Protecting and respecting your personal information
Your privacy is important to us. This Privacy Notice explains how Derbyshire Constabulary collects, stores, uses, discloses, retains and destroys information about people (their personal data ), and the steps we take to ensure that it is protected. It also describes the rights you have in regard to information we may already hold about you and any further personal information we might collect about you, either from you or from a third party.
The use and disclosure of personal data is governed in the United Kingdom by the Data Protection Act 2018 which is supplemented by the General Data Protection Regulation (GDPR) and incorporates the Law Enforcement Directive (LED). The Chief Constable of Derbyshire Constabulary is registered with the Information Commissioner as a ‘controller’ and is obliged to ensure that Derbyshire Constabulary handles all personal data in accordance with the Data Protection Act and the GDPR.
Derbyshire Constabulary takes its responsibility very seriously and ensures that personal data is handled appropriately in order to secure and maintain individuals’ trust and confidence in the Police Service.
The Constabulary’s Data Protection Officer, Ms A Turner, together with the Data Protection Team provides help and guidance to ensure that the Constabulary applies appropriate standards to protect your personal data. Personal data could be information which is held on a computer, in a paper record such as a file, as images, but it can also include other types of electronically held information such as CCTV images or Body Worn Video images.
You can contact our Data Protection Team or our Data Protection Officer if you have any questions or concerns about how we process your personal data:
Data Protection Team
Telephone: (0300) 1228756
1. Why do we process personal data?
Derbyshire Constabulary collects, stores, uses, discloses and retains personal data for two broad purposes; the Law Enforcement Purposes and to carry out activities to support the Law Enforcement Purposes, something we call General Purposes.
a) The Law Enforcement Purpose (Policing Purpose) which includes:
- The prevention, investigation, detection or prosecution of criminal offences;
- The execution of criminal penalties;
- Safeguarding against and the prevention of threats to public security
- The policing purpose 
b) The provision of services to support the Law Enforcement Purposes (General Purposes) which includes:
- Staff/pension administration, occupational health and welfare;
- Management of public relations, journalism, advertising and media;
- Management of finance, payroll, benefits, accounts, audit, internal review;
- Internal review, accounting and auditing;
- Property management;
- Insurance management;
- Vehicle and transport management;
- Payroll and benefits management;
- Management of complaints;
- Management of information technology systems;
- Legal services;
- Information provision;
- Licensing and registration;
- Pensioner administration;
- Research including surveys; 
- Performance management;
- Sports and recreation;
- System testing and fault resolution;
- Health and safety management
2. Whose personal data do we handle?
In order to carry out the purposes described under Section 1 above Derbyshire Constabulary may collect, store, and disclose (see Section 8 below) and retain personal data relating to a wide variety of individuals including the following:
- Victims of crime
- Witnesses to crime
- People convicted of an offence
- People suspected of committing an offence
- Complainants, correspondents and enquirers;
- Advisers, consultants and other professional experts;
- Current and former staff including volunteers, agents, temporary and casual workers;
- Former and potential members of staff, pensioners and beneficiaries;
- Other individuals necessarily identified in the course of police enquiries and activity
Derbyshire Constabulary will only use appropriate personal information necessary to fulfil a particular purpose or purposes.
3. What types of personal data do we handle?
In order to carry out the purposes described under Section 1 above, Derbyshire Constabulary may collect, use, disclose (see Section 8 below) and retain personal data relating to or consisting of the following:
- Personal details such as name, address and biographical details;
- Family, lifestyle and social circumstances;
- Education and training details;
- Financial details;
- Goods or services provided;
- Racial or ethnic origin;
- Membership of extremist political parties;
- Religious or other beliefs of a similar nature;
- Trade Union membership;
- Physical or mental health or condition;
- Sexual orientation;
- Offences (including alleged offences);
- Criminal proceedings, outcomes and sentences;
- Physical identifiers including DNA, fingerprints and other genetic samples;
- Sound and visual images;
- Licenses or permits held;
- Criminal Intelligence;
- References to manual records or files;
- Information relating to health and safety;
- Complaint, incident and accident details.
Derbyshire Constabulary will only use appropriate personal data necessary to fulfil a particular purpose or purposes.
4. Where do we obtain personal data from?
In order to carry out the purposes described under Section 1 above Derbyshire Constabulary may collect personal data from a wide variety of sources, other than directly from you, including the following:
- Other law enforcement agencies;
- HM Revenue and Customs;
- International law enforcement agencies and bodies;
- Licensing authorities;
- Legal representatives;
- Prosecuting authorities;
- Defence solicitors;
- Security companies;
- Partner agencies involved in crime and disorder strategies;
- Private sector organisations working with the police in anti-crime strategies;
- Voluntary sector organisations;
- Approved organisations and people working with the police;
- Independent Police Complaints Commission;
- Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS);
- Office of the Police and Crime Commissioner (OPCC);
- Central government, governmental agencies and departments;
- Emergency services;
- Relatives, guardians or other persons associated with the individual;
- Current, past or prospective employers of the individual;
- Healthcare, social and welfare advisers or practitioners;
- Education, training establishments and examining bodies;
- Business associates and other professional advisors;
- Employees and agents of Derbyshire Constabulary;
- Suppliers, providers of goods or services;
- Persons making an enquiry or complaint;
- Financial organisations and advisors;
- Credit reference agencies;
- Survey and research organisations;
- Trade, employer associations and professional bodies;
- Local government;
- Voluntary and charitable organisations;
- Ombudsmen and regulatory authorities;
- The media;
- Data Processors working on behalf of Derbyshire Constabulary.
- ANPR (Automatic Number Plate Recognition)
Derbyshire Constabulary may also obtain personal data from other sources such as its own CCTV systems, Body Worn Video footage or correspondence.
5. What is our lawful basis for processing this information?
Derbyshire Constabulary will only use your personal data where we have an appropriate lawful basis for doing so, for example we use your personal data where:
- We need to use the information to comply with our legal obligations;
- We need to use the information for the performance of a task in the public interest;
- We need to use the information to perform a contract with you;
- We need to use the information to comply with law enforcement;
- We need to use the information to protect yours or someone else’s life;
- We have your consent to process the data for a specific purpose.
Where we rely on your consent to process data, you have the right to withdraw this at any time. To withdraw consent please contact the Data Protection Team using the details provided, or as specified on the relevant consent form.
6. How do we process personal data?
In order to achieve the purposes described under Section 1 Derbyshire Constabulary will handle personal data in accordance with the Data Protection Act 2018 and the GDPR.
Where we are processing data for the General Purposes we will ensure that any personal data is:
- Processed lawfully, fairly, in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
Where we are processing personal data for Law Enforcement purposes we will ensure that any personal data is:
- “Processed lawfully and fairly;
- Collected for specified, explicit and legitimate purposes and not processed in a manner incompatible with the purpose for which it was originally collected;
- Adequate, relevant and not excessive in relation to the purpose for which it is processed;
- Accurate and, where necessary, kept up to date, and;
- Every reasonable step must be taken to ensure that personal data is accurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay;
- Kept for no longer than is necessary for the purpose for which it is processed. Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes;
- Processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).”
7. How long does Derbyshire Constabulary retain personal data?
Derbyshire Constabulary keeps your personal data for as long as is necessary for the particular purpose or purposes for which it is held. Personal data which is placed on the Police National Computer is retained, reviewed and deleted in accordance with the agreed national retention periods which are subject to periodic change.
Other records containing personal data relating to intelligence, digital media, custody, crime, firearms, child abuse investigations, and domestic violence will be retained in accordance with the NPCC endorsed guidance on the Management of Police Information (MoPI) 2006, (this can be found on the College of Policing’s website www.app.college.police.ukExternal Link) and the National Retention and Disposal Schedule which the Constabulary has adopted, (this can be found on the National Police Chief’s Council website www.npcc.police.ukExternal Link).
Derbyshire Constabulary also manages personal data in accordance with our Review, Retain and Disposal Policy.
8. How do we ensure the security of personal data?
Derbyshire Constabulary takes the security of all personal data under our control very seriously. We will comply with the relevant parts of the Data Protection Act 2018, the GDPR and LED relating to security, and seek to comply with the National Police Chiefs Council (NPCC) and relevant parts of the ISO27001 Information Security Standard.
We will ensure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection, to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any personal data contained within them. These procedures are continuously managed and enhanced to ensure up-to-date security.
9. Who do we disclose personal data to?
In order to carry out the purposes described under Section 1, above Derbyshire Constabulary may disclose personal data to a wide variety of recipients in any part of the world, including those from whom personal data is obtained (as listed above). Recipients of the data may include:
- Law enforcement agencies (including international agencies)
- businesses (including security companies, and other supplies of goods and services) and other private sector organisations working with the police in anti-crime strategies
- partner agencies working on crime reduction or safeguarding initiatives
- agencies and other third parties concerned with the safeguarding of and investigation relating to international and domestic national security
- local authorities, national and local government departments and agencies (including the Home Office, HM Revenue and Customs, the Serious Fraud Office, the Child Maintenance Service, the National Fraud Initiative, and private safeguarding agencies)
- Police and Crime Commissioners
- legal representatives, prosecuting authorities, courts, prisons, and other partners in the criminal justice arena;
- victim support service providers
- bodies or individuals working on our behalf
- authorities involved in offender management
- ombudsmen, auditors and regulatory authorities
- other bodies or individuals where required under any legislation, rule of law, or court order
- other bodies or individuals where necessary to prevent harm to individuals
- the media.
We may also disclose to other bodies or individuals where necessary to prevent harm to individuals. Disclosures of personal data will be made on a case-by-case basis, using the personal data appropriate to a specific purpose and circumstances, and with necessary controls in place.
Some of the bodies or individuals to which we may disclose personal data are situated outside of the European Union - some of which do not have laws that protect data protection rights as extensively as in the United Kingdom. If we do transfer personal data to such territories, we will take proper steps to ensure that it is adequately protected as required by the Data Protection Act 2018.
Derbyshire Constabulary will also disclose personal data to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order. This may include disclosures to the Child Maintenance Service, the National Fraud Initiative, and the Home Office and to the Courts.
Derbyshire Constabulary may also disclose personal data on a discretionary basis for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.
Our website forms part of the national Digital Public Contact ProgrammeExternal Link. This means all completed online forms are automatically sent to us securely via the Central Police IT Team.
10. What rights do you have about how Derbyshire Constabulary manages your personal data?
The GDPR provides certain rights for individuals however all of these rights do not apply when it comes to Law Enforcement processing, and the applicable rights do not apply in all circumstances. Details of the rights are described below:
The right to be informed – You are entitled to be told how we obtain, use, retain and store your personal data and who we share it with. This is described within this Privacy Notice.
The right of access – Previously a Subject Access request. You can request access, which may be subject to some exemption, to a copy of information that may be held about you, along with information on what personal information we use, why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision making. You can usually make a request for access free of charge.
Details of the application process, known as ‘Right of Access’ can be found on this website.
Alternatively individuals may contact Derbyshire Constabulary by using the contact details provided below; in person; via telephone or social media to make the request, however the preferred method is via the application process.
Data Protection Compliance Unit
Telephone (0300) 1228756
Or email: email@example.com
Rights of access do not apply to the processing of ‘relevant personal data’ , we can limit confirmation that we are processing data and any access to personal data, if necessary and proportionate in order to:
- Avoid obstruction to an official or legal inquiry, investigation or procedure;
- Avoid prejudicing prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties
- Protect public security; or
- Protect the rights and freedoms of others.
Where a limitation is in place the individual must be given an explanation of the reasons, unless providing this information undermines the purpose of imposing the restriction.
The right to rectification – Under Article 16 of the GDPR, individuals have the right to have inaccurate or incomplete personal data rectified. Derbyshire Constabulary can refuse this request where the data is necessary and proportionate or relates to ‘relevant personal data’ i.e. to avoid obstructing an official or legal inquiry, investigation or procedure, or to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties, as detailed above.
The request must be processed within one month, or three months in complex cases. Where a request is refused the individual must be notified and where no action is taken individuals have the right to be informed of how to seek a judicial remedy.
The right to erasure – Under Article 17 of the GDPR, individuals have the right to have personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- When the individual withdraws consent
- When the individual objects to the processing and there is no overriding legitimate interest for continuing with the processing
- When the personal data was unlawfully processed
- When the personal data has to be erased in order to comply with a legal obligation
- When the personal data is processed in relation to the offer of information society services to a child
Derbyshire Constabulary can refuse such a request where it is necessary and proportionate or relates to 'relevant personal data', i.e. to avoid obstructing an official or legal inquiry, investigation or procedure or to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties, as detailed above. The erasure of personal data relating to criminal offences cannot be considered until its full period of retention has been reached (as detailed in the National Retention and Disposal Schedule which has been adopted by Derbyshire Constabulary).
The right to restrict processing – Under Article 18 of the GDPR, individuals have the right to restrict the processing of personal data, for example, if an individual believes that the data is incorrect but it is not possible to confirm the accuracy of the data. Derbyshire Constabulary can refuse such a request where it is necessary and proportionate or relates to ‘relevant personal data’, in order to avoid obstructing an official or legal inquiry, investigation or procedure or to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties, as described above.
Where a request is received the individual must be informed in writing as to whether Derbyshire Police have granted the request; and if it has been refused, the reasons why.
The right to data portability (not applicable to law enforcement processing) - Under Article 20 of the GDPR, individuals have the right to data portability which allows individuals to obtain and reuse their personal data for their own purposes across different service. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way without hindrance to usability. The personal data must be provided in a structured, commonly used and machine readable form. The information must be provided free of charge.
The right to object (not applicable to law enforcement processing) - Under Article 21 of the GDPR, individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), and processing for purposes of scientific research and statistics.
Rights in relation to automated decision making including profiling- Under Article 22 of the GDPR, individuals have the right to object to decisions made about them on the basis of automated processing including profiling, where those decisions have legal or other significant effects. This includes processing where there is no human intervention, for example where automated processes are used to sift recruitment applications.
An individual has the right to withdraw their consent – This does not apply to offenders or suspected offenders as the processing is necessary to perform a task within the public interest without their consent being given. There may however be circumstances in which individuals have given the Constabulary consent to use their information; this can be withdrawn at any time by writing to the Data Protection Officer using the details at section 12 Contact Us at the bottom of this notice, or as specified on the relevant consent form.
Individuals have the right to complain to the Information Commissioner’s Office if they believe that they are or have been adversely affected by the handling of personal data by Derbyshire Constabulary. Individuals may direct their complaint to the Information Commissioner’s Office:
The Information Commissioner’s Office
Telephone: 0303 123 1113
Website: www.ico.org.ukExternal Link
Derbyshire Constabulary may monitor or record and retain telephone calls, texts, emails and other electronic communications to and from the force in order to deter, prevent and detect inappropriate or criminal activity, to ensure security, and to assist the purposes described under section 1 above. Derbyshire Constabulary does not place a pre-recorded ‘fair processing notice’ on telephone lines that may receive emergency calls (including misdirected ones) because of the associated risk of harm that may be caused through the delay in response to the call.
12. Contact Us
Any individual with concerns over the way that Derbyshire Constabulary handles their personal data or for further details about the information contained within this Privacy Notice may contact the Data Protection Officer (DPO) at the details below:
Data Protection Officer
Tel: 0300 122 8756
Date of last update and changes
 ‘Personal Data’ is defined in Article 4 of the General Data Protection Regulation (GDPR). In practical terms it means any information handled by Derbyshire Constabulary that relates to an identified or identifiable natural person; an identifiable natural person is anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
 This document is designed to help satisfy the rules on giving privacy information to data subjects in Articles 12, 13 and 14 of the GDPR.
 Defined by the statutory Code of Practice on the Management of Police Information 2005 as ‘protecting life and property, preserving order, preventing the commission of offences, bringing offenders to justice, and any duty or responsibility of the police arising from common or statute law.’
 Derbyshire Constabulary is required to conduct Customer Satisfaction Surveys to evaluate our performance and effectiveness. We may contact individuals, such as victims of crime or those reporting incidents, and ask them to give us their opinion of the services we are providing to the public. We use the information given to improve our service and wherever we can, Derbyshire Constabulary, like many police forces uses a private company to undertake such surveys on our behalf with strict controls to protect the personal data of those involved.
 Relevant personal data’ means personal data contained in a judicial decision or in other documents relating to the investigation or proceedings which are created by or on behalf of a court or other judicial authority. Access to ‘relevant personal data’ is governed by the appropriate legislation covering the disclosure of information in criminal proceedings, such as (in England and Wales) the Criminal Procedure and Investigations Act 1996.