimate purpose.
- Ensure that the personal information processed is adequate, relevant and limited to the purposes for which it was collected.
- Ensure the personal information is accurate and up to date.
- Keep your personal information for no longer than is necessary for the purpose(s) for which it was collected.
- Keep your personal information securely using appropriate technical or organisational measures.
Why do we process personal information?
Devon and Cornwall Police (D&CP) have a statutory duty to uphold the law, prevent crime, bring offenders to justice and protect the public. To do this it is necessary for us to process your personal information under the lawful basis of ‘public interest’ and ‘official authority’. This means we process your personal information for carrying out tasks that are laid down in law and collectively described as the administration of justice.
We process some personal information under the lawful basis of ‘legal obligation’ for example when we provide salary information for tax purposes, or use ethnicity data for equality legislation purposes.
Some personnel information is used by us under the lawful basis of ‘legitimate interests’ when processing information to manage the human resources of all our employees such as their professional development, and to protect our network and information security such as vetting.
We also have a public interest, legal obligation or legitimate interest and are required by the Home Office to carry out user satisfaction surveys to evaluate our performance and effectiveness. We may contact you if you have been a victim of crime or reported an incident to us to ask for your opinion about the service you have received. Sometimes, like many police services, we may use a private company to undertake these surveys. The information we obtain from the surveys is used wherever possible to help us improve. D&CP will only use the minimum amount of personal information necessary to carry out a particular activity, such as your name and address; reasons why you have had contact with the police are not disclosed.
We obtain, hold, use and disclose personal information for these purposes:
- For the Administration of Justice – which includes the prevention and detection of crime; apprehension and prosecution of offenders; protecting life and property; preserving order; maintenance of law and order; assisting the public in accordance with force policies and procedures; national security; defending civil proceedings and any duty or responsibility of the police arising from common or statute law.
- The provision of services to support the Administration of Justice, our legal obligations and legitimate interests – this includes staff administration; occupational health and welfare; management of public relations, journalism, advertising and media; management of finance; internal review; accounting and auditing; training; property management; insurance management; vehicle and transport management; payroll, pensions and benefits management; management of complaints; vetting; management of information technology systems; legal services and defending ourselves in civil proceedings; information provision; licensing and registration; pensioner administration; research, including customer surveys; performance management; sports and recreation; management of safety and health; procurement; planning; system testing and security.
Whose personal information do we hold?
In order to carry out the purposes described above D&CP may obtain, use and disclose personal information relating to a wide variety of individuals including: our staff, officers, volunteers, agents, temporary and casual workers; suppliers; complainants, correspondents, litigants and enquirers; relatives, guardians and associates of the individual concerned; advisers, consultants and other professional experts; offenders and suspected offenders; witnesses; victims (current, past and potential); former and potential members of staff, pensioners and beneficiaries; other individuals necessarily identified in the course of our police enquiries and activity.
We will use the minimum amount of personal information necessary to fulfil a particular purpose or purposes. Personal information can be information that is held on a computer, in a paper record such as a file or images, but it can also include other types of electronically held information such as CCTV images.
What type of personal information is it?
The type of personal information we hold will vary depending upon the reason you have had contact with us but it may include: your name and address; date of birth; contact details (e.g. telephone number, email address); custody records; medical and hospital records; phone and electronic device download data; risk assessment; fingerprints, DNA or photograph; family, lifestyle and social circumstances; education and training details; employment details; financial details; goods or services provided; racial or ethnic origin; political opinions; religious or other beliefs of a similar nature; trade union membership; physical or mental health or condition; sexual life; offences and alleged offences; criminal proceedings, outcomes and sentences; cautions; physical identifiers including DNA, fingerprints and other genetic samples; sound and visual images; licenses or permits held; criminal intelligence; references to manual records or files; information relating to safety and health; complaint, incident, civil litigation and accident details.
We will use the minimum amount of personal information necessary to fulfil a particular purpose. Your personal information may be held on a computer system, in a paper record such as in a physical file or a photograph, but it can also include other types of electronically held information such as CCTV or body worn video.
Where do we get the personal information from?
To carry out the purposes we have described we may obtain personal information from a wide variety of sources, including: other law enforcement agencies; HM Revenue and Customs; international law enforcement agencies and bodies; licensing authorities; legal representatives; prosecuting authorities; solicitors; courts; prisons and young offender institutions; security companies; partner agencies involved in crime and disorder strategies; private sector organisations working with the police in anti-crime strategies; voluntary sector organisations; approved organisations and people working with the police; Independent Office for Police Conduct; Her Majesty’s Inspectorate of Constabulary; auditors; Police and Crime Commissioners; central government, governmental agencies and departments; emergency services such as the fire brigade, National Health Service or ambulance; persons arrested; victims; witnesses; relatives, guardians or other persons associated with the individual; current, past or prospective employers of the individual; healthcare, social and welfare advisers or practitioners; education, training establishments and examining bodies; business associates and other professional advisors; employees, officers and agents of D&CP; suppliers, providers of goods or services; persons making an enquiry or complaint; financial organisations and advisors; credit reference agencies; survey and research organisations; trade union, staff associations and professional bodies; local government; voluntary and charitable organisations; social services; probation service; Disclosure and Barring Service; housing providers; HM Armed Forces; Office of the Biometrics Commissioner; Ombudsmen and regulatory authorities; the media; data processors working on behalf of D&CP; CCTV systems; body worn video and from correspondence sent to us.
There may be times where we obtain personal information from sources such as other police services and our own police systems such as the Crime Reporting System known as STORM and records management systems like UNIFI or Niche.
How do we handle your personal information?
We handle personal information according to the requirements of the UK Data Protection Act. Your personal information held on our systems and in our files is secure and is accessed by our staff, police officers, contractors working on our behalf, outsourced providers in accordance with their contract and volunteers when required to do so for a lawful purpose.
We will ensure that your personal information is handled fairly and lawfully with appropriate justification. We will only use your information for lawful purposes in connection with our requirement to uphold the law, prevent crime, bring offenders to justice, protect the public, manage our personnel and protect our network infrastructure, legal interests and information security.
We will strive to ensure that any personal information used by us or on our behalf is of the highest quality in terms of accuracy, relevance and adequacy, is not excessive, is kept as up to date as possible and is protected appropriately. We will regularly review it to ensure it is still required and that it is lawful for us to continue to retain it, and when it is no longer required we will securely destroy it.
We will respect your individual rights under the Act.
Who do we share your personal information with?
To carry out the purposes described D&CP may disclose personal information to a wide variety of recipients in any part of the world, including those from whom personal data is obtained. This may include:
- Disclosures to other law enforcement agencies (including international agencies);
- Police and Crime Commissioners;
- Force insurer;
- NHS Trusts;
- Youth offending teams;
- Probation service;
- Prison service;
- Partner agencies working on crime reduction initiatives;
- Partners in the Criminal Justice arena;
- Victim Support Service provider;
- To bodies or individuals working on our behalf such as IT contractors or survey organisations;
- Local government;
- Authorities involved in offender management;
- Central government;
- Ombudsmen and regulatory authorities;
- The media;
- International agencies concerned with the safeguarding of international and domestic national security;
- Third parties involved with investigations relating to the safeguarding of national security;
- To other bodies or individuals where necessary to prevent harm to individuals.
Disclosures of personal information are made on a case-by-case basis, using the personal information appropriate to a specific purpose and circumstances, and with necessary controls in place.
Some of the bodies or individuals to which we may disclose personal information are situated outside of the European Union - some of which do not have laws that protect data protection rights as extensively as in the United Kingdom. If we do transfer personal data to such territories, we undertake to ensure that there are appropriate safeguards in place to certify that it is adequately protected as required by the legislation.
D&CP will also disclose personal information to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order.
This may include:
- Serious Fraud Office;
- Child Maintenance Service;
- National Fraud Initiative;
- Home Office;
- Department for Work and Pensions;
- Public inquiries;
- Disclosure and Barring Service;
- General Medical Council;
- Nursing and Midwifery Council.
D&CP may also disclose personal information on a discretionary basis for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.
How do we keep your personal information safe?
D&CP takes the security of all personal information under our control very seriously. We will comply with the relevant parts of the legislation relating to security, and seek to comply with the College of Policing Information Assurance authorised practice, and relevant parts of the ISO27001 Information Security Standard.
We will ensure that appropriate policy, training, technical and procedural measures are in place. These will include, but are not limited to, ensuring our buildings are secure and protected by adequate physical means. The areas restricted to our police officers and staff are only accessible by those who hold the appropriate identification and have legitimate reasons for entry. We carry out audits of our buildings' security to ensure they are secure. Our systems meet appropriate industry and government security standards.
We carry out regular audits and inspections, to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so. Our standard operating procedures and policies contain strict guidelines as to what use may be made of any personal information contained within them. These procedures are reviewed regularly to ensure our security of information is kept up-to-date.
What are my Rights?
Right to be Informed
This places an obligation upon D&CP to tell you how we obtain your personal information and describe how we will use, retain, store and who we may share it with.
We have written this Privacy Notice to explain how we will use your personal information and tell you what your rights are under the legislation.
Right of Access
The legislation allows you to request access to your personal information free of charge and requires us to provide you with access to it normally within one month of receipt of your request unless an exemption from doing so can be lawfully applied. Should you wish to request access to the personal information we may be holding about you please use this link: Requesting my information.
Right to Rectification
If the personal information D&CP is holding about you is inaccurate or incomplete you have the right to request us to correct it. If you need to tell us your information is not correct, you should raise your concern by contacting our Data Protection Officer using the details below. We will respond to you within one month unless the request for amendment is complex.
Right to Erasure - also known as ‘the right to be forgotten’
Under certain circumstances, you have the right to have your personal information deleted to prevent its continued processing where there is no justification for us to retain it.
Circumstances that are likely to require us to delete your information include:
- Where your personal information is no longer necessary in relation to the purpose for which it was originally collected and processed;
- When an individual withdraws consent if we are relying on your consent to hold it;
- If we are relying on the legitimate interests as our basis for processing and you have objected and there is no overriding reason for us to continue processing;
- When an individual has objected to its processing and D&CP is processing it for direct market research;
- The personal data was unlawfully processed by us in breach of the 1st principle of the legislation;
- The personal information has to be deleted to comply with a legal obligation;
- The personal information is processed in relation to the offer of information society services to a child.
The right of erasure does not apply if your personal information is being processed by us:
- To comply with a legal obligation;
- For the performance of a task carried out in the public interest or in the exercise of official authority;
- For the establishment, exercise or defence of legal claims;
- To exercise the right of freedom of expression and information;
- For archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to make it impossible to carry out or seriously impair that processing.
If you wish to request your information is deleted you should raise a request by contacting our Data Protection Officer whose contact information is below. We will respond to you within one month unless the request is complex.
Right to Restrict Processing
Under certain circumstances you have the right to ask us to restrict the processing of your personal information. This may be in cases where:
- You are contesting the accuracy of your information and we are verifying the accuracy of it;
- Your information has been unlawfully processed and you oppose its erasure and have requested a restriction instead;
- You have objected to us processing your information under article 21(1) and we are considering whether our legitimate grounds override those of yourself;
- Where D&CP no longer requires your information but you need it to establish, exercise or defend a legal claim.
If you wish to tell us to restrict the processing of your information you should raise your concern by contacting our Data Protection Officer whose contact information is below. We will respond to you within one month unless the request is complex.
Right to Data Portability
The right to data portability allows you to obtain and reuse your personal information for your own purposes from one environment to another.
This right only applies to personal information provided by an individual, where the processing is based on their consent or for the performance of a contract and when that processing is carried out by automated means.
The processing of personal information within D&CP is necessary for the purposes we have described as the basis of public interest and official authority and are required by statute to uphold the law, prevent crime, bring offenders to justice and protect the public. Please note article 20(3) and Recital 68 say this right shall not apply to processing necessary for the performance of a task carried out in the public interest or in exercise of official authority.
Right to Object
You have the right to object to:
- Processing based on legitimate interests or performance of a task in the public interest and/or exercise of official authority;
- Processing of your information for scientific and historical research and statistics;
- Direct marketing.
Any objection must be on grounds relating to your particular situation. Should you wish to object you can raise your concern by contacting our Data Protection Officer whose contact information is below.
Under article 21(6), where processing of personal information for research or statistical purposes is necessary for the performance of a task carried out for reasons of public interest, we are not required to comply with an objection to the processing. An example of this is crime mapping where we use information to identify areas of specific criminality.
Rights related to automated decision making and profiling
Under the legislation you have the right not to be subject to a decision when it is based on solely automated processing, including profiling and which produces a legal effect or similar significant effect on you.
This right does not apply if the decision is authorised by law, is necessary for entering into or performance of a contract or is based on your consent.
In the legislation profiling has been described as any form of automated processing of personal data intended to evaluate certain personal aspects about you to predict things about you such as your behaviour, interests, movements or performance at work.
The majority of work undertaken by D&CP does not involve automated processing because our processes involve some type of human interaction and decision making.
Two processes which have been identified within D&CP that involve automated processing are as follows:
- The first is in relation to staff attendance and management intervention. When certain attendance triggers are met by our staff e.g. sickness absence, an automated email is sent to the line manager to inform them of the next steps in the process.
- The second area of automated processing is in relation to staff annual pay increments. For example, new members of staff might be appointed to a pay scale with increments. The member of staff will automatically progress to the next pay increment on a yearly basis until they reach the top of their pay scale.
If you have any concerns about automated decision making or automated profiling you should contact our Data Protection Officer whose details are above.
How long will you keep my personal information?
D&CP keeps your personal information as long as is necessary for the particular purpose or purposes for which it is held. Personal information which is placed on the Police National Computer (PNC) is retained, reviewed and deleted in accordance with the Retention Guidelines for Nominal Records on the Police National Computer.
Other records that contain your personal information relating to criminal investigations; digital-media; custody; contracts; firearms; employment; domestic violence are retained in accordance with the College of Policing guidance on the Management of Police Information and the Retention and Disposal Schedule (please see the document below). In broad terms these are structured according to the offence type or category, i.e. serious offences against a person, firearm licences or staff administration records.
Monitoring of communications
D&CP may monitor or record and retain telephone calls, texts, emails and other electronic communications to and from the force in order to deter, prevent and detect inappropriate or criminal activity, to ensure security, and to assist the purposes we have described.
D&CP does not place a pre-recorded ‘Privacy Notice’ on telephone lines that may receive emergency calls (including misdirected ones) because of the associated risk of harm that may be caused through the delay in response to the call. You may view it on our web site at any time or ask for a copy by contacting our Data Protection Office.
Links to Sub-Privacy Notices
The following business areas have identified the need for sub-privacy notices to help explain in more detail how they use personal information:
- Privacy Notice for Human Resources Operations
- Privacy Notice for Alliance Learning and Development
- Privacy Notice for the National Fraud Initiative (NFI)
- Privacy Notice for Positive Action
- Privacy Notice for Resourcing
- Privacy Notice for Witness Care Units and Crown Court Information Teams
- COVID-19 Privacy Notice
- Privacy Notice for Vetting
Appropriate Policy Documents
Under the Data Protection Act 2018 Schedule 1 Part 4, we are required to produce a policy document explaining how we ensure compliance with the Act for the processing of special categories of personal data. We are also required by Section 42 of the Data Protection Act to produce an equivalent document for sensitive processing for law enforcement purposes. These documents are available below:
Links to other websites
This Privacy Notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Cookies and other Web Services
Please refer to our cookies page.
If you want to raise a concern with the Supervisory Authority
The Information Commissioner is the independent Authority responsible within the UK for ensuring we comply with data protection legislation. If you have a concern about how we have used your personal information or you believe you have been adversely affected by our handling of your data you may wish to contact them using the information below:
The Information Commissioner’s Office,
Telephone: 0303 123 1113
Changes to our Privacy Notice
We keep our Privacy Notice under regular review. This Privacy Notice was last updated on 24 September 2018.
If we plan to use your personal information for a new purpose we will update our Privacy Notice and communicate the changes before we start any new processing.