Privacy Statement

1 Introduction

Your privacy is important to us. We aim for full transparency on how we gather, use and share your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Privacy Notice explains at a high level how we process personal data and the rights that you have in regard to how your personal data is handled. This Privacy Notice is supported by more detailed purpose-specific Privacy Notices where required. One of the key rights enshrined in the legislation is a right to be informed, which means that the Office of the Police and Crime Commissioner (OPCC) for Lancashire must give you detailed information about the ways in which we use, share and store your personal information. All information provided to you by the OPCC should be concise, transparent, intelligible, easily accessible, and it must be in clear and plain language. We provide privacy information to people at different times and in a number of formats, such as in an email reply, on the PCC’s website and on our telephone recorded message. If you have any feedback on how effective the delivery of our privacy information is then we would welcome your comments. The OPCC for Lancashire is registered with the Information Commissioner as a data controller under number Z3466326 (Police & Crime Commissioner for Lancashire) and is obliged to ensure that the OPCC for Lancashire handles all personal data in accordance with the UK GDPR and Data Protection Act 2018. The OPCC for Lancashire’s Data Protection Officer is available to provide you with advice and assistance if you have any queries or concerns about how we process your personal data. Contact details for the Data Protection Officer can be found at the end of this Notice.

1.1 What is Personal Data?

The UK GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. Therefore, personal data is any information about a living individual which allows them to be identified from that data (for example a name, photographs, videos, email address, or address). Identification can be directly using the data itself or by combining it with other information which helps to identify a living individual.

2 Why do we process personal data?

We process personal information for two main purposes:

1. So that we can do the job of the PCC, within the role, remit and power of the PCC. This includes helping people within with PCC policies and procedures, duty or responsibility within the law. 

2. So that we can provide services within the role and remit of the PCC. Examples of these processes include:

• • Communication from and to members of the public
  • Management of Freedom of Information requests
  • Management of complaints
  • Commission of Victim Services
  • Set police and crime plan priorities
  • Meeting the needs and concerns of the community
  • Meet all our statutory obligations
  • Review of Constabulary Professional Standards Department (PSD) complaints
  • Staff/pension administration, occupational health and welfare
  • Management of public relations, journalism, advertising and media
  • Management of finance, payroll, benefits, accounts, audit, internal review
  • Internal review, accounting and auditing
  • Training
  • Property management
  • Insurance management
  • Vehicle and transport management
  • Payroll and benefits management
  • Management of information technology systems
  • Legal services
  • Information provision
  • Licensing and registration
  • Research including surveys
  • Performance management
  • Procurement
  • Planning
  • Security
  • Health and safety management

3 Whose personal data do we collect?

In order to achieve the purposes described above, the OPCC for Lancashire may process personal data relating to individuals and other organisations such as:

• OPCC staff including volunteers, agents, temporary and casual workers
• Suppliers
• Complainants, correspondents and enquirers
• Relatives, guardians and associates of the individual concerned
• Witnesses, Victims, other members of the public
• Advisers, consultants and other professional experts
• Former and potential members of staff, pensioners and beneficiaries

4 What types of personal data do we collect?

We will use the minimum amount of personal information necessary to fulfil a particular purpose.

4.1 Personal Information

We may collect and process the following types of information: •

• Personal details such as name, address, email address, telephone number
• Complaint details
• Family, lifestyle and social circumstances
• Complaint, incident and accident details
• Employment details
• Financial details
• Photographs and Videos of you, i.e. sound and visual images
• Education and training details
• Offences (including alleged offences)
• Criminal proceedings, outcomes and sentences
• References to manual records or files
• *Special categories of personal data:

4.2 Sensitive / Special Category data

‘Special Category Data’ is personal data that is regarded as particularly sensitive and includes information relating to your:

• Race
• Ethic origin
• Political opinions
• Religious/philosophical beliefs
• Health
• Sex life
• Sexual orientation
• Trade union
• Genetic data
• Biometric data

5 Where do we obtain personal data from?

In order to carry out the purposes the OPCC for Lancashire may obtain personal information from a wide variety of sources, including the following:

• Persons making an enquiry or complaint
• Individuals themselves
• Relatives, guardians or other persons associated with the individual
• Other Police and Crime Commissioners
• Lancashire Constabulary and other law enforcement agencies
• HM Revenue and Customs
• International law enforcement agencies and bodies
• Legal representatives
• Local Authority and Parliamentary representatives
• Partner agencies involved in crime and disorder strategies
• Private sector organisations working with the police in anti-crime strategies
• Voluntary sector organisations
• Approved organisations and people working with the police and PCC
• Independent Office for Police Conduct (IOPC)
• Information Commissioner’s Office (ICO)
• Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS)
• Auditors
• Central government, governmental agencies and departments
• Local government
• Emergency services
• Current, past or prospective employers of the individual
• Healthcare, social and welfare advisers or practitioners
• Education, training establishments and examining bodies
• Business associates and other professional advisors
• Employees and agents of Lancashire Constabulary
• Suppliers, providers of goods or services
• Financial organisations and advisors
• Survey and research organisations
• Trade, employer associations and professional bodies
• Voluntary and charitable organisations
• The media
• Data Processors working on behalf of the Police and on behalf of the OPCC
• Members of Parliament
• Commissioned service providers

6 How do we collect personal data?

Most of the personal information we process is provided to us directly by you for one of the following reasons:

• You have made a complaint/review
• You have made an information request to us
• You wish to attend, or have attended, an event
• You have applied for a job, secondment or voluntary position with us
• Submission of a request for funding
• Correspondence between us, including emails
• Filling in forms on our website
• Responding to consultations or surveys
• Reporting problems or issues with our service or site

We also receive personal information indirectly, in the following scenarios:

• From public figures such as an MP or a legal representative who is contacting us on your behalf
• A complainant refers to you in their complaint correspondence
• Dealing with Lancashire Constabulary in relation to a complaint you have made about them to us •
• Approving and signing of contracts (all contracts are provided in the OPCC’s name but the work is completed and subsequently managed by Lancashire Constabulary)
• Whistleblowers include information about you in their reporting to us
• From other regulators or law enforcement bodies
• An employee of ours gives your contact details as an emergency contact or a referee
• Pictures of you at events

We may capture data through automatic information and cookies. We may capture and store some information about your computer, such as your IP address, operational system and browser type for system administration. We will use this data to help us understand our user’s browsing patterns. We may also obtain information about your general usage of our website by using a cookie file, which is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive.

We partner with Microsoft Clarity to capture how you use and interact with our website through behavioural metrics, heat maps, and session replay to improve and market our information and services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of our information and services as well as online activity and we use this information for site optimisation. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.

You can read more about the Cookie Policy through the link at the bottom of the website.

7 Lawfulness of processing

The OPCC for Lancashire must have a valid lawful basis in order to process your personal data. We process your personal data for General Purposes and there are six lawful bases available as listed below. Which basis is most appropriate to use will depend on our purpose for processing the personal data and our relationship with you.

a) Consent: We have been given clear consent to process the personal data for a specific purpose.  However, you can remove your consent at any point by contacting the office.

b) Contract: The processing is necessary for a contract that we have with an individual

c) Legal obligation: the processing is necessary for us to comply with the law

d) Vital interest: the processing is necessary to protect someone’s life

e) Public Task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.

f) Legitimate interests (this is only available to public authorities in limited circumstances)

Where any special category data (as explained previously) is processed, we will only process this when we meet a special condition under Article 9 of the GDPR. The PCC’s main statutory function is set out in the following legislation, but is not limited to:

• Police and Social Responsibility Act 2011
• Police Act 1996
• Policing Protocol Order 2011 (as amended)
• Proceeds of Crime Act 2002
• Policing & Crime Act 2017
• Police (Conduct) Regulations 2020
• Police (Complaints & Misconduct) Regulations 2020
• The Accounts and Audit Regulations 2011
• Money Laundering Regulations 2003
• Local Government & Housing Act 1989 (S155) •
• Local Government and Finance Act 1988 Sec 112 and 114
• Local Authorities (Goods & Services) Act 1970
• Elected Local Policing Bodies (Specified Information Order 2011 (as amended) SI 2012/2479 and SI 2021/547
• Police Pension Fund Regulations 2007
• Police Pensions Act 1976
• Freedom of Information Act 2000
• Police Reform Act 2002
• Human Rights Act 1998
• Employment Rights Act 1996
• The Equality Act 2010

8 How do we process personal data?

8.1 Data Protection Principles In order to achieve the purposes described under Section 2 the OPCC for Lancashire will process personal data in accordance with the UK GDPR. Personal data will be:

a) Processed lawfully, fairly, in a transparent manner in relation to individuals

b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; though further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes will not be considered to be incompatible with the initial purposes

c) Adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed

d) Accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data that is inaccurate will be erased or rectified without delay where necessary

e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; however, personal data may be stored for longer periods solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals

f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures The OPCC for Lancashire will strive to ensure that any personal data used by us or on our behalf is not excessive, that it is reviewed appropriately, and is securely destroyed when no longer required. We will also respect individuals’ rights as detailed at Section 12 below and we will be able to demonstrate compliance with the DPA and UK GDPR data protection principles.

9 How do we ensure the security of personal data?

The OPCC for Lancashire takes the security of all personal data under our control very seriously. We will comply with the relevant parts of the DPA and the UK GDPR relating to security, incorporating relevant parts of the ISO27001 Information Security Standard. Your personal and sensitive / special category data will only be stored and processed on servers based in the European Economic Area. We will ensure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection, to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so. We use Microsoft products including Office 365 to assist us in our daily business. Microsoft’s Office 365 includes numerous security features to ensure compliance with the most up to date security standards. The Microsoft privacy notice can be seen using the following link https://privacy.microsoft.com/en-gb/privacystatement. 

10 Who will we disclose personal data to?

The majority of times, we do not share your information with any organisation or person outside of the PCC’s office. For example, if you contact the OPCC about an issue within the remit of the PCC, then the OPCC will reply directly to you, keeping your personal information within the PCC’s office. However, in some circumstances we need to share your personal information with other Organisations (other Data Controllers) that we work with, including:

• Lancashire Constabulary
• Lancashire Fire & Rescue Services
• Lancashire District Local Authorities
• Lancashire Upper-tier Councils (Lancashire County Council, Blackburn with Darwen Council and Blackpool Council)
• HMRC
• Government departments
• Information Commissioner’s Office
• Independent Office of Police Conduct
• Internal and External Auditors
• Joint Audit and Ethics Committee
• Home Office
• Community groups
• Charities
• Other not-for-profit entities
• Employment agencies

We may need to share your personal data with these organisations so that they can carry out their responsibilities. Disclosures of personal information will be made on a case-by-case basis, using the personal information appropriate to a specific purpose and circumstances, and with necessary controls in place. For example…

• We may contact Lancashire Constabulary if your enquiry is about an operational policing matter, under the direction and control of the Chief Constable and strictly outside of the PCC’s remit
• When an MP writes to the OPCC about a constituent and gives personal information about that resident. The OPCC may first have to make enquiries with the Police before replying to the MP
• If a third-party seeks information from us about an individual, for example, a Solicitor on behalf of a client, then we will seek written consent from the individual first before disclosing any personal information
• Following the changes to the Police (Complaints and Misconduct Regulations) 2020 on a case-by-case basis the OPCC may share your data with a third-party provider who will provide an independent review of your complaints

There may also be occasions where we need to share your personal information due to a public safety or security reason such as:

• For the investigation, detection and prevention of a crime
• Where there is a legal duty to share the information and the importance of doing so outweighs the importance of confidentiality
• If there are serious risks to the public, our staff or other professionals
• To protect children or vulnerable adults
• There is a public interest that outweighs the duty of confidence

We will never share your information for marketing purposes. We will only ever share your information if we are satisfied our partners or suppliers have sufficient measures in place to protect your information in the same way we do. Before sharing information, we will ensure that:

• Privacy notices are completed (if appropriate)
• Appropriate controls are in place to ensure information is kept secure
• Information Sharing Agreements or contractual arrangements are in place showing the rules to be adopted for a sharing exercise
• Subject access rights are catered for

We will not pass any personal information on to third parties, other than those who either process information on our behalf or because of a legal obligation or other lawful basis for processing. We will not disclose information that you provide in confidence to us to anyone else, except in those situations when disclosure is required by law, or where we have a good reason to believe that failing to share the information would put someone at risk. As a public authority, the OPCC for Lancashire is required to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds in order to prevent and detect fraud. The Cabinet Office is responsible for carrying out data matching exercises. We participate in the Cabinet Office’s National Fraud Initiative, a data monitoring exercise, to assist in the prevention and detection of fraud. We provide particular data sets to the Minister for the Cabinet Office for a monitoring exercise. The Cabinet Office carry this exercise our pursuant to their statutory powers under the Local Audit and Accountability Act 2014.

11 How long does the OPCC for Lancashire retain personal data?

We will only keep your information for as long as it is required. The retention period is either dictated by law or agreed within our retention schedule. Once your information is no longer needed, it will be securely and confidentially destroyed.

12 What are the rights of the individuals whose personal data is processed by the OPCC for Lancashire?

Under the DPA, UK GDPR, Environmental Information Regulations 2004 and the Freedom of Information Act 2000, you have a number of information rights. You have certain rights under the UK GDPR:

• The right to be informed – with privacy notices such as this;
• The right to access personal information we hold about you, subject to exemptions. This right is commonly referred to as making a Subject Access Request (SAR);
• The right to rectification if personal data is inaccurate or incomplete;
• The right to request erasure of your details.
• 5he right to restrict processing.
• The right to data portability.
• The right to object.
• You have rights in relation to automated decision-making and profiling

Rights applications are free of charge; however, in some circumstances, charges can be made. If you want to exercise any of these rights, you may write to the Data Protection Officer – see the Contact Us section below.

13 Access to official information

Under the Freedom of Information (FOI) Act 2000 and the Environmental Information Regulations (EIR), you have a right to request any recorded official information held by the OPCC for Lancashire (subject to exemptions). If you want to make a FOI or EIR request, please use the contact details detailed in the Contact Us section below.

14 Changes to our Privacy Notice

Our Privacy Notice may change from time to time. This site will always contain the current Privacy Notice.

15 Contact Us

If you have any concerns about how the OPCC for Lancashire is handling your personal data, these can be raised with the Data Protection Officer: Data Protection Officer, OPCC for Lancashire, PO Box 100, County Hall, Preston, PR1 0LD 01772 533587 commissioner@lancashire-pcc.gov.uk Alternatively, please use the “contact us” form on the website. You can make a complaint to the Information Commissioner’s Office (ICO) if you are unhappy with any aspect of how the OPCC for Lancashire processes your personal information. The Information Commissioner is the independent regulator responsible for enforcing the Data Protection Act and advising on privacy rights. The ICO contact details are as follows: The Information Commissioner’s Office Wycliffe House Wilmslow Cheshire SK9 5AF 01625 545700 www.ico.gov.uk