New Data Protection Legislation – Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR) – was implemented on 25th May 2018. This privacy notice has been updated to make it easier for you to understand what personal data we will process, how and why.
This Privacy Notice is divided into three parts:
- Part 1: How we process your personal data
- Part 2: Your rights around that personal data
- Part 3: Other useful information
The Chief Constable of Kent Police is registered with the Information Commissioner as a ‘Controller’ and is obliged to ensure that Kent Police handles all personal data in accordance with Data Protection Legislation. On occasions the Chief Constable may operate as a Joint Controller with one or more other Controllers.
Kent Police is a ‘Competent Authority’ as defined in Section 30 of the DPA.
In accordance with the requirements of the new legislation a Data Protection Officer has been employed by Kent Police. The Data Protection Officer is an independent role that is responsible for ensuring that the personal information held is processed in accordance with the prescribed obligations of the legislation. The new law, for the first time, gives them duties that they must undertake by law.
The Data Protection Officer is available to provide you with advice and assistance if you have any queries or concerns about how Kent Police process your personal data. The contact details of the Data Protection Officer can be found near the end of this Notice.
Kent Police also have a Public Disclosure Team, as part of the Information Security and Governance Department, who handle rights applications under the new law. The contact details of the Public Disclosure Team (PDT) Information Rights Team are also included in this Privacy Notice.
Kent Police takes its responsibilities and obligations under the Data Protection Legislation very seriously and ensures that personal data is handled appropriately in order to secure and maintain individuals’ trust and confidence in the Police Service.
Why do we process personal data?
Kent Police processes personal data for two broad purposes: a) ‘Law Enforcement Purposes’ and b) ‘General Purposes’ which are activities to support the Law Enforcement Purposes.
Law Enforcement Purposes include:
- The prevention, investigation, detection or prosecution of criminal offences
- The execution of criminal penalties, including the safeguarding against and the prevention of threats to public security
- The policing purpose
When Kent Police process your personal data for Law Enforcement Purposes it could be because you are involved in an incident that has been reported to the police – perhaps as a witness, victim or suspect. It could be because you are involved in a crime that is being investigated or are associated with intelligence that the police have gathered. Other uses include roads policing, accident investigation, surveillance, and public order.
General Purposes include:
- Staff/pension administration, occupational health and welfare
- Management of public relations, journalism, advertising and media
- Management of finance, payroll, benefits, accounts, audit, internal review
- Internal review, accounting and auditing
- Property management
- Insurance management
- Vehicle and transport management
- Payroll and benefits management
- Management of complaints
- Management of information technology systems
- Legal services
- Information provision
- Licensing and registration
- Pensioner administration
- Research including surveys
- Performance management
- Sports and recreation
- System testing and fault resolution
- Administration of rights applications
- Health and safety management
Where Kent Police process your personal data for Law Enforcement Purposes the Force must comply with the Data Protection Act 2018 (DPA), but not the General Data Protection Regulation (GDPR).
When Kent Police process your personal data for General Purposes the Force must comply with the General Data Protection Regulation (GDPR) and various parts of the Data Protection Act 2018 (DPA).
Although the rules for both purposes are similar, they are not identical – for example, you have fewer rights when Kent Police process your personal data for Law Enforcement Purposes than when processed under General Purposes.
Whose personal data do we process?
For both law enforcement and general purposes, Kent Police may process personal data relating to a wide variety of individuals (known as ‘categories of data subjects’) including the following:
- Staff including volunteers, agents, temporary and casual workers
- Complainants, correspondents and enquirers
- Relatives, guardians and associates of the individual concerned
- Advisers, consultants and other professional experts
- Offenders and suspected offenders
- Former and potential members of staff, pensioners and beneficiaries
- Other individuals necessarily identified in the course of police enquiries and activity
What types of personal data do we process?
For both law enforcement and general purposes, Kent Police may process personal data relating to or consisting of the following (known as ‘categories of personal data’):
- Personal details i.e. name, address and biographical details
- Family, lifestyle and social circumstances
- Education and training details
- Financial details
- Goods or services provided
- Racial or ethnic origin
- Membership of extremist political parties
- Religious or other beliefs of a similar nature
- Trade Union membership
- Physical or mental health or condition
- Sexual orientation
- Offences (including alleged offences)
- Criminal proceedings, outcomes and sentences
- Physical identifiers including DNA, fingerprints and other genetic samples
- Sound and visual images including photographs and video
- Licenses or permits held
- Criminal Intelligence
- References to manual records or files
- Information relating to health and safety
- Complaint, incident and accident details
For General Processing ‘Special Category Data’ is personal data that is regarded as particularly sensitive and includes information relating to:
- Ethic origin
- Political opinions
- Religious/philosophical beliefs
- Sex life
- Sexual orientation
- Trade union
- Genetic data i.e. biological sample
- Biometric data i.e. fingerprint, face recognition, DNA, palm print, iris recognition
For General Processing Kent Police will only process Special Category Data where a condition in Article 9 of the GDPR is met. In addition, for General Processing, Kent Police will only process ‘Criminal Offence Data’ – personal data relating to criminal convictions and offences or related security measures – where a condition in Schedule 1 of the DPA is met.
Similarly, for Law Enforcement Processing Kent Police will only process personal data pertaining to your: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; health (related); or sex life or sexual orientation, in certain circumstances. This type of processing is called ‘Sensitive Processing’. Kent Police carry out Sensitive Processing where one of the following apply:
- Consent is given
- For statutory purposes
- The administration of justice
- Protecting an individual’s vital interests
- Safeguarding children and individuals at risk
- If the information is already in the public domain
- For legal claims
- Preventing fraud
- Archiving, historical or statistical purposes
Where do we obtain personal data from?
For both law enforcement and general purposes, Kent Police may collect personal data from a wide variety of sources, other than directly from you, including the following:
- Other law enforcement organisations
- HM Revenue and Customs
- International law enforcement agencies and bodies
- Licensing authorities
- Legal representatives
- Prosecuting authorities
- Defence solicitors
- Security companies
- Partner agencies involved in crime and disorder strategies
- Private sector organisations working with the police in anti-crime strategies
- Voluntary sector organisations
- Approved organisations and people working with the police
- Independent Office for Police Conduct (IOPC)
- Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS)
- Office of the Police, Fire and Crime Commissioner (OPFCC)
- Central government, governmental agencies and departments
- Emergency services
- Relatives, guardians or other persons associated with the individual
- Current, past or prospective employers of the individual
- Healthcare, social and welfare advisers or practitioners
- Education, training establishments and examining bodies
- Business associates and other professional advisors
- Employees and agents of Kent Police
- Suppliers, providers of goods or services
- Persons making an enquiry or complaint
- Financial organisations and advisors
- Credit reference agencies
- Survey and research organisations
- Trade, employer associations and professional bodies
- Local government
- Voluntary and charitable organisations
- Ombudsmen and regulatory authorities
- The media
- Processors working on behalf of Kent Police
How do we collect personal data?
Kent Police collects personal data either from you or from other sources, dependent on circumstances.
The following are examples of how Kent Police may obtain personal data directly from you:
- From conversations with you (in person or via telephone)
- From written communications from you (e.g. letters, emails, social media)
- From website interactions with you
- From forms completed by you (e.g. job applications)
The following are examples of how Kent Police may obtain personal data about you from other sources:
- From conversations with other individuals (in person or via telephone)
- From written communications from other individuals (e.g. letters, emails, social media)
- From observation or monitoring
- From Body Worn Video
- From CCTV and audio systems
- From forms completed by other individuals
See the Covid-19 privacy notice for more information about how we may seek to collect and hold additional information about you in relation to the challenges we are all facing during the Coronavirus pandemic.
Which lawful basis do we use to process this information?
Kent Police must have a valid lawful basis in order to process your personal data.
When Kent Police process your personal data for Law Enforcement Purposes it is done so under Common Law Policing Powers, and either with your consent or because the processing is necessary for the performance of a task carried out for Law Enforcement Purposes.
When Kent Police process your personal data for General Purposes there are five lawful bases available, the lawful basis will depend on the purpose for processing the personal data:
- Consent – you have provided clear consent to process the personal data for a specific purpose
- Contract – the processing is necessary for a contract (i.e. employment contract)
- Legal obligation – the processing is necessary for Kent Police to comply with the law
- Vital interest – the processing is necessary to protect someone’s life
- Public Task – the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law
How do we process personal data?
For both law enforcement and general purposes, Kent Police will process personal data in accordance with the DPA and the GDPR – Data Projection Legislation.
Where Kent Police process personal data for Law Enforcement Purposes, it will be done so in accordance with the DPA data protection principles and where processed for personal data for General Purposes it will be done so in accordance with the GDPR data protection principles.
Data Protection Act
General Data Protection Regulation (GDPR)
Principle (a) – lawfulness, fairness and transparency:
Processed lawfully and fairly
Processed lawfully, fairly, in a transparent manner in relation to individuals
Principle (b) – purpose limitation:
Collected for specified, explicit and legitimate purposes and not processed in a manner incompatible with the purpose for which it was originally collected
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; though further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes will not be considered to be incompatible with the initial purposes
Principle (c) – data minimisation:
Adequate, relevant and not excessive in relation to the purpose for which it is processed
Adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed
Principle (d) – accuracy:
Accurate and, where necessary, kept up to date, and every reasonable step is taken to ensure that personal data is accurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay
Accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data that is inaccurate will be erased or rectified without delay where necessary
Principle (e) – storage limitation:
Kept for no longer than is necessary for the purpose for which it is processed.; and appropriate time limits are established for the periodic review of the need for the continued storage of personal data for any of the Law Enforcement Purposes
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; however, personal data may be stored for longer periods solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
Principle (f) – integrity and confidentiality:
Processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Kent Police will strive to ensure that all personal data processed, under their controllership, is not excessive, is reviewed appropriately, and is securely destroyed when no longer required. Kent Police respect individuals’ rights and will be able to demonstrate compliance with the DPA and GDPR data protection principles
How do we ensure the security of personal data?
Kent Police takes the security of all personal data very seriously. Ensuring compliance to the relevant parts of the DPA and the GDPR relating to security, as well as seeking to comply with the National Police Chiefs Council (NPCC) Security Systems Policy and relevant parts of the ISO 27001 Information Security Standard.
Kent Police ensure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection. These measures will protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any personal data contained within them. These measures are continuously managed and enhanced to ensure up-to-date security.
Who do we disclose personal data to?
For both law enforcement and general purposes, Kent Police may disclose personal data to a wide variety of recipients in any part of the world, including those from whom personal data is obtained.
This may include disclosures to other law enforcement agencies, partner organisations/agencies working on crime reduction initiatives, partners in the Criminal Justice arena, Victim Support, and to bodies or individuals working on our behalf (such as, IT contractors or survey organisations).
Kent Police may also disclose to other bodies or individuals where necessary to prevent harm to individuals. Disclosures of personal data will be made on a case-by-case basis, using the personal data appropriate to a specific purpose and circumstances, and with necessary controls in place.
Where you have provided your personal data to us for the purposes of the police constable recruitment process, your data, including biographical monitoring information, will be shared with the College of Policing.
It will be stored on their secure network or within their Assessment Information Management System (AIMS). From this information, your name, email address and candidate reference number will be uploaded to the new online assessment platform for constable recruitment and shared with the third party provider hosting the system in order to progress your application virtually.
Some of the bodies or individuals to which Kent Police may disclose personal data to are situated outside of the European Union – some of which do not have laws that protect data protection rights as extensively as in the United Kingdom. If personal data is transferred to such territories, the proper steps will be taken to ensure that it is adequately protected, as required by the DPA and GDPR.
Kent Police will also disclose personal data to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order. This may include disclosures to the Child Maintenance Service, the National Fraud Initiative, and the Home Office and to the Courts.
Kent Police may also disclose personal data on a discretionary basis for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.
How long do we retain personal data?
Kent Police keep personal data for as long as is necessary for the particular purpose, or purposes, for which it is held.
Personal data which is placed on the Police National Computer is retained, reviewed and deleted in accordance with the agreed national retention periods which are subject to periodic change.
Other records containing personal data relating to intelligence, digital media, custody, crime, firearms, child abuse investigations, and domestic violence will be retained in accordance with the College of Policing’s Authorised Professional Practice for Information Management. This can be found on the College of Policing’s website www.app.college.police.uk. These records are retained in accordance with the Kent Police’s procedure W1012 Records Review, Retention & Disposal.
Monitoring and cookies
Kent Police may monitor or record and retain telephone calls, texts (SMS), emails and other electronic communications to and from the Force in order to deter, prevent and detect inappropriate or criminal activity, to ensure security, and to assist law enforcement or general purposes.
Kent Police does not place a pre-recorded ‘fair processing notice’ on telephone lines that may receive emergency calls (including misdirected ones) because of the associated risk of harm that may be caused through the delay in response to the call.
This Privacy Notice is divided into three parts:
- Part 1: How we process your personal data
- Part 2: Your rights around that personal data
- Part 3: Other useful information
 Defined by the statutory Code of Practice on the Management of Police Information 2005 as ‘protecting life and property, preserving order, preventing the commission of offences, bringing offenders to justice, and any duty or responsibility of the police arising from common or statute law.’
 Kent Police is required to conduct Customer Satisfaction Surveys to evaluate our performance and effectiveness. Kent Police may contact individuals, such as victims of crime or those reporting incidents, and ask them to give us their opinion of the services Kent Police are providing to the public. Kent Police use the information given to improve our service and wherever possible, Kent Police, like many police forces uses a private company to undertake such surveys on our behalf with strict controls to protect the personal data of those involved.
 GDPR Article 9(1)
 GDPR Articles 10 & 11
 DPA Part 3 Section 35(8)
 DPA Part 3 Section 35
 GDPR Article 6(1)
 DPA Part 3 Sections 34 to 40
 GDPR Article 6