The Office of the Police and Crime Commissioner (OPCC) complies with the General Data Protection Regulation 2018 and the Data Protection Act 2018 and is exempt from registering as a data controller with the Information Commissioners’ Office (ICO). We are committed to keeping your personal information accurate and up to date and we will not keep your information longer than necessary.
This Privacy Notice explains how we use your personal information and the ways in which we protect your privacy. Personal information is any information which relates to a living individual, (such as names, addresses, medical conditions, ethnicity, political opinions and criminal convictions).
This Privacy Notice applies to all personal data (of both OPCC staff and members of the public) collected for, or on behalf of, the OPCC. This includes information collected by letter, email, face-to-face, telephone or online.
You may also receive a Privacy Notice specific to the service you are receiving.
By using our website and engaging with us by any means, you agree to accept this Privacy Notice which may be reviewed from time-to-time so please refer back to this Privacy Notice each time you submit personal data to us.
Why do we process personal information?
The Police and Crime Commissioner (PCC) is a public authority, established in legislation through the Police Reform and Social Responsibility Act 2011. For the purposes of this Privacy Notice, the term ‘PCC’ is used to encompass the person elected as the PCC and any staff authorised to work for or on their behalf or under their direction and control (i.e. the OPCC).
The PCC processes personal information for two broad purposes:
- To discharge the remit, powers and duties of the PCC including rendering assistance to the public in accordance with PCC policies and procedures; and any duty or responsibility of the PCC arising from common law or statute.
- The provision of services to support the remit of the PCC – including (but not limited to):
- Management of public engagement and communications, media relations, social media, advertising and website maintenance
- Financial management, accounts and administration
- Police Property Act Fund (PPAF) grant awards
- National Fraud Initiative
- Internal audit
- OPCC staff recruitment, training and development, staff administration, occupational health and welfare (please note this may include work experience placements)
- Management of complaints from members of the public
- Management of OPCC information technology systems
- Independent Custody Visitor Scheme
- Police and Crime Panel
- Prison Leavers Pilot
- Provision of support and administration to committees and panels that serve the PCC and Chief Constable to discharge their respective statutory responsibilities (e.g. Joint Independent Audit Committee and the Professional and Ethical Standards Panel).
The lawful basis for our use of your information will vary depending on the particular circumstance. These are some examples:
- Contract: The use of your personal information could be necessary for the performance of a contract.
- Public task: The use of your personal information could be necessary for the performance of public interest tasks or in the exercise of official authority vested in the PCC e.g. in relation to Independent Custody Visitor Scheme or grant applications.
- Legal obligation: The use of your personal information could be necessary for compliance with a legal obligation, e.g. as an employer we need to process personal data to comply with the legal obligation to disclose employee salary details e.g. to Her Majesty’s Revenues and Customs (HMRC); use of ethnicity data to comply with equality legislation.
- Consent: If you give your consent, then we can process your personal information for that particular purpose.
- Vital interest: Lawful purpose for processing your data is necessary in order to protect the vital interests of you or another person, e.g. a danger to life.
At times, the OPCC may also process ‘special category’ data, which is more sensitive data that the GDPR states requires more protection. This type of data includes:
- Ethnic origin
- Political views
- Trade union membership
- Biometrics Health
- Sexual orientation
When processing ‘special category’ data we must identify a lawful basis under Article 6 (as above) as well as a separate condition for processing under Article 9. There are ten conditions available under Article 9 and more information can be found on the ICO website:
If the OPCC process criminal data, such as data on offences and convictions, we will follow the appropriate safeguards for this data under Article 10 of the GDPR, as this is also separate from personal data and special category data.
Who do we share your personal information with?
The information we collect may be shared with other relevant organisations such as policing organisations (e.g. Thames Valley Police, Hampshire Constabulary), local authorities (e.g. County, Unitary, District and Parish Councils), charities (who may be able to offer support), other public services (e.g. NHS), ombudsmen and regulatory authorities (e.g. Independent Office for Police Conduct). Your personal information may be processed by an external service provider acting on our behalf to provide relevant services.
We will only share your personal information when we are permitted to do so or are required to by law, or we have your consent to do so as required by data protection law.
You can find a copy of our Information Sharing Agreement with Thames Valley Police on our Policies and Procedures webpage.
We do not pass personal data to other organisations for marketing purposes without your consent.
How do we handle your personal information?
We handle personal information in accordance with data protection law. Your personal information held on our systems and in our files is secure and is only accessed by our staff, contractors working on our behalf, outsourced providers in accordance with their contract and volunteers when required to do so for lawful purposes.
We will ensure that your personal information is handled fairly and lawfully with appropriate justification. We will only use your information for lawful purposes.
We will strive to ensure that any personal information used by us or on our behalf is compliant with the 7 data protection principles:
- Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Collection of personal data should be for a specified and legitimate purpose.
- The data we collect should be adequate, relevant and limited to what is necessary.
- The data we hold must be accurate and, where necessary, kept up to date.
- The data we hold must be kept in a form which permits identification of data subjects for no longer than is necessary.
- The data we hold must be processed in a manner that ensures appropriate security of the personal data.
- The PCC is responsible for complying with the GDPR and demonstrate that compliance by having in place appropriate technical and organisational measures to meet the requirements of accountability.
How do we keep your personal information safe?
We take the security of all personal information under our control very seriously. We will comply with the relevant parts of the legislation relating to security.
We will ensure that appropriate policy, training, technical and procedural measures are in place. These will include, but are not limited to, ensuring our buildings are secure and protected by adequate physical means. The areas restricted to our staff are only accessible by those holding the appropriate identification and means of access, and have legitimate reasons for entry. Audits of our building’s security are carried out to ensure they are secure and meet appropriate industry and government security standards.
Regular audits and inspections are carried out to protect our manual and electronic information systems from data loss and misuse, and only permit appropriate access to them when there is a legitimate reason to do so.
Emails that we send to you or you send to us may be kept as a record of contact. We may also store your email address for future use. If we need to email sensitive or confidential information to you, we will check that we are using the correct email address and may use additional security measures.
Monitoring of communications
We may retain records of telephone calls, texts, emails and other electronic communications to and from our organisation to assist in the purposes we have described.
Under the General Data Protection Regulation you have certain rights:
- You have the right to be informed of collection or use of your data. This information can be found contained within this notice.
- You are entitled to request access to and a copy of any information we hold about you.
- If you find that the information that the OPCC holds about you is no longer accurate, you have the right to ask to have this corrected. We may not always be able to change or remove the information. However, we will correct factual inaccuracies and may include your comments in the records.
- In certain circumstances, you have the right to have your personal data deleted.
- You have the right to restrict the processing of your personal data in certain circumstances.
- You can ask us to stop processing your personal data in relation to any service from the OPCC. This may delay or prevent us delivering a service to you. We will try to meet your request but we may be required to hold or process information to meet our legal duties.
If you wish to exercise the above mentioned rights, please contact our Data Protection Officer using the details below. If you wish to request your personal data, we will respond to you within one calendar month. If we are unable to comply with your request within the allotted timescale, we will inform you as to the reasons why, how your request will be progressed and your legal rights.
You may find it useful to look at our Data Protection Policy.
How long will you keep my personal information?
We will keep your personal information as long as is necessary for the particular purpose or purposes for which it is held. This is set out in our Records, Retention and Disposal Policy
Data Transfers outside of the EU
The IT system that the OPCC uses is provided by Thames Valley Police (TVP) and is therefore securely managed within the UK. In exceptional circumstances, when using external providers, your data may be required to be transferred out of the EU, however this will only be done under a proper risk assessment and GDPR compliant agreement being put in place.
If you have any concerns about how we have handled your personal information you should contact our Data Protection Officer by either email, telephone or write to:
Office of the Police and Crime Commissioner for Thames Valley
Thames Valley Police HQ (South)
Telephone: 01865 541957
If you want to raise a concern with the Supervisory Authority
The Information Commissioner’s Office (ICO) is the Independent Authority responsible within the UK for ensuring we comply with data protection legislation. If you have a concern about how we have used your personal information or you believe you have been adversely affected by our handling of your data, please let us know, however if we are unable to resolve your issues, you may wish to contact the ICO using the information below:
The Information Commissioner’s Office
Telephone: 0303 123 1113
You can also download a full copy of our Privacy Statement.