Privacy Notice - PIRC Investigations - Part 2
Using Your Personal Data – PIRC Investigations
General Processing under Part 2 Data Protection Act 2018 and GDPR
Who we are
The Police Investigations and Review Commissioner (PIRC) is appointed by Scottish Ministers under the Police, Public Order and Criminal Justice (Scotland) Act 2006 (2006 Act) as amended (the 2006 Act). The role of the PIRC is to provide independent oversight of policing bodies in Scotland; investigating incidents involving the police and reviewing the way the police handle complaints from the public.
About this notice
This notice explains how your personal data (also referred to as ‘personal information’) will be dealt with (processed) by the Police Investigations and Review Commissioner (PIRC) and your rights in relation to that processing. The PIRC is known as the ‘controller’ of the personal data we collect.
Data protection law in the United Kingdom (UK) is governed by the Data Protection Act 2018 (DPA), the UK General Data Protection Regulation (UK GDPR) and the Law Enforcement Directive (LED). Part 2 of the DPA covers general processing under the UK GDPR. Part 3 of the DPA covers law enforcement processing under the LED. For PIRC investigations not for a law enforcement purpose – such as misconduct investigations1 – processing will be under Part 2.
This notice covers information processed non-law enforcement purposes and provides you details of:
- what is personal data
- why we need your personal data
- what is our lawful basis is for processing
- the types of personal data we hold
- what we do with your personal data
- who we will share your personal data with
- the length of time we will keep your personal data.
What is personal data
Personal data is information that can identify you, for example, name, address, date of birth.
Special category personal data
There is an additional category of personal data called ‘special category personal data’. This is information which relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), health data, sex life or sexual orientation.
Why we need your personal data
The PIRC conducts investigations into alleged gross misconduct and misconduct of Police Scotland officers limited to Assistant Chief Constable and above, under the Police Service of Scotland (Senior Officers) (Conduct) Regulations 2013. We collect information, including personal data, under Part 2 DPA to carry out our functions under this legislation.
There may be situations where we collect information, including personal data, under Part 2 DPA to carry out our assessment and investigation functions under Police Public Order and Criminal Justice (Scotland) Act 2006, and The Police Investigations and Review Commissioner (Investigations Procedure, Serious Incidents and Specified Weapons) Regulations 2013. This may include investigations into deaths in custody or deaths following police contact.
What is our lawful basis for processing
PIRC must have a legal basis for processing your personal and special category data. The legal bases, that may be relied upon are listed below:
- Article 6 (1)(c) necessary to comply with a legal obligation. PIRC would require to comply with Court Orders to provide your personal data to others.
- Article 6 (1)(d) necessary to protect the vital interests of yourself or another, in extreme circumstances PIRC may have to release personal data to protect your interests or the interests of others, for example, medical emergencies.
- Article 6 (1)(e) necessary for the performance of a task carried in the public interest or in the exercise of official authority. Part of PIRC’s function is to maintain public confidence in the police complaints system and provide effective oversight: this activity in a public interest including your interest and the interest of others.
- Article 6(1)(f) ‘legitimate interests’ is generally the interest of PIRC for example, undertaking surveys to improve the service provided to the public.
Where special category data such as health information is processed a legal basis for this will be within Article 9 of UK GDPR or Schedule 1 of the Data Protection Act 2018 (check this in special category policy). Examples included:
- Article 9(1)(a) processing “special categories” of data where you have given explicit consent.
- Article 9(1)(g) processing “special categories” of data where necessary for reasons of substantial public interest.
- Article 9(1)(f) processing “special categories” of data in connection with legal claims.
- Article 9(2)(g) processing "special categories" of data in the substantial public interest.
The types of personal data we hold
The types of personal data we process may include information such as:
- personal details such as name, address, date of birth
- sound and visual images, such as CCTV or mobile phone footage
- complaint details
- financial details
- policing material (including alleged or actual offending information and information and /or intelligence from policing systems)
- information provided by victims or witnesses.
We may also hold sensitive personal data and/or biometric data of the type described above.
In order to carry out our investigative functions, we process information relating to a variety of individuals including:
- victims and / or family members
- people suspected of committing, or who have committed, an offence
- police officers and police staff
- consultants and other professional experts.
What we do with it
We use personal data to conduct our investigations and we may use it when we report our findings to the SPA. In some cases, we may report our findings to the relevant policing body and the COPFS. We will hold personal information securely whether in paper or electronic format.
We may share information with another public bodies or another policing body operating in Scotland. However, we will only do this where it is necessary for us to carry out our investigations and reporting function, or, to allow the public body concerned to carry out its own function.
We may disclose personal information in exceptional circumstances. For example, where we are required by law to do so or where the health and safety of you or others is at risk.
We may use your information for statistical, research, training and development purposes. In these circumstances the processing is necessary for us to pursue our legitimate interests2. Information will not be used for these purposes where this would interfere with your fundamental rights. Processing these circumstances will be undertaken in terms of Part 2 of the DPA.
We may also ask you to complete an equality monitoring questionnaire. This is an optional questionnaire used for statistical purposes and to inform and allow us to meet our obligations in terms of the Public Sector Equality Duty and will not have an impact on the investigative process in any way. Processing these circumstances will also be undertaken in terms of Part 2 of the DPA.
The outcome of our investigation may be published on our website at pirc.scot. It may also be featured in a press release. Reports and press releases are anonymised and will not contain your name. In most cases they will not contain information that could identify you or any other person involved in the investigation. In very limited cases, where you may be identified, we can discuss your particular privacy needs with you.
How long we keep it
We will hold your information for no longer than is necessary. The timescales involved are explained in our Records Management Policy.
What are your rights?
Right of access
You have the right to confirmation as to whether or not we are processing your personal data and to be given information on how we use the data, what type of data we have, who we will share it or have shared it with, how long we will keep it for, and what your rights are regarding your data. You can also request to see the personal information we hold about you.
Right to rectification
If you believe that information we hold on you is incorrect, you can request that it is corrected or deleted.
Right to erasure
You can request that we delete the personal information we hold on you if, we no longer require it, you object to us processing it and we have no overriding legitimate grounds for us to retain it, your data has been unlawfully processed, it needs to be erased for legal reasons.
Right to withdraw consent
Where we process your personal information for a particular purpose on the basis of your consent you have the right to withdraw that consent. You can inform us of your wish to withdraw consent by contacting us at the address below. The relevant personal data will be destroyed on receipt of the withdrawal of consent unless there is an overriding purpose for continued processing.
Right to restrict processing
You can request that we temporarily restrict the processing of your personal data if, we are checking the accuracy of your data, our processing is unlawful and you do not want your data erased, we no longer need your data but need to retain it for legal reasons, or you object to us processing it and confirmation is awaited regarding our overriding legitimate grounds to retain it.
Right to data portability
This only applies where the legal basis for us to collect your personal data is consent and where the processing is by automated means, neither of which are relevant to how we process your data. This right is therefore not applicable.
Right to object
If the lawful basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, or, it is necessary for the purposes of legitimate interests which we pursue.
Rights in relation to automated decision making and profiling
Where applicable, you have the right to object to your data being subject to automatic decision making and profiling, however the PIRC will not use your data in this manner.
It is important to note that these rights detailed above are not absolute. In some cases exemptions can apply and we may not be able to provide you with all of the information you are looking for or comply with your request to exercise your rights.
If you have a request regarding your rights or if you want to complain about how we have handled your personal data, you can contact us at email@example.com or using the details on this website.
If you are not satisfied with our response, or believe that we are processing your data not in accordance with the law, you can complain to the Information Commissioner’s Office at:
Tel: 0303 123 1113
Any complaints about the use of biometric data, and an organisation’s non compliance with the Code of Practice should be made to the Scottish Biometrics Commissioner. They can be contacted as follows:
Scottish Biometrics Commissioner
99 McDonald Road
Tel: 0131 202 1043
(Date of completion of this notice – November 2023)
1 The Police Service of Scotland (Senior Officers) Conduct Regulations 2013, Regulation 9.
2 Article 6(1)(f)