Use of your Personal Data in connection with the investigation and prosecution of crime and the investigations of deaths
The Crown Office and Procurator Fiscal Service (COPFS) is Scotland’s prosecution service. We receive reports about crimes from the police and other reporting agencies and then decide what action to take, including whether to prosecute someone and seizing the proceeds of crime. We also look into deaths that need further explanation and investigate allegations of criminal conduct against police officers.
COPFS plays a pivotal part in the justice system, working with others to make Scotland safe from crime, disorder and danger. We take into account the diverse needs of victims, witnesses, communities and the rights of those accused of crime and aim to provide services that meet the information needs of victims, witnesses and next-of-kin, in co-operation with other agencies.
The Crown Office and Procurator Fiscal Service (COPFS) and our Data Protection Officer
We are COPFS (including the Law Officers, the Crown Agent, and all Procurators Fiscal and other employees), Crown Office, 25 Chambers Street, Edinburgh, EH1 1LA. We are a data controller of your personal data referred to below.
Legal Basis for processing personal data for law enforcement purposes
We mainly process personal and sensitive data for law enforcement purposes. Law enforcement purposes mean for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
This processing will fall under part 3 of the Data Protection Act 2018.
Legal Basis for processing personal data within criminal cases for non-law enforcement purposes
In certain circumstances, we will share information, which was initially for a law enforcement purpose with selected third parties for non-law enforcement purposes, for example:
- General Medial Council, The General Teaching Council for Scotland related to the regulation of professional conduct.
- Criminal Injuries Compensation Authority
The above list is not exhaustive and may vary on a case-by-case basis.
In these circumstances the processing will fall under the UK GDPR and the Data Protection Act 2018 (DPA 2018).
We have a dedicated data protection officer (“DPO”). You can contact the DPO by writing to the above address marking it for the attention of the DPO, or by email: DataProtectionOfficerDPO@copfs.gov.uk
What kinds of personal data about you do we process?
Personal data that we’ll process, if relevant, includes:
- your personal and contact details, such as title, full name, contact details and contact details history
- whether you've instructed a solicitor and the solicitors contact details
- your date of birth, gender and/or age
- your nationality
- your employment status
- your financial details
- your protected characteristics in terms of the Equalities Act 2010
- family members, including bereaved nearest relatives (next of kin)
- forms of identification to enable us to verify your identity if you make a request for your own personal data (known as a Subject Access Request)
- records of your contact with us including face to face meetings, telephone calls, emails and written correspondence
- information we obtained from third parties (allegations of crimes) including criminal reports submitted to us from the police and other reporting agencies and death reports submitted to us from the police;
- all evidential material obtained by reporting agencies including witness statements, records from relevant authorities (including medical, social work, school and housing); forensic reports, autopsy reports and analysis reports by the Scottish Police Authority (SPA) that may contain your personal data.
- sound and visual images of you captured in photographs or CCTV or mobile phones
- criminal records information of accused or victims and witnesses
- details of the alleged crime and its impact
- Victims Rights to review – emails or applications from victim and or witnesses
- records of the outcome in your case
We may also process other types of your personal data referred to as “sensitive personal data” and this relates to or reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
What is the source of your personal and sensitive data?
We’ll collect personal information from the following general sources:
- from you directly and any information from family members
- from the police and other reporting agencies when they submit reports to us
- from your legal representative or other named representative acting on your behalf
- from analysis of evidence seized by the police or other reporting agencies, including fingerprints, DNA, and mobile telephone content
- from information provided to the police or other reporting agency, for example in terms of CCTV or dashcam footage
What do we use your personal and personal sensitive data for?
- to investigate reported crime
- to consider the appropriate prosecutorial action against an accused
- to refer a case to a local authority for them to consider suitability for and then, where appropriate deliver alternatives to prosecution such as diversion or fiscal work orders
- to conduct all criminal prosecutions in Scotland
- as evidence in a case if you are an accused, victim or witness
- to investigate deaths (bereaved nearest relatives and witnesses)
- to investigate complaints against the police
- where we determine that it is in your vital interests to do so, we will share your personal data and personal sensitive data with the emergency services including the Police Service of Scotland and/or the Scottish Ambulance Service in order to establish your safety or the safety of others
- to improve your experience of our service
- to monitor and to keep records of our communications with you and our staff.
- for management and auditing of our business operations including accounting
- to comply with legal and regulatory obligations, requirements and guidance, particularly our obligation to disclose material information to the accused or their solicitor
What are the legal grounds for our processing of your personal and personal sensitive data (including when we share it with others)?
We rely on the following legal grounds to use your personal and sensitive data:
- our public task includes processing of personal data necessary for the administration of justice and the exercise of a function of the Crown
- our legal obligations, such as the disclosure of information to your legal representative in the course of preparation of your defence, disclosure of information to third party agencies such as police, social services etc., disclosure of information to expert witnesses, doctors, psychiatrists, the completion of subject access requests etc
- vital interests
- the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests
- your consent where you have contacted us regarding a general enquiry which is more appropriately answered by a third-party organisation, we will ask you if we may forward this information on to another authority on your behalf who may in a position to assist you
- to prevent criminal activity, fraud and money laundering
When do we share your personal and sensitive data with other organisations?
We may share data with the following third parties for the purposes listed above including:
- the Police Service of Scotland and other enforcement agencies
- solicitors acting for the accused
- the accused when they are not represented by a solicitor
- the Scottish Courts and Tribunal Service (SCTS)
- governmental and regulatory bodies such as the Scottish Public Services Ombudsman (SPSO), the Information Commissioner’s Office, the Scottish Information Commissioner’s Office, the Scottish Legal Complaints Commission( SLCC), Scottish Social Services Council (SSSC) General Medical Council (GMC), The General Teaching Council (GTC), Disclosure Scotland, Disclosure and Barring Service
- the Law Society of Scotland, the Scottish Legal Aid Board
- Police Investigations and Review Commissioner
- Scottish Childrens Reporter Agency (SCRA)
- the National Probation Service, Scottish Prison Service, Parole Board for Scotland, Scottish Government, the State Hospital, NHS Scotland, the Armed Forces, Care Inspectorate
- Local Authorities - including justice social work, or partner agencies who manage a range of community justice interventions to address the underlaying causes of alleged offending and prevent further offending
- organisations providing support services to victims or witnesses
- overseas authorities (in respect of cases where a Mutual Legal Assistance request needs to be made in a case)
- other organisations and businesses who provide services to us such as back up and server hosting providers, IT software and maintenance providers, document storage providers and suppliers of other back office functions
How and when can you withdraw your consent?
Most of the grounds on which we process personal and sensitive data are referred to in paragraph 4 above and we do not require your consent. Should we rely upon your consent to process personal data, you can withdraw this at any time by contacting us by email: DataIncidents@copfs.gov.uk
Is your personal and sensitive data transferred outside the UK or the EEA?
We are based in Scotland, but sometimes your personal and sensitive data information may be transferred outside the European Economic Area. If we do so, we’ll make sure that suitable safeguards are in place, for example ensuring that the recipient is another judicial or law enforcement authority, by conducting due diligence before transfer and through use of secure electronic transfer.
What should you do if your personal and sensitive data changes?
You should tell us so that we can update our records. The contact details will be on correspondence that we send to you during the course of our involvement with you. We’ll then update our records where appropriate.
Do you have to provide personal and sensitive data to us?
Most of the personal data we hold is for the processing of law enforcement activities and do not require your consent. In circumstances where consent is required, we may be unable to fulfil our obligations if you do not provide certain information to us.
Do we do any monitoring involving processing of your personal and sensitive data?
In this section, monitoring means any: listening to recording of, viewing of, intercepting of, or taking and keeping records (as the case may be) of calls, email, text messages, social media messages, in person face to face meetings and other communications.
We may monitor where permitted by law and we’ll do this where the law requires it, or to comply with regulatory rules, to prevent or detect crime, in the interests of protecting the security of our communications systems and procedures, and for quality control and staff training purposes. This information may be shared within COPFS and with third parties, for the purposes described above.
What about automated decision making?
We do not make automated decisions about the investigation and prosecution of crime and the investigation of deaths.
For how long is your personal and sensitive data retained by us?
Unless we explain otherwise to you, we’ll hold your personal data information based on the following criteria:
- for as long as we have reasonable business needs to retain it
- retention periods in line with legal, regulatory requirements and our Records Retention Policy. This can be found in our Records Management Manual on our website
What are your rights under data protection laws?
Here is a list of the rights that all individuals have under data protection laws. They don’t apply in all circumstances. If you wish to use any of them, we’ll explain at that time if they are engaged or not. The right to be informed about the processing of your personal and sensitive data is through the Privacy Notice.
- the right of access; to a copy of your personal data we hold on you and to obtain information about how we process it, although there are exceptions to this. You can make what is called a subject access request to us. We have published further details on how to make a subject access request on our website: Request personal data.
- the right to rectification; the right to have your personal and sensitive data corrected if it is inaccurate and to have incomplete personal and sensitive data completed. Any inaccurate personal data must be rectified without undue delay, and in any event within one month.
- the right to erase processing; to delete or remove of your personal data where there is no valid reason for its continued handling. This is known as the right to erasure or the right to be forgotten. We will only delete information when it is no longer necessary for us to process the data, and each request will be considered on a case-by-case basis.
- the right to restrict (limit) processing; this is only in certain circumstances and each request will be considered on a case-by-case basis.
- the right not to be subject to automated decision-making, which has a legal effect or otherwise significantly affects you. COPFS does not make prosecutorial decisions based on automatic decision making.
To exercise any of these rights you can write to us at the Information Governance Unit, Crown Office, 25 Chambers Street, Edinburgh, EH1 1LA or by email: email@example.com
What if you wish to make a Complaint to COPFS or Information Commissioner
If you wish to make a complaint about the way your personal data has been handled, please put this in writing to:
COPFS Data Protection Officer
Information Governance Unit
25 Chambers Street,
Edinburgh, EH1 1LA.
You can also email firstname.lastname@example.org
You have the right to complain to the Information Commissioner’s Office, which enforces data protection laws if we refuse to carry out your request, or in relation to the decisions we made. The Information Commissioner’s Office can be contacted at:
Changes to this privacy notice
We may change this privacy notice from time to time by updating this page in order to reflect changes in the law and/or our privacy practices. We encourage you to check this privacy notice whenever you revisit our website.
If you have any questions about this privacy notice, or if you wish to exercise your rights or contact the DPO, you can write to us at:
Information Governance Unit,
25 Chambers Street,
or email: email@example.com
Last updated: 21 September 2023
Other published privacy statements
This page relates to use of your personal data in connection with the investigation and prosecution of crime and the investigation of deaths.
We have published a separate privacy notice for job applicants which you can access here.
We have also published a separate privacy notice for the Civil Recovery Unit which works with other law enforcement agencies to identify and recover the proceeds of crime.