Member Organisation Terms and Conditions
THESE TERMS AND CONDITIONS are made on the date that the Member Organisation provides all required information to enable the Police CyberAlarm service and accepts these Terms and Conditions via the website: https://cyberalarm.police.uk. The National Police Chiefs’ Council’s (NPCC), Cyber Crime Portfolio, held by the City of London Police (CoLP), are the hosts of the Police CyberAlarm (hereinafter referred to as the “NPCC”).
The Members;
The companies, organisations or other entities registered, including Managed Service Providers (MSP) or Nominated Third Parties to receive Police CyberAlarm (hereinafter referred to as the “Member or Member Organisation”), each a “Party” and, together, the “Parties”.
1. Background
1.1. The Police CyberAlarm monitors the logs of traffic seen by a Member’s connection to the internet; identifying and providing regular reports of suspicious and suspected malicious activity, enabling Members to minimise their vulnerabilities and risks. The Police CyberAlarm is managed by the NPCC Cyber Crime Team.
1.2. Members of Police CyberAlarm will become part of the wider UK cyber defence network, sharing collected data, as defined in Schedule 1, with law enforcement agencies, for analysis at local, regional and national levels; identifying trends, reacting to emerging threats, preventing criminal activity, protecting organisations and detecting, pursuing and prosecuting cyber criminals.
2. Applicable Terms
2.1. The terms at clauses 1 – 14 apply to all Members; by accepting these terms, the Member agrees to adhere to these terms as amended from time to time by the NPCC.
3. Definitions
3.1. The following words and phrases used in these Terms and Conditions (T&C) shall have the following meanings, except where the context otherwise requires.
3.1.1. The expressions Data, Controller, Data Subject, Processor, Processing, Personal Data, Personal Data Breach, and Pseudonymisation have the same meaning as in Article 4 of the UK GDPR.
3.1.2. Data Protection Legislation means (i) the UK GDPR, the Law Enforcement Directive (LED) and any applicable national implementing Laws as amended from time to time (ii) the Data Protection Act 2018 to the extent that it relates to processing of personal data and privacy and (iii) all applicable Law about the processing of personal data and privacy.
3.1.3. Special Categories of Personal Data has the same meaning as in Article 9 of the UK GDPR.
3.1.4. Criminal Conviction and Offence Data has the same meaning as in section 11 Data Protection Act 2018.
3.1.5. UK GDPR has the meaning set out at section 3(10) Data Protection Act 2018.
3.1.6. LED means the Law Enforcement Directive (Directive (EU) 2016/680).
3.1.7. Data Loss Event means any event that results, or may result, in unauthorised access to Personal Data processed pursuant to these T&Cs, and/or actual or potential loss and/or destruction of Personal Data in breach of these T&Cs, including any Personal Data Breach.
3.1.8. Data Subject Request means a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation to access or control their personal data.
3.1.9. Police Data means any Data including Personal Data, Special Categories of Personal Data and Criminal Conviction and Offence Data, collected by the NPCC and processed by it as identified in these T&Cs.
3.1.10. Police CyberAlarm Reports means the reports issued by or on behalf of the NPCC to the Member.
3.1.11. The Terms and Conditions (T&Cs) means these T&Cs together with its schedules and all other documents attached to or referred to as forming part of these T&Cs, including information submitted by the Member, when registering and accepting the terms and conditions therein.
3.1.12. Protective Measures means appropriate technical and organisational measures to protect the security, and in particular the confidentiality, integrity and availability of Personal Data, which may include: encryption, hashing, pseudonymising and encrypting Personal Data, ensuring availability and resilience of systems and services, the availability of and access, a timely restoration post-incident, and regularly assessing and evaluating the effectiveness of such measures adopted.
3.1.13. Law means any law, subordinate legislation within the meaning of Section 21(1) of the Interpretation Act 1978, bye-law, Statute, Statutory Instrument, regulation, order, regulatory policy, mandatory guidance or code of practice, judgment of a relevant court of law, or directives or requirements with which the Parties are bound to comply.
3.1.14. Confidential Information means all Police Data, Police CyberAlarm Reports, Police CyberAlarm user credentials and access codes, and any other information identified by the Parties as being confidential in nature and which is not legitimately in the public domain.
3.1.15. Police CyberAlarm means the services made available by the NPCC to the Member, pursuant to these T&Cs which may comprise of one or more of the following services (which may be amended from time to time) which the Member may elect to receive one or more of as part of the registration and as detailed in the confirmation: (i) the analysis of network based anti-virus log data; (ii) the analysis of network based intrusion detection log data; (iii) the analysis of network based spam logs; (iv) the analysis of external network traffic (firewall) logs; (v) the analysis of web server logs; (vi) the analysis of content delivery network logs; and (vii) the provision of reporting to Members regarding the vulnerability scanning and analysis undertaken in relation to the services elected to be received by the Member (the Police CyberAlarm Reports). Vulnerability scanning of the Member’s external facing networks, website and applications will take place after the registration process.
3.1.16. Member Data means Data, including Personal Data, Special Categories of Personal Data and Criminal Conviction and Offence Data, collected by the Member, as a Data Controller, known or unknown and which the Member makes available for sharing with the NPCC for the purpose of Police CyberAlarm.
3.1.17. Intellectual Property Rights means patents, utility models, rights to inventions, copyright and neighbouring and related rights, moral rights, trademarks and service marks, business names and domain names, rights in get-up and trade dress, goodwill and the right to sue for passing off or unfair competition, rights in designs, rights in computer software, database rights, rights to use, and protect the confidentiality of, Confidential Information (including knowhow and trade secrets) and all other intellectual property rights relating to Police CyberAlarm, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.
3.1.18. Member Badge means the Police CyberAlarm branding which the Member is authorised to utilise in accordance with these T&Cs.
3.1.19. Police CyberAlarm website means and/or any Police CyberAlarm user portal.
3.1.20. Suspicious and Suspected Malicious Activity means network traffic which is blocked by the member organisation’s firewall and network security devices. This is meta data of inbound external traffic which has not been whitelisted by the Member Organisation. Internal traffic is identified based upon commonly reserved IP ranges, unless otherwise specified by the Member Organisation.
3.1.21. Managed Service Provider (MSP) means an organisation responsible for managing and delivering services to another organisation, used to manage or deliver information technology services like infrastructure, security, networking and applications. This may also include staffing, payroll, customer engagement and vendor management.
3.1.22. Nominated Third Party means a designated individual or entity that is authorised to act on behalf of another party in various contexts, such as legal, financial, or contractual arrangements.
4. Provision of Police CyberAlarm
4.1. The NPCC grants the Member the non-exclusive and non-transferable right to access and use Police CyberAlarm, subject to the terms of these T&Cs.
4.2. Police CyberAlarm is made available to the Member or Member Organisation “as available” and “as is” without warranty of any kind, express or implied, including but not limited to warranties of availability, performance, merchantability, fitness for a particular purpose, accuracy, omissions, completeness, currency, uninterrupted service and delays. Without limitation, the NPCC does not guarantee the identification of any or all security vulnerabilities that may be present on a Member’s network, nor does it guarantee the reporting of any such vulnerabilities to the Member, nor does it guarantee the timeliness of any reporting.
4.3. The NPCC excludes all implied conditions, warranties, representations or other terms that may apply in connection with Police CyberAlarm.
4.4. Police CyberAlarm may be modified from time to time, including by adding or deleting features and functionality, or temporarily or permanently withdrawn from service without notice to Members. Any additional services may only be provided to the Member where the Member agrees to the receipt of such services and any associated data sharing.
4.5. The Member shall be solely responsible for configuring its information technology systems, network, devices, computer programmes and platform for use with Police CyberAlarm and the NPCC accepts no liability in connection with the Member’s inability or failure to so configure.
4.6. The Member is solely responsible for ensuring that its use of Police CyberAlarm and its processing of its own Member Data, including the collection, storage and transfer of Member Data to the NPCC, complies with all applicable Law including, but not limited to, the Data Protection Legislation.
4.7. The Member is and shall remain solely responsible for maintaining the security and integrity of its own systems, network and devices, and remedying any vulnerabilities identified by Police CyberAlarm.
4.8. The Member is responsible for ensuring that all log in information issued to it by or on behalf of the NPCC in connection with Police CyberAlarm, including username, password and access code, are kept secure and confidential. The Member will promptly inform the NPCC in the event of any confidentiality breach or unauthorised use of any Police CyberAlarm user credentials or access codes.
4.9. Without prejudice to any other rights or remedies to which the NPCC may be entitled, under these T&Cs or at common law, the NPCC reserves the right to disable and/or withdraw the Member’s Police CyberAlarm user credentials or access codes to Police CyberAlarm without notice, in the event that it believes that the Member has failed to comply with any provisions of these T&Cs, in accordance with clause 5.8.
4.10. The Member must not and must ensure that its directors, officers, employees, servants and agents do not:
4.10.1. attempt to undermine the security or integrity of Police CyberAlarm’s systems, networks, devices or the Police Data;
4.10.2. use, or misuse, Police CyberAlarm in a manner which may impair its functionality, or that of the systems, network and devices used to deliver Police CyberAlarm, or the ability of other Members to use Police CyberAlarm;
4.10.3. attempt to gain access to Police CyberAlarm, its systems, network, devices, and any Police Data or other information transferred to or stored as part of Police CyberAlarm in any manner, other than as expressly authorised in these T&Cs;
4.10.4. attack Police CyberAlarm, its systems, network and devices, via a denial-of-service attack or a distributed denial-of-service attack;
4.10.5. attempt to modify, copy, adapt, reproduce, disassemble, decompile or reverse engineer any code relating to Police CyberAlarm or any other part of Police CyberAlarm except as is strictly necessary for normal operation during the Term;
4.10.6. sell, resell, license, sublicense, distribute or otherwise make available Police CyberAlarm to any third party.
4.11. The Member authorises the NPCC and/or its representatives to install Police CyberAlarm and its constituent parts on the Member’s network, systems and devices and/or those of any relevant service provider in any form howsoever comprising hardware, software or otherwise, and/or warrants that it has procured such authorisation from any relevant service provider, and grants access to such programs and data as are necessary for the delivery of Police CyberAlarm.
5. Formation of the T&Cs, Commencement, Term and Termination
5.1. The Member enters into these T&Cs by registering its details, selecting the elements of Police CyberAlarm to receive and accepting these terms and conditions via the Police CyberAlarm website.
5.2. Where an individual enters into these T&Cs, on behalf of a company or other entity, that individual warrants and represents that they have the requisite authority to enter into these T&Cs on behalf of the Member and to bind the Member or Member Organisation to its terms.
5.3. These T&Cs shall commence upon acceptance by or on behalf of the Member or Member Organisation and shall operate until either Party wishes to exit from these T&Cs.
5.4. If there is any conflict or ambiguity between the terms of these T&Cs, a term contained in these T&Cs shall have priority.
5.5. The NPCC shall be entitled, on not less than thirty (30) days’ written notice to the Member or Member Organisation, to vary these terms and conditions, including to take account of any changes to the delivery of Police CyberAlarm.
5.6. In the event that the Member wishes to exit from these T&Cs, the Member shall uninstall the relevant software from their system, which shall cease the sharing of further Personal Data pursuant to these T&Cs.
5.7. The NPCC shall be entitled to terminate these T&Cs at any time for any reason, and shall do so by removing the Member’s access to Police CyberAlarm and ceasing to collect any further Personal Data pursuant to these T&Cs.
5.8. The NPCC shall monitor use by Members or Member Organisations of the Police CyberAlarm service. Should a Member or Member Organisation not make use of the Police CyberAlarm service for an uninterrupted period over more than 12 months, the NPCC reserves the right to terminate that Member or Member Organisation’s membership. NPCC shall also delete all Member Data.
5.9. Clauses 4.10 (Provision), 6.12 (Data Protection), 6.13 (Data Protection), 7.1 (Confidentiality), and 9.1 (IPR) shall survive the termination of these T&Cs.
6. Data Protection
6.1. The processing of any Personal Data for the purpose shall be in accordance with the obligations imposed upon the Parties to these T&Cs by the Data Protection Legislation, the Human Rights Act 1998 and other applicable Law.
6.2. The Parties declare that the processing of Personal Data in the context of these T&Cs is necessary and proportionate having regard to the purpose(s) of the processing, which are effectively safeguarding against and the prevention of threats to public security and enforce the law, including; the prevention, investigation, identification, detection and/or prosecution of criminal offences or the execution of criminal penalties, and in particular cyber crime (‘the Purpose’), which could not be achieved without recourse to the processing of Personal Data.
6.3. The Member will share with the NPCC such Member Data, as are relevant to the Police CyberAlarm services, requested of the Member at the point of registration. The details of the types of Personal Data processed in connection with the Police CyberAlarm services may include; person name, organisation name, postal address and registration number, email address, telephone number, role, user credentials and password, IP address, Third Party name and organisation, as well as usage data and passcode.
6.4. The NPCC will share with the Member such Police Data as are relevant to the analysis and reporting to the Member, particularly where the Member Data provided to the NPCC, as described at clause 6.3, is relevant with regards to the service, security and prevention of criminal acts.
6.5. The NPCC will share with the Member such Police Data as are relevant to the service, security and prevention of criminal acts that may protect the Member. The details of the types of Personal Data processed in connection with the Police CyberAlarm services may include; IP addresses, IP hosts, IP owners, domains visited, sender email addresses, sender handles, recipient email addresses, email subjects, email attachments, mail ID, location data, internet service providers, connection types, device names, device ID, conduct data, time zones, user agent, webpage sought, event ID, request type, and conduct harm score and conduct resolvability.
6.6. The Parties undertake to comply with the provisions of the Data Protection Legislation in connection with the processing of Personal Data in the context of these T&Cs, at all times during its Term.
6.7. Without prejudice to the generality of clause 6.5, the Member warrants and represents:
6.7.1. that the Purpose is consistent with the original purpose(s) of the data collection;
6.7.2. that it has legitimate grounds under the Data Protection Legislation for the Processing of Personal Data as envisaged by these T&Cs and the right to share the Member Data with the NPCC for the Purpose;
6.7.3. that its lawful basis for processing Personal Data in the context of these T&Cs is that it is necessary for the purposes of its legitimate interests and those of policing, the NPCC and society at large, and that such interests are not overridden by the interests or fundamental rights and freedoms of any affected Data Subject which require the protection of Personal Data;
6.7.4. that its lawful basis for processing Personal Data comprising of any criminal offending Data in the context of these T&Cs is that it is necessary for the purposes of the prevention or detection of an unlawful act, which must be carried out without the consent of the data subject so as not to prejudice those purposes, and is necessary for reasons of substantial public interest and involves the disclosure of Personal Data to a Competent Authority within the meaning of the Data Protection Legislation, under Schedule 7 of the Data Protection Act 2018;
6.7.5. that it shall, in respect of Member Data to be shared pursuant to these T&Cs, ensure that it makes available clear and sufficient information to Data Subjects as required by the Law, including the Data Protection Legislation; and,
6.7.6. that it shall, in respect of Personal Data submitted by the Member to the NPCC in the course of registering to receive Police CyberAlarm, promptly provide to any of its directors, officers, employees, agents, consultants, contractors or other individuals affected by the processing of such Personal Data the Police CyberAlarm Privacy Policy as published on the Police CyberAlarm website.
6.8. The NPCC warrants and represents that:
6.8.1. its lawful basis for the Processing of Personal Data in the context of these T&Cs is that it is processing for the law enforcement purposes and the processing is necessary for the performance of a task carried out for the law enforcement purposes;
6.8.2. it shall only process Personal Data in the context of these T&Cs for the law enforcement purposes, unless any other Processing is authorised by Law;
6.8.3. it shall, in respect of Personal Data to be shared pursuant to these T&Cs, ensure that it makes available clear and sufficient information to Data Subjects as required by the Data Protection Legislation; and,
6.8.4. it shall take Protective Measures in relation to Personal Data, and in particular shall ensure that Personal Data transferred by the Member to the NPCC is securely transferred; encrypted at rest and transmitted.
6.9. The Parties acknowledge and declare that the sharing of Personal Data from the Member to the NPCC in the context of Police CyberAlarm involves a transfer of data from the Member, as a Controller to the NPCC, as a Controller.
6.10. The Parties acknowledge and agree that:
6.10.1. the Member shall be the Controller in respect of, and shall be solely responsible for, the processing by the Member of Personal Data and for the lawfulness of its disclosure of Member Data to the NPCC, as well as in connection with the Member’s processing of any Personal Data contained within Police CyberAlarm Reports, provided to the Member; and,
6.10.2. the NPCC shall be the Controller in respect of, and shall be solely responsible for, its processing of Police Data, including any data sharing by the NPCC.
6.11. Nothing in these T&Cs is intended to, or shall be deemed to, establish any joint Controller arrangement between the Parties.
6.12. The Parties shall each notify any particulars as may be appropriate to the Information Commissioner, or such other regulatory body, as required by the Data Protection Legislation. Each Party declares that it has at the date of entering into these T&Cs and shall maintain throughout the Term such valid registrations and/or has paid such fees as are required by the Information Commissioner or such other regulatory body which, at the time data sharing is expected to commence, shall reflect data sharing pursuant to these T&Cs, unless an exemption applies.
6.13. The Parties each agree to promptly provide to the other such assistance as is reasonably required to enable the other Party to comply with its obligations under the Data Protection Legislation in relation to these T&Cs.
6.14. The Parties each agree to promptly notify the other in the event that:
6.14.1. It receives any communication from the Information Commissioner or any other regulatory authority;
6.14.2. It receives a Data Subject Request or any other request, complaint, communication, threatened claim or claim relating to either Party’s obligations under the Data Protection Legislation; and/or,
6.14.3. It is obliged to rectify, erase or restrict personal data which has been disclosed to the other Party.
6.15. The Parties’ respective obligations to notify the other under clause 6.13, shall include the provision to the other Party of full details and copies of the complaint, communication or request, and the prompt provision of such further information in phases, as details become available, and such assistance as may reasonably be required in responding to any communication from the Information Commissioner or other regulatory authority or third party.
6.16. In each instance identified at clause 6.13, the Parties shall afford the other the opportunity to make written representations regarding the timing and content of any response, and shall consider such written representations in good faith prior to responding to the relevant Data Subject, the Information Commissioner, other regulatory authority or third party.
6.17. The Parties agree to take account of any guidance issued by the Information Commissioner or any other regulatory authority relevant to their obligations under these T&Cs. The NPCC may unilaterally update or review these terms and conditions in furtherance of new compliance directives issued by the Information Commissioner, any other relevant regulatory body or other Law.
6.18. The NPCC, or such other person acting on behalf of the NPCC, shall undertake periodic reviews of the processing of Personal Data, pursuant to these T&Cs to ensure its ongoing compliance with the Data Protection Legislation and other Law.
7. Confidentiality
7.1. Each Party undertakes that it shall not at any time use or disclose to any person the other Party’s Confidential Information, except as permitted by this clause 7.
7.2. Each Party may disclose the other Party’s Confidential Information:
7.2.1. to its employees, officers, representatives, contractors, subcontractors or advisers who need to know such information for the purposes of carrying out the Party’s obligations under these T&Cs. Each Party shall ensure that its employees, officers, representatives, contractors, subcontractors or advisers to whom it discloses the other Party’s Confidential Information are made aware of its confidential nature and comply with this clause 7; and
7.2.2. as may be required by Law, a court of competent jurisdiction or any law enforcement agency, governmental or regulatory authority, in which case the Discloser shall immediately notify the other Party in writing of any such requirement for disclosure of the Confidential Information, in order to allow the Discloser to make representations to the person or body imposing the requirement.
7.3. The restriction contained in clause 7.1 shall cease to apply to any Confidential Information which may come into the public domain otherwise than through unauthorised disclosure by the Parties to these T&Cs, their officers, employees, servants or agents.
8. Assignment and Other Dealings
8.1. The Member shall not assign, transfer, mortgage, charge, sub-license, subcontract, delegate, declare a trust over or deal in any other manner with any or all of its rights and obligations under these T&Cs without the prior written consent of the NPCC.
8.2. The NPCC may at any time assign, transfer, mortgage, charge or deal in any other manner with any or all of its rights and/or obligations under these T&Cs, provided that the NPCC gives written notice to the Member.
8.3. Notwithstanding clause 7.1, the NPCC when assigning any or all of its rights under this clause of these T&Cs, may disclose to a proposed assignee, any information in its possession that relates to these T&Cs or its subject matter, the negotiations relating to it and the Member which it is reasonably necessary to disclose for the purposes of the proposed assignment.
8.4. The NPCC may subcontract or delegate in any manner any or all of its obligations under these T&Cs to any third party.
8.5. The Member shall, at the NPCC’s request, execute any agreements or other instruments (including any supplement or amendment to these T&Cs) which may be required in order to give effect to or perfect any assignment, transfer, mortgage, charge or other dealing referred to in clause 8.2.
9. Intellectual Property Rights
9.1. The Member acknowledges and agrees that all Intellectual Property Rights (IPR) in or relating to Police CyberAlarm, including in the logo, website, services, system, and any documentation or Police Data relating to Police CyberAlarm, including Police CyberAlarm Reports, are and shall remain the property of the NPCC and/or its licensors.
9.2. The NPCC hereby grants to the Member within the jurisdiction for the Term, and subject to, and in accordance with, the conditions of these T&Cs, a non-exclusive licence to copy, publish, distribute, transmit and adapt the information contained within any Police CyberAlarm Report, solely for the Member’s internal use.
9.3. The NPCC grants the Member or Member Organisation, or shall procure the direct grant to the Member or Member Organisation of, a fully paid-up, worldwide, non-exclusive, royalty-free licence to copy, reproduce and to publish on the Member or Member Organisation’s own website and/or in its own marketing materials the Member Badge for the purpose of receiving and using the Membership benefits, solely during the Term of, and subject to, and in accordance with, the conditions of these T&Cs.
9.4. The Parties will indemnify and keep indemnified each other, in full, against any sums awarded by a court, and other claims, causes of action, and demands arising out of or in connection with any infringement of a third party’s Intellectual Property Rights arising out of, or in connection with, the receipt or use of the Member or Police Data.
9.5. The Parties shall immediately notify the other in writing, giving full particulars if any of the following matters come to their attention; any actual, suspected or threatened infringement; any claim made or threatened infringement of the rights of any third party; any other form of attack, charge or claim of the Intellectual Property Rights.
9.6. In respect of any of the matters listed in clause 9.5; the NPCC shall, at its absolute discretion, decide what action to take, and the NPCC shall have exclusive control over, and conduct of, all communications, claims, negotiations, and proceedings, provided that the NPCC considers and defends any IPRs claim diligently, using competent counsel and in such a way as not to bring the reputation of the Indemnified Party into unjustified disrepute, save that the NPCC may settle any threatened or issued claim (after giving prior written notice of the terms of settlement (to the extent legally possible) to the Member on a confidential and privileged basis, but without obtaining the Member’s consent) if the NPCC reasonably believes that failure to settle the threatened or issued claim would be prejudicial to it in any material respect;
9.6.1. the Member shall not make any admissions, other than to the NPCC, on a confidential and legally privileged basis and shall provide the NPCC with all assistance that it may reasonably require in the conduct of any communications, claims or proceedings;
9.6.2. the Member shall make aware, and reasonably and appropriately assist the NPCC for the purpose of assessing any threatened or issued claim;
9.6.3. subject to the Member providing security to the NPCC, to the NPCC’s reasonable satisfaction against any claim, liability, costs, expenses, damages or losses that may be incurred, and subject always to clause 9.6.1, the NPCC may agree to take such action as the Member may reasonably request to avoid, dispute, compromise or defend any threatened or issued claim.
9.7. Nothing in this clause 9 shall restrict or limit the Parties’ general obligation at law to mitigate a loss it may suffer or incur as a result of an event that may give rise to a claim under the indemnity.
9.8. The Member shall:
9.8.1. only make use of the IPR for the purposes and in the manner authorised in these T&Cs; and
9.8.2. comply with all regulations and practices in force or use in the Territory to safeguard the IPR of the NPCC and/or its licensors.
9.9. The Member shall not do or omit to do anything to diminish the IPR of the NPCC or its licensors, nor assist any other person to do so, whether directly or indirectly.
9.10. The Member acknowledges and agrees that the exercise of the licence granted to the Member under these T&Cs is subject to all applicable laws, enactments, regulations and other similar instruments in the Territory, and the Member understands and agrees that it shall at all times be solely liable and responsible for such due observance and performance.
10. Limitation of Liability
10.1. Neither Party excludes or limits liability to the other Party for:
10.1.1. death or personal injury caused by its negligence, or that of its employees, agents or sub-contractors;
10.1.2. bribery, fraud or fraudulent misrepresentation by it or its employees;
10.1.3. breach of any obligations implied by section 2 of the Supply of Goods and Services Act 1982; or,
10.1.4. any other matter which, by Law, may not be excluded or limited.
10.2. Subject to clause 10.1, neither Party shall in any circumstances be liable whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, for:
10.2.1. Any loss of or damage to (whether direct or indirect) revenue, profits, sales or business, business opportunities, revenue, turnover, reputation or goodwill;
10.2.2. Loss (whether direct or indirect) of anticipated savings or wasted expenditure (including management time);
10.2.3. Any other consequential loss;
10.2.4. Any loss or liability (whether direct or indirect) under or in relation to any other contract.
10.3. Subject to clauses 9 (IPR) and 10.1, the NPCC shall not be liable in contract, tort (including negligence), breach of statutory duty or otherwise for any loss or damage of whatsoever kind and howsoever arising in connection with the installation, operation or removal of Police CyberAlarm, including the loss of use or corruption of software, data or information, or the provision of, failure to provide, or reliance on Police CyberAlarm Reports provided to the Member as a consequence of the use of Police CyberAlarm.
10.4. Neither Party may benefit from the limitations and exclusions set out in this clause 10 in respect of any liability arising from its deliberate default. Nor may either Party benefit from any indemnity in these T&Cs to the extent that a claim under it results from the Indemnified Party’s negligence or wilful misconduct.
10.5. The limitations and exclusions of the Parties’ liabilities shall not be affected by:
10.5.1. payment of an uncapped liability;
10.5.2. amounts awarded or agreed to be paid under clause 9 (IPR); and
10.5.3. amounts awarded by a court or arbitrator, using their procedural or statutory powers in respect of costs of proceedings or interest for late payment.
10.6. Unless the Member notifies the NPCC that it intends to make a claim in respect of an event within the Notice Period, the NPCC shall have no liability for that event. The Notice Period for an event shall start on the day on which the Member became, or ought reasonably to have become, aware of the event having occurred and shall expire three months from that date. The notice must be in writing, be sent by recorded delivery to the NPCC, and must identify the event and the grounds for the claim in reasonable detail.
10.7. The Parties acknowledge and agree that the limitations and exclusions contained in this clause 10 are commercially reasonable in the light of the nature of these T&Cs, the identity of the Parties and all the relevant circumstances relating to provision of Police CyberAlarm.
11. Disputes
11.1. In the event of any dispute or difference between the Parties arising out of these T&Cs, the representatives of the Parties to the dispute or difference shall, within 20 days of receipt of a written request from any party to the dispute, meet in an effort to resolve the dispute or difference in good faith.
11.2. The Parties may, with the help of The Centre for Effective Dispute Resolution, seek to resolve disputes between them by alternative dispute resolution. If the Parties fail to agree within 56 days of the initiation of the alternative dispute resolution procedure, then the Parties shall be at liberty to commence litigation.
12. Miscellaneous
12.1. Where the NPCC receives a request for information under the provisions of the Freedom of Information Act 2000, in respect of Data provided by or relating to a specific Member, the NPCC may contact the Member to ascertain whether the Member wishes to claim any exemption and to obtain information to support any such claim. The NPCC shall be entitled to determine, in its sole discretion, the response to the request.
12.2. These T&Cs, and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with them or their subject matter or formation, shall be governed by, and construed in accordance with, the law of England and Wales.
12.3. The Parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with these T&Cs or its subject matter or formation.
12.4. These T&Cs constitute the entire agreement between the Parties as regards the subject matter hereof and supersede all prior oral or written agreements regarding such subject matter.
12.5. If any provision of these T&Cs is held by a Court of competent jurisdiction to be invalid or unenforceable, such invalidity or unenforceability shall not affect the remaining provisions of these T&Cs, which shall remain in full force and effect.
12.6. Nothing in these T&Cs is intended to, or shall be deemed to, establish any partnership or joint venture between the Parties or authorise any Party to make or enter into any commitments for or on behalf of any other Party.
13. Interpretation
13.1. The conditions shall not affect the construction or interpretation of these T&Cs.
13.2. The word ‘including’ shall mean including without limitation or prejudice to the generality of any description, definition, term or phrase preceding that word, and the word ‘include’ and its derivatives shall be construed accordingly.
SCHEDULE 1 – Types of Personal Data Processed
Personal data, or personal information, means any information about an individual from which that person can be identified. The personal data collected and processed in connection with the deployment of the Police CyberAlarm tool will include personal data, and criminal conviction and offence data (i.e. personal data relating to the alleged commission of offences by the data subject) and may include special category personal data (which may be inferred).
The types of personal data collected from member organisations will be comprised of:
- Online identifiers:
  - IP address;
  - Device name
  - Device ID
  - Source/Sender email address
  - Recipient email address
  - Message subject
  - Mail ID
  - Attachment name
  - Source domain name
  - Source IP address
  - Destination IP address
  - Country code
  - Username; and
  - Timezone
- Conduct data, i.e. information relating to the conduct which led to it being identified as suspicious activity.
- Data pertaining to suspicious firewall activity will be collated, analysed and may be matched against other data sources. Where an investigation is launched into suspicious firewall activity, further personal data may be sought and collected, which may include special category data, and this will take place in accordance with the relevant law enforcement agency’s own privacy policy.
- geolocation data relating to the source of suspicious activity, comprising: two (2) letter continent code, two (2) letter country code, country name, city or area of a city, postal code, latitude and longitude of approximate location, percentage confidence in location data;
- Connection data relating to the source of suspicious activity: connection type, organisation to which IP address is registered, whether TOR or a VPN is used, and if so which; and, Harm score and resolvability score.
Where an investigation is launched into suspicious activity, further personal data may be sought and collected, which may include special category data, and/or further data matching may occur, including against existing law enforcement records, and this will take place in accordance with the relevant law enforcement agency’s own privacy policy.