Personal information charter
This notice sets out how the statutory obligations relating to the management of personal data will be addressed by the Biometrics Commissioner and the Office of the Biometrics Commissioner (OBC).
Introduction
This notice is provided in accordance with the Data Controller’s obligations under Article 13 of the UK General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA18) and known generally together as the data protection legislation. It has been created following the guidance issued by the Information Commissioner’s Office (ICO) and in consideration of additional guidance material generated by the Home Office.
The OBSCC will record and store all personal information securely and thereafter ensure that data is retained for no longer than is necessary. This data is held securely, and for such time as is necessary to complete the process for which it was recorded: definitions of ‘personal data’, ‘controller’ and ‘processor’ contained in Article 4 of the UK GDPR.
Information will be provided in the language in which it is held or in such other language that is legally required. Where there is a legal requirement for the OBSCC to translate any information, this will be done within reasonable timescales. Obligations under disability and discrimination legislation and any other legislation to provide information in other forms and formats will be addressed when providing information in accordance with this scheme.
Who we are and what we do
The Commissioner for the Retention and Use of Biometric Material (“Biometrics Commissioner”) and the Surveillance Camera Commissioner are statutory roles which were established by the Protection of the Freedoms Act 2012 (PoFA) (see sections 20 and 34, respectively). The two posts are currently carried out by one full time Biometrics and Surveillance Camera Commissioner whose role is to:
- keep under review the retention and use by the police of DNA samples, DNA profiles and fingerprints
- decide applications by the police to retain DNA profiles and fingerprints (under section 63G of the Police and Criminal Evidence Act 1984)
- review national security determinations which are made or renewed by the police in connection with the retention of DNA profiles and fingerprints
- provide reports to the Home Secretary about the carrying out of his functions
- encourage compliance with the Surveillance Camera Code of Practice
- review how the code is working
- provide advice to ministers on whether or not the code needs amending
As an Arm’s Length Body to the Home Office, the Biometrics and Surveillance Camera Commissioner is registered with the Information Commissioner as a data controller who determines the purposes and means of processing personal data by his team within the parameters permissible by Home Office policies.
The OBSCC is comprised of nine (FTE) members of staff who are employed by the Home Office. They are data processors and are responsible for processing personal data on behalf of the Biometrics and Surveillance Camera Commissioner.
More information about the role of the Biometrics and Surveillance Camera Commissioner and his team is provided on the Biometrics Commissioner’s website and the Surveillance Camera Commissioner’s website.
The OBSCC solely uses Home Office systems in connection with the management of personal data. Home Office policy in relation to the management of personal data is applied to ensure compliance with the requirements of data protection legislation. The Home Office Data Protection Officer (DPO) provides the independent statutory functions in compliance with Article 37 of the GDPR.
What data do we collect?
The following personal data is managed by the OBSCC:
- personal data received in emails, letters and other communication/telecommunication from members of the public and external stakeholders.
- personal data received and stored on Home Office allocated mobile communication devices.
- personal data received from internal Home Office stakeholders including HR data.
- personal data received from the police in relation to applications to the Commissioner to retain biometrics.
- personal data received for the purpose of expenses claims
- personal data received from external stakeholders via informed consent for the purpose of receiving the OBSCC newsletter
What we do with your data?
The OBSCC will only share your personal data where there is a basis in law and a legitimate reason to do so in connection with the business and responsibilities of the OBSCC such as with other government department or law-enforcement bodies.
All electronic based information received by the OBSCC is recorded and retained on Home Office systems. Emails and communications data are stored on secure Home Office electronic systems which are password protected and subject to internal review processes in accordance with our retention policy (see below). Hard copy documentation is recorded and retained in secure storage and subject to internal review processes in consideration of our retention policy (see below).
What gives us the right to process your data?
The Biometrics and Surveillance Camera Commissioner performs the statutory roles under sections 20-21 and 34-35 of PoFA 2012. The Commissioner has a responsibility to record information received, and to process it and retain it where to do so is necessary for him to discharge his statutory functions, and to demonstrate legitimacy and transparency of those functions he undertakes in support of the public interest.
The statutory responsibilities of the Biometrics Commissioner arise from Section 20(2-9) and 21(1) PoFA.
The statutory responsibilities of the Surveillance Camera Commissioner arise from Section 34(2), 35(1) PoFA and Chapter 5 of the Surveillance Camera Code of Practice (SC Code). The SC Code is issued by the Secretary of State in accordance with Section 29 PoFA.
The OBSCC processes personal data to perform a public task under Article 6(1)(e) of the UK GDPR – that is, that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Further the OBSCC processes personal data in relation to our newsletter under Article6(1)(a) of the UK GDPR – that is, the individual has given clear consent to process their personal data for a specific purpose. Consent can be withdrawn any time via the opt-out link in the newsletter or by emailing enquiries@obscc.org.uk.
Privacy information
The OBSCC processes personal data to enable the Commissioner to effectively discharge his responsibilities. Personal data is retained securely only for as long as is necessary for the purposes for which it was collected and retained for no longer than the retention periods set out below.
The OBSCC may share your data within the Home Office, with other regulators, with law enforcement and with others stakeholders but only in circumstances where it is necessary to do so for the lawful, diligent and expeditious undertaking of the Commissioner’s functions.
The OBSCC will only share your data otherwise than in accordance with the above with your freely given and informed consent.
Retention schedules
The table below sets out the types of personal data obtained by the Commissioner and his team, and the retention periods for such data:
Personal data | Retention period |
---|---|
OBSCC-generated documents in relation to S63G PACE biometric retention applications: BC1 application form, decision recommendation, file minutes and decision letters | Held for 3 years from a final decision being made by the Commissioner. This information relates to a statutory undertaking and is relevant to matters for which the Commissioner may be held accountable. Note: A summary of applications that does not directly identify any individual will be kept for over three years for research/analysis purposes only. Any research/analysis may be used to inform a report which will be wholly anonymised. |
Police documents received in relation to S63G PACE biometric retention applications (e.g. PNC print, crime report, CPS form, witness statement, interview record) | Held for 3 months from a final decision being taken by the Commissioner. This information is relevant to a statutory undertaking and this retention allows for reviews of decisions taken in relation to 63G applications where cases are challenged. |
Police and local authority documents received in relation to the Commissioner’s biennial surveys. | Held for a maximum of 5 years. This is to assist the Commissioner in understanding levels of compliance with the PoFA and the Surveillance Camera Code of Practice. |
Formal letters and other written correspondence to and from the Commissioner and/or the OBSCC team. | Held for a maximum of 3 years to accord with the duration of the Commissioner’s term plus one year. This is because matters will be of relevance to a statutory undertaking, public interest or matters in connection with which the OBSCC may be held to account and the extra year takes into account the potential for a successor to be appointed and ensure continuity as necessary. |
Correspondence/communications data to and from OBSCC mailboxes (including internal emails/Communications with the Home Office). | Held for a maximum of 3 years. This is because the Commissioner has to address, account for or otherwise make reference to matters which are connected to him, some of which may be over a protracted period and involve a duty to retain records. Correspondence also may contain detail to Section 63G applications which is necessary to retain as it is relevant to a statutory undertaking, is relevant to matters to which the Commissioner may be held accountable and ensures continuity for new staff in the OBSCC. |
Data obtained through internal and external recruitment campaigns. | Held for a period of 2 years. Details obtained via recruitment campaigns are processed by the HO Science Directorate and held for a period of 2 years in line with HO policy. |
Expenses information from expenses claims from stakeholders. | Held for a period of 7 years. Details of stakeholder expenses claims made under Home Office rules following attendance at meetings/other legitimate purposes are processed by the HO Science Directorate and held for 7 years to allow for appropriate auditing of Home Office accounts. |
Other financial information | Held for a period of 2 years. Details of any ad-hoc financial information the office may receive and retained to allow for appropriate auditing of Home Office accounts. |
Personal data received via informed consent for the purpose of receiving the OBSCC newsletter. | Held until such time that individuals unsubscribe from the newsletter communications or email OBSCC directly to request for their data to be deleted. |
Stakeholder contact details | Stakeholder contact details are held until such time that the OBSCC is informed that individuals have left their position. |
There will inevitably be exceptions to the above which out of necessity may arise from a legal responsibility or legal requirement or significant public interest.
Data Protection Officer
The Data Protection Officer (DPO) for the Home Office provides the statutory DPO function for the OBSCC. The Home Office DPO is an independent officer whose duties and responsibilities are defined by the data protection legislation.
The contact details of the Home Office DPO are:
Office of the DPO
Peel Building
2 Marsham Street
London
SW1P 4DF
Email: dpo@homeoffice.gov.uk
To assist the Home Office DPO, the OBSCC have identified two Data Protection Practitioners who will act as the key point of contact with the Home Office DPO in respect of all responsibilities which arise in respect of data protection legislation responsibilities.
The Data Protection Practitioners are as follows:
For enquires please contact enquiries@obscc.org.uk
Alternatively, you can write to us at:
Office of the Biometrics and Surveillance Camera Commissioner
Data Protection Practitioner
The Home Office
2 Marsham Street
Westminster
London
SW1P 4DF
Your rights
Unless subject to an exemption under data protection legislation, you have the following rights in respect of your personal data:
- the right to request a copy of the personal data which the Biometrics and Surveillance Camera Commissioner and his team hold about you
- the right to request the rectification of personal data which the Biometrics and Surveillance Camera Commissioner and his team hold about you
- the right to have your data erased and to withdraw your consent to data processing where your consent has been specifically sought and obtained
- the right to request restrictions on further processing of your personal data to limit the way the Biometrics and Surveillance Camera Commissioner and his team uses your data
- the right to object to the holding and/or processing of your personal data
- the right to request that your personal data be deleted
Such requests should be made by email to enquries@obscc.org.uk
If you believe that your information has not been handled correctly you may write directly to the Office of the DPO at the address above and ask that they investigate the matter.
You also have the right to complain to the Information Commissioner’s Office (ICO) if you are dissatisfied with the manner in which your personal data has been handled.
You can contact the ICO via email or call on 0303 123 1113.
Alternatively, you can write to the ICO at:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF