Skip to main content

Privacy Policy

Title: Privacy Policy
Policy Owner: Chief Executive
Policy Writer: Executive Officer
Policy Number: 27
Effective Date: 25.08.2018
Review Date: 01.04.2024
Version: Version 2.0 (Updated 1.4.2020)


This Policy explains how the Police and Crime Commissioner (PCC) obtains, holds, uses and discloses information about individuals and the steps taken to ensure that information is protected.

Our Statement

“The Police and Crime Commissioner is committed to protecting your privacy and processing your personal data in accordance with the Data Protection Act (DPA) 2018 and General Data Protection Regulation (GDPR). Our Privacy Policy will provide you with reassurance and information on how we protect and process personal information”.

What do we do?

The PCC is elected by the public of North Wales, their main responsibilities are:-

  • To set the policing priorities for North Wales Police
  • To decide on the budget for North Wales Police
  • To hold the Chief Constable to account, and to
  • Listen and respond to the public’s views on policing

In carrying out their duties the PCC and his support staff will inevitably gather and maintain personal information. The PCC is committed to protecting people’s privacy and ensuring their Rights under data protection legislation are upheld therefore personal information will be processed only in accordance with this Policy.


The current legislation in the UK is the Data Protection Act 2018 (DPA 2018) and the EU General Data Protection Regulation (GDPR)

The PCC is bound by the DPA 2018 and GDPR.

Please note that individuals have many rights in how we process information, see Your Rights.

Data Controller

The Chief Executive of the Office of the PCC is registered with the Information Commissioner’s Office as the Data Controller. The contact details are noted below.

1. What personal information do we collect?

In order to carry out their duties the PCC may obtain, use and disclose personal information relating to or consisting of the following:

  • Personal details such as name and, address
  • Family, lifestyle and social circumstances
  • Education and training details
  • Employment details
  • Financial details
  • Goods or services provided
  • Political opinions
  • Business and financial interests
  • Trade union membership
  • Physical or mental health or condition
  • Complaint, incident and accident details
  • Offences (including alleged offences)
  • Criminal proceedings, outcomes and sentences
  • Sound and visual images
  • Criminal intelligence
  • References to manual records or files
  • Information relating to health and safety
  • Employment monitoring questionnaires for equality and diversity purposes will ask for details of race, ethnicity, gender, sexual orientation, marital status, age, disability, chronic illness, religion or beliefs.

2. Why we collect this information

We collect information in order to provide a service to the public in accordance with our policies, procedures and the PCC’s statutory duties.

This service will include:

  • Management of complaints and queries
  • Recruitment
  • Staff administration, occupational health and welfare
  • Management of public relations, journalism, advertising and media
  • Management of finance
  • Internal reviews, accounting and auditing
  • Training
  • Estate management
  • Insurance management
  • Vehicle and transport management
  • Payroll and benefits management
  • Vetting
  • Management of information technology systems
  • HR management
  • Legal services
  • Information provision
  • Licensing and registration
  • Pensions administration
  • Performance management
  • Procurement
  • Planning
  • Security
  • Health and safety management

3. Who provides us with personal information

Personal information may be provided by:-

  • Persons making an enquiry or complaint
  • Individuals themselves
  • Applicants for job vacancies
  • Referees of applicants for vacancies
  • Relatives, guardians or other persons associated with the individual
  • Other Police & Crime Commissioners
  • North Wales Police and other law enforcement agencies
  • HM Revenue and Customs
  • International law enforcement agencies and bodies
  • Legal representatives
  • Local Authority, Assembly and Parliamentary representatives
  • Assembly Members and Members of Parliament
  • Partner agencies involved in crime and disorder strategies
  • Private sector organisations working with the police in anti-crime strategies
  • Voluntary sector organisations
  • Approved organisations and people working with the police and PCC
  • Independent Office of Police Conduct (IOPC)
  • Her Majesty’s Inspectorate of Constabulary and Fire and Rescue Services (HMICFRS)
  • External and Internal Auditors
  • Central government, governmental agencies and departments
  • Local government
  • Emergency services
  • Current, past or prospective employers of the individual
  • Healthcare, social and welfare advisers or practitioners
  • Education/training establishments and examining bodies
  • Business associates and other professional advisors
  • Employees and agents of the Force
  • Suppliers, providers of goods or services
  • Financial organisations and advisors
  • Credit reference agencies
  • Survey and research organisations
  • Trade/employer associations and professional bodies
  • Voluntary and charitable organisations
  • Ombudsmen and regulatory authorities
  • The media
  • Data processors working on behalf for the Police and on behalf of the PCC
  • Commissioned service providers

4. Lawful bases for processing

There are six lawful bases for processing; these are Consent, Contract, Legal obligation, Vital interests, Public Task and Legitimate interests.

Legal Basis Will be applied in these situations
Consent The individual has given clear consent for us to process their personal data for a specific purpose. Parental consent will be sought for all individuals under the age of 13, who have not reached their 13th birthday. A separate Privacy Notice specifically for children will be provided. Individuals have a right to withdraw consent at any stage, see Your Rights.
Contract Processing of information is necessary for a contract that the PCC may have with an individual, or because they have asked the PCC to take specific steps before entering into a contract.
Legal obligation The processing is necessary for the PCC to comply with the law (not including contractual obligations).
Vital interests The processing is necessary to protect someone’s life.
Public Task The processing is necessary for the PCC to perform a task in the public interest or for official functions, and the task or function has a clear basis in law. If you have freely provided us with personal information for a specific purpose, our lawful basis for processing is that of a Public Task.
Legitimate interests The processing is necessary for legitimate reasons or the legitimate interests of a third party unless there is good reason to protect the individual’s personal data which overrides those legitimate interests. This does not apply to a public authority processing data to perform your official tasks.

Our aim is not to delay the process of processing information, but if we cannot identify a lawful basis for processing your information we will have to contact you to obtain your Consent (or Parental Consent in the case of children under the age of 13) which may cause a slight delay.

5. How we handle personal information

Personal information will be processed fairly and lawfully with appropriate justification. We will strive to ensure that any personal information used by or on behalf of the PCC is of the highest quality in terms of accuracy, relevance, adequacy and proportionality (it is not

excessive), is kept up-to-date as required, is protected appropriately, and is, reviewed, retained and securely destroyed when no longer required. See Your Rights.

6. How we secure it

The PCC takes the security of all personal information very seriously. The PCC will comply with the relevant parts of the DPA and GDPR relating to security. The PCC will ensure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection, to protect all manual and electronic information systems from data loss and misuse, and permit access to them only when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any personal information contained within them. These procedures are continuously managed and enhanced to ensure up-to-date security.

Our website and computer systems are protected by certified firewalls in order to protect your personal information from access by unauthorised persons and against unlawful processing. The website uses the latest technology and is backed up regularly. All outgoing and incoming emails are scanned for viruses.

7. Who might we share information with

The Office of the PCC is closely linked to North Wales Police and we have a shared service agreement and information sharing agreement in place. For us to achieve our duties we may need to share personal information with them. If we do not identify a legitimate basis to share your information we will seek your consent before doing so.

We will share some information without your consent only to report or prevent a crime, prevent fraud or if required by law.

With regard to complaints received, regulations allows for information to be referred to the appropriate authority. If a complaint is received by the Office of the Police and Crime Commissioner but the appropriate authority is the Chief Constable, the information will be immediately referred to the Chief Constable.

The Police and Crime Commissioner and the Independent Office for Police Conduct are the Relevant Review Bodies for police complaints. Requests for Reviews by the Police and Crime Commissioner will be referred to an independent consultant for their consideration.

8. How long do we keep hold of information

We keep personal information in line with our Retention and Destruction Policy. This means that we will, after a specified period destroy personal information contained in paper format or electronically.

In certain circumstances, we have a statutory obligation to keep personal information for a minimum period of time, for example financial information is retained for up to 7 years for taxation purposes.

9. Marketing

We would like to send you information about news and information of ours that we think you might like through our newsletter. Our newsletter is produced inhouse and distributed via our Outlook email system. As such, when you sign up to our newsletter, personal data in the form of your email address is stored securely on our systems

If you have agreed to receive marketing, you may always opt out at a later date.

You have the right at any time to stop the Office of Police and Crime Commissioner from contacting you for marketing purposes or giving your data to partner companies.

If you no longer wish to be contacted for marketing purposes, please click here.

10. Cookies

Cookies are used for collecting specific user information from our website; this collects only enough information for us to see which pages are most viewed. Overall, cookies help us provide a better website, by enabling us to monitor which pages are useful and which are not.

Our Cookie Policy on our website explains how you can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. Declining cookies may prevent you from taking full advantage of the website.

This statement covers only the PCC website and does not apply to other websites linked from our site. The PCC is not responsible for the content, performance, accuracy, privacy of external websites that may be linked from its site, although we endeavour to provide links only to reputable organisations. The views expressed on external sites and on any social networking services do not necessarily represent the views of, or endorsement by the PCC.

11. Your Rights

The right to be informed

Individuals have the right to be informed about the collection and use of their personal data. We will provide individuals with information including: our purposes for processing personal data, our retention periods for that personal data, and who it will be shared with. All the information relating to processing data is contained in this Policy. We will ensure that this Policy is easily available to individuals that access our website, attend our offices or contact us by mail or email.

The right to access

Individuals have a right to confirmation that their data is being processed, access to their information and other supplementary information contained in this Policy.

Accessing personal data in this way is known as making a 'subject access request'. The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.

Requests to access information should be made to the Data Controller, please see contact details below. We will respond to these requests within one calendar month.

The right to rectification

Individuals have the right for inaccurate personal data to be rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. We will respond to these requests within one calendar month, although in certain circumstances we do have the right to refuse a request for rectification.

The right to erasure or the right to be forgotten

Individuals have a right to have their personal data erased. Individuals can make a request for erasure verbally or in writing. We will respond to these requests within one calendar month. The right is not absolute and applies only in certain circumstances.

The right to restrict processing

Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and applies only in certain circumstances. When processing is restricted, you are permitted to store the personal data, but may not use it.

An individual can make a request for restriction verbally or in writing. We will respond to these requests within one calendar month.

The right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

An individual can make a request to transmit their personal data directly to another Data Controller without hindrance, if this is feasible, we will do this but we will have to consider the technical feasibility of transmission on a request by request basis.The right to object

Individuals have the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • *direct marketing (including profiling); and
  • *processing for purposes of scientific/historical research and statistics.

If an individual objects to their data being used, we will stop processing the personal data unless we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or the processing is for the establishment, exercise or defence of legal claims.

(*The PCC does not engage in direct marketing nor process data for scientific/historical research and statistics).

Rights in relation to automated decision making and profiling

The PCC does not carry out any automated decision-making or profiling. If he were to do so he would carry out a Data Protection Impact Assessment and revise this Privacy Policy accordingly.

12. How to complain or contact us

The Chief Executive of the Office of the PCC is registered with the Information Commissioner as the Data Controller.

 Name and Address: Data Controller Office of the Police and Crime Commissioner Police Headquarters Glan y Don Colwyn Bay
Telephone: 01492 805486
Website: www.nwpcc.CYMRU

13. Information Commissioner’s Office

If you have any concerns over the way the PCC has handled personal information the Data Controller can be contacted:

Name and Address: Information Commissioner’s Office – Wales 2nd Floor, Churchill House Churchill Way Cardiff CF10 2HH
Telephone: 0303 123 1113 or 029 2067 8400