Guidance

Ministry of Defence Police privacy notice

Updated 19 July 2022

The General Data Protection Regulation (GDPR) and Data Protection Act 2018 provide individuals with numerous rights including the ‘Right to be Informed’. The Ministry of Defence Police (MDP) holds both personal and non-personal information in a variety of databases and information stores which are critical to its statutory functions, together with systems relating to its support functions. This document sets out the standards you can expect from the MDP when we obtain, hold, retain, process and disclose information, including but not limited to personal data[1].

This document also describes your statutory rights in regard to information under the provisions of the General Data Protection Regulation (GDPR) and Data Protection Act 2018, Freedom of Information Act 2000 and Environmental Information Regulations 2004.

Freedom of information and Data Protection legislation

The Freedom of Information Act 2000 (FOIA 2000) was introduced to give the public greater access to information in relation to the workings of government and public bodies, to ensure transparency and greater accountability. The FOIA 2000 provides access to information held by public authorities and entitles individuals to request information from public authorities. The MDP is a “public authority” under the FOIA 2000 and the Freedom of Information (Scotland) Act 2002.

The use and disclosure of personal data is governed in the United Kingdom by the GDPR and Data Protection Act 2018. The MDP Chief Constable is the Data Controller and he has an obligation to ensure that MDP handles all personal data in accordance with the legislation.

The Force takes that responsibility very seriously and takes great care to ensure that personal data is handled appropriately, to secure and maintain individuals’ trust and confidence.

Standards

  • Information is handled in accordance with the GDPR and Data Protection Act 2018, which set out the Data Protection principles of good information handling practice to govern the fair and lawful processing, maintenance and security of the data.

We will take care to ensure information is:

  • Only collected and used by the MDP to carry out its legal and legitimate functions as defined by legislation, common law and best practice, in accordance with the Policing and Supported Policing Purposes which include:

  • Policing functions:

  • Preventing/detecting crime
  • Apprehending/prosecuting offenders
  • Protecting life and property
  • Preserving order
  • Maintaining law and order
  • Providing assistance to the public in accordance with Force policies and procedures
  • Any duty or responsibility of the police arising from common or statute law

  • Support functions:

  • Staff/pensioner administration, Occupational Health and Welfare
  • Public Relations/ Media
  • Finance/ Payroll/ Benefits/ Accounts/ Audits/ Internal Review
  • Training/ Health & Safety management
  • Property/ Insurance/ Vehicle/ Systems and Transport Management
  • Complaints
  • Vetting
  • Legal services/ Information provision
  • Management of information technology systems
  • Licensing/registration
  • Research (including surveys and analytics)/Performance Management
  • Sports/recreation
  • Procurement
  • Planning/ testing/ security
  • Strategy and policy development
  • Social media correspondence and analysis

  • Accurate, kept up-to-date and destroyed when no longer required

  • Adequate, relevant and not excessive – we will only ask for what we need

  • Adequately protected through a variety of physical, technological and procedural measures to maintain and safeguard the confidentiality, integrity and availability of the information, by preventing unauthorised access and unauthorised/ accidental disclosure, loss or corruption.

The MDP will only use appropriate personal data that is necessary to fulfil a particular purpose or purposes. Personal data could be information which is held on a computer, in a paper record (i.e. a file) or as images, but it can also include other types of electronically held information (i.e. CCTV images).

We process the following types/classes of information:

  • personal details
  • physical identifiers including facial images, voice recordings
  • family details
  • lifestyle and social circumstances
  • goods and services provided
  • financial details
  • employment and education details
  • intelligence material
  • sound and visual images
  • complaints
  • references to manual records or files
  • data relating to health and safety

We process Special Category information that may include details on:

  • physical or mental health
  • racial or ethnic origin
  • trade union membership
  • political opinions
  • religious or other beliefs
  • sexual life and sexual orientation
  • DNA, fingerprints and other genetic or biometric samples

We also process information relating to criminal conviction and offence data including:

  • offences and alleged offences
  • criminal proceedings, outcomes and sentences
  • criminal intelligence

Where possible and/or appropriate you will be informed of the reason for collecting, holding and using your personal information. Although, in view of the statutory functions of the Force, this may not always be possible as doing so may prejudice the policing functions (as detailed above).

We process personal information about:

  • offenders and suspected offenders
  • victims
  • witnesses
  • persons given a caution or a warning
  • consultants and other professional experts
  • persons subject to judicial and other disposals including convictions, discharges, acquittals, and orders made under legislation
  • suspect offenders under the age of ten
  • staff, former staff and potential staff, including temporary and casual workers
  • complainants and enquirers
  • relatives, guardians and associates of the people we are processing personal information about
  • advisers, consultants and other professional experts
  • pensioners and beneficiaries
  • other individuals necessarily identified during police enquiries or activities
  • suppliers
  • individuals coming to the attention of the data controller as a result of any criminal activity considered to be a risk to national security

We sometimes need to share with other organisations, information on the individuals we process information about. Where this is necessary, we are required to comply with all aspects of the Data Protection legislation. What follows is a description of the types of organisations we may need to share some of the personal information we process with, for one or more reasons.

Where necessary, or required, we share information with:

  • other police forces
  • regulatory bodies
  • courts
  • prisons
  • non Home Office police forces
  • customs and excise
  • local and central government departments
  • security companies
  • partner agencies, approved organisations and individuals working with the police
  • Victim Support Services
  • press and the media
  • healthcare professionals
  • current, past and prospective employers
  • law enforcement and prosecuting authorities
  • legal representatives
  • defence solicitors
  • Independent Police Complaints Authority
  • the Disclosure and Barring Service
  • offices of the Police and Crime Commissioner
  • emergency services
  • persons making an enquiry or complaint
  • data processors
  • financial organisations
  • credit reference agencies
  • survey and research organisations
  • trade and employer associations and professional bodies
  • Crown Prosecution Service
  • HM Courts Service
  • international agencies concerned with the safeguarding of international and domestic national security anywhere in the world
  • third parties involved in investigations relating to the safeguarding of national security

Where possible, you will be informed if we intend to use or share your information for a non-obvious purpose.

We will work with partner agencies and may share your information with them. All attempts to anonymise the personal information will be considered in the first instance. Personal information will only be shared if there is a legal basis in which to do so and after having fully considered your rights to privacy.

We will actively manage our information assets in conjunction with Information Asset Owners who will manage and monitor the information through its lifecycle.

The MDP keeps personal data for as long as is necessary, for the purpose for which it was collected and recorded. Records containing personal data relating to matters of intelligence, public protection, violent and sexual offenders, missing persons, case and custody, crime and incident, firearms, child abuse investigations and domestic abuse will be retained in accordance with the College of Policing Authorised Professional Practice (APP) on the Management of Police Information. Other records are held in accordance with our Retention and Disposal Schedule.

Information Management policies and procedures are implemented and continually reviewed to ensure improvements in the way in which information is handled, by reflecting any changes in legislation and developments in case law as necessary.

All staff and contractors are suitably vetted and trained in the appropriate policies and procedures for ensuring the correct handling of personal information.

We will proactively monitor the legitimate use and quality of information through audits and transaction monitoring. Any breaches are taken seriously, and disciplinary/ criminal investigations are undertaken as necessary. The MDP will not tolerate any misuse of information.

The MDP takes the security of all personal data under its control very seriously. We comply with the relevant parts of the GDPR and Data Protection Act 2018, relating to security, and seek to comply with the National Police Chiefs’ Council (NPCC) Community Security Policy. We use a variety of physical, technical and procedural measures to protect personal information from unauthorised or accidental disclosure, loss or corruption.

We will ensure statutory rights to information under the provisions of the GDPR and Data Protection Act 2018; Freedom of Information Act 2000 and Environmental Information Regulations 2004 are addressed. Should you find any of the information we hold about you is incorrect or misleading, we will ensure it is thoroughly assessed and corrected where appropriate.

Individual rights

Individuals have several rights enshrined in the Data Protection legislation:

Right to be Informed

This is provided for in Articles 13 and 14 of GDPR and Section 44 of the Data Protection Act 2018 which sets out the general duties of a Controller. This Information Charter addresses that requirement.

Right of Access

Individuals have the right to apply for a copy of their personal data held by the Force. This right, commonly referred to as Subject Access, is created by Article 15 of GDPR and Section 45 of the Data Protection Act 2018. It is used by individuals who want to see a copy of the information an organisation holds about them (subject to exemptions).

Right to Rectification

Article 16 of GDPR and Section 46 of the Data Protection Act 2018 provides individuals with the right to have inaccurate personal data rectified or completed, if it is incomplete. This may involve the Force providing a supplementary statement to the incomplete data.

Right to Erasure

Article 17 of GDPR and Section 47 of the Data Protection Act 2018 provides individuals with the right to have personal data erased. This is known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

Right to Restrict Processing

Article 18 of GDPR and Section 47 of the Data Protection Act 2018 provides individuals with the right to restrict processing of their personal data in certain circumstances. This means that an individual can limit the way an organisation uses their data.

Right to Data Portability

Article 20 of GDPR provides individuals with the right to receive the personal data they have provided to a Controller in a structured, commonly used and machine-readable format. It also gives them the right to ask a Controller to transmit this data directly to another Controller.

Right to Object

Article 21 of GDPR provides individuals with the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority;
  • direct marketing; and
  • processing for purposes for scientific/historical research and statistics.
  • Rights related to automated
  • decision making, including profiling

Article 22 of GDPR and Sections 49/50 of the Data Protection Act 2018 makes provision to protect individuals from processing carried out solely by automated decision making, that has legal or similarly significant effects on them.

More information

If individuals have any concerns regarding the way their personal data is handled by the Ministry of Defence Police or the quality of their personal data (i.e. in relation to accuracy, relevance, non-excessiveness etc.), they are encouraged to raise them with the Force Data Protection Advisor using the contact details provided below:

Data Protection Officer
MDP Headquarters
Palmer Pavilion
RAF Wyton
Huntingdon
Cambs
PE28 2EA

Email: MDP-DPA@mod.gov.uk

The Information Commissioner is the independent regulator responsible for enforcing the legislation and provides advice and guidance about the requirements. The Information Commissioner’s Office (ICO) can be contacted as follows:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

0303 123 1113 (local rate) / 01625 545 745 (national rate)

www.ico.org.uk

[1] ‘Personal Data’ is defined under Article 4(1) of the General Data Protection Regulation and Part 1 Section 3(2) of the Data Protection Act 2018. In practical terms it means information handled by Ministry of Defence Police that relates to identifiable living individuals. It can include intentions and expressions of opinion about an individual. The information can be held electronically or as part of a paper record and can include CCTV images and photographs. The legislation uses the term ‘processing’ to effectively cover any usage of personal data.