Privacy Notice - PIRC Investigations LED - Part 3
Using Your Personal Data – PIRC Investigations
Law Enforcement Processing under Part 3 Data Protection Act 2018 and UK GDPR
Who we are
The Police Investigations and Review Commissioner (PIRC) is appointed by Scottish Ministers under the Police, Public Order and Criminal Justice (Scotland) Act 2006 (2006 Act) as amended (the 2006 Act). The role of the PIRC is to provide independent oversight of policing bodies in Scotland; investigating incidents involving the police and reviewing the way the police handle complaints from the public.
About this notice
This notice explains how your personal data (also referred to as ‘personal information’) will be dealt with (processed) by the PIRC and your rights in relation to that processing. The PIRC is known as the ‘controller’ of the personal data we collect.
Data protection law in the United Kingdom (UK) is governed by the Data Protection Act 2018 (DPA), the UK General Data Protection Regulation (UK GDPR) and the Law Enforcement Directive (LED). Part 2 of the DPA covers general processing under the UK GDPR. Part 3 of the DPA covers law enforcement processing under the LED. For PIRC investigations, processing is mainly under Part 3 with some processing under Part 2.
Law enforcement purposes are for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
This notice covers information processed for law enforcement purposes and provides you details of:
- what is personal data
- why we need your personal data
- what is our lawful basis is for processing
- the types of personal data we hold
- what we do with your personal data
- who we will share your personal data with
- the length of time we will keep your personal data.
What is personal data
Personal data is information that can identify you, for example, name, address, date of birth.
Special category personal data
There is an additional category of personal data called ‘special category personal data’. This is information which relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), health data, sex life or sexual orientation.
Why we need your personal data
The PIRC conducts investigations under the 2006 Act, and The Police Investigations and Review Commissioner (Investigations Procedure, Serious Incidents and Specified Weapons) Regulations 2013.
We collect information, including personal data, under Part 3 DPA to carry out our functions under this legislation, those being:
- where the PIRC is directed or requested to conduct an investigation,
- where an incident is referred to the PIRC to assess whether or not an investigation is necessary, or
- where the Commissioner determines it is in the public interest to investigate.
PIRC investigations can be directed or requested by the Crown Office and Procurator Fiscal Service (COPFS), Police Scotland (or any other Scottish policing body), the Scottish Police Authority (SPA) or undertaken because the Commissioner considers that it is in the public interest to do so.
What is our lawful basis for processing
Under Schedule 7 of the Data Protection Act 2018, the PIRC is a competent authority, and Part 3 of the Act permits law enforcement processing by competent authorities.
PIRC processes personal data for law enforcement purposes as defined under section 31 of the DPA 2018 as:
“The prevention, investigation detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.”
The lawful basis for PIRC processing special category personal data for a law enforcement purpose is that that it is strictly necessary for the performance of a task carried out by the PIRC as a competent authority for law enforcement purposes1.
The types of personal data we hold
The types of personal data we process may include information such as:
- personal details such as name, address, date of birth
- sound and visual images, such as CCTV or mobile phone footage
- complaint details
- financial details
- policing material (including alleged or actual offending information and information and /or intelligence from policing systems)
- information provided by victims or witnesses.
We may also hold sensitive personal data and/or biometric data of the type described above.
In order to carry out our law enforcement functions, we process information relating to a variety of individuals including:
- people suspected of committing, or who have committed, an offence
- police officers and police staff
- consultants and other professional experts.
What we do with it
We use your personal data to conduct our investigations and we may use it when we report our findings to the relevant policing body, COPFS, or the SPA. In some cases, we may report our findings to the relevant policing body and COPFS. We will hold your personal data securely whether in paper or electronic format.
Who we will share your personal data with
We may share your information with another public body or another policing body operating in Scotland. However, we will only do this where sharing your information is necessary for us to carry out our investigations and reporting function, or, to allow the public body concerned to carry out its own function. The 2006 Act allows information sharing with any public body or office holder as specified in this Act and in specified circumstances.
We may also disclose personal data in exceptional circumstances. For example, where we are required by law to do so or where the health and safety of you or others is at risk.
We may use your information for statistical, research, training and development purposes. In these circumstances the processing is necessary for us to pursue our legitimate interests2. Information will not be used for these purposes where this would interfere with your fundamental rights. Processing these circumstances will be undertaken in terms of Part 2 of the DPA further detail can be found in the PIRC Processing under Part 2 DPA Privacy Notice.
We may also ask you to complete an equality monitoring questionnaire. This is optional and will not have an impact on the review process. Processing these circumstances will also be undertaken in terms of Part 2 of the DPA.
The outcome of our investigation may be published on our website at pirc.scot. It may also be featured in a press release. Reports and press releases are anonymised and will not contain your name. In most cases they will not contain information that could identify you or any other person involved in the investigation. In very limited cases, where you may be identified indirectly, we can discuss your particular privacy needs with you.
How long we keep it
We will hold your information for no longer than is necessary. The timescales involved are explained in our Records Management Policy.
What are your rights?
Right of access
You have the right to confirmation as to whether or not we are processing your personal data and to be given information on how we use the data, what type of data we have, who we will share it or have shared it with, how long we will keep it for, and what your rights are regarding your data. You can also request to see the personal information we hold about you.
Right to rectification
If you believe that information we hold on you is incorrect, you can request that it is corrected or deleted.
Right to erasure
You can request that we delete the personal information we hold on you if, we no longer require it, you object to us processing it and we have no overriding legitimate grounds for us to retain it, your data has been unlawfully processed, it needs to be erased for legal reasons.
Right to restrict processing
You can request that we temporarily restrict the processing of your personal data if, we are checking the accuracy of your data, our processing is unlawful and you do not want your data erased, we no longer need your data but need to retain it for legal reasons, or you object to us processing it and confirmation is awaited regarding our overriding legitimate grounds to retain it.
Right to withdraw consent
Where we process your personal information for a particular purpose on the basis of your consent you have the right to withdraw that consent. You can inform us of your wish to withdraw consent by contacting us at the address below. The relevant personal data will be destroyed on receipt of the withdrawal of consent unless there is an overriding purpose for continued processing.
Right to data portability
This only applies where the legal basis for us to collect your personal data is consent and where the processing is by automated means, neither of which are relevant to how we process your data. This right is therefore not applicable.
Right to object
If the lawful basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, or it is necessary for the purposes of legitimate interests which we pursue.
Rights in relation to automated decision making and profiling
Where applicable, you have the right to object to your data being subject to automatic decision making and profiling, however the PIRC will not use your data in this manner.
It is important to note that these rights detailed above are not absolute. In some cases, exemptions can apply and we may not be able to provide you with all of the information you are looking for or comply with your request to exercise your rights.
If you have a request regarding your rights or if you want to complain about how we have handled your personal data, you can contact us at:
Phone: 01698 542 900
Post: Police Investigations and Review Commissioner
Hamilton Business Park
If you are not satisfied with our response, or believe that we are processing your data not in accordance with the law, you can complain to the Information Commissioner’s Office at:
Tel: 0303 123 1113
Any complaints about the use of biometric data, and an organisation’s non compliance with the Code of Practice should be made to the Scottish Biometrics Commissioner. They can be contacted as follows:
Scottish Biometrics Commissioner
99 McDonald Road
Tel: 0131 202 1043
(Date of completion of this notice – November 2023)
1 See Schedule 8 of the Data Protection Act 2018.
2 Article 6(1)(f)