Privacy

The Police and Crime Commissioner (PCC) is a public authority, established in legislation through the Police Reform and Social Responsibility Act 2011. For the purposes of this Privacy Notice, the term ‘PCC’ is used to encompass the person elected as the PCC and any staff authorised to work for or on their behalf or under their direction and control (i.e. the OPCC).

The PCC processes personal information for two broad purposes:

1. To discharge the remit, powers and duties of the PCC including rendering assistance to the public in accordance with PCC policies and procedures; and any duty or responsibility of the PCC arising from common law or statute.
2. The provision of services to support the remit of the PCC – including (but not limited to):
   • Management of public engagement and communications, media relations, social media, advertising and website maintenance;
   • Financial management, accounts and administration;
   • Police Property Act Fund (PPAF) grant awards;
   • National Fraud Initiative;
   • Internal audit;
   • OPCC staff recruitment, training and development, staff administration, occupational health and welfare (please note this may include work experience placements);
   • Management of complaints from members of the public;
   • Management of OPCC information technology systems;
   • Independent Custody Visitor Scheme;
   • Police and Crime Panel; and
   • Provision of support and administration to committees and panels that serve the PCC and Chief Constable to discharge their respective statutory responsibilities (e.g. Joint Independent Audit Committee and the Complaints and Standards Committee).

The lawful basis for our use of your information will vary depending on the particular circumstance. These are some examples:

• Contract: The use of your personal information could be necessary for the performance of a contract.
• Public task: The use of your personal information could be necessary for the performance of public interest tasks or in the exercise of official authority vested in the PCC e.g. in relation to Independent Custody Visitor Scheme or grant applications.
• Legal obligation: The use of your personal information could be necessary for compliance with a legal obligation, e.g. as an employer we need to process personal data to comply with the legal obligation to disclose employee salary details e.g. to Her Majesty’s Revenues and Customs (HMRC); use of ethnicity data to comply with equality legislation.
• Consent: If you give your consent, then we can process your personal information for that particular purpose.
• Vital interest: Lawful purpose for processing your data is necessary in order to protect the vital interests of you or another person, e.g. a danger to life.

At times, the OPCC may also process ‘special category’ data, which is more sensitive data that the GDPR states requires more protection. This type of data includes:

• Race;
• Ethnic origin;
• Political views;
• Religion;
• Trade union membership;
• Genetics;
• Biometrics;
• Health; and
• Sexual orientation.

When processing ‘special category’ data we must identify a lawful basis under Article 6 (as above) as well as a separate condition for processing under Article 9. There are ten conditions available under Article 9 and more information can be found on the ICO website: Special category data | ICO

If the OPCC process criminal data, such as data on offences and convictions, we will follow the appropriate safeguards for this data under Article 10 of the GDPR, as this is also separate from personal data and special category data.

The information we collect may be shared with other relevant organisations such as policing organisations (e.g. Thames Valley Police, Hampshire Constabulary), local authorities (e.g. County, Unitary, District and Parish Councils), other public services (e.g. NHS), ombudsmen and regulatory authorities (e.g. Independent Office for Police Conduct).  Your personal information may be processed by an external service provider acting on our behalf to provide relevant services.  

We will only share your personal information when we are permitted to do so or are required to by law, or we have your consent to do so as required by data protection law. We do not pass personal data to other organisations for marketing purposes without your consent.  

We handle personal information in accordance with data protection law. Your personal information held on our systems and in our files is secure and is only accessed by our staff, contractors working on our behalf, outsourced providers in accordance with their contract and volunteers when required to do so for lawful purposes.  

We will ensure that your personal information is handled fairly and lawfully with appropriate justification. We will only use your information for lawful purposes.  

We will strive to ensure that any personal information used by us or on our behalf is compliant with the 7 data protection principles:   

• Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
• Collection of personal data should be for a specified and legitimate purpose.
• The data we collect should be adequate, relevant and limited to what is necessary.
• The data we hold must be accurate and, where necessary, kept up to date.
• The data we hold must be kept in a form which permits identification of data subjects for no longer than is necessary.
• The data we hold must be processed in a manner that ensures appropriate security of the personal data.
• The PCC is responsible for complying with the GDPR and demonstrate that compliance by having in place appropriate technical and organisational measures to meet the requirements of accountability.

We take the security of all personal information under our control very seriously. We will comply with the relevant parts of the legislation relating to security.  

We will ensure that appropriate policy, training, technical and procedural measures are in place. These will include, but are not limited to, ensuring our buildings are secure and protected by adequate physical means. The areas restricted to our staff are only accessible by those holding the appropriate identification and means of access, and have legitimate reasons for entry. Audits of our building’s security are carried out to ensure they are secure and meet appropriate industry and government security standards.  

Regular audits and inspections are carried out to protect our manual and electronic information systems from data loss and misuse, and only permit appropriate access to them when there is a legitimate reason to do so.   

Emails that we send to you or you send to us may be kept as a record of contact. We may also store your email address for future use. If we need to email sensitive or confidential information to you, we will check that we are using the correct email address and may use additional security measures.  

The platform used by the OPCC is police.uk is part of the UK government’s secure email framework and is accredited to the DCB1596 standard, which requires security measures such as Transport Layer Security (TLS). This utilises two important security layers:

• Authentication- which confirms the server’s identity before building a secure connection, thereby ensuring that data is only sent to a genuine server.
• Encryption- which scrambles the connection between services, ensuring that the data is protected during transit.

We may retain records of telephone calls, texts, emails and other electronic communications to and from our organisation to assist in the purposes we have described. 

Under the General Data Protection Regulation you have certain rights:  

• You have the right to be informed of collection or use of your data.  This information can be found contained within this notice. 
• You are entitled to request access to and a copy of any information we hold about you. 
• If you find that the information that the OPCC holds about you is no longer accurate, you have the right to ask to have this corrected.  We may not always be able to change or remove the information.  However, we will correct factual inaccuracies and may include your comments in the records. 
• In certain circumstances, you have the right to have your personal data deleted. 
• You have the right to restrict the processing of your personal data in certain circumstances. 
• You can ask us to stop processing your personal data in relation to any service from the OPCC.  This may delay or prevent us delivering a service to you.  We will try to meet your request but we may be required to hold or process information to meet our legal duties. 

If you wish to exercise the above mentioned rights, please contact our Data Protection Officer using the details below. If you wish to request your personal data, we will respond to you within one calendar month.  If we are unable to comply with your request within the allotted timescale, we will inform you as to the reasons why, how your request will be progressed and your legal rights.  

You may find it useful to look at our Data Protection Policy.

We will keep your personal information as long as is necessary for the particular purpose or purposes for which it is held. This is set out in our Records, Retention and Disposal Policy.

The IT system that the OPCC uses is provided by Thames Valley Police (TVP) and is therefore securely managed within the UK. In exceptional circumstances, when using external providers, your data may be required to be transferred out of the EU, however this will only be done under a proper risk assessment and GDPR compliant agreement being put in place.

If you have any concerns about how we have handled your personal information you should contact our Data Protection Officer by email to PCC@thamesvalley.police.uk or by writing to:

Data Protection Officer,

Office of the Police and Crime Commissioner for Thames Valley,

The Farmhouse,

Thames Valley Police HQ (South),

Oxford Road,

Kidlington,

OX5 2NX

Telephone:  01865 541957   

Please note that if you make contact via telephone you may not be able to speak to the Data Protection Officer directly, however one of our team will take all the relevant details from you to pass on.

The Information Commissioner’s Office (ICO) is the Independent Authority responsible within the UK for ensuring we comply with data protection legislation. 

If you have a concern about how we have used your personal information or you believe you have been adversely affected by our handling of your data, please let us know, however if we are unable to resolve your issues, you may wish to contact the ICO using the information below:   

The Information Commissioner’s Office  

Wycliffe House  

Wilmslow  

Cheshire  

SK9 5AF   

Telephone:  0303 123 1113  

Email: casework@ico.org.uk   

Further information about the ICO can be found by visiting their website.