Introduction
This Data Sharing Agreement (DSA) between each of the LEDS Joint Controllers and NHS Counter Fraud Authority (NHSCFA), hereafter termed ‘Parties’, was developed to help facilitate data sharing between those Parties for the purposes set out under Section 2.
The intention is that this national DSA eliminates the need for each of the represented LEDS Joint Controllers to establish their own individual DSA with NHS Counter Fraud Authority for this sharing initiative.
Appendix B sets out the defined terms used in this DSA. These are capitalised within the DSA.
The Parties agree to be bound by the terms and conditions of this DSA.
Lead Signatories
The Parties have identified their respective Lead Signatories. These individuals are their strategic business leads who have verified their authority to enter into DSAs on behalf of the organisations they are representing in this agreement and confirmed the necessity of data sharing under this initiative.
The DSA contains a signatory section at Section 15 confirming the Parties acknowledge and accept the requirements placed upon them by this DSA.
Data Sharing Leads
Prior to the commencement of data sharing, the LEDS Joint Controllers and the other Party will each identify a Data Sharing Lead to oversee or develop and maintain the practical arrangements for data sharing under this DSA and will communicate details of their Data Sharing Leads to one another.
Sharing
The Parties agree that for the purposes of this DSA the term ‘sharing’ data means providing or disclosing data including personal data to another Party by any means and/or the receiving or collection of data including personal data from another Party by any means.
In some instances, all the Parties may share data with one another; in some cases a single Party may share data with one other Party, but not share data with any other Parties or Party. Signing up to the DSA does not oblige any Party to share data.
Controllership
Under this initiative data sharing between the Parties is considered to be on a Joint Controller-to-Controller basis:
- The LEDS Joint Controllers listed in Appendix A
- NHS Counter Fraud Authority, as a separate Controller
Why the Parties have agreed to share data (the purpose)
LEDS Joint Controllers
The LEDS Joint Controllers have jointly identified the following specific purpose(s) for sharing data under this DSA, where sharing is necessary to achieve these purposes:
Law Enforcement Purposes
Under Part 3 of the Data Protection Act 2018, for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public safety. The LEDS Joint Controllers recognise it is necessary to share data with NHS Counter Fraud Authority in order to support NHS Counter Fraud Authority’s law enforcement powers, functions and duties as set out in the National Health Service Act 2006, The NHS Counter Fraud Authority (Establishment, Constitution, and Staff and Other Transfer Provisions) Order 2017, and NHSCFA directions as issued by the Secretary of State.
Other Party
NHS Counter Fraud Authority has identified the following specific purpose(s) for sharing data under this DSA with the LEDS Joint Controllers and for receiving data under this DSA:
Law Enforcement Purposes
Under Part 3 of the Data Protection Act 2018, for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public safety. NHS Counter Fraud Authority requires the data shared by the LEDS Joint Controllers in order to discharge its powers, functions and duties as set out in the National Health Service Act 2006, The NHS Counter Fraud Authority (Establishment, Constitution, and Staff and Other Transfer Provisions) Order 2017, and NHSCFA directions as issued by the Secretary of State.
It acknowledges the requirement to make available to the LEDS Joint Controllers details of its processing activities using LEDS in order for the obligations around national auditing of the system to be discharged.
Specifics of data shared
Appendix C and Appendix D provide details of the data shared by the respective parties under this DSA, along with any specific conditions on further processing.
How the sharing can be legally justified
The Parties agree that the lawful bases for sharing data by the LEDS Joint Controllers are as set out in Appendix E.
The Parties agree that Appendix E may be updated from time to time as is necessary without the requirement to update the remaining parts of this DSA.
Data Protection Compliance
The Parties agree that the Providing Party will share data with the Data Recipient in accordance with the laws of the Providing Party’s jurisdiction.
The Parties agree that the Data Recipient will, on receipt of the shared personal data, process that data in accordance with the laws of the Data Recipient’s jurisdiction.
The Parties recognise that, dependent on their status and the purpose of the processing, some sharing may be for Law Enforcement Purposes while some may be for General Purposes.
The Parties accept that in terms of Data Protection Legislation they are individual Controllers in their own right in relation to the Personal Data stored by them on LEDS and shared under this DSA, and remain so when that data is accessed by and disclosed to another Party, but at that point the Data Recipient will assume Controllership of their copy of the Personal Data disclosed to them.
The Parties recognise that the purposes for sharing Personal Data will be specified and made explicit in their privacy policies or data protection policies and their privacy notices (or fair processing notices or data protection notices). They agree to meet any related requirements arising from the Data Protection Legislation.
The Parties accept that they will never use any Personal Data shared for a purpose that conflicts with or is not compatible with the purpose(s) for which it was shared unless the law allows that to occur.
The Parties accept the requirements under Data Protection Legislation to maintain respective records of processing activities (RoPA) and agree that this DSA shall be included in such records.
The Parties assert that they have considered their obligations arising from the Data Protection Legislation and determined that in principle their sharing of Personal Data under this DSA is in compliance with Data Protection Legislation.
The Parties accept that they must have in place an audit regime that is adequate to demonstrate compliance with the terms and conditions of this DSA.
NHS Counter Fraud Authority agrees to comply with the principles of the Code of Practice for PNC and LEDS.
The Data Sharing Process
Data will be shared on an ad-hoc basis, both ways, facilitated by NHS Counter Fraud Authority having direct access to the LEDS system, in order to query data that is made available by the LEDS Joint Controllers.
The Parties agree to share, where lawful to do so, relevant, and proportionate data necessary for the purpose of the sharing. They agree to ensure individuals involved in the sharing are appropriately trained to make data-sharing decisions to meet this requirement.
Data Quality
The Parties acknowledge that they have a general duty to ensure that Personal Data is accurate, separate to the requirement to take steps where an individual exercises the right to rectification.
The Parties therefore agree:
- To have systems in place to identify any Personal Data that is inaccurate as to any matter of fact.
- If any Party discovers that Personal Data is inaccurate as to any matter of fact, that Party will ensure that the data is made accurate.
How shared data may be used
The Parties agree that any data shared under the processes described in this DSA will be used or handled in accordance with the terms set out in this DSA.
Access to data made available by the LEDS Joint Controllers and subsequent processing by NHS Counter Fraud Authority is limited to that which is necessary for NHS Counter Fraud Authority to discharge its duties in identifying, investigating and preventing fraud and other economic crime within the NHS and the wider health group under the powers, functions and duties as set out in the National Health Service Act 2006, The NHS Counter Fraud Authority (Establishment, Constitution, and Staff and Other Transfer Provisions) Order 2017, and NHSCFA directions as issued by the Secretary of State, specifically:
NHS Counter Fraud Authority Investigations allocated to the National Investigations Service
- Checking of previous convictions for those under investigation.
- Checking for violence markers for suspects/witnesses to be interviewed.
- Checking vehicle ownership details in connection with vehicles associated with investigations.
- Checking for any criminal record before deciding on whether prosecution or other legal action is appropriate.
- Internal integrity professional standards investigations instigated by NHSCFA Quality and Compliance Manager.
- Researching information / intelligence received in the Central Intelligence Unit.
NHS Counter Fraud Authority Allegations
- Allegations and reports received by the Information and Intelligence Unit
- Researching information / intelligence received in the Central Intelligence Unit.
- Uniquely identifying subjects in accordance with the Management of Police Information.
Any persons with direct access to LEDS to access Personal Data shared by the LEDS Joint Controllers under this DSA must be cleared to a minimum of Non-Police Personnel Vetting Level 2 (NPPV2). Those auditing access to LEDS must have National Security Vetting Security Clearance (SC) and Non-Police Personnel Vetting Level 3 (NPPV3). No other vetting regimes are acceptable as substitutes for any roles, and NPPV levels stated are the full versions. Clearance levels must be maintained and reviewed in the event of any changes to relevant circumstances.
Where required, the Providing Party will advise where a temporary or permanent restriction on further processing or disclosure is needed. Consideration can also be given to informing the Providing Party of any intention of further processing or disclosure where a restriction had not been notified at the time the data was initially shared.
Information Security
The Parties agree to put in place appropriate physical, technical and organisational measures to protect any data provided to them under this DSA.
The Parties accept the requirement to ensure that any personnel are able to access only the shared Personal Data necessary for their role and that they are appropriately trained so that they understand their responsibilities in relation to Personal Data and Data Protection Legislation.
The Parties agree to maintain a high standard of operational security by having and adhering to proper security policies, including physical security policies, IT security policies and business continuity policies.
The Parties agree to protect the physical security of the shared data. This means they will, as a minimum:
- Ensure their organisation controls physical access to its premises
- Ensure visitors to the premises either use only specific areas, or are required to wear visible visitor passes at all times whilst in the premises
- Ensure proper physical control of printers and photocopiers so that Personal Data is not left lying on printers/photocopiers
- Ensure secure disposal of printed materials, so that materials intended for disposal do not remain accessible. This may mean having locked confidential waste bins situated next to printers/photocopiers and in other strategic locations in the premises
- Ensure that old computers, printers and other electronic equipment are disposed of safely and that all Personal Data is irretrievably deleted from any memory before disposal
The Parties agree to protect the electronic security of the shared data. This means they will, as a minimum:
- Ensure their organisation has a strong password policy that is adhered to by all personnel. This should include requiring a sufficiently complex password which is never kept with the device. The policy should require the password to be used until users are told to change that password; prevent reuse of passwords over a number of systems; and prevent sharing of passwords among staff members
- Ensure their organisation installs security patches on electronic devices (including ensuring all operating systems’ updates are installed in line with best practice)
- Ensure personnel are given access only to the electronic systems that they need to have. Senior staff may not necessarily need greater access than junior staff. Access rights should be continuously monitored and reassessed when staff members change their work
- Ensure that any Wi-Fi connections are secure and that any guest Wi-Fi is on a segregated system, so that guests cannot access other systems from that Wi-Fi
- Ensure that any data that is transferred, either within or outside the United Kingdom, is transferred securely, in line with best practice
- Ensure that their organisation complies with the best practice of cyber security such as that detailed by the National Cyber Security Centre
The Parties agree to have contracts and systems in place to ensure that any contractors or subcontractors managing any aspect of information security or processing Personal Data as a processor on behalf of a Party, are fully aware of and abide by the security requirements set out in this DSA.
The Parties subject to the Government Security Classifications (GSC) policy agree to apply that policy to any information shared under this DSA.
The Parties agree to have robust data breach reporting policies in place, and adhere to them, so that all Personal Data Breaches are reported immediately to personnel responsible for managing Personal Data Breaches when such breaches become apparent. Further, all Parties accept that:
- If it is established that a Personal Data Breach has occurred involving shared data, the Party making the discovery shall immediately assess the extent to which other Parties may be impacted by the breach and inform in writing any impacted Party of the details within a reasonable timescale, 24 hours where possible. Any notification to the LEDS Joint Controllers must be made via the Home Office Service Desk, via the details provided in the LEDS Service Charter.
- Following this, any Party who has suffered a Personal Data Breach shall comply with the requirements of the relevant Data Protection Legislation to: investigate the cause of the Data Breach and establish the impact; where appropriate, take any necessary action in accordance with its legal responsibilities, including (where appropriate) notification to the relevant Supervisory Authority; and take appropriate steps to mitigate the cause and avoid any repetition.
- Personal Data Breaches that reach the threshold for reporting to a Supervisory Authority should trigger an exceptional review of this DSA to determine whether changes are required to mitigate any enduring risks arising from the data breach.
International Transfers
The LEDS Joint Controllers agree that Personal Data will only be transferred under this DSA from the UK where such transfers are in compliance with Chapter 5 of the DPA and/or Chapter V of the UK GDPR.
It is a specific condition that any Personal Data that is the subject of an international transfer under this DSA, where the LEDS Joint Controllers are the Providing Party, is not to be further transferred to a third country or international organisation, other than one within another Crown Dependency or within Gibraltar, without the authorisation of the Providing Party.
Retention
The Parties accept that they must only store shared data in a form that identifies individuals for as long as is necessary for the purposes for which they are processing the Personal Data.
The Parties also agree that they must each have and implement comprehensive retention schedules, which set out the minimum necessary period of storage for different categories of Personal Data, which are determined taking into account:
- The types of Personal Data processed (organised, for example, by function);
- The purposes for processing the Personal Data;
- Why each type of Personal Data should be retained;
- Any relevant industry standards or guidance;
- Any relevant legal obligations to retain Personal Data for specific periods of time.
The Parties agree to have systems in place to adhere to the periods in their retention schedules and to review their retention schedules regularly. They will train their personnel so that they are empowered to comply with their retention schedules.
The Parties agree that where a Party is disbanded or otherwise dissolved the Parties will ensure that the shared Personal Data held by it is disposed of securely and confidentially. Alternatively, where the Party is replaced by a successor organisation, it will ensure that the Personal Data held by it is properly transferred to its successor organisation, subject to the successor organisation becoming a signatory to this DSA. If the successor does not wish to become a signatory to this DSA, the Personal Data will be disposed of securely and confidentially.
Subject Rights
The Parties agree that:
Data Subjects have rights in respect of their Personal Data, and where relevant all parties to this DSA must comply. Where a Party is the recipient of a Subject Rights Application it is that Party’s responsibility to lawfully comply with that request in accordance with the Data Protection Legislation and the terms of this DSA.
Parties will ensure that they have effective procedures for dealing with Subject Rights Applications and complaints from individuals in relation to the use and disclosure of Personal Data. All Parties who are party to this DSA must provide cooperation and assistance to each other in order to resolve any Subject Rights Application or complaint involving shared data.
Parties may be unaware of the harm that could arise from the disclosure of Personal Data originally obtained from another Party sought via a Data Protection right of access request e.g., prejudice to an ongoing police or safeguarding investigation or harm to the health of the data subject or another person. Consequently, in order to understand the sensitivity of such data, the recipient Party will notify the Providing Party as soon as possible, and in any case prior to the disclosure of the data. This will allow the potential implications of responding to the request to be fully assessed and acted upon.
The same approach will be adopted for Freedom of Information Act requests received by the Police and any other Party which falls under the scope of that Act (or equivalent legislation applicable to the jurisdiction relevant to the Party).
Training & Advice
The Parties agree:
To provide all those involved with sharing data under this DSA with sufficient training and guidance to enable them to comply with this DSA. This may include the creation of operational instructions and a Party-specific decision-making model to assist sharing decisions.
If individuals are uncertain as to what Personal Data can or cannot be shared under this DSA, then they will escalate the query to their line management or in exceptional circumstances to their Data Protection Officer or equivalent individual in their organisation.
Administration of the DSA
The Parties agree:
That this DSA will come into effect on the date stated in the Summary Sheet on page 2 of this DSA.
That they may withdraw from the DSA upon giving 30 days’ written notice to the two Lead Signatories who will cascade notice of that withdrawal to the remaining Parties. A Party who withdraws must continue to comply with the relevant terms of this DSA in respect of any data that the Party has obtained under those terms.
That the Lead Signatories may review the DSA at any time. They must review the DSA when considering any proposed change to the data sharing or in the event of a Personal Data Breach that impacts any of the other Parties. Any review will consider whether the DSA is still useful and fit for purpose, identify any emerging issues, and determine whether the DSA should be allowed to continue or whether to terminate it. The decision of the Lead Signatories to continue or terminate the DSA, and the reasons, will be recorded. In the event of a decision to terminate, all Parties will be advised of this by the Lead Signatories.
That this DSA may be made available unredacted to the public in compliance with the Freedom of Information Act 2000 in its entirety.
Governing Law and Jurisdiction
This DSA and any issues, disputes or claims (whether contractual or non-contractual) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the laws of England and Wales.
The Parties agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (whether contractual or non-contractual) that arises out of or in connection with this DSA or its subject matter or formation.
Appendix A: LEDS Joint Controller Parties
The persons and organisations listed below are Parties to this DSA and are Joint Controllers as set out in the Law Enforcement Data Service (LEDS) Joint Controllership Agreement (JCA).
(i) The Chief Officers of the following police forces
- Avon & Somerset Constabulary
- Bedfordshire Police
- British Transport Police
- Cambridgeshire Constabulary
- Cheshire Constabulary
- City of London Police
- Civil Nuclear Constabulary
- Cleveland Police
- Cumbria Constabulary
- Derbyshire Constabulary
- Devon & Cornwall Police
- Dorset Police
- Durham Constabulary
- Dyfed-Powys Police
- Essex Police
- Gloucestershire Constabulary
- Greater Manchester Police
- Gwent Police
- Hampshire and Isle of Wight Constabulary
- Hertfordshire Constabulary
- Humberside Police
- Kent Police
- Lancashire Constabulary
- Leicestershire Constabulary
- Lincolnshire Police
- Merseyside Police
- Metropolitan Police Service
- Ministry of Defence Police
- Norfolk Constabulary
- North Wales Police
- North Yorkshire Police
- Northamptonshire Police
- Northumbria Police
- Nottinghamshire Police
- Police Service of Northern Ireland
- Police Service of Scotland
- South Wales Police
- South Yorkshire Police
- Staffordshire Police
- Suffolk Constabulary
- Surrey Police
- Sussex Police
- Thames Valley Police
- Warwickshire Police
- West Mercia Police
- West Midlands Police
- West Yorkshire Police
- Wiltshire Police
(ii) the National Crime Agency
Appendix B: Defined terms that may be used in this DSA
Ad-Hoc Data Sharing
Sharing information not covered by a Data Sharing Agreement on a one-off basis.
Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Criminal Offence Data
Personal Data relating to criminal convictions and offences or related security measures, including criminal activity; allegations; investigations; and proceedings.
Data Protection Legislation
UK - All applicable Data Protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Information Commissioner or other relevant data protection supervisory body/regulator.
Non-UK - All applicable Data Protection and privacy legislation in force from time to time that applies to Controllers beyond the UK.
DSA
Data Sharing Agreement.
Data Sharing Lead
The point of contact in each Party for developing and maintaining the practical arrangements for data sharing under this DSA.
Data Subject
The individual to whom the data being processed relates and is identified/identifiable by that data.
General Purposes
Any purpose other than a Law Enforcement Purpose.
General Processing
Processing (including sharing) of Personal Data for a General Purpose.
Law Enforcement Purposes
As defined by Section 31 Data Protection Act 2018 - the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Law Enforcement Processing
Processing (including sharing) of Personal Data for a Law Enforcement Purpose.
Lead Signatories
The Parties’ strategic business leads who have confirmed the necessity of data sharing under this initiative.
NPCC
National Police Chiefs’ Council as established under the NPCC Collaboration Agreement.
Parties
As set out on the Summary Page of this DSA.
Personal Data
Any information that relates to a Data Subject, including any information which can be used to identify a Data Subject.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data which has been transmitted or stored or processed.
Personnel
Individuals undertaking data sharing activity for or on behalf of the parties, including: police officers, police staff, clergy, employees, contractors, and volunteers.
Providing Party
The Party who is the organisational source of Personal Data and shares it with one or more other Party. This is the Controller responsible for the initial collection of that data.
Sharing
Providing or disclosing data including Personal Data to another Party by any means and/or the receiving or collection of data including Personal Data from another Party by any means.
Special Category Data
Specific types of Personal Data that require additional care being taken when processing. The categories are:
- data revealing racial or ethnic origin
- data revealing political opinions
- data revealing religious or philosophical beliefs
- data revealing trade union membership
- genetic data
- biometric data (where used for identification purposes)
- data concerning health
- data concerning a person’s sex life
- data concerning a person’s sexual orientation
For practical purposes the term Special Category Data is used to encompass Personal Data subject to Sensitive Processing as defined in the Data Protection Act 2018.
Subject Rights Application
The exercise by a Data Subject of their rights under the Data Protection Legislation, including the right to:
- be informed about the collection and the use of their Personal Data
- access Personal Data and supplementary information
- have inaccurate Personal Data rectified, or completed if it is incomplete
- request erasure (to be forgotten) in certain circumstances
- restrict processing in certain circumstances
- data portability, which allows the Data Subject to obtain and reuse their Personal Data for their own purposes across different services
- object to processing in certain circumstances
- object to automated decision making and profiling
- withdraw consent at any time
- complain to the Information Commissioner or seek judicial remedy
Appendix C: Specifics of data shared with NHS Counter Fraud Authority
Data will be shared by providing access to the following LEDS services:
Person Service
Data relating to the following categories of Data Subject:
- A person who has been arrested, charged or reported for summons for the commission of, or involvement in, a recordable offence.
- A person who is wanted for committing a specific offence.
- A person who is wanted for the non-payment of fines imposed by a Court.
- A person who has failed to appear at a Court in answer to a charge made against them.
- A person who is subject of a Court Order.
- A person who has been reported missing or has been found.
- A person who has absconded from, or who is subject to recall to, a detention centre, a prison, youth custody or a remand centre etc.
- A person who has deserted from the Armed Forces.
- A person whose whereabouts are sought for other police purposes, e.g. as a witness to an incident.
- A person who has been disqualified from driving a motor vehicle on a road by a Court.
- A person who has an entry on the National Firearms Licensing Management System.
- A person who is the subject of operational information which is required to be shared nationally for policing purposes.
Details include:
- Unique reference numbers
- Basic details
- Name and alias names
- Date of birth and alias dates of birth
- Place of birth
- Age
- Sex, colour and height
- Observed/perceived ethnicity
- Accent
- Nationality
- Physical appearance
- Aliases and nicknames
- Address history
- Marks, scars and abnormalities
- Occupations
- Passport details
- Information markers
- Warning signals
- Wanted reports
- Missing reports
- Operational information reports
- Arrest summons summary
- Impending prosecutions
- Disposal history
- Current bail conditions
- Custody history
- Conditional cautions
- Biometric match
- Disposal summary
- Offence summary
- Photo locations
- DNA report summary
- Local references
- Internal cross references
- Firearms certificate details
- Disqualified driver reports
- Link to others in same charge group
- Administrative information
This may include Special Category or Sensitive Data, and also data relating to criminal convictions.
Vehicles Service
Data relating to the following category of Data Subject:
- A person who is or has been the registered keeper of a vehicle
Note that any data provided through the LEDS Vehicles service which originates from the Driver and Vehicle Licensing Agency, the Driver and Vehicle Standards Agency or the Motor Insurers’ Bureau is beyond the scope of this DSA and will need to be subject to an appropriate sharing agreement between NHS Counter Fraud Authority and those data providers, prior to access being provided to the relevant data.
Other Vehicle Data, within the scope of this DSA, derived from the Police National Computer or entered directly into LEDS, includes:
- Vehicle Registration Mark
- Previous Vehicle Registration Mark
- Vehicle Make
- Vehicle Model
- Vehicle Engine capacity
- Vehicle Colours
- Vehicle Body Type
- Vehicle Month/Year of first registration
- VIN and Engine number
- Name and address of keeper
- Date when current keeper notified acquisition of vehicle
- Police Markers
  - Foreign vehicle
  - Police Examination (altered VIN)
  - Stolen
- DVLA Markers
  - Cherished Transfer
  - Diplomatic Privilege
  - Direct Export
  - Permanently Exported
  - Personal Export
  - Record Query
  - Refer V5
  - Scrapped
  - Statutory Off-Road Notification (SORN)
  - VEL Expired
  - VEL Void
  - V23 Submitted
- DVLA Markers relating to Change of Keeper
  - As Notified by Police/Local Authority
  - Disposal Notified/Keeper Query
  - In Trade
- DVLA Markers relating to Keeper Details
  - Current address not known
  - Address outside UK mainland
- Other Markers
  - Blocked
  - In confidence – Police eyes only
  - Void record
  - VRM on Retention
- Police Reports
  - Report Owner
  - Report Creator
  - Reference
  - Incident Date(s)
  - Weed date
  - Status
  - Text
  - Type:
    - LOS (LOSt or stolen or obtained by deception)
    - FOU (FOUnd or apparently abandoned or repossessed by a finance company)
    - ACT (ACTion is required when the vehicle is traced)
    - REA (REAction indicating a response to an action request)
    - INF (INFormation about the vehicle, which may or may not be related to crime or criminal activity)
    - SEE (SEEn or checked by the police in particular locations at particular times, which may assist in the investigation of a specific crime or crimes)
    - REM (REMoved into police custody or from one location to another for law enforcement purposes, without the keeper being aware of the new location of the vehicle)
    - RES (REStricted report is used on police owned or other emergency service vehicles only. It is used to record information that might prevent inappropriate action by the police, or to initiate specific action as detailed in the text.)
    - COR (CORrection report should be used to input vehicle or keeper details, where they differ from that held on the vehicle record)
    - DES (DEStroyed report should be used to indicate that the vehicle to which it refers has totally burned out and cannot ever be repaired and returned to use)
  - Hazard:
    - Chemical
    - Explosives
    - Occupants potentially dangerous
    - Radiation
    - Weapons
Trade Plate Data (where derived from the Police National Computer) includes:
- Trade plate VRM
- Vehicle Trade Plate Type
- Trade Plate Status
- Trade Plate Expiry Date
- Trade Plate Indicator
- Keeper details
Appendix D: Specifics of data shared with the LEDS Joint Controllers
Data will be shared by NHS Counter Fraud Authority through the use of the following LEDS services:
Audit Service
Data relating to each of the following categories of Data Subject:
- A person who has initiated a Processing transaction
- A person on whose behalf a Processing transaction has been carried out
- A person who has been the subject of an information search
- A person whose Personal Data has been processed for any purpose using a LEDS Service
Details include:
- Full details of each transaction carried out using each LEDS Service, including the justification for each
Appendix E: LEDS Joint Controllers’ Legal Basis for Sharing
Lawful Bases: LEDS Joint Controllers
The LEDS Joint Controllers’ underlying power to share Personal Data is derived from (i) Common Law Policing Purposes which may be summarised as: protecting life and property, preserving order, preventing the commission of offences, and bringing offenders to justice and/or (ii) any duty or responsibility arising from statute or other rule of law including court order and royal prerogative.
In terms of UK Data Protection Legislation, where the sharing is for one of the Law Enforcement Purposes, the sharing falls under the scope of Part 3 of the Data Protection Act 2018 (DPA) with the LEDS Joint Controllers acting as competent authorities.
Where the sharing is for purposes other than Law Enforcement Purposes (referred to as ‘General Purposes’) the sharing falls under the scope of the UK General Data Protection Regulation (UK GDPR).
Law Enforcement Purposes
Where the LEDS Joint Controllers share or otherwise process Personal Data for one of the Law Enforcement Purposes:
The processing is necessary for the performance of a task carried out for a law enforcement purpose by the police acting as a competent authority (DPA Section 30).
Where sensitive processing is involved, the processing is strictly necessary for a law enforcement purpose, an Appropriate Policy Document exists (DPA Section 42) and one of the following DPA Schedule 8 conditions is met:
- the processing is necessary for the exercise of a function conferred on a person by an enactment or rule of law and is necessary for reasons of substantial public interest (DPA, Schedule 8(1))
- the processing is necessary to protect the vital interests of the data subject or of another individual (DPA, Schedule 8(3))
- the processing is necessary to safeguard children and other individuals at risk (DPA, Schedule 8(4))
General Purposes
Where the Law Enforcement Joint Controllers process Personal Data for General Purposes:
The sharing satisfies one of the following Processing Conditions within UK GDPR Article 6(1):
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject.
- (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Where Special Category Data is shared, in addition to a UK GDPR Article 6(1) Processing Condition being met, one of the following UK GDPR Article 9(2) Special Processing Conditions applies:
- (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
- (e) processing relates to Personal Data which are manifestly made public by the data subject.
- (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
- (g) processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Where Special Processing Condition (g) is chosen, one or more of the following DPA Schedule 1 Part 2 substantial public interest conditions applies:
- (6) Statutory etc and government purposes – the sharing is necessary for a function conferred on a person by an enactment or rule of law and is necessary for reasons of substantial public interest.
- (7) Administration of justice – the sharing is necessary for the administration of justice.
- (10) Preventing or detecting unlawful acts – the sharing is necessary for the purposes of the prevention or detection of an unlawful act; must be carried out without the consent of the data subject so as not to prejudice those purposes; and is necessary for reasons of substantial public interest.
- (11) Protecting the public against dishonesty etc – the sharing is intended to protect members of the public against either dishonesty, malpractice or other seriously improper conduct, or unfitness or incompetence, or mismanagement in the administration of a body or association, or failures in services provided by a body or association; and must be carried out without the consent of the data subject so as not to prejudice those purposes; and is necessary for reasons of substantial public interest.
- (12) Regulatory requirements relating to unlawful acts and dishonesty etc – the sharing is necessary for the purposes of complying with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has committed an unlawful act, or been involved in dishonesty, malpractice or other seriously improper conduct; in the circumstances, the Police cannot reasonably be expected to obtain the consent of the data subject to the processing; and is necessary for reasons of substantial public interest.
- (18) Safeguarding of children and of individuals at risk – the sharing is necessary for the purposes of protecting an individual aged under 18 or 18 or over at risk from neglect or physical, mental or emotional harm, or protecting their physical, mental or emotional well-being; must be carried out without the consent of the data subject; and is necessary for reasons of substantial public interest.
Where a condition in DPA Schedule 1 Part 1 or 2 is used, an Appropriate Policy Document has been created and maintained by the NPCC in accordance with DPA Schedule 1 Part 4.
Where Criminal Offence Data is processed, compliance with UK GDPR Article 10 is also achieved, an Appropriate Policy Document has been created and maintained by the NPCC in accordance with DPA Schedule 1 Part 4, the processing is authorised by law as a clear and foreseeable application of a common law task, function or power, a statutory provision, or statutory guidance, and one of the following DPA Schedule 1 Part 1, 2 or 3 conditions is met:
- (6) Statutory etc and government purposes – the sharing is necessary for a function conferred on a person by an enactment or rule of law and is necessary for reasons of substantial public interest.
- (7) Administration of justice – the sharing is necessary for the administration of justice.
- (10) Preventing or detecting unlawful acts – the sharing is necessary for the purposes of the prevention or detection of an unlawful act; must be carried out without the consent of the data subject so as not to prejudice those purposes; and is necessary for reasons of substantial public interest.
- (11) Protecting the public against dishonesty etc – the sharing is intended to protect members of the public against either dishonesty, malpractice or other seriously improper conduct, or unfitness or incompetence, or mismanagement in the administration of a body or association, or failures in services provided by a body or association; and must be carried out without the consent of the data subject so as not to prejudice those purposes; and is necessary for reasons of substantial public interest.
- (12) Regulatory requirements relating to unlawful acts and dishonesty etc – the sharing is necessary for the purposes of complying with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has committed an unlawful act, or been involved in dishonesty, malpractice or other seriously improper conduct; in the circumstances, the Police cannot reasonably be expected to obtain the consent of the data subject to the processing; and is necessary for reasons of substantial public interest.
- (18) Safeguarding of children and of individuals at risk – the sharing is necessary for the purposes of protecting an individual aged under 18 or 18 or over at risk from neglect or physical, mental or emotional harm, or protecting their physical, mental or emotional well-being; must be carried out without the consent of the data subject; and is necessary for reasons of substantial public interest.
The Substantial Public Interest conditions required by the UK GDPR and Data Protection Act 2018 are met by the aims and objectives listed in Section 2 of this DSA.