Legitimate Interest Statement
(Under provisions of the General Data Protection Regulation)

The Safer Medway Partnership (SMP) shall process personal information (information that can identify an individual), for the purpose of protecting its members, their staff and property from low-level crime and anti-social behaviour which is in the public interest.

The SMP shall process this information under Article 6(1) of the General Data Protection regulations as they have a public interest in doing so and is for the legitimate interest of the data controller. In each case, this is to prevent and detect crime as well as to protect the members, their staff, property and the public from low-level crime and anti-social behaviour.

The SMP shall collect, store, analyse, collate and share with members and Kent Police; such information for the purposes of preventing and detecting low level crime and anti-social behaviour, serving exclusion notices, Community Protection Warnings and Notices under the Anti-Social Behaviour, Crime and Policing Act 2014.

The information shall be limited to names, addresses, date of birth, images and criminal and anti-social behaviour reports regarding individuals in and around member’s properties. 

We shall also keep a record of a subject’s ethnicity. In terms of the keeping of ethnicity records, this is required as a main identifying feature. It is classed under the General Data Protection Regulation as ‘Special category data’ and needs separate explanation. 

Under the Data Protection Bill Part 2 (Substantial Public Interest Conditions), data such as ethnicity can be held for a number of reasons. In the case of the SMP, we hold the information for the reasons held above and under Part 2 section 8 – Preventing or detecting unlawful acts and section 9 – Protecting the public against dishonesty etc. 

The processing of data is necessary to prevent and detect crime and anti-social behaviour, thereby protecting members’, their staff and property. This information is essential for the effective management of this Business Crime Partnership (SMP). The partnership only works within the boundaries of Medway Council. Data is only shared with the members who have all signed Data Protection agreements and with the police under an information sharing agreement. Our neighbouring Business Crime Partnership data processing managers are also members of the SMP. This allows us to share data for the same reasons of preventing and detecting crime in their areas and vice versa, when offenders from Medway travel to commit crime and anti-social behaviour. (They have the same statutory controls as the SMP).

The SMP shall also hold members details, including their name, e-mail address, postal address and telephone number. This is to enable communication with the members by the SMP.
 
Data Management & Processing Policy
(Under provisions of the General Data Protection Regulation)
 
Technical & Organisation system:
The Safer Medway Partnership utilises an electronic system managed by Whyte Studio, 40 Ardent Road, Whitfield, Dover, Kent, CT16 2GH.   
 Access to the SMP site is strictly controlled to members who have signed Data Protection agreements and who have been briefed about security, risk assessments and their liabilities under the law concerning data protection.

No paper records are provided to users and members by the Data Processor. As such they can only access the system via their password. 

What we do:

The manager of the system and Data Manager is John Brice, CSU, Medway Police Station, Purser Way, Gillingham, Kent, ME7 1NE. 07768-717545.

The purpose of the processing of the data held is to for protecting its members, their staff and property from low-level crime and anti-social behaviour which is in the public interest.

Data Subjects: The data of those held on the system shall be offenders and vulnerable people who are involved in low level crime and anti-social behaviour.

We shall hold details of their name, address, date of birth, ethnicity (under special category data) and information about incidents they have been involved in.

Recipients of the data include all members of the SMP, Kent Police under a legal Information Sharing Agreement and neighbouring Business Crime Partnership Data Processors who are also handling similar systems in adjoining towns. 

Data Retention: We shall retain data for as long as a subject is ‘active’ in our locality. 

However, data over two years old will be deleted under yearly audits e.g. even if a subject is active, any incidents over 2 years previously shall be deleted. 

If a subject only comes to notice once and no further reports are received, they shall be deleted after 18 months.

Images of unidentified offenders shall be deleted after 2 years.

Information regarding vulnerable persons shall be held for the same time period as above.

Information concerning persons under 14 shall not be retained unless there is a significant public interest and the agreement is obtained from the police and the SMP board.

Information regarding persons under 18 shall be retained if they are active but this shall be deleted if they have not come to notice for more than 12 months. 

The above limits are to ensure that data is kept no longer than necessary to prevent and detect offending against members, their staff and property. Once it can be assumed they are no longer of interest and not involved in such behaviour locally, their records shall be deleted. 

Technical & Organisation security measures:
Technical security information regarding the data system can be obtained from Whyte Studio, 40 Ardent Road, Whitfield, Dover, Kent, CT16 2GH.

Security within the SMP and its members is handled by the Data Processor, who reports directly to the SMP Board. Any security issues are dealt with under the Data Protection Agreement signed by all members and statutory law if necessary.

Under the General Data Protection Regulation, any breach has to be reported to the Information Commissioner’s Office (ICO) within 72 hours of discovery. 

If a breach is identified, the subject identified in the data breach, shall be informed by the Data Processor if they are not already aware.
 
Data Protection Impact Assessment (1st March 2018)
(Under provisions of the General Data Protection Regulation)
 
This Privacy Impact Assessment has been carried out in accordance with the Information Commissioners Office (ICO) Code of Practice and the provisions of the General Data Protection Regulation (GDPR).

Description of processing operations and purposes:
The SMP gathers information from its members and Kent Police concerning low level criminal activity and anti-social behaviour by subjects in and around member’s properties and staff. 

The information is assessed and a decision taken by the Data Processor with regard to whether it shall be placed on the system and circulated to members via the secure system. We do not compel subjects about themselves, information is provided by members on a voluntary basis. 

The information can be accessed only by members who have signed a Data Protection agreement and who have been briefed about handling this information sensitively and securely. They are aware that a breach of the agreement may result in disciplinary or criminal sanctions. They are also aware that any breach shall be reported to the Information Commissioners Office within 72 hours of the breach being identified. 

Necessity and Proportionality:
Information is only used and disseminated to members that had been deemed to be a proportionate and necessary use of that data to protect members, their staff and property from low-level crime and anti-social behaviour. 

The information shall be limited to names, addresses, date of birth, images and criminal and anti-social behaviour reports regarding individuals in and around the member’s properties. 

We shall also keep a record of a subject’s ethnicity. In terms of the keeping of ethnicity records, this is required as a main identifying feature. It is classed under the General Data Protection Regulation as ‘Special category data’ and needs separate explanation. 

Under the Data Protection Bill Part 2 (Substantial Public Interest Conditions), data such as ethnicity can be held for a number of reasons such as the fact we have a substantial public interest in keeping the data. In the case of the SMP we hold the information for the reasons held above and under Part 2, section 8 – Preventing or detecting unlawful acts and section 9 – Protecting the public against dishonesty etc. 

The information is essential for the effective management of this Business Crime Partnership. The (SMP) partnership only works within the boundaries of Medway Council. Data is only shared with the members who have all signed Data Protection agreements and with the police under an information sharing agreement. Our neighbouring Business Crime Partnership data processing managers are also members of the SMP. This allows us to share data for the same reasons of preventing and detecting crime in their areas and vice versa, when offenders from Medway travel to commit crime and anti-social behaviour. (They have the same statutory controls at the SMP).

We do not collect information about sexuality, political activity, banking, journalistic material or any information concerning a data subject’s health or their treatment. We do not hold details of criminal records; we only hold up to the past 2 year’s data of that individual’s behaviour locally. 

We do not employ any technical device or other technology to obtain this data and we do not use intrusive methods.

The information is such that it will allow the SMP to decide upon exclusion notices, Community Protection warnings and notices in conjunction with the Police and Medway Council. Other than under these notices and warnings, a decision to bar entry to a member’s business is purely for the manager/staff of that business. They can however, utilise the data recorded to support their decision, but the decision is theirs alone.

Risk to data subject:
The main risk to the data subject is that their details and activities become widely known because ‘someone’ within the membership divulges the data to a non-member. 

The risk of someone identifying a data subject because of unauthorised disclosure, can lead to an individual subject being further identified in the media, social media or in a face to face situation. 

Most of the subjects are very active criminally and are already well-known as such by many people in the locality. However, there is a risk that some relatively unknown data subjects may be identified and this may cause them adverse problems with their family, friends and neighbours. 

Risk to SMP and members:
A breach of Data protection would bring adverse publicity to the scheme and the member involved. Medway Council, due to its close association, may also suffer adverse publicity. A breach may also lead to a prosecution and heavy fine by the Information Commissioners Office.

Measures to address the risk:
All members have signed agreements to protect the subject data and we have posted the details on our system of all subscribing members. This allows members to identify other members who they can discuss subject data with, without breaching privacy and data protections agreements. This reduces the risk of inadvertent disclosure to non-members.

Once a member has processed the data and passed it to the Data Manager, the member shall delete all such information from their records or systems. The information shall be held on the SMP intelligence system only.

The information if sent by e-mail shall be sent to a secure e-mail address. This is at this time is: john@safermedway.com

The information is checked at processing to ensure that the data is correct to prevent incorrect recording. Provided the information is reviewed and analysed before being entered into the system and circulated, then the risk is reduced considerably. 

The privacy risks have been approved by the Board of the SMP. The Data Processor responsible for in-put of data is answerable to the Board.
Any breach of Data Protection is the responsibility of the person divulging that data to a non-member. They have each signed an agreement accepting the regulations and the fact that they can be held accountable both locally and statutorily for any breach. 

In terms of the risk to vulnerable persons and persons under the age of 18 years, the risk is the same as those above. If such a disclosure occurs, the parents/guardians or next of kin of those involved shall be informed as soon as possible. Consideration shall also be given to informing the police if it is deemed necessary for public protection reasons. 

All members are regularly required to re-sign the data protection agreement electronically and the Data Manager holds a signed hard copy for each member as well. They are periodically reminded of their responsibilities and liabilities under the act.

In terms of the Information technology, this is managed by Whyte Studio at 40 Ardent Road, Whitfield, Dover, Kent, CT16 2GH. They manage the security of the system and have technical support and facilities commensurate with the systems needs and that of the General Data Protection Regulations. In addition to managing the SMP system, they managed several similar systems across the county.
 
Balance of Interests Assessment
(Under the provisions of the General Data Protection Regulation)

The SMP balances the legitimate interests of the scheme against the impact on a subject. 

A data subject may not reasonably expect the SMP to use their personal data in the manner in which it does; and as such their interest would over-ride the interests of the SMP and its members. 

However, offenders and suspected offenders have no right to commit crime and anti-social behaviour. The need to protect members, their staff and business property is a legitimate interest as far as the General Data Protection Regulation is concerned. 

As such the impact upon the individual data subject is such that this balances the interests of both parties. The SMP scheme collates information that is only used and disseminated to members, that has been deemed to be a proportionate and necessary use of that data to protect members; their staff and property from low-level crime and anti-social behaviour. 

The information shall be limited to names, addresses, date of birth, images and criminal and anti-social behaviour reports regarding individuals in and around the member’s properties. 

We shall also keep a record of a subject’s ethnicity. In terms of the keeping of ethnicity records, this is required as a main identifying feature. It is classed under the General Data Protection Regulation as ‘Special category data’ and needs separate explanation. 

Under the Data Protection Bill Part 2 (Substantial Public Interest Conditions), data such as ethnicity and criminal record information can be held for a number of reasons. In the case of the SMP we hold the information for the following reasons: It is necessary for reasons of ‘substantial public interest’ on the basis of law, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide measures to safe guard the rights of the data subject. In addition, under Part 2, section 8 – Preventing or detecting unlawful acts and section 9 – Protecting the public against dishonesty etc. 

The information is essential for the effective management of this (SMP) Business Crime Partnership. The partnership only works within the boundaries of Medway Council. Data is only shared with the members who have all signed Data Protection agreements and with the police under an information sharing agreement. Our neighbouring Business Crime Partnership data processing managers are also members of the SMP. This allows us to share data for the same reasons of preventing and detecting crime in their areas and vice versa, when offenders from Medway travel to commit crime and anti-social behaviour. (They have the same statutory controls as the SMP).

We do not collect information about sexuality, political activity, banking, journalistic material or any information concerning a data subject’s health or their treatment. We do not hold details of criminal records; we only hold up to the past 2 year’s data of that individual’s behaviour locally. 

The main risk to the data subject is that their details and activities become widely known because ‘someone’ within the membership divulges the data to a non-member. 

The risk of someone identifying a data subject because of unauthorised disclosure, can lead to an individual subject being further identified in the media, social media or in a face to face situation. 

Most of the subjects are very active criminally and are already well-known as such by many people in the locality. However, there is a risk that some relatively unknown data subjects may be identified and this may cause them adverse problems with their family, friends and neighbours. 

Measures to address the risk:
All members have signed agreements to protect the subject data and we have posted the details on the password protected system of all subscribing members. This allows members to identify other members who they can discuss subject data with, without breaching privacy and data protections agreements. This reduces the risk of inadvertent disclosure to non-members.

Information is checked at processing to ensure that the data is correct to prevent incorrect recording of data. Provided the information is reviewed and analysed before being entered into the system and circulated, then the risk is reduced considerably. 

The privacy risks have been approved by the Board of the SMP. The Data Processor responsible for in-put of data is answerable to the SMP Board.
Privacy Notice (Fair Processing Notice)
(Under the provisions of the General Data Protection Regulation)

The SMP gives notice of the following Privacy and fair processing notice:
 
What we collect:
We collect information relating to persons committing or suspected of committing low level crime and anti-social behaviour in Medway, Kent.
The information shall be limited to names, addresses, dates of birth, images and criminal and anti-social behaviour reports regarding individuals in and around the member’s properties. We shall also keep a record of a subject’s ethnicity. In terms of the keeping of ethnicity records, this is required as a main identifying feature. It is classed under the General Data Protection Regulation as ‘Special category data’ and needs separate explanation. Under the Data Protection Bill Part 2 (Substantial Public Interest Conditions), data such as ethnicity can be held for a number of reasons. 

Why we collect data & who we share it with:
In the case of the SMP, we hold the information for the following reasons: It is necessary for reasons of ‘substantial public interest’ on the basis of law, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide measures to safe guard the rights of the data subject. In addition, under Part 2, section 8 – Preventing or detecting unlawful acts and section 9 – Protecting the public against dishonesty etc. 
 
Information is processed and maintained on a lawful basis under the General Data Protection Regulation and Data Protection Bill. As such the impact upon the individual data subject is such that this balances the interests of both parties. The SMP scheme collates information that is only used and disseminated to members, that has been deemed to be a proportionate and necessary use of that data to protect members; their staff and property from low-level crime and anti-social behaviour. 

Data Retention, how long is it kept?
We shall retain data for as long as a subject is ‘active’ in our locality. 
 
System management & security:
Technical security information regarding the data system can be obtained from Whyte Studio, 40 Ardent Road, Whitfield, Dover, Kent, CT16 2GH.

Security within the SMP and its members is handled by the Data Processor, who reports directly to the Board. Any security issues are dealt with under the Data Protection Agreement signed by all members and statutory law if necessary.

Under the General Data Protection Regulation, any breach has to be reported to the Information Commissioner’s Office (ICO) within 72 hours of discovery. 

If a breach is identified, the subject identified in the data breach, shall be informed by the Data Processor if they are not already aware.

Subject access and objections:

Standard Operating Procedures for The Safer Medway Partnership

All documents shall be reviewed on a planned pro-active basis. This shall be at least once a year.

An audit shall take place of the data system at least once a year to remove old files. Details of files removed shall be recorded by the SMP Data Manager.

All subject data access requests shall be responded to and processed within 30 days of their receipt.

The Data Manager shall acknowledge receipt of the request and satisfy him/herself as to the identity of the applicant and may require confirmation in person by facial recognition.

The Data manager shall gather the necessary data, remove anything that refers to a third party’s identity and produce it in a readable format.
They shall then inform the data subject that they can require any corrections if they can demonstrate it is incorrect, unnecessary or disproportionate. 

The whole process shall be documented and filed for 6 years.

Any breach of personnel data, will be reported to the SMP Data Manager as soon as possible upon its discovery. After consultation the matter will be reported to the Information Commissioners Office (ICO) within 72 hours of the breach being discovered.  

The Data subject shall also be informed if there is a high risk to the rights and freedoms of the data subject concerned. 

The Data Processor shall brief the SMP Board in an emergency meeting upon identifying any breach.

The Data Processor shall immediately withdraw the access rights of any member alleged to have breached data protection and privacy. The board unless directed to do otherwise by the ICO; shall consider any further measures and whether the matter should also be reported to the police. 

The SMP shall be registered with the Information Commissioners Office as holding such data. 
 
Data Integrity Statement & Agreement with member
 
The Data Protection Act 1998, is being updated in May 2018 with the General Data Protection Regulations and the Data Protection Bill.

These acts and bills regulate the obtaining, storing, processing and disclosure of personal data about living persons. All such processing must be in compliance with the provisions of these acts of legislation. In the event of non-compliance, the Information Commissioners Office may take enforcement action against anyone breaching the provisions. 

Particular obligations are placed on the partnership of the SMP and its members must comply with the principles of Data Protection and Privacy.

The principles are:
 
  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained for only one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which they are processed.
  4. Personal data shall be accurate and where necessary kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under the acts.
  7. Data shall be kept secure. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and accidental loss or destruction of or damage to such personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures adequate levels of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The SMP is an initiative operated by businesses in partnership with the police and other agencies through agreement with each of the members who have agreed to the principles set out in the agreement and protocols. 

The SMP Data Manager is responsible for all matters concerning the management of the partnership. All data shall be processed in accordance with Data Protection law and the General Data Protection Regulation and Data Protection Bill. Disclosure of personal data to members of the SMP shall be approved by the Data Processor/Manager only when relevant to the purposes of the partnership and it is lawful to do so.

Personal data consists of all information relating to a living individual, who can be identified from that information. The Data Subject is the individual the information refers to.

Data means information which:
  1. Is being processed by means of equipment operating automatically in response to instructions given for that purpose.
  2. Is recorded with the intention that it should be processed by means of such equipment.
  3. Is recorded as part of a relevant filing system (SMP Whyte Studio), or with the intention that it should form part of a relevant filing system or
  4. Does not fall within points 1, 2 or 3 above but forms part of an accessible record.

Processing in relation to personal data means obtaining, recording or holding information or data or any operation in relation to data including:
 
  1. Organisation, adaptation or alteration of the information or data.
  2. Retrieval, consultation or use of the information or data.
  3. Disclosure of the information or data by transmission, or otherwise making it available.
  4. Alignment, combination, blocking, erasure o destruction of information or data.

Disclosure of personal data to members of the SMP will relate to:

The prevention and detection of crime, & to protect members, their staff, property and the public from low level crime and anti-social behaviour.
 
Data shall not be disclosed to any non-member of the SMP, unless required to do so by law or by a court order or ruling, regulatory body or tribunal. If any member is required to do so, they must inform the Data processor/Manager as soon as possible.

Data security
Appropriate security measures will be taken to ensure that personal data is kept securely in accordance with (SMP) partnership protocols. Members must prevent unauthorised access to or alteration, disclosure, accidental loss or destruction of such personal data. This may constitute a breach of the act/bill. And may lead to further action.

No images or personal data shall be printed from the secure Disc system.

All information passed to the SMP or other affiliated members, shall be via secure channels. 

In considering passing personal data or information to other members, the member will undertake the following:
The SMP Member’s agreement:
I confirm that I understand the responsibilities relating to the management of personal data/information about living persons contained within this Data Integrity Statement. I undertake to ensure that any information/data to which I have access will be managed according to the Data Protection principles.

I understand that any breach may lead to SMP disciplinary procedures and may lead to investigation by the Information Commissioner’s Office (ICO) and the police. This in turn may lead to prosecution. 

I have received a copy of the Data Integrity Statement and protocols. I understand its contents and agree to operate within these condition, policies and procedures. 

Where ever reasonably possible, when an offender is identified, they shall be informed that their data shall be passed to the SMP to prevent and detect future crime and to protect members, their staff, property and the public from further low-level crime and anti-social behaviour.
I will delete any data including images of persons once I have communicated and sent that material to the data manager at the SMP.


Name…………………………………………………

Store………………………………………………………………. Position………………………………………………………

Signature……………………………………………………………………..Dated……………………………………………..