Data Processing Agreement
Effective date: 26 May 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Regional Exclusion & Crime Observation Network ("Platform Operator", "we", "us") and each participating organisation ("Data Sharer" or "Organisation"). It sets out the terms under which personal data, including special category data and criminal offence data, is processed and shared through the Platform.
Controller-to-controller arrangement
Each participating organisation is an independent data controller. The Platform Operator acts as a data controller for platform operation data and as a data processor only where explicitly stated in this agreement. This DPA governs the controller-to-controller sharing of criminal intelligence data.
1. Definitions
In this DPA, the following terms have the meanings set out below, in addition to those defined in the Terms of Service:
- "Applicable Law" means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any successor legislation.
- "Criminal Offence Data" means personal data relating to criminal convictions, offences, or related security measures, as defined in Article 10 UK GDPR and Section 11 DPA 2018.
- "Data Sharer" means a participating organisation that submits data to the Platform for sharing with other authorised organisations.
- "Data Recipient" means a participating organisation that accesses data submitted by another Data Sharer.
- "Platform Data" means all personal data processed through the Platform, including suspect profiles, incident records, vehicle data, and pub watch/ban data.
- "Special Category Data" has the meaning given in Article 9 UK GDPR.
2. Scope and Purpose
2.1 Processing purposes
The Platform processes personal data, including criminal offence data, for the following purposes:
- Crime prevention and detection
- Public safety and protection
- Law enforcement support and investigation
- Retail Watch loss prevention and organised retail crime disruption
- Licensed premises safety and pub watch coordination
- Private security incident management and reporting
2.2 Categories of data subjects
Data subjects whose data may be processed include:
- Individuals suspected of or convicted of criminal offences
- Individuals subject to banning notices from licensed premises
- Individuals associated with recorded incidents
- Vehicle owners and operators linked to criminal activity
- Platform users (Organisation staff with authorised access)
2.3 Categories of personal data
- Identifiers: name, date of birth, aliases
- Physical descriptions: height, build, hair colour, eye colour, ethnicity, gender
- Distinguishing marks: tattoos, scars, piercings
- Photographs and facial images
- Vehicle registration, VIN, make, model, colour
- Incident descriptions, dates, locations, and outcomes
- Banning notice details, conditions, and durations
- Professional contact details of authorised users
3. Roles and Responsibilities
3.1 Each Organisation as Controller
Each Organisation is an independent data controller for the data it submits to and accesses from the Platform. Each Organisation must:
- Identify and document a lawful basis under Article 6 UK GDPR for processing personal data
- Identify and document a condition under Schedule 1 DPA 2018 for processing criminal offence data
- Maintain an appropriate policy document as required by Schedule 1, Part 4, Paragraph 39 DPA 2018
- Ensure that a Data Protection Officer is appointed where required by Article 37 UK GDPR
- Conduct a Data Protection Impact Assessment (DPIA) for high-risk processing activities
- Process data only for the purposes stated in their registration and this DPA
3.2 Platform Operator role
The Platform Operator acts as a data controller for:
- Account and authentication data
- Audit log data
- Platform operational and technical data
The Platform Operator acts as a data processor for:
- Storage and technical processing of Platform Data on behalf of each Data Sharer
- Making Platform Data available to authorised Data Recipients
- Maintaining the technical infrastructure that enables data sharing
3.3 Data sharing obligations
By submitting data to the Platform, each Data Sharer:
- Confirms they have the lawful authority to share that data with other participating organisations
- Confirms the data is accurate and proportionate to the purpose
- Agrees that the data may be accessed by other authorised organisations for the purposes set out in Section 2
- Accepts responsibility for the ongoing accuracy and relevance of their submitted data
4. Security Measures
4.1 Technical measures
The Platform Operator implements the following technical measures:
- Encryption of data in transit (TLS 1.2+) and at rest
- Role-based access control restricting data to authorised users within each Organisation
- Session management with automatic inactivity timeout and maximum session duration
- CSRF protection on all state-changing operations
- Content Security Policy and other security headers
- Comprehensive audit logging of all data access and modifications
- Secure password storage using industry-standard hashing
4.2 Organisational measures
- Manual review and approval of all registration requests
- Access revoked upon organisational accreditation expiry (e.g. SIA licence lapse)
- Regular access reviews and audit log examination
- Staff training on data protection obligations
- Incident response procedures for data breaches
4.3 Organisational obligations
Each Organisation must:
- Ensure all authorised users are trained on data protection obligations and the Terms of Service
- Implement appropriate access controls within their Organisation to limit data access to staff with a legitimate need
- Report any suspected data breach to the Platform Operator within 24 hours of becoming aware
- Conduct regular reviews of user access rights and promptly remove access for departed staff
5. Data Breach Notification
5.1 Platform Operator breaches
If the Platform Operator becomes aware of a personal data breach affecting Platform Data, it will:
- Notify the ICO within 72 hours of becoming aware, where the breach is likely to result in a risk to data subjects' rights and freedoms (Article 33 UK GDPR)
- Notify all affected Organisations without undue delay
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 UK GDPR)
5.2 Organisation breaches
Each Organisation must notify the Platform Operator of any breach involving Platform Data within 24 hours of becoming aware. The Organisation is responsible for its own ICO notification obligations where it acts as an independent controller.
6. Data Retention and Deletion
6.1 Platform Data retention
Data submitted to the Platform is retained in accordance with the following principles:
- Each Organisation is responsible for ensuring that data they submit is retained only for as long as necessary for the purpose for which it was shared
- Criminal intelligence and incident data is retained in line with the Management of Police Information (MoPI) codes of practice or the Organisation's own retention schedule, whichever is applicable
- Audit logs are retained for a minimum of 6 years
6.2 Deletion requests
An Organisation may request deletion of data it has submitted. Deletion requests will be processed within 30 days. Where data has been shared with other authorised organisations, the requesting Organisation is also responsible for notifying those organisations of the deletion.
7. Sub-processors
The Platform Operator currently uses the following categories of sub-processors:
- Hosting infrastructure: server hosting and database management
- Content delivery: static asset caching and delivery
The Platform Operator will notify all Organisations before appointing a new sub-processor or replacing an existing one, allowing Organisations a reasonable period to object.
8. International Transfers
The Platform is hosted within the United Kingdom. No personal data is transferred outside the UK. Should a transfer become necessary, appropriate safeguards as defined in Chapter V of the UK GDPR will be put in place prior to any transfer.
9. Audit and Compliance
- The Platform Operator maintains comprehensive audit logs of all data access and modifications
- Each Organisation may request an audit report relating to their data processing activities on the Platform
- The Platform Operator will cooperate with ICO audits and investigations as required
- Each Organisation is responsible for conducting its own DPIA for its use of the Platform
10. Liability and Indemnity
Each Organisation is liable for the data it submits to the Platform and must ensure it has an appropriate lawful basis for processing. The Platform Operator is not liable for the accuracy, lawfulness, or proportionality of data submitted by participating organisations. Each Organisation indemnifies the Platform Operator against claims arising from that Organisation's unlawful processing of data.
11. Termination
Upon termination of an Organisation's access to the Platform:
- All authorised user accounts for that Organisation will be deactivated
- Data previously submitted by the Organisation remains on the Platform and accessible to other authorised organisations, subject to the terms of this DPA
- The terminated Organisation may request export or deletion of its submitted data in accordance with Section 6
- The Platform Operator will retain audit logs in accordance with Section 6.1
12. Changes to This Agreement
The Platform Operator may update this DPA from time to time. Material changes will be communicated to registered Organisation administrators at least 30 days before taking effect. Continued use of the Platform after changes take effect constitutes acceptance of the revised DPA.
13. Governing Law
This DPA is governed by and construed in accordance with the laws of Scotland, and the parties submit to the exclusive jurisdiction of the Scottish courts. It forms part of the Terms of Service.