Police CyberAlarm Tool Privacy Policy

The purpose of this document is to provide information about how Police CyberAlarm uses personal data.

It is not possible and/or would involve disproportionate effort for controllers to individually notify each individual whose personal data may be processed using this tool.

Member organisations which sign up to Police CyberAlarm are required to provide information to data subjects as to how their personal data will be used, and may be transferred to law enforcement agencies as part of their membership of Police CyberAlarm.

In addition, law enforcement entities which utilise Police CyberAlarm make their respective privacy policies available on their own websites.

Nevertheless, on behalf of each of the law enforcement entities which utilise Police CyberAlarm, the National Police Chiefs’ Council (NPCC) provides the following additional information concerning the processing of personal data specifically in connection with Police CyberAlarm.

1. Controller

Police CyberAlarm is a tool made available by the NPCC for police forces throughout the United Kingdom to sign up to and to offer to businesses and other organisations within their force area that wish to become member organisations.

When an entity decides why and how personal data is used, it is a “controller” of those data and is required to ensure that it handles those data in accordance with the law. The relevant data controller in respect of personal data once transferred by the member organisation is the Police Force in whose force area the relevant member organisation is registered.

However, for the ease of data subjects, any communication or request relating to the programme may be directed to the NPCC on behalf of the relevant controller.

Our contact details are as follows:

National Police Chiefs' Council
10 Victoria Street
London
SW1H 0NN
United Kingdom

info@npcc.pnn.police.uk

Our Data Protection Officer may be contacted using the following contact details:

dpo@npcc.police.uk

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance either using the contact webform on this site or using the contact details above.

2. Categories of personal data

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data from which identifying information has been removed (anonymous data).

The personal data collected and processed in connection with the deployment of the Police CyberAlarm tool will include personal data, and criminal conviction and offence data (i.e. personal data relating to the alleged commission of offences by the data subject) and may include special category personal data (which may be inferred).

Personal data collected from member organisations will be comprised of:

  • online identifiers:
    • IP address;
    • Device name;
    • Device ID;
    • Source/Sender email address;
    • Recipient email address;
    • Message subject;
    • Mail ID;
    • Attachment name;
    • Source domain name;
    • Source IP address;
    • Destination IP address;
    • Country code;
    • Username; and
    • Timezone.
  • Conduct data, i.e. information relating to the conduct which led to it being identified as suspicious activity.

Data pertaining to suspicious firewall activity will be collated, analysed and may be matched against other data sources. Where an investigation is launched into suspicious firewall activity, further personal data may be sought and collected, which may include special category data, and this will take place in accordance with the relevant law enforcement agency’s own privacy policy.

  • geolocation data relating to the source of suspicious activity, comprising: 2 letter continent code, 2 letter country code, country name, city or area of a city, postal code, latitude and longitude of approximate location, percentage confidence in location data;
  • Connection data relating to the source of suspicious activity: connection type, organisation to which IP address is registered, whether TOR or a VPN is used, and if so which; and,
  • Harm score and resolvability score.

Where an investigation is launched into suspicious activity, further personal data may be sought and collected, which may include special category data, and/or further data matching may occur, including against existing law enforcement records, and this will take place in accordance with the relevant law enforcement agency’s own privacy policy.

3. Purpose and legal basis for processing

The processing of personal data for these purposes is authorised on the basis that it is necessary for the fulfilment of tasks carried out for the law enforcement purposes by the relevant controllers and, in relation to sensitive processing, is strictly necessary for the exercise of statutory or other functions (including as set out in the Police and Criminal Evidence Act 1984, the Police Act 1996, the Police Reform Act 2002 and other enactments conferring powers or duties), is for reasons of substantial public interest and the relevant controller has an appropriate policy document in place.

These functions include:

  • protecting life and property;
  • preserving order;
  • preventing the commission of offences;
  • bringing offenders to justice; and,
  • any duty or responsibility arising from common or statute law.

4. Source(s) of personal data

Member organisations will be the primary sources of personal data collected in connection with Police CyberAlarm.

In addition, public domain and other third party resources will be utilised to augment the personal data obtained from member organisations.

Police Forces may obtain personal data from other Police Forces and law enforcement agencies, third parties, and from the public domain.

5. Recipient(s) of personal data

We may share your personal data with the parties set out below in connection with the law enforcement purposes detailed above:

  • Member organisations;
  • UK Police Forces and the National Police Chiefs’ Council;
  • Other law enforcement and intelligence entities, such as the National Crime Agency and the National Cyber Security Centre;
  • Our third party service providers; and,
  • Our professional advisers.

6. Relevant international transfers

Personal data is not routinely transferred outside the UK in connection with Police CyberAlarm.

7. Data retention

Personal data initially identified as constituting suspicious firewall activity is analysed and, if it is not verified as being suspicious, will be deleted within 24 hours. If personal data is verified as being suspicious but is not correlated with further suspicious firewall activity, it will be deleted after 9 months at the latest.

Personal data extracted from Police CyberAlarm will be retained in line with the relevant controller’s retention policy and in accordance with the Management of Police Information, taking into account the type, content and sensitivity of the data, related records, the purposes for which the personal data is processed, and any legal or business requirements. Personal data will be retained for as long as necessary for the particular purpose or purposes for which it is held.

8. Legal rights

You have the right, with some exceptions, to ask us to inform you whether or not your personal data is being processed in the context of Police CyberAlarm and to provide you with certain information relating to the processing of your personal data and a copy of any personal data we hold about you.

If the information we hold about you is inaccurate, you can notify us and ask us to correct or supplement it.

If you have a complaint about how we have handled your personal data, you may be able to ask us to restrict how we use your personal data while your complaint is investigated.

In some circumstances you can ask us to erase your personal data, if we are under a legal obligation to erase it or if our processing would infringe certain provisions of the Data Protection Act 2018.

To exercise these rights, we need to be suitably satisfied of your identity and so may request that you provide identification documents or confirm other details we may hold about you.

You can exercise these rights by contacting the NPCC’s Data Protection Officer at the above address. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We try to respond to all legitimate requests without undue delay and in any event within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you are not happy with our response, you can contact the Information Commissioner's Office: https://ico.org.uk.

We keep this information under regular review. This version was last updated in March 2022.