Privacy Notice – Law Enforcement
Date of completion of this notice – October 2020
Who we are
The Police Service of Scotland is a constabulary established under the Police and Fire Reform (Scotland) Act 2012. Its headquarters is located at Tulliallan Castle, Kincardine, FK10 4BE, United Kingdom, and you can contact our Data Protection Officer by post at this address, by email at: email@example.com, and by telephone on 101.
About this notice
This notice is to advise you (you are also referred to as the data subject) of how your personal data (information) will be dealt with (processed) by Police Scotland for law enforcement purposes and your rights in relation to that processing.
The Chief Constable of the Police Service of Scotland is the controller of your personal information and decides the purposes for which your personal information will be processed. Police Scotland can be contacted by telephoning 101.
Law enforcement purposes are the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
The information below provides details of:
- our lawful basis for processing personal information
- the types of information we may process for law enforcement purposes
- the categories of individuals affected
- the length of time we will keep the information
- who we may share it with.
Your information may be used when testing new information technology systems.
What is personal data?
“Personal data” is information that can identify a living individual, for example your name, date of birth and address. It also includes alleged or actual offending information.
There is also a type personal data referred to as “sensitive personal data” and this relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation.
What is Police Scotland’s lawful basis for processing personal and sensitive personal data?
The Police and Fire Reform (Scotland) Act 2012 states that it is the duty of a constable:
- to prevent and detect crime
- to maintain order
- to protect life and property
- to take such lawful measures, and make such reports to the appropriate prosecutor, as may be needed to bring offenders with all due speed to justice
- where required, to serve and execute a warrant…. in relation to criminal proceedings and
- to attend court to give evidence.
Under Schedule 7 of the Data Protection Act 2018 (the Act) the Chief Constable of the Police Service of Scotland is a competent authority, and Part 3 of the Act permits law enforcement processing by competent authorities.
Part 3 of the Act also permits processing of personal and sensitive personal data in certain cases based on the consent of the data subject. An example of this would be to take fingerprints from a resident to eliminate them from enquiries into the housebreaking of their home.
Whose personal and sensitive personal data is processed for law enforcement purposes?
In order to carry out our law enforcement functions, we process information relating to a variety of individuals including:
- people convicted of an offence
- people suspected of committing an offence
- consultants and other professional experts
- officers and staff
What personal and sensitive personal data is processed for law enforcement purposes?
Types of personal data we process may include information such as;
- personal details such as name and address
- information provided by victims or witnesses
- sound and visual images, such as CCTV
- financial details
- intelligence material
- complaint, incident and accident details
- alleged or actual offending information
- records accessed by officers and staff
Types of sensitive personal data we process may include information such as:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- health data
- sex life or sexual orientation
How long will Police Scotland retain the personal and sensitive personal data processed for law enforcement purposes?
Personal and sensitive personal data processed for law enforcement purposes are retained in accordance with the Police Scotland Record Retention SOP
Section – Crime and Productions
Reference – CRP-001 to CRP-006
Who will Police Scotland share the personal and sensitive personal data with?
When necessary or required for law enforcement purposes:
- Crown Office and Procurator Fiscal Service (COPFS)
- Other police forces in the UK including non-Home Office Forces
- Scottish Criminal Cases Review Commission
- ACRO Criminal Records Office
- Police forces outwith the UK
- Local and central government departments
- Security companies
- Licensing authorities
- Press and the media
- Police Investigations and Review Commissioner
- Other law enforcement and prosecuting authorities
- Legal representatives
- Defence solicitors
- Disclosure Scotland and the Disclosure and Barring Service
- Partner agencies involved in crime and disorder strategies, and public protection
- Private sector organisations working with police in anti-crime strategies
- Voluntary sector organisations
- Emergency services
- Professional advisers
- Financial organisations
- International agencies concerned with the safeguarding of international and domestic national security anywhere in the world
- Third parties involved in investigations relating to the safeguarding of national security.
In certain circumstances, we will share information, which was initially for a law enforcement purpose with selected third parties for non-law enforcement purposes:
- Insurance companies (for example, where information was initially gathered at the scene of road traffic collision and is subsequently shared to allow the company to identify other drivers for the purposes of an insurance claim).
- Criminal Injuries Compensation Authority.
- Schools and other educational establishments.
The above list is not exhaustive and may vary on a case-by-case basis. More information on non-law enforcement processing of information can be found in our other Privacy Notices.
You have certain rights in relation to how we process your personal information. These are listed below.
1. Right of access
You can make what is called a subject access request to us.
You are entitled to, amongst other things, a copy of the information we hold on you, although there are exceptions to this. For further information and details on how to make a subject access request please click here.
2. Right to rectification (correction)
We must correct without delay, any personal information we hold on you which is not accurate. If you think anything is wrong, you should contact us by post or e mail, where possible by completing the form on our website telling us what you think is wrong and why. There are exceptions to when we have to correct the information, and you will be advised if we have to apply them. If it is not possible to establish the accuracy of the personal information, we will restrict how we process it, for example restrict who can see your information, or who we disclose it to.
3. Right to erasure or restriction of processing
You have a right to request that we delete your personal information, but this will only be done when we are not legally required to keep it. On occasion it may be more appropriate to restrict how we process it, for example restrict who can see your information, or who we disclose it to. You can find more information on our website here.
4. Right to object
You also have the right to object to the processing we carry out, if our legal basis for doing so, (see the ‘Purpose and basis for processing’ table above), is for carrying out a task in the public interest, exercising our lawful duty or we believe it is in our legitimate interests. You can find more information on our website here.
5. Right to withdraw consent
Where we process your personal information for a particular purpose on the basis of your consent (see the ‘Purpose and basis for processing’ table above), you have the right to withdraw your consent. You can inform us of your wish to withdraw consent by contacting the department to which you originally gave the consent, or by telephoning 101.
The relevant personal data will be destroyed on receipt of the withdrawal of consent unless there is an overriding purpose for continued processing.
If we refuse to carry out your requests in full under paragraphs 1 to 5 above, you have the right to ask the Information Commissioner to check whether our decision is correct.
If you are unhappy in any way with how we have dealt with your information, you have the right to complain to the Information Commissioner.
The Information Commissioner can be contacted at:
Information Commissioner's Office
Tel: 0303 123 1113 (local rate)
Date of next review of this document – April 2022