Data protection legislation explained

Personal data is information about living people that can be used to identify that person, for example, your name, date of birth, identification number, address and e-mail address.

Special category data, sometimes called sensitive data is information which can tell someone something about you, for example your racial or ethnic origin, your religious beliefs or political opinion, membership of a trade union, genetic data, biometric data, sex life and sexual orientation.  

All organisations have a legal responsibility to make sure they protect any personal data they hold and do not use it in the wrong way.

The two laws that organisations must follow are the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). The GDPR was a regulation which came into force on 25 May 2018 and all countries that were part of the European Union (EU) had to follow, including the UK.

After the UK left the EU, the GDPR is still something that we have to follow, but in a new version known as the UK GDPR.

Read more about the UK GDPR on the Information Commissioner's website and the Data Protection Act 2018 on the governments legislation website.

Humberside Fire and Rescue Service has a data protection policy to make sure our staff understand what they must do to follow data protection legislation.

The UK GDPR includes 6 core principles which tell us how personal data should be used. HFRS must only use personal data in the ways that these principles tell us. We are required to be able to prove that we are following them.

Lawfulness, fairness and transparency

·        Lawful - we must have a specific lawful reason for processing the personal data.

·        Fair - the processing must be fair, ie. used in a way people would reasonably expect and not in a way that might negatively affect them.

·        Transparent - we have to be clear, open and honest about how and why we are using the personal data 

Purpose limitation

We must only collect personal data for specific, clear and valid purpose. We must not use it in any other way that is not compatible with that purpose. However, we may carry out further processing to archive information in a way that will benefit the public, scientific or historical research purposes, or statistical purposes. This is because they are considered compatible with the purpose it was first processed for.

Data minimisation

The personal data must be enough, relevant and limited to what is needed for the purpose it is first processed for.

Accuracy

The personal data we use must be correct and, where needed, kept up to date.

Storage limitation

The personal data must only be kept, in a form that allows individuals to be identified. It must be kept for no longer than is needed for the purpose it was originally collected.

Integrity and confidentiality

Personal data must be kept secure and protected against people accessing it that aren’t allowed to. It must also be protected against being lost, destroyed or damaged.

The Data Protection Act 2018 states that all businesses and organisations that process personal data must register with the Information Commissioners Office (ICO) unless they are exempt.

HFRS is registered with the ICO, our registration number is Z5461052 

Humberside Fire and Rescue Service have a Data Protection Officer (DPO). They are responsible for keeping track of how well we follow the law. They keep us updated and provide advice on how we can carry out our data protection responsibilities. They also give advice on Data Protection Impact Assessments (DPIAs).

The day-to-day management of the Service’s data protection responsibilities is carried out by our Information Governance Team.

To make sure our staff understand the role they play in making sure we follow data protection law, we provide training to all staff.  This is supported by several policies and procedures related to data protection.

You can contact the DPO or our Information Governance Team by:

Email: dataprotection@humbersidefire.gov.uk

Tel: (01482) 565333 

The Service has procedures in place to make sure privacy and data protection issues are considered. They must be considered at the very start of any new project, initiative or procurement or, where we plan to change the way do something.  We make sure people’s personal information is going to be handled with privacy in mind and in line with the law.  This process is often called privacy by design.

To do this, the Service completes Data Protection Impact Assessments (DPIAs). This is a way to identify any risks to personal information.  Every DPIA includes a record of the actions we have taken to remove the identified risks or, reduce their impact to the lowest level possible.

The table below provides details of all the Stage 2 DPIAs completed.

A personal data breach is a breach of security leading to personal data being destroyed, lost, changed. It can also lead to people being able to access the data who are not allowed to either by accident or on purpose.

Personal data is data about living identifiable individuals.

If something does go wrong, the Service has processes and procedures in place to make sure we can deal with it effectively and efficiently.

If you think something has gone wrong or you think there may have been a data protection breach, you should contact the Information Governance Team:

Email: databreach@humbersidefire.gov.uk

Tel: (01482) 565333

If it is appropriate, the Service will notify the Information Commissioners Office (ICO)

The first thing to do is contact the Information Governance Team so we can look into your concern:

Email: dataprotection@humbersidefire.gov.uk

Tel: (01482) 565333

If, following our response, you are still unhappy, you can raise your concern with the ICO.

It is for the ICO to uphold your rights and to take action to make sure we meet our legal responsibilities.  Action taken by the ICO can include financial penalties, enforcement notices, reprimands and other actions, including criminal prosecutions.

For more information about the role of the ICO:

Visit the Information Commissioners Office Website (ICO)

ICO address:

Wycliff House

Water Lane

Wilmslow

Cheshire

SK9 5AF

ICO helpline: 0303 123 1113 or (01625) 545745

Summary of Project:

Humberside Fire and Rescue Service are moving our Occupational Health records management system to a cloud-based system with a London based data centre. We will collect the following information about our staff electronically:

• Full Name
• Date of Birth/Age
• Gender
• Address and Postcode
• E-mail and Telephone
• Health and Medical Status

This allows for a better process for booking appointments, confidential record keeping, data collection, storage and analysis. 

Assurances:

• Access is only given to Occupational Health Staff and is managed by the System Administrator.
• The system will only keep information for a set amount of time.
• An Occupational Health Privacy Notice is published on our website to make sure people understand how their data is used.
• Occupational Health will only share data if informed and specific consent has been given. 

Summary of Project:

Humberside Fire and Rescue Service use drones to monitor incidents. This helps to improve understanding of a situation for Incident Commanders. The footage helps Incident Commanders see anything that might be dangerous. They can then decide what action we should take. We use the footage to improve health and safety, help with debriefs and improve confidence in the way that we work. This can sometimes include images of the public and may be shared with the Police to help with their investigations

Assurances:

• We make sure our Pilots are following the correct procedures.
• We back up all records on an hourly basis on our server to keep it protected and stop us from losing them.
• We delete everything on the SD card at the end of each flight if the images are not needed.
• Only the Chief Pilot is allowed to share footage after discussion with our Corporate Assurance Team.
• We share some images on social media to promote the positive work that the drones do for the service and local communities. All social media content is controlled by corporate communication and trained members of staff.
• All flights are carried out overtly with CCTV signage placed on vehicles. Hi Viz jackets are worn by the drone operator to make sure that the public are aware of the activity.
• We only carry out flights on private land and flight restriction zones with direct permission. Contact will be made by telephone or in person before flights take place to get this permission.

Summary of Project:

Humberside Fire and Rescue Service are upgrading the existing Health and Safety system. We record accidents, near misses, vehicle collisions and attacks on staff at work. This helps us investigate if there is a need to make improvements. A responsible person collects and uploads information about incidents. This may include details of non-fire service staff, if they are involved for legal reasons. 

Information that may be collected include:

• Full name
• Age
• Gender
• Address
• Service number/role
• E-mail
• Phone number
• Image
• Health or social care status
• Injuries

Assurances:

• Only selected managers have access to the system. The system administrator has a tight control over who has access to the system.
• The systems are protected by encryptions, intrusion and monitoring and a firewall.
• We publish a Privacy Notice to tell people how we use their data.
• Staff will share data when relevant laws require them to. The Health and Safety team will assess if they can remove or anonymise any of the data before they share any report. 

Summary of Project:

This is Humberside Fire and Rescue Services main HR system. It is moving to the newest version of the software which is hosted in a United Kingdom data centre. 

We collect the following data from our staff members due to legal requirements:

• Full name
• Date of birth
• Gender
• Address, telephone number, e-mail address
• Payroll number, National Insurance number, Service/Post number
• Race and Ethnicity
• Religious belief
• Sexual orientation
• Health information
• Criminal records
• Sickness, Disciplinary, and Grievance records

 This allows us to continue to effectively and efficiently manage all elements of human resource functions. 

Assurances:

• Only people who need access to the system can and this is managed by the system administrator.
• We publish privacy notices on the website and update them when needed to tell people what data we use, how and why.
• HR staff only share data that helps managers carry out tasks like absence management and disciplinaries.
• The cloud environment reduces the loss of access to data from happening.
• We don't keep this personal information for longer than needed.
• Employees must tell the service about any changes to personal details by submitting a form.
• HR regularly check the information by sending a blank Personal Data Review form to all staff. 

Summary of Project:

We collect and hare the following information about our operational staff:

• Full name
• E-mail address
• Place of work
• Sizing measurements

It is shared with the provider of our personal protective equipment. This helps manage how and when to deliver the replacements and allow our staff to complete their tasks safely and effectively. 

Assurances:

• Data is shared securely and safely.
• There is a standard contact clause of a Framework Agreement in place. 

Summary of Project:

Humberside Fire and Rescue Service have CCTV installed on the outside of their Headquarters buildings and on several fire station buildings around the County. This helps us to review activities around these buildings when needed. This CCTV may capture images of the public as well as staff. 

CCTV for our buildings helps with the following:

• It prevents criminal activity.
• It improves the security of our buildings.
• It improves the security of our employees and visitors.

Assurances:

• Only staff who need access can access it.
• Regular checks are carried out on the system.
• Downloaded images are deleted when each case is completed.
• We record files and when they are deleted.
• Signs around the building let people know that there are cameras in action.
• The Privacy Notice is published on our website to tell people what data we collect, why and what we do with it. 

Summary of Project:

Humberside Fire and Rescue Service have 360-degree CCTV installed on fire engines. This helps us to review activities around these vehicles when needed. This CCTV may capture images of the public as well as staff. 

CCTV on our fire engines helps with the following:

• It improves the security of our fire engines.
• It prevents criminal activity and threatening behaviour towards staff.
• It assists with internal and external investigations and monitors safe systems of work.

Assurances:

• Staff are only given access to what they need which is controlled by the system manager.
• We carry out system checks to make sure that the equipment is working correctly.
• Staff are trained how to use the system and must read the code of practice.
• We only share data is it has been approved.
• Images are only downloaded and viewed when required.
• The system has the functionality to redact images.
• Footage and images are stored in the evidence locker for 30 days unless marked as otherwise.
• Vehicles have signs telling people that recording is taking place.
• We publish Privacy Notices on our website explaining how and why the images are recorded. 

Summary of Project:

Humberside Fire and Rescue Service use Body Worn Cameras. We use these to get more understanding of an incident through the live stream cameras. BWC's help with recording, decision making, sharing risk information, and completing debriefs. They also help to make sure we're working in the way that we should. The National Fire Chiefs Council has asked all UK Fire Services to use BWCs. This is because between 2015 and 2020 there were more than 3,800 attacks on firefighters. Wearing BWCs is expected to prevent attacks and result in less aggression and violence toward staff. We will use them to record this behaviour which may then be used as evidence. We may use them for other purposes such as Business Safety. They would use it to capture evidence when issuing Prohibition and Enforcement Notices. 

Assurances:

• We have a procedure explaining how they should be used.
• Only certain staff can delete footage using system software.
• Staff using the software and cameras complete relevant training.
• Footage cannot be downloaded without permission.
• The system software creates an audit log of all activity with the times that they have happened.
• We may share use of Body Worn Cameras on social media or through local press. This is to show the benefits of BWC for the service and the local community.
• The ability to remove faces and audio is a built-in function is the system software. This makes sure people in the footage can stay anonymous.
• We have a system administrator who will be responsible for giving access to the system. The administrator will also give a different type of access to people based on their role.

Summary of Project:

Humberside Fire and Rescue Service will give employees access to physiotherapy services. These services will provide assessment and treatment with more direct access to health services. The hope is that that staff can return to work sooner than might otherwise be possible. We will give the physiotherapist details of employees referred for physiotherapy. 

These will include: 

• Full Name
• Date of birth
• Service number
• Contact telephone number
• Details of injury/condition

Assurances:

• Only Occupational Health staff have access. The type of access they have depends on their role.
• We publish Privacy Notices to tell each user how their personal data is being used.
• Occupational Health staff will only share data when they have consent from the person that the data is about.
• The system does not allow us to delete records. • We have a system administrator who has tight control over who has access to the system.
• The software used to store health records has a built-in automated retention schedule. This makes sure we don’t keep information for longer than we should.
• The information is only shared between known service providers and our own Occupational Health team.
• HR staff will be trained in how to use the system. We will also ask them to check the records before adding to them particularly where there are similar names on the system.
• Data is shared securely.

Summary of Project:

Humberside Fire and Rescue Service will give employees access to counselling services. This is to support their mental health and wellbeing and create a more productive workforce with a reduction in absence. We will give the counsellor details of an employee referred for counselling. 

These details will include: 

• Name
• Date of birth
• Service number
• Contact telephone number

Assurances:

• We publish Privacy Notices on our website. These explain the process to each user when they request the service.
• Occupational Health staff will only share data if they have consent from the person the data is about.
• The system does not allow us to delete records.
• The system administrator has a tight control over who has access to the system.
• The software has built in automated retention schedules. This makes sure that data is not kept for longer than is needed.
• Information is only shared between the Occupational Health team and known service providers.
• HR staff are trained to use the system. We ask them to check the records before adding to entries particularly where there are similar names on the system

Summary of Project:

Humberside Fire and Rescue Service use Microsoft 365. It is a tool that allows staff to access emails and personal documents anywhere with their own username and password. The username is assigned to them when they start working for HFRS. This will improve accessibility for staff as long as they have internet access. Sharing documents and information has also been made easier with Microsoft365. We require staff names and e-mail addresses to connect them to the Microsoft 365 environment.

Assurances:

• Only people with Humberside fire and rescue Microsoft 365 accounts can access documents.
• Users can only delete records in their own folders. There is a record of all activity that happens in the software.
• The system administrator has a tight control over who has access to the system. The login is controlled through the main network so the moment someone leaves, they cannot access the system.
• Staff must complete data protection training
• The system records all activity that takes place.
• We train staff on how to recognise a request for information, rectification or erasure.
• M365 can block any device or IP address that might cause a security risk or breach.
• If a colleague uploads a document, it is scanned before going onto the cloud platform.
• Colleagues cannot access any internal systems or use the VPN on personal devices.
• Staff should change their passwords every 90 days.
• If a laptop is stolen, we can block this device as well as remove it from the domain and stop this from being logged into. Our tablet devices can also be blocked straight away if lost or stolen. We are also able to track devices.
• Machines have a screen saver initiated after 5 minutes of no activity. We also have a policy that states users are not to leave their devices unattended without locking them.
• After 30 days if a device hasn’t been on the domain or connected to the Anti-Virus software, it will be temporarily blocked from accessing the network. This is until the person who has the device contacts digital services.

Summary of Project:

Humberside Fire and Rescue Service receive information about residents who request assistance with their bin collection. An information sharing agreement exists for this. We will use this data alongside our domestic risk profiling. This is to show when an occupier might have mobility issues and so less able to escape from a fire. We can then offer a Home Fire Safety visit, assess their safety and offer fire safety advice to those who are most at risk under the Fire and Rescue Services Act 2004. 

The data provided to us includes: 

• Full Name
• Address
• Telephone Number

Assurances:

• Access to the original data from each Local Authority is limited to two people in each service.
• Each Local Authority data provider advises people that their information will be passed to the Fire Service. We will then tell them of the purpose during our first contact. We cover this in the Privacy Notice on the website.
• Data transfer agreements are defined within the Sharing Agreements.
• When received, the data is assessed for risk and is then deleted. • Data is stored on one drive which is secured in the cloud and backed up.
• The Privacy Notice is published on the website, is checked and updated regularly.
• We ensure people are advised at first contact of how they have come to be contacted and why. We further advise if any information needs to be shared with any other agencies

Summary of Project:

Humberside fire and rescue service collect prevention and protection data. We collect this from members of the public when they ask for our services. Data is also collected during the service and when we give safety advice and equipment. The system is split over 3 parts: risk, prevention and protection. Services are linked to each one.

Prevention: 

• Safe and well visits
• Reducing arson
• Vulnerable adult visits
• Children playing with fire
• Advice/engagement and talks Information is collected about the individual risks of the occupier and lifestyle choices related to fire prevention e.g., smoker status and limited mobility.

Protection: 

• Building inspections
• Fire safety audits
• Building regulations
• Prohibitions
• Enforcements
• Consultations Information about how commercial buildings are performing against fire protection regulations is collected. 

Operational risk: 

• Firefighter risk inspections
• Heritage risk inspection
• Environmental risk inspections Information about risks found in domestic and commercial buildings is collected. 

This allows us to assess the individual for risk and then mitigate the risk helping us to keep individuals safe from fire. This work also allows us to keep our staff safe by collating known risks in premises.

Assurances:

• Only staff with permission are given access to the system with their own log ins. Staff will have different types of access depending on their role.
• Privacy Notices are published on the website. These tell people what information is being collected and why.
• Data will only be shared with partners included in our data sharing agreement.
• Staff must complete data protection training. We thoroughly investigate any breaches and create an action plan to prevent future occurrences.
• Encryption is used on all mobile devices. ICT can remotely ‘wipe’ device contents if the device is reported as lost.

Summary of Project:

Humberside Fire and Rescue Service are required to hold DBS checks. The level of check is dependent on the type of activity the member of staff will be involved in. This is following changes to the Rehabilitation of Offenders Act (Exemptions) Order 1975. We will use Essex County Council to process the applications on behalf of HFRS. This allows our HR team to determine suitability for employment or the specific role. 

Individuals provide us with the following information which allows us to complete the check:

• Full name
• Date of birth/age
• Gender
• Address
• E-mail

Assurances:

• Only people who need to access the system can access it. They do this with a unique log in that provides different types of access depending on their role.
• Information is not kept for longer than is needed.
• The Privacy Notice is published on the website. This explains how and why your data is used. There is also a policy published providing full information about the process.
• HR are only advised when there is a disclosure, and they contact the person to discuss.
• HR staff are trained in the use of our systems. They are also asked to check the records before adding entries, particularly where there are similar names on the system.
• The system has a built-in record of all activity on the system.

Summary of Project:

Humberside Fire and Rescue Services have an Organisational Development (OD) team. They collect data for all staff members. We collect this through an online Personal Development Review (PDR) questionnaire. The PDR includes personal information and discussions around development and training needs. All the information is shared between the manager and staff member by email. The training information is sent to a Microsoft Dashboard. The OD and Training team then use it to produce the services Training Needs Analysis (TNA). This is to make sure that staff training needs can be met. It also makes sure that their welfare is discussed with their line manager . This supports the delivery of the service

Assurances:

• Guidance on how to follow the process is given to managers.
• Access to the systems is given based on a person’s role with their own log in.
• Only certain members of staff can delete records. All activity is recorded on the system.
• The system is backed up regularly so will always be available.
• We publish Privacy Notices on the website to tell people how their data is being used. We review this every year.
• Staff accounts are set up carefully when people have the same or similar names. Changes to line management are updated on the system. This is done quickly to make sure that automatic e-mails go the right person.
• The individuals review the information before the final copy is added to the file.

Summary of Project:

Humberside Fire and Rescue Service (HFRS) work in partnership with East Riding of Yorkshire Council (ERYC) Sensory Team. We work together to identify individuals with hearing difficulties and may not be able to react to a standard smoke alarm. This increases the risk of the individual being harmed in a fire. The alarms are supplied by ERYC. HFRS will, if the individual requests, fit a sensory alarm in their property. If we or ERYC identify a need, details of the individual are shared with the other partner. This is so that they can carry out an assessment focused on their area of expertise and give appropriate guidance and support. This will improve outcomes for individuals and reduce the risk to individuals sooner. 

We collect the following data to help us complete this activity from ERYC or the individual themselves: 

• Full name
• Address and Postcode
• Phone number
• Status of hearing

Assurances:

• Access is restricted to Prevention Staff and is different depending on their role.
• We publish Privacy Notices on our website that explain how and why we process personal data.
• Only some members of staff can delete records. All activity is recorded on the system.
• There are back-ups of the system in place to stop us from losing data.
• The spreadsheet is password protected. It is sent from the service to specific known e-mail addresses.
• Prevention staff are trained in how to use the system. They are asked to check the records before adding anything particularly where there are similar names on the system.

Summary of Project:

Humberside Fire and Rescue Service provide a Fire Service Cadet scheme to children aged 13 to 16 in each of the 4 districts. It supports young people in our communities and increase their skills, goals and confidence. It educates young people on fire, water and road safety and the role of the fire service. It offers insight into being a firefighter and teaches many different life skills. We run this with the national award scheme so that we can make sure it is delivered to a high quality. The National Fire Chiefs Council (NFCC) encourage this scheme to promote Cadets. This is because it results in excellent social and economic outcomes. Individuals and leaders will record progress and activities on the secure Fire Cadet Manager web site. 

The participants, parents or carers will provide us with the following personal information: 

• Full name
• Date of birth/age
• Address and postcode
• E-mail
• Phone number
• Image
• Race or ethnic origin
• Health or social care status

Assurances:

• We explain to fire cadets at first contact how and why their data is used. This is also explained on our published Privacy Notice on our website.
• The system records all activity. This includes any attempts to reidentify or pseudonymise the personal data.
• Members can log on to the system to check that their data is correct and up to date.
• The system has strong security measures to protect the data held in it. This includes the option for two factor authentication.
• The system uses two data centres with a third back-up location.
• HFRS do not keep information longer than needed.
• An Equality Impact Assessment has been completed and is reviewed every two years.
• The Project Lead will manage access for the users and members.
• All staff complete data protection training. Any breaches are investigated thoroughly with an action plan created to prevent it from happening again.

Summary of Project:

Humberside Fire and Rescue Service receive the name and address of individuals who receive medical aids. This may create a higher risk to fire fighters and people who live in the same property if a fire happens. We have a legal duty to provide correct and up-to-date information to crews about risks when they are attending an incident.

We receive data from different organisations contracted by the NHS. We add the information to our risk information system and enter it into CFRMIS. This generates the offer of a Home Fire Safety Visit.

Assurances:

• Only people who need access can access the system.
• The information we receive includes which properties have had equipment removed to make sure our data is correct and up to date.
• Privacy notices are published onto our website which tell people what information we collect, why, and what we do with it.
• There is a built-in record of the activity on the system.
• Staff complete data protection training and personal data breaches are investigated thoroughly to prevent them from happening again.