Personal Data and Data Breaches

Response

1. Can I have your records about sales of personal data from 2023 (01.01.2023) to 2024 (31.12.2024), including trading partners and money earned from transactions?

No information is held in relation to this question; Avon and Somerset Police do not sell personal data.

2. Do you use tracking cookies on your website, and can I have a list of third parties that you share personal data with?

[Clarification received 03 February 2025]:

The tracking cookies are to confirm if you have tracking cookies on your website that collect data from anyone that uses it, and if you do who is this data shared with please?

The information you have requested is already available in the public domain via the following links:

Manage cookies | Avon and Somerset Police

Website Privacy Policy | Avon and Somerset Police

The second link includes details of the types of cookies used and a list of third party providers with which data is shared.

The information therefore falls within the Section 21 exemption of the Freedom of Information Act. Section 21 is an absolute and class-based exemption and as such does not require a harm and public interest test. This serves as a partial refusal notice under section 17(1) of the FOI Act.

3. Have you received any complaints about how you handle personal data? This includes collecting, storing, sharing or selling, as well as wider processing practices. Please can I view records about these complaints for 2023 and 2024?

We have interpreted this question as relating to complaints lodged with our Professional Standards Department (PSD) through our complaints process.

Complaints relating to the collection, storing, sharing or selling of personal data, as well as wider processing practices, would all be categorised as complaints relating to Data Protection matters. We have therefore provided information on all complaints received in the specified timeframe, which PSD have identified as relating to Data Protection.

Please see attached two documents containing a list of complaints meeting the above criteria, for 2023 and 2024.

4. How many subject access requests did you receive in the period 2023-2024, broken down by year? What types of personal data did they typically receive? For example email addresses, home addresses and telephone numbers?

Please see below the number of Subject Access Requests (SARs) received in 2023 and 2024:

2023 – 1555 SARs received

2024 – 1516 SARs received

We do not hold as recorded information an assessment of the types of personal data that a requester will “typically receive” in response to these requests. Outside of our obligations under the Act, I can advise that typically what an individual will receive in response to a SAR is their own personal information contained within our crime recording system, for example call records and incident reports.

5. How many data breaches have you experienced for the past 5 years (broken down by each year)?

Please see below the number of data breaches recorded in each of the last 5 years. This includes ‘Near Misses’ and incidents where it was later determined that a data breach has not occurred (for example, lost paperwork which was recovered). The figures also include cases involving the loss of encrypted devices such as laptops and mobile phones.

Whilst the figures show a continued increase from 2020, this is largely due to work that has been undertaken over this time to raise awareness throughout the organisation around the reporting of data breaches.

2020 – 58

2021 – 174

2022 – 106

2023 – 149

2024 – 222