Call us on

0300 020 3000 Contact
Contact

Privacy notice

Last updated

21 Nov 2024

This Privacy Notice outlines the COPFS’ reasons for processing your personal data.

This notice sets out the standards you can expect when COPFS hold your personal and sensitive category data, as well as other privacy information which we are obliged to provide.

Why we process personal data

COPFS is Scotland’s sole prosecution service and we receive reports of possible crimes from Police Service of Scotland and other reporting agencies to investigate and decide what action to take, including whether to prosecute someone and seizing the proceeds of crime. COPFS also consider deaths that require further explanation and investigate allegations of criminal conduct against police officers.

COPFS plays a pivotal part in the justice system, working with others to make Scotland safe from crime, disorder and danger. We take into account the diverse needs of victims, witnesses, communities and the rights of those accused of crime and aim to provide services that meet the information needs of victims, witnesses and next-of-kin, in co-operation with other agencies.

We require to process personal data in order to prosecute criminal cases. The majority of the personal data we hold is passed to us by Police Scotland in order to determine whether or not to prosecute. In general, personal data is held by COPFS about accused persons, victims, witnesses and others involved in the criminal justice process within criminal case files.

In certain cases, we process personal data within criminal case files for non-law enforcement purposes such as managing media relations, audit purposes and to improve casework quality, work with scrutiny bodies and demonstrate transparency around decision making.

We will only process personal data when it is lawful to do so and where it is necessary and proportionate.

Personal data processed by COPFS in relation to criminal cases

As part of the reports we receive from Police Scotland and other agencies, we require to collate all personal details of accused person(s), victims and witnesses and professional witnesses to fully understand the alleged offence, the full circumstances surrounding same and to communicate decisions.

Furthermore, COPFS also process categories of sensitive category data if they are relevant and relate directly to a criminal case – this may come in the form of evidence i.e. medical records, fingerprints, DNA, mobile phone or social media content or CCTV footage. As well as through reports received, personal and sensitive information may also be provided to us by yourself or your representative (legal or otherwise).

Within criminal case files this is likely to include, but not be limited to, racial or ethnic origin, physical or mental health information and sexual orientation.

Given the nature of our purpose, we will always process criminal offence data in our cases.

You can find examples of the type of data we may process at Annex A at the end of this notice.

Legal basis for processing personal data

Law enforcement purposes

COPFS mainly process personal, sensitive and criminal offence data for law enforcement purposes under Part 3 of the Data Protection Act 2018 (DPA 2018). This includes for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

General processing

In certain circumstances, COPFS will share information which was initially for a law enforcement purpose with selected third parties for non-law enforcement purposes under Part 2 DPA 2018.This may include providing information to regulatory organisations to assist with their investigations to safeguard the public, processing relating to civil litigation or compensation, consideration of fatal accident inquiries, or to provide details of vulnerable witnesses to support agencies.

You can find the legal provisions we rely upon for processing at Annexes B and C at the end of this notice.

How we process personal data

COPFS are committed to ensuring that the data processed within our case management systems is secure and protected, keeping in line with our security and records management policies.

In dealing with your personal information, we will also:

  • value the personal information entrusted to us and make sure we respect that trust;
  • abide by the law when it comes to handling personal information;
  • consider the privacy risks when we are planning to use or hold personal information in new ways, such as when introducing new systems;
  • provide training to staff who handle personal information and respond appropriately if personal information is not used or protected properly.

To ensure we keep your information reliable and up to date, we ask you to:

  • provide accurate information
  • tell us as soon as possible if there are any changes to the information we hold about you, such as a new address, telephone number, email address or name change.

Whilst personal data received is generally processed to assist in the prosecution of crime or other legal decision making, it may also be disclosed to other appropriate person(s) or organisations as noted within this policy. Any information which is to be shared is reviewed prior and only given to those with a legitimate need to access.

COPFS may share your personal data with the following third-party organisations for the purposes listed:

  • Police Service of Scotland and other enforcement agencies
  • Solicitors acting for an accused person
  • Self-representing accused
  • Scottish Courts and Tribunal Service (SCTS)
  • Scottish Police Authority (SPA)
  • Government and Regulatory bodies such as the Scottish Public Services Ombudsman (SPSO), the Information Commissioner’s Office (ICO), the Scottish Information Commissioner’s Office, the Scottish Legal Complaints Commission (SLCC), Scottish Social Services Council (SSSC) General Medical Council (GMC), The General Teaching Council (GTC), Disclosure Scotland, Disclosure and Barring Service
  • The Law Society of Scotland, the Scottish Legal Aid Board
  • Police Investigations and Review Commissioner (PIRC)
  • Scottish Childrens Reporter Agency (SCRA)
  • The National Probation Service, Scottish Prison Service, Parole Board for Scotland, Scottish Government, the State Hospital, NHS Scotland, the Armed Forces, Care Inspectorate
  • Local Authorities - including justice social work, or partner agencies who manage a range of community justice interventions to address the underlying causes of alleged offending and prevent further offending
  • Organisations providing support services to victims or witnesses
  • Overseas authorities (in respect of cases where a mutual legal assistance request needs to be made in a case)
  • Other organisations and businesses who provide services to us such as back up and server hosting providers, IT software and maintenance providers, document storage providers and suppliers of other back office functions

Please note, this list is not exhaustive and there may be sharing beyond these agencies after careful assessment as to whether sharing is necessary and justified.

Furthermore, where we determine that it is in your vital interests to do so, we will share your personal data and personal sensitive data with the emergency services including the Police Service of Scotland and/or the Scottish Ambulance Service in order to establish your safety or the safety of others.

Transferring of your personal and sensitive data

COPFS are based in Scotland, but sometimes your personal and sensitive data information may be transferred outside the European Economic Area (EEA). If we require to do so, we’ll make sure that suitable safeguards are in place, for example ensuring that the recipient is another judicial or law enforcement authority, by conducting due diligence before transfer, use of appropriate contractual terms and through use of secure electronic transfer.

Automated decision making

We do not make automated decisions about the investigation and prosecution of crime or the investigation of deaths.

Retention of your personal data

The COPFS Records Management Manual is published on our website and outlines the retention periods for material held within criminal cases. COPFS will adhere to this retention and disposal policy unless a legal obligation - for example a statutory inquiry - requires us to keep the data for longer.

As noted within said manual, COPFS transfers material of enduring value to The National Archives of Scotland for archiving purposes.

How to exercise your DPA 2018 rights

The rights of data subjects are very similar under Part 2 (GDPR) and Part 3 (LEP) of the DPA, but there are a few that only apply to Part 2 specifically.

Rights of the data subject for each regime are as noted below:

Part 2 and Part 3

  • Access – copies of your personal data we hold on you and information on how this is processed. You can make what is called a subject access request to us through the link on our website: Request personal data.
  • Rectification - i.e. correction of inaccurate personal date. Any inaccurate personal data must be rectified without undue delay, and in any event within one month.
  • Erasure (aka right to be forgotten) - e. removal of personal data;
  • Restriction of processing - i.e. limit the further processing of data we hold;
  • Automated decision making - i.e. not to be subject to a decision based solely on automated processing.

Part 2 only:

  • Right of data portability - i.e. to receive the personal data we hold and have it transferred to another Data Controller;
  • Object - i.e. to object to us using personal data about you

It should be noted that any such request will be considered on a case-by-case basis and there are exemptions that may be applied, typically in relation to criminal case data.

To exercise any of these rights you can write to us at the Information Governance Unit using the details provided below.

Information Governance Unit,
Crown Office,
25 Chambers Street,
Edinburgh,
EH1 1LA

You can also email dataprotectionofficerdpo@copfs.gov.uk 

Making a complaint to COPFS

If you wish to make a complaint about the way your personal data has been handled, you can write to:

COPFS Data Protection Officer (DPO)
Information Governance Unit
Crown Office,
25 Chambers Street,
Edinburgh, EH1 1LA.

You can also email dataincidents@copfs.gov.uk

You are also able to telephone our Enquiry Point on 0300 020 3000.

Making a complaint to the Information Commissioner (ICO)

For independent advice about the Data Protection Act 2018 or to escalate your data complaint having received a response from us, you have the right to contact the Information Commissioner’s Office (ICO). The ICO enforces data protection laws if we refuse to carry out your request, or in relation to the decisions we made. The ICO can be contacted at:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email: casework@ico.org.uk

Changes to this privacy notice

We may change this privacy notice from time to time by updating this page in order to reflect changes in the law and/or our privacy practices. We encourage you to check this privacy notice whenever you revisit our website.

Last updated: 27 August 2024

Other published privacy statements

This page relates to use of your personal data in connection with the investigation and prosecution of crime and the investigation of deaths. 

We have published a separate privacy notice for job applicants which you can access here. 

  1. Privacy notice: Job applicants

We have also published a separate privacy notice for the Civil Recovery Unit which works with other law enforcement agencies to identify and recover the proceeds of crime.

  1. Privacy notice: Civil Recovery Unit

Annex A – Categories of personal data processed

Personal data refers to information relating to natural persons who:

  • can be identified or who are identifiable, directly from the information in question; or
  • who can be indirectly identified from that information in combination with other information.

Personal data that we’ll process, if relevant, includes:

  • your personal and contact details, such as title, full name, contact details and contact details history
  • whether you've instructed a solicitor and the solicitors contact details
  • your date of birth, gender and/or age
  • your nationality
  • your employment status
  • your financial details
  • your protected characteristics in terms of the Equalities Act 2010
  • family members, including bereaved nearest relatives (next of kin)
  • forms of identification to enable us to verify your identity if you make a request for your own personal data (known as a Subject Access Request)
  • records of your contact with us including face to face meetings, telephone calls, emails and written correspondence
  • information we obtained from third parties (allegations of crimes) including criminal reports submitted to us from the police and other reporting agencies and death reports submitted to us from the police
  • all evidential material obtained by reporting agencies including witness statements, records from relevant authorities (including medical, social work, school and housing); forensic reports, autopsy reports and analysis reports by the Scottish Police Authority (SPA) that may contain your personal data.
  • sound and visual images of you captured in photographs or CCTV or mobile phones
  • criminal records information of accused or victims and witnesses
  • details of the alleged crime and its impact
  • Victims Right to Review – emails or applications from victim and or witnesses
  • records of the outcome in your case

We may also process other types of your personal data referred to as “sensitive personal data” and this relates to or reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Annex B - Deta Legal Basis for Processing

Section 35 of the DPA 2018, states the following:

  1. The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair.
  2. The processing of personal data for any of the law enforcement purposes is lawful only if and to the extent that it is based on law and either
    1. the data subject has given consent to the processing for that purpose, or
    2. the processing is necessary for the performance of a task carried out for that purpose by a competent authority.

COPFS relies upon 35(2)(b) - we do not rely upon consent for processing data of this nature.

Section 35(3) states:

In addition, where the processing for any of the law enforcement purposes is sensitive processing, the processing is permitted only in the two cases set out in subsections (4) and (5).

Subsection 5 provides the case we rely upon for the processing of this data:

Section 35(5):

The second case is where –

  1. the processing is strictly necessary for the law enforcement purpose,
  2. the processing meets at least one of the conditions in Schedule 8, and
  3. at the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).

The processing within our case management systems is strictly necessary for the COPFS to effectively conduct criminal prosecutions.

The relevant conditions in schedule 8 of the DPA 2018 are:

  1. For statutory purposes where COPFS is processing data through exercising powers under the Prosecution of Offences Act 1985, Proceeds of Crime Act 2002 (to conduct cases that involve the proceeds of crime) or any other relevant law, and where case teams ensure processing is necessary for reasons of substantial public interest
  2. For the Administration of Justice
  3. For the Safeguarding of children and of individuals at risk where COPFS is processing data of victims, witnesses or other individuals connected to in prosecutions who are under 18 or are considered vulnerable or at risk. COPFS ensure that processing is necessary for to effectively conduct prosecutions and fulfil our statutory function and handle consent in line with the Victims’ Code of Practice.
  4. For Archiving purposes where data is contained within files that meet the criteria of ‘enduring value’ defined by COPFS Records Management Manual and Retention Schedule and will therefore be transferred to The National Archives of Scotland (NRS) under the Public Records Act 2011. COPFS will make decisions as to the archiving of data under the guidance of the Keeper of Public Records Scotland.

Annex C - Processing law enforcement data for non law enforcement purposes

Article 6 subsection 1 of the UK GDPR sets out the following lawful bases we rely upon for processing personal data for this purpose:

6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

6(1)(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual, particularly where the individual is a child.

Where COPFS relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of individuals and has concluded that they are not.

In addition, where the processing for any of the non-law enforcement purposes is sensitive processing, COPFS processes data under the following article 9(2) conditions of the UK GDPR:

  • Where we have your explicit consent this will be appropriately documented, and you will be able to ‘opt out’ at any time.
  • Where processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
  • Where processing is necessary for reasons of substantial public interest.

In order for COPFS to process special category data for reasons of substantial public interest, the processing must meet one of the conditions set out in Part 2, Schedule 1.

The condition(s) COPFS relies on in Schedule 1 will depend on the context of the data processing concerned.

Related items