The NCA’s role is to protect the public by disrupting and bringing to justice those serious and organised criminals who present the highest risk to the UK.
Any processing of personal information about you is carried out in accordance with the United Kingdom General Data Protection Regulation 2016 (UK GDPR) and the Data Protection Act 2018 (DPA). Under the UK GDPR and the DPA, we are required to explain what information we hold about you, why we hold information about you, how we use that information and whether we will share that information with anyone else.
Personal data is any data that can be used to identify a living individual, on its own or in combination with other available information. References to names, identification numbers and location data are all personal data.
Special categories of personal data includes details of racial or ethnic origin, political opinions, religious, philosophical or similar beliefs, trade union membership, physical or mental health, sexual life, commission of criminal offences and/or involvement in criminal proceedings.
Processing means anything we do with the data and includes collecting, storing, and sharing it.
This Privacy Notice explains how the NCA processes personal data relating to members of the public lawfully. It also outlines the steps we take to ensure that personal data is protected and describes the rights individuals have in relation to the data we process.
1. Data Controller
The Director General is the Controller for any personal data processed by the NCA.
2. Data Protection Officer
3. How to get in touch
4. What information do we collect about you?
The personal data we collect and use will include personal data and special category personal data (also referred to as sensitive processing).
Types of personal data we process may include information such as:
- Personal details such as name and address
- Sound recordings and visual images
- Financial details
- Intelligence material
- Complaint, incident and accident details
- Employment details
- Online identifiers such as IP addresses
Special category personal data (also referred to as sensitive processing) may include personal data revealing:
- Racial or ethnic origin
- Political opinions
- Religious, cultural or philosophical beliefs
- Trade union membership
- Physical or mental health
- Sex life or orientation
- Genetic or biometric data
- Criminal conviction and/or involvement in criminal proceedings
The NCA will only use the minimum amount of relevant personal information necessary to carry out a particular activity.
5. Where do we obtain data from?
We collect personal data from a range of sources in the exercise of our functions. For example, we may collect data for our investigations, from partner agencies, via direct reporting from the public and from information that is publicly available. We may also collect personal data through your interactions with us such as via online portals.
We also process personal data that is collected in the course of our administrative functions. For example, staff administration, recruitment, procurement, property management, advertising and media.
6. Whose personal data do we handle?
In order to carry out our functions, we process information relating to a wide variety of individuals. These may include:
- People convicted of an offence
- People suspected of committing an offence
- Complainants, correspondents and enquirers
- Consultants and other professional experts
- Commercial partners
We also process data relating to existing and former members of staff.
Information is likely to be held in various forms, including electronically in emails and in the NCA’s electronic filing system and databases as well as in paper-based records. It may also be held in other electronic forms such as CCTV.
7. Why do we use personal data?
The NCA processes personal data for law enforcement purposes as defined in Section 31 Data Protection Act 2018. These are for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
We achieve this through our command areas such as border policing, economic crime, and CEOP, the National Cyber Crime Unit and specialist capability teams. This enables us to tackle serious and organised crime, strengthen our borders, fight fraud and cyber-crime, and protect children and young people from sexual abuse and exploitation. We also process data for the purposes of safeguarding National Security, including National Security Vetting for NCA staff.
The legal basis for processing law enforcement data, in the vast majority of cases, is that it is necessary for the performance of NCA functions. Alternatively, on rare occasions we may ask for your consent. More details about consent are set out in paragraph 8. The NCA’s functions are set out in Section 1 Crime and Courts Act 2013.
The NCA’s functions include:
- The crime reduction function
- The criminal intelligence function
- The other functions set out in the Crime and Courts Act 2013 and other legislation, including safeguarding and Proceeds of Crime Act 2002.
We will only use personal information when the law allows us to and where it is necessary and proportionate to do so.
We may also process data for non-law enforcement purposes such as when we recruit and vet potential employees, for staff administration, managing media relations, research and when we provide educational programmes and support including media products such as podcasts or briefings to inform the public about the work of the NCA. Where we process data for non-law enforcement purposes, the processing is likely to be based on the following grounds:
- It is necessary for performing a contract;
- It is necessary to comply with a legal obligation;
- It is in the public interest to do so;
- It is for official purposes;
- We (or someone else) has a legitimate interest to do so, and it is necessary and balanced against your own interests, rights and freedoms
- It is necessary to use your personal information to protect your vital interests (or someone else's vital interests).
- You have given your consent for the processing of your personal data. More details are set out in paragraph 8.
Where we process special categories of personal data, or undertake sensitive processing, we will do so in accordance with the specific conditions of processing set out in the UK GDPR and the Data Protection Act 2018. It is likely that we will rely on the following conditions:
- Where we have your explicit consent
- Where it is necessary to carry out obligations or rights in relation to employment laws
- Where it concerns a medical diagnosis, or the medical assessment of your working capacity
- Where the data has already been made public by you
- Safeguarding of children and individuals at risk, and protecting the vital interests of you or another
- Where it is necessary for the purpose or in connection with any legal proceedings, legal advice or establishing, exercising or defending legal rights
- Where it is necessary for archiving purposes in the public interest, historical research or statistical purposes
- Where it is for the purposes of the exercise of the NCA’s functions and it is in the substantial public interest
- Where it is necessary for the administration of the systems of courts and of law enforcement, or the exercise of a function that the NCA is required to carry out by law.
In addition to processing data relating to criminal convictions and alleged criminal behaviour for the purposes of law enforcement, we may also collect and process that data for our administrative functions, such as recruitment. We will only use information relating to criminal convictions or alleged criminal behaviour when the law allows us to do so. This can arise when it is necessary for us to comply with the law, or where it is in the substantial public interest for us to exercise our functions.
8. Asking for your consent to process personal data
On rare occasions, where the most appropriate condition for processing data is consent, the NCA may ask for your explicit consent in order to lawfully process your data. This will only happen in specific and limited circumstances and won’t usually be relevant to law enforcement processing. When we do ask for your consent, we will explain clearly what we are asking for and how we will use it.
Consent must be freely given, specific and informed and there must be a genuine choice about offering your data. Where we are processing data based on your consent, you have the right to withdraw that consent at any time.
When we ask for your consent, we will tell you how we will process your data, how long we will keep it for and the steps we will take to delete it. We will also outline the steps we will take if you decide to withdraw consent.
There may be occasions where we will ask for your consent to request medical records or other information where access to the information is necessary as part of an investigation involving you. It is important to understand that, in these circumstances, once the records are released to the NCA, they will be securely retained, and processed to the extent that is necessary for the purposes of any arrangement, and/or as obliged by law.
9. How long do we keep personal data?
The NCA will retain your personal data in line with the requirements of data protection legislation, CPIA, MoPI and other legislative requirements, taking into account factors such as the content and sensitivity of the data, the purposes for which the data is processed, and any business requirements. We will securely dispose of your data when it is no longer necessary to retain it.
10. Who will we share data with?
The NCA is able to share data under the Crime and Courts Act 2013. For example, it may be necessary to share data with other law enforcement agencies, both nationally and internationally, and with partner agencies working on crime reduction and prevention initiatives. These agencies may include:
- UK police forces
- Border Force
- His Majesty’s Revenue and Customs
- British Transport Police
- The Serious Fraud Office
We may also share data with a range of other bodies such as the press and media, service providers, current, past and prospective employers, voluntary sector organisations, financial institutions and regulatory bodies, other government departments and similar bodies, courts and tribunals and your legal representatives.
We will also disclose personal information to other bodies or individuals when required to do so by law.
The NCA takes steps to ensure that any disclosure of personal data, however obtained, complies with the provisions of the Data Protection Act 2018 and UK GDPR. This includes ensuring that any disclosures are necessary and proportionate, and that necessary safeguards are in place.
Some of the bodies or individuals to whom we may disclose personal data are situated outside of the United Kingdom. If we do transfer personal data outside of the UK, including any subsequent sharing of this data, we will ensure that the conditions laid down in Data Protection Legislation are complied with.
11. How do we keep your data secure?
Your personal data will be processed securely. We have put in place appropriate technical and security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions.
12. Your rights as a data subject:
Under the UK GDPR and Data Protection Act 2018 you have a number of rights that you can exercise in relation to the data we process about you. Under certain circumstances, by law you have the right to:
Request access to your personal information (commonly known as a subject access request). This enables you to receive a copy of the personal information we hold about you and check that we are lawfully processing it and that it is accurate.
Request rectification of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no lawful reason for us to continue to process it.
Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
Please note that when your data is being processed for law enforcement purposes some of the rights listed above may be restricted where it is a legitimate and proportionate measure to avoid obstructing an investigation or procedure, to avoid prejudicing our law enforcement purpose, to protect public or national security or to protect the rights and freedoms of others. If a restriction is necessary, we will inform you unless to do would prejudice the purpose of the restriction.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we are allowed under the law to charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we can refuse to comply with the request in such circumstances.
We sometimes need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Further information about these rights can be found within the Data Protection Act 2018 and on the Information Commissioner’s Office website: www.ico.org.uk
Statutory Disclosure Team
PO Box 58345
13. Complaints and further queries:
The NCA tries to meet the highest standards when processing personal data. We take complaints very seriously. If you have any concerns about the way that we have handled your personal data please bring it to our attention via the following means:
You are also able to submit complaints to the Information Commissioner’s Office. Details on how to contact them based on the nature of your concern are available at https://ico.org.uk/concerns/
The ICO can be contacted via:
The Information Commissioner’s Office,
Telephone: 0303 123 1113
14. Further information about this privacy notice
We keep our privacy notice under regular review. If we plan to use personal data in a different way than we have outlined then we will update our privacy notice before we start any new processing.
From time to time, we may also publish additional privacy information relating to particular activities such as recruitment. This may be provided on an individual basis or published on the NCA website (www.nationalcrimeagency.gov.uk).
This privacy notice is available in other languages and formats such as hard copy on request.
NCA Young Persons Privacy Notice
You can also download our NCA Young Persons Privacy Notice. Please note this is a young person’s version of the NCA’s main Public Privacy Notice.
This note is about how the NCA uses and looks after the information we have about you. This is because everyone has a right to know what the NCA does with their information.
NCA website cookies
- measure how you use the website so it can be updated and improved based on your needs
- remember the notifications you've seen so that we don't show them to you again
The website uses Google Analytics which sets 4 cookies to collect information about the pages you have visited on this website, how you got to the site and what you click on while visiting the site. We do this to help make sure the site is meeting the needs of its users and to help us make improvements. You can opt out of Google Analytics.
The website also sets a new cookie for each visit to the website which is deleted when the user closes the browser. Find out more about how to manage cookies.
We don't collect or store personal information (e.g. name or address) so this information can't be used to identify who you are.