Police CyberAlarm Tool Privacy Policy

The purpose of this document is to provide information about how Police CyberAlarm uses personal data.

It is not possible and/or would involve disproportionate effort for controllers to individually notify each individual whose personal data may be processed using this tool.

Member organisations which sign up to Police CyberAlarm are required to provide information to data subjects as to how their personal data will be used, and may be transferred to law enforcement agencies as part of their membership of Police CyberAlarm.

In addition, law enforcement entities which utilise Police CyberAlarm make their respective privacy policies available on their own websites.

Nevertheless, on behalf of each of the law enforcement entities which utilise Police CyberAlarm, the National Police Chiefs’ Council (NPCC) provides the following additional information concerning the processing of personal data specifically in connection with Police CyberAlarm.

1. Controller

At the pilot stage, Police CyberAlarm is being rolled out via Police Forces in the North East, North West, East Midlands and South Wales. If successful, Police CyberAlarm will ultimately be rolled out to all Police Forces across the United Kingdom and to related law enforcement entities.

When an entity decides why and how personal data is used, it is a “controller” of those data and is required to ensure that it handles those data in accordance with the law. The relevant data controller in respect of personal data once provided by member organisations is the Police Force which referred the relevant member organisation.

However, for the ease of data subjects, any communication or request relating to the programme may be directed to the NPCC on behalf of the relevant controller.

Our contact details are as follows:
National Police Chiefs' Council
10 Victoria Street
London
SW1H 0NN
info@npcc.pnn.police.uk

The NPCC’s Data Protection Officer may be contacted using the following contact details:
ACRO
PO BOX 481
Fareham
PO14 9FS
United Kingdom
npcc.data.protection@cru.pnn.police.uk

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance either using the contact webform on this site or using the contact details above.

2. Categories of personal data

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

The personal data collected and processed in connection with the deployment of the Police CyberAlarm tool will include personal data, special category personal data and criminal conviction and offence data.

Personal data collected from member organisations will be comprised of:

  • online identifiers, such as IP address, relating to suspicious firewall activity; and,
  • conduct data, i.e. information relating to the conduct which led to it being identified as suspicious firewall activity.

This personal data relates to people suspected of committing an offence.

Data pertaining to suspicious firewall activity will be collated, analysed and may be matched against other data sources. Where an investigation is launched into suspicious firewall activity, further personal data may be sought and collected, which may include special category data, and this will take place in accordance with the relevant law enforcement agency’s own privacy policy.

3. Purpose and legal basis for processing

Personal data is processed in connection with Police CyberAlarm on the basis that it is necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, and for safeguarding National Security.

The processing of personal data for these purposes is authorised on the basis that it is necessary for the fulfilment of statutory functions, including as set out in the Police and Criminal Evidence Act 1984, the Police Act 1996, the Police Reform Act 2002 and other enactments conferring powers or duties. These include:

  • protecting life and property;
  • preserving order;
  • preventing the commission of offences;
  • bringing offenders to justice; and,
  • any duty or responsibility arising from common or statute law.

4. Source(s) of personal data

Member organisations will be the primary sources of personal data collected in connection with Police CyberAlarm. Member organisations will identify in their own respective privacy policies that they may transfer personal data to law enforcement entities.

In addition, Police Forces may obtain personal data from other Police Forces and law enforcement agencies, third parties, and from the public domain.

5. Recipient(s) of personal data

We may share your personal data with the parties set out below in connection with the law enforcement purposes detailed above:

  • Police Forces in Great Britain and Northern Ireland;
  • Other law enforcement entities, such as the National Crime Agency and the National Cyber Security Centre;
  • Our third party service providers; and,
  • Our professional advisers.

6. Relevant international transfers

Personal data is not routinely transferred outside the EEA in connection with Police CyberAlarm.

7. Data retention

Personal data will be retained in line with the law enforcement agencies’ retention policies and in accordance with the Management of Police Information, taking into account the type, content and sensitivity of the data, related records, the purposes for which the personal data is processed, and any legal or business requirements. Personal data will be retained for as long as necessary for the particular purpose or purposes for which it is held.

Personal data initially identified as constituting suspicious firewall activity is analysed and if it is not verified as being suspicious it will be deleted within 24 hours. If personal data is verified as being suspicious but is not correlated with further suspicious firewall activity, it will be deleted after 9 months.

8. Legal rights

You also have the right, with some exceptions, to ask us to provide a copy of any personal data we hold about you.

If the information we hold about you is inaccurate or incomplete, you can notify us and ask us to correct or supplement it.

If you have a complaint about how we have handled your personal data, you may be able to ask us to restrict how we use your personal data while your complaint is investigated.

In some circumstances you can ask us to erase your personal data if it is no longer necessary for us to use your personal data, you object to the use of your personal data and we don't have a good reason to continue to use it, or we haven't handled your personal data in accordance with our obligations.

To exercise these rights, we need to be suitably satisfied of your identity and so may request that you provide identification documents or confirm other details we may hold about you.

You can exercise these rights by contacting our Data Protection Officer at the above address. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you are not happy with our response, you can contact the Information Commissioner's Office: https://ico.org.uk.

We keep this information under regular review. This version was last updated in September 2020.