This notice is provided in accordance with data protection legislation which incorporates the General Data Protection Regulations (GDPR) and has been created following the guidance issued by the Information Commissioner’s Office and in consideration of additional guidance material generated by the Home Office.
This notice sets out how those statutory obligations relating to the management of personal data will be addressed by the Surveillance Camera Commissioner (SCC) and the Surveillance Camera Commissioner Team (SCCT).
There are various elements of legislative requirements which have relevance to the management of personal data. Primarily these are the Data Protection Act 2018, GDPR, EU Law Enforcement Directives. For the purposes of this document they will be collectively referred to as ‘data protection legislation’.
Information will be provided in the language in which it is held or in such other language that is legally required. Where there is a legal requirement for the SCC to translate any information, it will do so within reasonable timescales. Obligations under disability and discrimination legislation and any other legislation to provide information in other forms and formats will be addressed when providing information in accordance with this scheme.
Who we are and what we do
The Surveillance Camera Commissioner (SCC) is appointed by and independent of government pursuant of Section 34(1) Protection of Freedoms Act 2012 (PoFA). He regulates the use of surveillance camera systems which are overtly operated in public places by relevant authorities in England and Wales and encourages all operators of surveillance camera systems to adopt the provisions of the Surveillance Camera Code of Practice which is issued by the Secretary of State. As an Arms Length Body (ALB) to the Home Office the Commissioner isa data controller who determines the purposes and means of processing personal data by his team within the parameters permissible by Home Office policies as it is Home Office systems which are used for the processing of personal information.
The SCC team (SCCT) is made up of four members of staff who are employed by the Home Office. They are data processors and are responsible for processing personal data on behalf of the controller (the SCC) within the parameters permissible by Home Office policies as it is Home Office systems which are used for the processing of personal information.
More information about the role of the SCC and his team is provided on the SCC website.
The SCC only uses Home Office systems in connection with the management of personal data and therefore the provisions of Home Office policy apply and are subject of direction and oversight by the Home Office DPO. Whereas the SCC regulatory function is a statutory responsibility which is independent of government and the Home Office, his communications and responsibilities are administered by a dedicated Home Office team using Home Office systems. Accordingly therefore the management of personal data using these systems is entirely a Home Office responsibility.
To assist the Home Office DPO, the SCCT have identified a Data Protection Lead Officer who will act as the key point of contact with the Home Office DPO in respect of all responsibilities which arise in respect of data protection legislation responsibilities.
The Data Protection Lead Officer is as follows:
Head of Policy and Support
Surveillance Camera Commissioner
Correspondence can be by post to:
The Surveillance Camera Commissioner
The Home Office
2 Marsham Street
Data Protection Officer
Since Personal Data processed by the ASC is done by Home Office Officials within the Science Secretariat we work closely with the Home Office Data Protection Officer. The Science Secretariat also has trained Data Protection Practitioners within the team.
The contact details of the Home Office Data Protection Officer:
Office of the DPO
2 Marsham Street
What data do we collect?
The following personal data is managed by the SCC/SCCT:
- personal data received in emails, letters and other communication/telecommunication from members of the public and external stakeholders
- personal data received and stored on Home Office allocated mobile communication devices
- personal data received from internal Home Office stakeholders including HR data
What we do with your data?
The SCC/SCCT performs a statutory role under the provisions of the Protection of Freedoms Act 2012 and therefore has a responsibility to record information received, to demonstrate legitimacy and transparency of the functions he undertakes in support of the public interest.
We will record and store your personal information in secure circumstances and thereafter ensure that we retain your data for no longer than is necessary. We will not share your personal data without first seeking and securing your informed consent unless there is a basis in law and a legitimate reason for us to do otherwise in connection with the business and responsibilities of the SCC.
All electronic based information which is received by SCC/SCCT is recorded and retained on Home Office systems. Emails and communications data are stored on secure Home Office electronic systems which are password protected and subject to internal review processes in consideration of our retention policy (see below).
Hard copy documentation is recorded and retained in secure storage and subject to internal review processes in consideration of our retention policy (see below).
What is our lawful basis for the processing of your data?
The role of SCC is created by virtue of Section 34(1) of the Protection of Freedoms Act 2012 (PoFA). The statutory responsibilities of the SCC arise from Section 34(2), 35(1) PoFA and Chapter 5 of the Surveillance Camera Code of Practice (SC Code). The SC Code is issued by the Secretary of State in accordance with Section 29 PoFA. The SCC has a responsibility to record information received, and to process it and retain it where to do so is necessary for him to discharge his statutory functions so as to demonstrate legitimacy and transparency of those functions he undertakes in support of the public interest.
‘Public Task’ is therefore the relevant lawful basis for the SCC processing personal data under the terms of data protection legislation.
The SCC has no involvement with processing operations that constitute automated decision making.
The SCC does not process ’special category material’.
We process your personal data to enable the SCC to effectively discharge his responsibilities. We will retain it securely only for as long as is necessary for the purposes for which it was collected, and will retain it no longer than the retention periods set out below.
We may share your data within the Home Office, with other regulators, with law enforcement and with others stakeholders but only in circumstances where it is necessary to do so for the lawful, diligent and expeditious undertaking of the Commissioner’s functions.
We will only share your data otherwise than in accordance with the above with your freely given and informed consent.
The table below sets out the types of personal data obtained by the SCC and his team, and the retention periods for such data:
|Formal letters and other written correspondence to and from SCC and SCC team
||Maximum of 4 years to accord with the duration of the SCC’s term of Commission plus one year. This is because matters will be of relevance to a statutory undertaking, public interest or matters in connection with which the SCC may be held to account and the extra year takes in to account the potential for a successor to be appointed and ensure continuity as necessary.
|Correspondence/communications data to and from SCC mailbox to public and external bodies/stakeholders.
||Maximum period of 12 months. This is because the SCC has to address, account for or otherwise make reference to matters which are communicated to him, some of which may be over a protracted period and involve a duty to retain records. An audit trail of a period no longer than this period is important in demonstrating transparency and integrity as an important matter of public confidence.
|Internal emails /communications data within Home Office.
||12 months – These are high volume messages which facilitate the administration of the SCC and support functions and occasionally include HR data. The rationale as above equally applies given that all members of SCC/SCCT hold public office.
|Expenses information from expenses claims from stakeholders
||Held for a period of 2 years. Details of stakeholder expenses claims made under Home Office rules following attendance at meetings/other legitimate purposes are processed by the science secretariat and held for 2 years to allow for appropriate auditing of Home Office accounts.
There will inevitably be exceptions to the above which out of necessity may arise from a legal responsibility or significant public interest.
Unless subject to an exemption under data protection legislation, you have the following rights in respect of your personal data:
- the right to request a copy of the personal data which the SCC and his team hold about you, and where possible, to transmit that data directly to another data controller
- the right to request the rectification of personal data which the SCC and his team hold about you
- the right to withdraw your consent to data processing where your consent has been specifically sought and obtained
- the right to request restrictions on further processing of your personal data
Such requests should be made to the Head of Policy and Support by email to the following address: firstname.lastname@example.org
Alternatively, requests may be made by post to:
The Surveillance Camera Commissioner
The Home Office
2 Marsham Street
You also have the right to complain to the Information Commissioner’s Office (ICO) if you are dissatisfied with the manner in which your personal data has been handled.
You can contact the ICO on 0303 123 1113 or via email by accessing the following link in their website https://www.ico.org.uk/global/contact-us/email/.
Alternatively, you can write to the ICO at:
The Information Commissioner's Office