Cautionary Contact Register (CCR) privacy notice

Overview

This privacy notice acts to inform you of what will happen if you’ve been added to the London Borough of Bromley (LBB) Cautionary Contact Register (CCR). It will explain some of the reasons you might be added to the CCR, what personal information we will collect and hold, who has access to this information, how long we will hold it for and what your rights are.

There are a variety of reasons that you could be added to the CCR. These reasons include, but are not limited to:

  • Verbal abuse
  • Physical abuse
  • Harassment
  • Environmental risks

These incidents are not limited to your home, and you could be added to the CCR if an incident occurs between yourself and a member of LBB staff in any location, including over the phone, in reception, or in any other setting.

Why we collect your personal information

Under the Health and Safety at Work etc. Act 1974 LBB has a duty of care to its employees and must do what is reasonably practicable to protect their health, safety and welfare. LBB also has a legal duty, under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 2013, to record and report any incidents of work-related violence.

In the event of an incident that could threaten the health, safety or wellbeing of any LBB employees or could conceivably be considered to be an incident of work-related violence, not limited to physical violence, LBB reserves the right to gather and hold your personal information. This information can then be included on the CCR, in order for LBB to meet the above legislation.

LBB is designated the data controller for any information processed in relation to this activity - this means the council decides how your personal data is lawfully used, for what purpose and assumes accountability for its protection. 

The use and protection of personal data is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018.

The lawful basis for processing your information for the purposes stated in this document are as follows:

General Data Protection Regulation Article 6 (1):

(b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) Processing is necessary for compliance with a legal obligation to which the controller is subject;

(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

General Data Protection Regulation Artical 9 (2):

(b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law

(d) Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim

General Data Protection Regulation Article 10:

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

What information we hold

The personal information we hold about you is limited to information necessary to identify you as an individual, in this case your full name, postcode and address. The further information that is stored on the CCR includes:

  • The consequence of being on the CCR
  • The broad reason you are on the CCR
  • Dates related to the incident

Further information about the incident will be stored by Corporate Health and Safety, for a minimum of 3 years, in accordance with the LBB’s data retention policy. This is to protect the information from potential loss and to limit unnecessary access/exposure.

How we collect your information

We will collect information about you from the member of LBB staff who was subject to the incident. This information will then be matched against any of our existing internal records, if appropriate, to confirm your identity with the member of staff and from there you will be added to the CCR.

What we do with your information

Once an incident is reported, the line manager of the member of staff who experienced the incident will assess the risk posed to other members of staff. They will then make a decision on what the outcome of your inclusion on the CCR will be and what guidance will be given to other officers, when contacting you. This guidance may affect:

  • The method by which you are contacted
  • Where/how any meetings with you take place  

Who has access to your information

In order to prevent unauthorised people from seeing this information it will be stored securely, with access restricted to authorised staff.

Authorised staff are only permitted to access individual records on a need to know basis.

Who your information is shared with

Your information will only be shared with authorised LBB staff and relevant contractors and may also be shared with partnership groups including the Police (see section 6).

Your information may also be shared, where we have a legal duty to do so, under UK Data Protection law. For example, we may be obliged to share this information with the police, in the scenario where a crime has been committed and if others would be at risk by this information not being shared.

In the event we do share this information, we do so ensuring the applicable data protection regulations are followed at all times.

How long we hold your information

Corporate Health and Safety will keep the register up to date and review it on a monthly basis, removing personal data after 24 months, or 36 months for physical assault and/or threats of physical assault, from the date of the last incident. For exceptional cases, (for example any incidents of extreme violence or where there have been multiple incidents involving the same person/address), this period may be extended.

LBB reserves the right to hold the information for an extended period, where there is justification for doing so, depending on the severity of the incident.

What your rights are

You have a wide array of legal rights, when it comes to your personal information, under the Data Protection Act and under GDPR.

  • You have the right to make a Subject Access Request (SAR), to find out what information the Council holds on you.
  • You have the right to be informed about the ways the Council may collect your personal information, via privacy notices such as this one.
  • You have the right to rectification, if you think that any information the Council holds on you may be out of date or incorrect.
  • You have the right to erasure of your personal information, unless the Council has a legal obligation to process this, for example under the previously mentioned Health and Safety and RIDDOR regulations.
  • You have the right to restriction of processing of your personal information, unless the Council has a legal obligation to process this, for example under the previously mentioned Health and Safety and RIDDOR regulations.
  • You have the right to not be subject to automated decision-making, for example decisions made by a computer or automatically, but rather by a person and to have that decision explained to you.
  • You have the right to withdraw consent for your data being processed at any time, unless the Council has a legal obligation to process this, for example under the previously mentioned Health and Safety and RIDDOR regulations.

Please note that these rights do not always apply and there are exceptions to any of the rights listed above.

If you would like to get in touch

Contact us with a Complaint

If you would like to make a complaint about the way your data is used by LBB you can contact our Data Protection Officer (DPO) with the details as set out in s10.3.

Contact us for a Subject Access Request (SAR)

If you would like to make a SAR, this should be either emailed or sent by post to our DPO as set out in s10.3. Once we have received and confirmed your request, we will respond within 1 calendar month.

Contact Information

All requests should be directed to the following:

Data Protection Officer

Address: Civic Centre, Westmoreland Road, Bromley BR1 1AS

Email: data.protection@bromley.gov.uk

If after contacting the Data Protection Officer you remain dissatisfied with the way your information has been handled, you have the right to raise a complaint with the Information Commissioner, using the following details:

Contact Information Commissioner

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Email: casework@ico.org.uk