If we ask you for personal information we will hold a record of why we are asking and why the information is necessary to do our work.
We use the term ‘privacy notice’ to describe all the privacy information that we make available or provide to people when we collect information about them. Our privacy information is made up of:
When we collect and process information about you we do so according to UK data protection law. This means we will be fair and transparent about the data we collect and we will keep your information safe. Our main processing activities that use personal data are:
These are explained in more detail in our Privacy Information Notes.
The London Fire Commissioner (LFC) is the head of the London Fire Brigade and is the Fire and Rescue Authority for London. The LFC is a data controller for personal data and has notified the Information Commissioner (the UK regulator for data protection) of this. Our main address is: London Fire Brigade, 169 Union Street, London SE1 0LL. The main contact number is 020 8555 1200.
Our details have been registered with the Information Commissioner's Office (ICO) and our register number is Z7122455. The ICO’s register can be viewed online at http://ico.org.uk.
Our Data Protection Officer (DPO) is the LFB Head of Information Governance who has day-to-day responsibility for data protection and information governance issues. The DPO can be contacted via the address or phone number above, or by:
Our legal basis for processing your personal data will depend on the specific activity we are undertaking. Generally speaking, we process personal data for the reasons set out below. In only a very few situations will we ask for your consent for us to use your data, as typically we have legal duties or powers that enable us to process personal data to undertake our functions as a fire and rescue service. It will, however, often be the case that you will be giving us personal information voluntarily and with your cooperation, but we will process that information on the basis of our duties and powers rather than because you have given your consent.
Our main processing conditions can be described as:
As a fire and rescue authority, we have many duties and powers that describe our core functions and give us legal powers to undertake those functions. Those functions include, for example;
We also have general powers (FRSA2004, Sec 5a) that enable us to do anything we consider appropriate for the purposes of the carrying-out of any of our functions or anything that is incidental to our functional purposes. This will include a power to collect, process and share personal and sensitive personal data so long as the processing is necessary for the purpose we are collecting it.
During our work to enforce and regulate fire safety law, some of the personal data we collect and process will be for law enforcement purposes (as outlined in Part 3 of the Data Protection Act 2018), which cover data processed in connection with the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
Our legal basis for processing law enforcement data is that it is necessary for the performance of our functions. Our primary law enforcement functions relate to enforcement of the Regulatory Reform (Fire Safety) Order 2005 in accordance with Article 25 of the order which includes taking decisions to issue notices or to prosecute where offences have been committed and prosecution is considered to be in the public interest.
Data protection law recognises that there are some types of personal data that are particularly sensitive and should be prohibited unless the processing is absolutely necessary. This special category of data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
When it is necessary for us to process any of the special category data, it will usually be because;
You will often have a choice about what services you receive from us, but when we collect your personal information for that service – one of our main processing activities – we will collect and retain your information because we have another duty or obligation to do so that does not require your consent. We are a public authority and we recognise that our position means that you are unlikely to be able to freely give your consent for the services we provide.
When you give us your information on the basis that you give us your consent to use it (and not because of another processing obligation we have), then you can withdraw that consent at any time. If you wish to withdraw your consent for us to use your personal data then you should contact our Data Protection Officer (see above). You should provide as much information as possible about the information you supplied, when it was given and the circumstances it was given in.
If, prior to the 25 May 2018, we have asked for, or have been given your permission to use your data and called this “consent” it is unlikely that this consent meets the standard required for GDPR. We are however confident that our continued use of your data is still permitted under data protection law where it falls within another legal basis, for example because it is contractual, we have a legal obligation or it is necessary for a public task. This will affect your rights (see below) and you may no longer have the right to stop us processing the information by withdrawing your previously given permission (described at the time as consent). If you have a concern about this change in processing, please contact the Data Protection Officer.
Our record of processing activities (ROPA) is the Brigade's inventory of the personal data processing and provides an overview of what the Brigade is doing with personal data. You can view the ROPA here. The recording obligation is stated by article 30 of the GDPR/Data Protection Act. It is a tool to help us comply with the Regulation.
We describe the type of personal data we collect and hold by referring to “categories of personal data”. The table below gives examples of the types of information that we process.
Category | Example of data included in the category |
---|---|
Personal details | Titles, names, previous names, nick-names, aliases, address, postcode, telephone numbers, email addresses, social media user names, personal website addresses, signature, emergency contacts, family history, marital status, dependants, next of kin, language skills |
Personal features | Age, date of birth, gender, height, weight, body measurements, eye/hair/skin colour, identifying marks, images - photo/video/audio |
ID Numbers | National insurance number, passport number, driving licence number, social security number, national health number. [Note: this category may include facsimile copies of original documents containing the identifier] |
Work details | Pay number, job titles, work addresses, employer's name, work contact numbers, work email address, call sign, work social media user names, grade, role, rank, start date, end date, camp out base, work history, computer and communications monitoring information, lone-worker location, vehicle number plate, pager number, leave and absence, proof of right to work, building access records |
Financial details | Salary, payroll records, bank details, pension, tax, allowances, state benefits, property ownership, compensation payments |
Education | Qualification, establishment, establishment address |
Narrative data | Biography, CV, situational description, occupational experiences, behavioural characteristics, professional membership, personal references, performance evaluations, discipline or grievances, geodemographic segmentation data. |
Special category data | Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation |
Criminal offence data | Information relating to criminal offences (alleged or proven) or personal data held with the intention of bringing about a criminal prosecution. |
During our work, we may refer to information, including personal data, that is available on publicly accessible sources. These sources will include information made available by other public bodies, regulators and enforcing authorities (for example public registers) as well as information posted on social media, other websites and news media.
We may use information that is publicly available to inform our decisions about our work with you. That may include our dealings with you during the performance of a contract (as a supplier, a data processor or an employee) or how we provide our emergency response and other services to you, either at the time or in our planning and preparations (for example, if we are made aware of people who are at a higher risk of being involved in a fire we may try to make contact to offer prevention and safety advice).
To fulfil our responsibilities and functions as a fire and rescue authority, it will be necessary for us to share some or all of your personal data with other organisations. When we share data we will be doing so knowing that we have a legal basis to do so and that it is necessary for that purpose.
In general terms, we will only share information with another organisation where;
The categories of organisations who we might share personal data with are shown in the table below.
Category | Example of recipients included in the category |
---|---|
Emergency Services | Fire and Rescue, Police, Ambulance, Armed forces, Coast Guard, Category 1 and 2 Responders, Utility providers, Emergency care and safeguarding Charities |
Local authorities | Education, Social Care, Housing, Environmental Health, Youth Service, GLA, London Assembly |
Health providers | GP, Health professional, Health board or trust, National Health Service and bodies |
Government agencies | Home Office, MOD, HMRC |
Legal services | Solicitors, Law courts, Public Inquiries and Inquests |
Regulators | HSE, Pension Regulator, Safety Committees, Auditors |
Employers & Businesses | Outside employers, Registered childcare provider, External trainers, NFCC, registered charities |
Appropriate adults | Parent, carer, family member, guardian, teacher, LFB volunteer |
Contractors & suppliers (“Data processors”) | Data processors are third parties who process personal data on our behalf. |
Data processors
Data processors are third parties who process personal data on our behalf. These are typically the suppliers and contractors we use to provide us with goods and services under contract. Occasionally, those contractors will provide services direct to you on our behalf. Examples of contractors who are our data processors include those that provide us with: recruitment support, IT systems, IT developers and engineers, telecom services, security systems, occupational health and staff wellbeing services.
We have contracts in place with all of our contractors who are also our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
Transfers to third countries or international organisations
We do not transfer your data outside of the UK as part of our day-to-day work. However, as IT providers become more global and IT services are provided ‘in the cloud’ we know that some of the data we hold is hosted on computer servers that are outside of the UK or of the European Union.
When our data processors store data outside of the area where UK GDPR applies, the security of this information will be covered by the terms of our contract with them (or them with us). You can be assured that when this happens you will have the same degree of protection in respect of your personal information as though it was held within the UK or the area of the European Union.
You will often have a choice about what services you receive from us, but when we collect your personal information for that service we will collect and retain your information because we have another duty or obligation to do so that does not require your consent.
If you don’t provide certain information when requested, we may not be able to provide you with our services (for example providing you with a fire alarm and advice) or perform the contract we have entered into with you (for example if you are an employee). We may also be prevented from putting you in touch with other organisations and services that can provide you with help, support, advice and care.
We would encourage you to provide us with the data we need to do our job, but if you have any concerns about providing your personal information when asked, please discuss those concerns with us. If you are not already in contact with a member of our staff then you can discuss those concerns with our Data Protection Officer.
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. With the exception of some of our recruitment and staff management processes, we won’t make decisions about you that will have a significant impact on you based solely on automated decision-making. If we use automated decision making it will be because it is necessary to perform the contract with you and we will have taken appropriate measures to safeguard your rights.
We have a records management strategy that determines how long we keep records and information. This includes records with personal data. As a public body we need to keep records to help us plan and deliver our services, to show how we have made decisions, to prepare and defend legal claims and to maintain a historical archive of the work of the London Fire Brigade.
When deciding how long to keep information, we need to consider a number of things. These include:
Very rarely will a retention period be a set time from a fixed point, as many of our records management decisions are driven by an action or an event. For example, the records management associated with signed contracts will be triggered by the event of the contract coming to an end (e.g. contract end date plus 12 years).
Where we are holding records that contain personal data, we will have a reason and purpose to hold on to that information. If at any time you believe we are holding records for longer than necessary, you may have the right to ask us to erase that record. If you are concerned about how long we are keeping your information, then you should contact our Data Protection Officer and give them the reasons for your concern and they will investigate the matter.
When we use your personal data, you have rights about how that information is processed. Those rights include how you can access the information we hold, and how, in some situations, you can stop us from processing the information or have it corrected or deleted.
Under certain circumstances, you have the right to:
You can read more about these rights here – https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/
If you would like to exercise any of your data protection rights, you should contact the Data Protection Officer using the details listed earlier in this Notice.
If you are unhappy with the way that your personal data has been used or any other aspect of how we have processed your information then please let us know. In the first instance you should contact our DPO who can investigate the matter for you and take any action that is necessary.
You also have the right to raise your concern with the Information Commissioner. Details of how to make a complaint to the ICO are on their website at http://ico.org.uk or you can write to them at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.