The use and disclosure of personal data is governed in the United Kingdom by the Data Protection Act 2018 (the Act). Under the Act the Commissioner of Police for the City of London is registered as a data controller. In the rest of this privacy notice the Commissioner of Police for the City of London is referred to as us.
This privacy notice explains:
how we collect, store, use, disclose, retain and destroy personal data through the website at cityoflondon.police.uk (those activities are also referred to as processing personal data)
the steps we take to ensure personal data we process is protected properly
the rights individuals have when we process their personal data
We will treat information you provide to us in using this website treated in confidence and we will not disclose it to third parties unless we are required to do so by law, or as explained in this privacy notice.
We gather information about site usage to help the development and improvement of services to the public, and to protect the integrity of our systems from malicious users. We also gather information through the various functions available on the site that allow you to provide us with information (such as online forms and the live-chat function) for the purposes described later in this privacy notice. Currently this information consists of:
information obtained by our content management system to examine what people are searching for, what they find, and occasions where no results are returned, and which does not identify individual users
information provided by users through online forms (for purposes including crime reporting, crime reporting advice and information, anti-social behaviour reporting, 'Clare's Law' applications, road traffic incident reporting, and firearms licence applications) and live-chat functionality, which may identify individual users and other individuals depending on what information users enters (it is possible we will be able to access information you enter on an online form even if you do not submit it, because of the way the website is set up to automatically save part-complete forms periodically)
your IP address and details of which browser you are using, which we record when you use our online forms
your IP address, used to identify your location if you use any geo-location features on this website site, and which we only use to show you relevant content, and which we do not store or share with third parties
What is personal data?
Personal data is any information we handle that relates to an identified or identifiable natural person. An 'identifiable natural person' is anyone who can be identified, directly or indirectly from information, including by reference to a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Our Contact Details and Data Protection Officer
Our Information Management Services Unit manages our data protection compliance. Our Data Protection Officer is the Director of Information.
We take our data protection responsibilities seriously and take great care to ensure we process your personal data properly to maintain your trust and confidence. You can contact our Information Management Services Unit or our Data Protection Officer if you have any questions or concerns about how we process your personal data.
Post: Information Management Services Bishopsgate Police Station 182 Bishopsgate London EC2M 4NP
We have a legal duty to uphold the law, prevent crime, bring offenders to justice, and protect the public. To do this we process your personal information for carrying out a range of activities commonly known as the ‘policing purpose’. These include:
preventing and detecting crime
apprehending and prosecuting offenders
protecting life and property
maintaining law and order
assisting the public
safeguarding national security
defending civil proceedings
fulfilling any other police duties or responsibilities arising under common or statute law
We also process personal data for purposes in support of the policing purpose. These include: recruitment; administration of current and former employees, contractors, and volunteers; property and asset management; financial management; media relations management, complaints handling; research, including surveys; and provision of educational programmes and support.
Whose personal data do we process?
We process information relating to a range of individuals, including:
victims of crime
witnesses to crime
people convicted of an offence
people suspected of committing an offence
complainants, correspondents and enquirers
advisors, consultants and other professional experts
applicants, current and former employees, cadets, agents, temporary and casual workers, and volunteers
representatives of individuals in this list, such as parents, other relatives, guardians, associates, legal representatives and people with power of attorney
What types of personal data do we process?
We may process personal data relating to or consisting of the following categories:
personal details (such as name, date and place of birth, postal and email addresses, social media accounts and biographical details)
family, lifestyle and social circumstances
education and training details
racial or ethnic origin
religious or other beliefs of a similar nature
trade union membership
physical, medical or mental health conditions
sexual life or orientation
criminal offences (including alleged offences)
criminal proceedings, outcomes and sentences
physical identifiers (including DNA, fingerprints and other genetic or biometric samples)
sound, voice and visual images (including body worn video, facial recognition software or interview recordings)
goods or services provided
licences or permits held (such as driving licence details or firearms certificates)
information identifying user vulnerability, persistent targeting, and/or hate crime status
references to manual records or files
information relating to health and safety
complaint, incident, and accident details
The types of personal data we process will vary depending on the purpose. We aim to process the minimum amount of personal data necessary for the relevant purpose. You should not assume that we hold personal data in all of the categories identified for every person whose personal data we process.
The categories identified may not be complete as occasionally we may gather personal data in other categories for the purposes described.
Where do we get the personal data we process?
We collect personal data from a variety of sources, including:
individuals who visit the website and interact with it (including by filling in and submitting forms), and their relatives, guardians and other persons associated with them
directly from victims, witnesses and suspects
individual's relatives, guardians and other persons associated with them
businesses (including security companies, and other suppliers of goods and services) and other private and public sector, not-for-profit, charitables or voluntary sector organisations working with the police in anti-crime strategies, investigative, and preventative measures or victim care
voluntary sector organisations
local authorities, national and local government departments and agencies (including the Home Office, His Majesty's Revenue and Customs, and private safeguarding agencies)
other law enforcement agencies and bodies (including international ones)
partner agencies involved in crime and disorder strategies
legal representatives, prosecuting authorities, the courts, probation and prison services, and responsible authorities
approved organisations and people working with the police
ombudsmen and regulatory bodies (including the Independent Police Complaints Commission, and His Majesty’s Inspectorate of Constabulary and Information Commissioner's Office)
Police and Crime Commissioners
other emergency services and armed forces
applicants, current, past or prospective employers of individuals
healthcare, social and welfare advisers or practitioners
education, training establishments and examining bodies
business associates and other professional advisors
applicants, our employees, agents, and other temporary and casual workers
persons making enquiries or complaints
financial organisations and advisors, and credit reference agencies
survey and research organisations or commercial companies
trade, employer associations; and professional bodies
our own public surveillance, CCTV and automated Number Plate Recogntion (ANPR) systems, interview recording system and body worn cameras
What is our lawful basis for processing personal data?
Where we process personal data for the policing purpose our legal basis for processing is that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us. Our functions and the official authority vested in us are set out, in the main, in the Police and Criminal Evidence Act 1984, the Police Act 1996, and the Police Reform Act 2002.
Where we process personal data relating to criminal convictions and offences, that processing is necessary for reasons of substantial public interest and involves the exercise of a function conferred on us by an enactment or rule of law. We have an appropriate policy document (as required under the Act) for that processing.
Where we process personal data for purposes other than the policing purpose our legal basis for processing will vary depending on the circumstances. Ordinarily, the relevant legal basis is that the processing is:
necessary for performing a contract
necessary to comply with a legal obligation (including employment law)
in the public interest or for official purposes
in our legitimate interests (and those interests are not overridden by your interests or fundamental rights and freedoms)
necessary to protect your vital interests
with your explicit consent (which you may withdraw at any time)
What security measures do we use when processing your personal data?
We take the security of all personal data under our control seriously. We comply with our legal obligations regarding security, relevant parts of the ISO27001 Information Security Standard, and where appropriate the College of Policing Authorised Professional Practice guidance on Information Assurance.
We ensure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection, to protect our manual and electronic information systems from data loss and misuse. We only permit access when there is a legitimate reason and under strict guidelines on what use may be made of any personal data contained within them. We continuously manage and enhance our compliance with relevant standards and guidance to achieve adequate and up-to-date personal data security.
What disclosures do we make of your personal data?
We may disclose personal data to a wide variety of recipients in any part of the world (including outside of the United Kingdom and the European Economic Area), including to those from whom we originally obtain personal data. Recipients may include:
law enforcement agencies
businesses (including security companies, and other suppliers of goods and services) and other private and public sector organisations, not-for-profit, charitable or volunatary sector organisations working with the police in anti-crime strategies, investigative or preventative, or victim care
partner agencies working on crime reduction or safeguarding initiatives
agencies and other third parties concerned with the safeguarding of and investigation relating to international and domestic national security
local authorities, national and local government departments and agencies (including the Home Office, HM Revenue and Customs, the Serious Fraud Office, the Child Maintenance Service, the National Fraud Initiative, and private safeguarding agencies)
Police and Crime Commissioners
legal representatives, prosecuting authorities, courts, probation and prison services, responsible authorities and other partners in the criminal justice arena
victim support service providers
bodies or individuals working on our behalf
analytical and survey companies
authorities involved in offender management
ombudsmen, auditors and regulatory authorities
other bodies or individuals where required under any legislation, rule of law, or court order
other bodies or individuals where necessary to prevent harm to individuals
We decide on disclosure case-by-case, disclosing only the personal information that is necessary and proportionate to a specific purpose and with appropriate controls and safeguards in place.
Where you have provided your personal data to us for the purposes of the police constable recruitment process, your data, including biographical monitoring information, will be shared with the College of Policing.
It will be stored on their secure network or within their Assessment Information Management System (AIMS). From this information, your name, email address and candidate reference number will be uploaded to the new online assessment platform for constable recruitment and shared with the third party provider hosting the system in order to progress your application virtually.
Because of the way the website is set up, all completed online forms are automatically sent securely to the central police IT team responsible for delivery of the National Police Chiefs' Council Digital Policing Portfolio, as well as us.
If we make disclosures outside of the United Kingdom and the European Economic Area to locations which do not have as extensive data protection laws we ensure that there are appropriate safeguards in place to certify that the personal data disclosed is adequately protected.
How long do we retain your personal data?
We keep your personal data for as long as necessary for the particular purpose or purposes for which we hold it.
If we place any of your personal data on the Police National Computer it will be retained, reviewed and deleted in accordance with agreed national retention periods, which are subject to periodic change (https://www.acro.police.uk/acro_std.aspx?id=699).
What are your rights over your personal data we process, and how can you exercise them?
Under the Act you have a number of rights that you can exercise in relation to personal data we process about you. You do not have to pay to exercise your rights (other than a reasonable fee if a request for access is clearly unfounded or excessive but we agree to fulfil it anyway).
We sometimes need to request specific information from you to help us confirm your identity and ensure your authority to exercise the rights.
Right of Access: You can request access to the personal data we hold about you free of charge. Normally we will provide it within one month of receipt of your request unless an exemption applies. You can request access to the personal data we hold about you using the contact details in this privacy notice.
Right to be Informed: You are entitled to be told how we obtain your personal information and how we use, retain, and store it, and who we share it with. This privacy notice gives you that information, as well as telling you what your rights are under the relevant laws.
Right to Rectification: If we hold personal data about you that is inaccurate or incomplete you have the right to ask us to correct it. You can ask us to correct your personal data using the contact details in this privacy notice. We will reply to you within one month unless the request is complex.
Right to Request Erasure: Under certain circumstances you have the right to ask us to delete your personal data to prevent its continued processing where there is no justification for us to retain it. The circumstances most likely to apply are:
where holding your personal data is no longer necessary in relation to the purpose for which we originally collected and processed it
where you withdraw your consent to us holding your personal data if we are relying on your consent to hold it
where we are relying on legitimate interests as our basis for processing and you have objected and there is no overriding reason for us to continue processing
The right of erasure does not apply if we are processing your personal data:
to comply with a legal obligation
for the performance of a task carried out in the public interest or in the exercise of official authority
for the establishment, exercise or defence of legal claims
to exercise the right of freedom of expression and information
for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to make it impossible to carry out or seriously impair that processing
If you want to ask us to delete your personal data you can do so using the contact details in this privacy notice. We will respond to you within one month unless the request is complex.
Right to Restrict Processing: Under certain circumstances you have the right to ask us to restrict the processing of your personal data. This may be in cases where:
you are contesting the accuracy your personal data while we are verifying the accuracy
your information has been unlawfully processed and you oppose its erasure and have requested a restriction instead
where we no longer require your personal data but you need it to establish, exercise or defend a legal claim and do not want us to delete it
You can ask us to restrict processing of your personal data using the contact details in this privacy notice.
Right to Data Portability: You have the right to obtain and reuse your personal information for your own purposes, transferring it from one environment to another. This right only applies to personal data provided by an individual, where the processing is based on their consent or for the performance of a contract and when that processing is carried out by automated means. If you wish to discuss this right, you can do so using the contact details in this privacy notice.
Right to Object: You have the right to object to:
processing based on legitimate interests or performance of a task in the public interest and or exercise of official authority
processing of your information for scientific and historical research and statistics
Any objection must be on grounds relating to your particular situation. If you wish to exercise your right to object you can do so using the contact details in this privacy notice. However, the right to object only applies where we are processing information under UK GDPR/Part 2 (General Processing) of the UK Data Protection Act 2018. There is no right to object under Part 3 (Law Enforcement Processing) of the UK Data Protection Act 2018.
Rights related to automated decision making and profiling: You have the right not to be subject to a decision when it is based on solely automated processing (including profiling) and which produces a legal effect or similar significant effect on you. This right does not apply if the decision is authorised by law, is necessary for entering into or performance of a contract, or is based on your consent. We are unlikely to carry out automated decision making because our processes involve some type of human interaction and decision-making. Profiling is any form of automated processing of personal data intended to evaluate certain personal aspects about you to predict things about you such as your behaviour, interests, movements or performance at work. We do not currently carry out automated profiling. If you have any questions about automated decision-making or automated profiling you can raise them using the contact details in this privacy notice.
Cookies are used on this website to improve user experience and for essential functionality; they are not used for identification purposes.