Privacy Policy (April 2024)
Cambridgeshire Fire and Rescue Service (CFRS) collects and uses your data in order to carry out our public duties. As a Fire and Rescue Service we deliver a number of services:
- Providing fire and emergency services under the Fire Services Act 2004
- Enforcing Fire Safety under the Regulatory Reform (Fire Safety) Order 2005
- Managing our employees under current employment laws.
To provide these services properly we need information about our service users, employees and other contacts.
This privacy notice is designed to give you a clear explanation of our data processing policies. Please note, we periodically review this notice and it may be amended in future to reflect any changes in our services, the law or our organisation.
This policy refers to several different privacy notices that cover various areas of activity. These are included in the relevant sections below, but for ease these are also listed below:
- CCTV - PDF document
- Combined Fire Control (CFC) - PDF document
- Insurance Liability Claims - PDF document
- Photographs and Video - PDF document
- Recruitment - PDF document
- Safe and Well visits - PDF document
- Visitors to CFRS - PDF document
CFRS is committed to protecting your personal data and sensitive information by:
- Complying with both law and good practice
- Respecting individuals’ rights and complying with requests where possible and in line with legislative guidelines
- Being open and honest with individuals whose data is processed
- Processing your personal data fairly and in ways you would reasonably expect us to
- Using lawful conditions such as your consent to process personal data and other lawful basis where we cannot obtain your consent, or when it is not required by us
- Providing training and support for employees who handle personal data, so that they can act confidently and consistently to reduce the risk of data breaches
- Ensuring retention and disposal of personal data is adhered to
- Implementing appropriate technical and organisational security measures to safeguard personal data
- Ensuring personal data is not transferred or processed outside of the European Economic Area without suitable safeguards and adequate protection being in place
- Ensuring the quality of personal data processed by the Fire and Rescue Service.
As a Data Controller we have a legal requirement to make sure you know what we intend to do with your information and who it will be shared with. Any personal information you provide will be processed in accordance with the Data Protection Act (DPA) (2018) and UK General Data Protection Regulation (UK GDPR).
All employees or volunteers who have access to your personal data or are associated with the handling of that data are trained and obliged to keep your data confidential and CFRS has appropriate procedures in place for the unlikely event of your information being misused.
Why do we collect information about you?
We need to collect and hold information about you, in order to:
- Deliver public services relating to fire and rescue services and fire safety
- Confirm your identity to provide some services
- Contact you by post, email or telephone
- Understand your needs to provide the services that you request
- Obtain your opinion about our services
- Help us understand how we are performing our public duty to the communities we serve and identify how our services may need to evolve
- Allow us to undertake statutory functions efficiently and effectively.
The data we may collect about you
To deliver our services effectively, we may need to collect and process personal data about you. We collect data using:
- Online forms
- Telephone calls (including 999 calls)
- Personal contact including visits
- Letters and forms
- Emails
- Video conferencing
- Photographs/video footage.
To process Information Governance related communications including:
- Complaints
- Concerns – Non Fire Safety / Fire Safety
- Compliments
- General enquiries
- Data protection Subject Access Requests (SAR)
- Data Protection third party SARs
- Freedom of Information Act (FOIA) requests
- Environmental Information Regulations (EIR) requests
- Insurance/liability claims
View our Insurance/Liability Claims privacy notice
We collect and use different kinds of information in our emergency Combined Fire Control (CFC) Room, including for receiving 999 calls, responding to an emergency and managing our Service. We collect:
- Incident details, including location
- Names and contact numbers of people who ring to report an emergency or other type of call
- Names and contact numbers of people who we need to work with from other emergency services and organisations
- Details about casualties and their health
- What services have been provided and to who
- Audio recording of all calls including 999 calls and radio messages sent from and to our vehicles
- Information about buildings that might affect how we respond to an emergency, for example, stored flammable goods.
View our Combined Fire Control privacy notice.
For advising on fire risks at home:
- Personal details – for example, name, age, address
- Contact information
- Physical or mental health details
- Lifestyle and social circumstances relating to fire risk or other high risks
- Opinions and decisions on fire safety
- What services have been provided and to who.
To identify community fire risks:
- Locations of fire related incidents
- Addresses of fire related risks, for example, occupiers over 65, or threats of arson.
To deliver community safety events and messages to the public that promote our services:
- Personal details – for example, name, age, address
- Contact information
- Photographs.
For business fire safety advice and enforcement action:
- Names and addresses
- Contact information
- Licenses, certificates held
- Opinions and decisions on fire safety.
Video images and audio recordings are termed ‘moving images’, we capture:
- Building mounted CCTV cameras recording video
- Vehicle mounted CCTV cameras recording video on fire engines.
View our CCTV and Dashcams Privacy Notice.
- Vehicle mounted ‘dashcam’ video recording in cars
- Body worn video cameras on people for specialist functions
- Video cameras and audio recording in meeting rooms.
We also capture static images, photographs and process them as personal data.
View our full privacy notice in relation to photographs, video and audio.
We do not perform any covert surveillance of any type; covert surveillance is that carried out in a manner calculated to ensure that subjects of it are unaware it is, or may be taking place. All buildings and fire appliances where CCTV are fitted display awareness signs.
For the management and monitoring of our employees from time of recruitment to end of Service:
- Recruitment and selection
- Health, safety and welfare
- The administration of salary, wage, pension, sickness, maternity, travel / subsistence payments and any other monies
- Training and development requirements, including Service exercises
- Employee relations. Such as human resource planning, conduct, equal opportunities, employee consultation, appraisals, disciplinary and grievance issues
- The monitoring of vehicle use and employee driving habits
- The operational, day-to-day management and administration of employees by line managers
- For access control to our premises, car parks and other automated equipment/systems.
To check our services meet legal duties, including for diversity and equality of opportunity:
- Age group
- Gender identity and re-assignment
- Marriage and Civil Partnerships
- Pregnancy and maternity
- Disability
- Racial or ethnic origin
- Religious or other beliefs
- Sexual orientation.
We will not:
- Sell or rent your data to third parties
- Share your data with third parties for marketing purposes.
Website and Cookies
Google: _utma, _utmb, _utmc and _utmz
CFRS uses cookies for Google Analytics to collect information about how visitors use our website. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.
CFRS will not use cookies to collect personally identifiable information about you. This statement covers CFRS at www.cambsfire.gov.uk only. Links within this site to other websites are not covered by this policy.
If you wish to restrict or block the cookies which are set by Cambridgeshire Fire and Rescue Service, or indeed any other website, you can do this through your browser settings. The Help function within your browser should tell you how. Alternatively, you may wish to visit www.aboutcookies.org which contains a comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your computer as well as more general information about cookies. For information on how to do this on the browser of your mobile phone you will need to refer to your handset manual. Please be aware that restricting cookies will have no impact on the functionality of this website.
Who might we get your personal information from?
- Your family members, employer or representative
- Your landlord
- Other public bodies such as the police, ambulance service, local councils and the NHS
- Charities and support services who you have given permission to share your information for fire safety reasons
- Other organisations such as companies who you have given permission to share your information for security or key holding purposes.
How do we lawfully protect your information?
CFRS has due regard to the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR) 2016 and any subsequent data protection legislation. To process your data, we need to ensure we meet at least one of the six lawful reasons set out in Article 6 of the GDPR.
There are six available lawful bases for processing, which basis is most appropriate to use will depend upon our purpose and relationship with the individual. At least one of these must apply whenever we process your personal data:
Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (Note: This cannot apply if we are processing data to perform our official tasks.)
When we process special category data (sensitive personal data) we identify both a lawful basis for general processing and an additional condition for processing this type of data. Special category data is:
- personal data revealing racial or ethnic origin
- personal data revealing political opinions
- personal data revealing religious or philosophical beliefs
- personal data revealing trade union membership
- genetic data
- biometric data (where used for identification purposes)
- data concerning health
- data concerning a person’s sex life and
- data concerning a person’s sexual orientation.
As a Public Authority; our reasons will typically be because we must process your data to meet a legal obligation or do that we can carry out one of our designated public tasks as a fire and rescue service.
At least one of these must apply whenever we process your special category personal data:
- Explicit consent
- Employment, social security and social protection (if authorised by law)
- Vital interests
- Not-for-profit bodies
- Made public by the data subject
- Legal claims or judicial acts
- Reasons of substantial public interest (with a basis in law)
- Health or social care (with a basis in law)
- Public health (with a basis in law)
- Archiving, research and statistics (with a basis in law).
Do we share your information?
When necessary, your personal data will also be provided to companies who carry out some services or functions on behalf of CFRS (“data processors”). We may also share your personal information with others including (but not limited to):
- Other emergency services so we can respond to incidents
- Other commercial, military or civil organisations
- Public utility services, for example to cut off a gas supply in an emergency
- Commercial and charitable organisations who provide us with goods and Services
- Local councils, if we have serious concerns about your wider safety that a local council can help with
- Welfare organisations, if you agree to your information being shared unless in a ‘life or death’ situation or where you are at risk of significant harm
- Central government, for example anonymised information about our activities used for national fire statistics
- Courts and law enforcement, prosecuting authorities, solicitors
- Insurance companies and loss adjusters where they are authorised to act on your behalf following an incident at your property
- Our insurers and appointed legal executives in defence of legal claims made against us whether they be Public Liability, Employer Liability or related to our Information Governance
- The Department for Work and Pensions, other local authorities, Her Majesty’s Revenue and Customs (HMRC), and the Police for criminal matters
- His Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS) during our external audit process
- National Fraud Initiative to prevent or detect financial fraud or crime.
To find out more about the data collection requirements placed on us by the Home Office (for example; regarding incidents and prevention work) go to: https://www.gov.uk/government/collections/fire-statistics.
In certain circumstances CFRS may disclose your personal information if required to do so by law or in the good faith belief that such action is necessary to:
- Conform to the edicts of the law or comply with legal process served on CFRS
- Protect and defend the rights or property of CFRS
- Act under exigent circumstances (an emergency situation requiring swift action to prevent imminent danger to life or serious damage to property, or to forestall the imminent escape of a suspect, or destruction of evidence) to protect the personal safety of users of CFRS, or the public.
We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will hold it securely and retain it for the period we instruct.
We will not share your information with any third parties for the purposes of direct marketing.
How do we keep your data safe?
We are committed to keeping your personal data safe. Our aim is not to be intrusive, and we will only ask you for the information that is necessary for us to complete the task for which it is collected. We have physical, electronic and organisational procedures to protect and safely use the information that we hold about you. These include:
- Secure work areas
- Information security training for our employees
- Access controls on information systems
- Encryption of personal data
- Testing and checking security controls
- Checking privacy when we change how we use or store personal information
- Written contracts with companies we use for storing information.
The information you provide can be held in a variety of systems and formats. This can include but is not limited to information held in Cambridgeshire Fire and Rescue Service data management systems, written correspondence, emails, photographs, audio recordings and video recordings, including CCTV and aerial drone footage.
Where we use more sensitive data, like health information, we protect this information with extra controls. We also use anonymised data wherever we can, so individuals can't be identified.
How long will you keep my data?
We will not keep your information longer than it is needed or where the law states how long this should be kept and we will dispose of paper records or delete any electronic personal information securely.
We are always reviewing and adding to our processing records, so for up to date information please contact our Data Protection Officer who will be able to share our personal data retention schedules with you, email: DPO@cambsfire.gov.uk.
What are my rights?
In general, you have the right to request that CFRS:
- Provides a copy of your personal information
- Corrects any errors in your personal information and restrict processing of your personal data until completed
- Considers your objection to the processing of your personal data and depending on the service and legal basis stops all or some of that processing. “Processing” means the collecting, storing, amending, disclosing, sharing and destruction of your data
- Erases your personal information, depending on the service and legal basis
- Withdraws your consent if consent is used as the legal basis for the service
- Informs of automated decision making, including profiling for the service (we do not currently have any such processes to support the delivery of our public services)
Where possible we will try to meet your request but we may need to hold, retain or process information to comply with a legal duty.
How do I exercise my rights?
We are required by law to have a designated Data Protection Officer (DPO). If you wish to exercise any of the rights described above, have a query on how personal data is handled within our organisation or just want further information and advice you can contact our DPO using the following contact details:
Address:
Data Protection Officer
Cambridgeshire Fire and Rescue Service
Hinchingbrooke Cottage
Brampton Road
Huntingdon
Cambridgeshire
PE29 2NA
Email: DPO@cambsfire.gov.uk
Phone: 01480 444500
Subject Access Request form
If you would like a copy of, or a description of, the personal data we hold that relates to you, please ask in writing, by letter, or email. You can use our Subject Access Request (SAR) form in PDF format below, which you can download, fill in and send to us. Please be as specific as possible about the information you want.
Subject Access Request (SAR) form - PDF format
We will reply with your information within one month of receipt, or from the day on which we have the necessary information to confirm your identity. There are some lawful restrictions on information we send you, for example, other people’s personal information.
You may be entitled to correction, restriction, objection, and erasure of your personal information depending on the service and legal basis. Please send your request: Post: Subject Access Request, Data Protection Officer, Cambridgeshire Fire and Rescue Service, Hinchingbrooke Cottage, Brampton Road, Huntingdon, Cambridgeshire, PE29 2NA. Email: dpo@cambsfire.gov.uk.
For more information on your rights under the GDPR see https://ico.org.uk/for-the-public/
Who do I contact if I am not satisfied?
In the first instance you can make a complaint to us. Please see the Contact Us section on our website.
You can complain to or seek advice from the Information Commissioner’s Office (ICO) (www.ico.org.uk):
Address:
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
Keeping This Notice Up To Date
We will continually review and update this Privacy Notice and those Notices relating to specific areas of our functions to reflect changes in our services and feedback from service users, as well as to comply with changes in the law. When such changes occur, we will revise the date at the top of this notice.