You can use the translation service powered by Microsoft Azure to translate NFRS pages into a variety of other languages.

Please note:

This will refresh the page.

Translations cannot be guaranteed as exact and may include incorrect or inappropriate language. We cannot control the quality or accuracy of the Microsoft service.

In an emergency call 999
For general enquiries call 01158388100
Monday - Friday -

POL 3004 - Data Protection Policy


Mandatory for all NFRS staff


This policy sets out the Nottinghamshire Fire and Rescue Service (NFRS) commitment to treat personal data legally and with respect, and to comply with the Data Protection Act 2018, including the General Data Protection Regulation and the Law Enforcement Directive.

Security classification: Official
Document type: Policy
Author: Information Governance and Data Protection Officer
Department: Strategic Support
Approved by: Strategic Support Manager
Assessments done: EIA - Not applicable 26/05/2023

Version Date Modified by Changes
2.6 26/05/2023 Information Governance Manager Amended format with new template and added additional details to 1.1, 2.1, 2.3. Added 1.2, 3.2 and 3.3
2.5 01/01/2021 Information Governance Manager Check & adding detail for 2.1, roles in 5.
2.4 01/10/2020 Information Governance Manager 5.4, 5.5, 5.7 updated for job titles.
2.3 06/12/2018 Information Governance Manager Minor changes to first two bullets in 2.2 to clarify meaning
2.2 04/09/2018 Information Governance Manager Updating job role for SIRO (5.4, 5.5, 5.7)
2.1 19/06/2018 Information Governance Manager Minor update on behalf of IGM, to include Data Protection Act (2018) and GDPR
2.0 26/10/2017 Information Governance Manager Replaces POL 3004 v1.5 to include GDPR

1. Key information

1.1 Introduction

This Policy establishes a framework for ensuring that Nottinghamshire Fire and Rescue (NFRS) meets its obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 18).

It shall cover the development, management, and processing of all personal data within the NFRS including processing carried out by joint controllers, contractors, and processors.

The NFRS will demonstrate its compliance with the accountability principle and be able to evidence our compliance with the data protection principles and make sure that we do not put individuals at risk because of processing their personal data.

Failure to adhere to this policy can result in a breach of legislation, reputational damage, or financial implications due to fines. The NFRS will meet our obligations, by putting into place appropriate and effective measures to make sure we comply with data protection law.

1.2 Application

This Policy applies to all personnel within the NFRS. 1.3 Policy Statement. The NFRS values the correct use of personal information as critical to successful operations and in keeping the confidence of the public, employees, and stakeholders. NFRS is committed to comply with the requirements of the Data Protection Act 2018 (including part 3 covering the Law Enforcement Directive for fire safety enforcement and fire investigation when on behalf of Police), and the UK General Data Protection Regulation (GDPR), to ensure the Service complies with both the law and good practice to:

  • Process personal data in compliance with data protection principles
  • Respect individuals’ rights
  • Be open and honest with individuals whose data we hold
  • Provide training and support for staff who handle personal data
  • Notify the Information Commissioner as needed

The NFRS will achieve these aims through a proportionate approach using:

  • Policies and procedures covering ICT security, information sharing, physical security, individual’s rights, how long we keep personal data (retention)
  • Monitoring compliance with legal requirements and our policies and procedures
  • Maintaining an information asset register for personal data held by NFRS
  • Training for staff every two years, with awareness activity in the other year
  • Using data privacy impact assessments for significant new, or changed, use of personal data
  • Including data protection responsibilities in job descriptions
  • Appropriate controls, for example, restricting door access for specific areas, limiting access to certain files and records to only the staff that need them
  • Information notices to the public and staff about how their information is used
  • Using information sharing agreements with partners who we share personal information with
  • Using relevant contract terms with suppliers who process personal information on our behalf
  • Having designated roles and responsibilities, including Senior Information Risk Officer, Data Protection Officer, and Information Asset owners
  • Registration with the Information Commissioner
  • Notifying the Information Commissioner of any reportable personal data breaches if they happen.

The NFRS will processes special category personal data when needed for:

  • Safeguarding children and vulnerable adults (substantial public interest, Sch1 p18 DPA 2018)
  • Fire safety advice to vulnerable individuals in the communities we serve (statutory duty from s6 Fire and Rescue Services Act 2004; Sch1 p6 DPA 2018)
  • Occupational Health service to staff (Sch1 p2 DPA 2018)
  • Employer duties to staff (Sch1 p8, 9, 14, 16, 17, 21, 24 DPA 2018)
  • Fire safety enforcement, and fire investigation on behalf of Police (Pt3 DPA 2018)

2. Primary information

2.1 Definitions

  • Anonymisation: Refers to techniques that transforms information that identifies individuals rendering it unidentifiable. anonymous information is information that does not relate to an identified or identifiable individual (and the law does not apply to it)
  • Controller: The organisation (or individual) which, either alone or jointly with another organisation (or individual) decides why and how to process personal data. The Controller is responsible for compliance with the DPA and GDPR
  • Data Protection Act 2018: UK legislation that covers the use of personal data by any organisation
  • Data Protection Impact Assessment (DPIA): A DPIA is a process designed to help systematically analyse, identify, and minimise the data protection risks of a project or plan. It is a key part of our accountability obligations under the UK GDPR, and when done properly helps us assess and demonstrate how we comply with all of your data protection obligations.
  • Data Subject: An individual who is the subject of the personal data.
  • Data Subject Right’s: Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 18) creates certain rights relating to the Data Subjects and their personal data and how it is processed.
  • Information Commissioner’s Office (ICO): Appointed by the Crown to supervise the legislations both of the Data Protection and Freedom of Information Act. Has significant enforcement powers including significant monetary penalties, powers of inspection and power to order an organization take actions equivalent in law to a court order.
  • Law Enforcement Directive: The Data Protection Act 2018 includes the Law Enforcement Directive (EU2016/680) for use of personal data for purposes of law enforcement.
  • Legal Basis: Covers the requirement for a valid reason under Article 6 of the UK GDPR in order to process personal data.
  • Personal Data Breach: Personal data: Any information relating to an identifiable living individual who can be identified from that data or from other data. This includes not just being identified by name but also by any other identifier such as ID number, location data or online identifier, or being singled out by any factors specific to the physical, physiological, genetic, mental, cultural, or social identity of the individual.
  • Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • Processor: Processors act on behalf of, and only on the instructions of, the relevant controller(s) when processing personal data.
  • Processing: Anything that is done with personal data, including collection, storage, use, disclosure, and deletion.
  • Pseudonymisation: Refers to techniques that replace, remove, or transform information that identifies individuals, and keep that information separate but can be reidentified by reintroducing the data. Therefore, it remains personal data and is in scope of data protection law.
  • Special category personal data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.
  • UK General Data Protection Regulation (GDPR): covers use of personal data, excluding law enforcement, and became applied to UK law on the 25th of May 2018.

2.2 Roles and Responsibilities

All NFRS staff are responsible for complying with this policy. They will also be responsible for raising any concerns they have about data protection at NFRS with their line manager or with the NFRS Information Governance Manager (IGM).

Line managers are responsible for ensuring their team are aware of and understand data protection policies and procedures for their work area. This may include additional training.

The Assistant Chief Fire Officer (ACFO) fulfils the Senior Information Risk Owner (SIRO) role at NFRS:

  • Is a senior leadership team member who is familiar with information risks and provides the focus for the management of information risk at that level.
  • Owns the organisation’s information risk and information incident management framework, establishing and maintaining an appropriate risk appetite, ensuring that risks are addressed, managed, and capitalised upon consistently by information asset owners.
  • Leads and fosters a culture that values, protects, and uses information for the success of the organisation and benefit of the public, treating information as a business priority not as purely an ICT issue.
  • Chairs the NFRS Security Steering Group.
  • The NFRS Data Protection Officer reports to the SIRO every quarter at a minimum.

The NFRS Security Steering Group (SSG) reviews NFRS compliance with legal responsibilities for information security, including data protection. The ACFO is Group chair. Members are Heads of Department (Senior Leadership Team), IGM, IT Security Officer and Station Managers for Operational Planning and Resilience. This group meets every quarter.

The IGM fulfills the statutory Data Protection Officer (DPO) role at NFRS to:

  • Inform and advise NFRS about its obligations to comply with the GDPR and other data protection laws.
  • Monitor compliance with the GDPR and other data protection laws, including advising on data protection impact assessments, training staff and conducting internal audits.
  • Be a first point of contact for supervisory authorities (Information Commissioner’s Office) and for individuals (staff and citizens) whose data is processed.
  • Report to the NFRS SIRO and submit annual compliance reports to the Fire Authority.

Information Asset Owners (IAOs) at NFRS are individuals managing the relevant parts of the Service which use personal information:

  • Are a range of roles and ranks who oversee use of particular types of information needed to deliver their part of the Service.
  • Understand what types of information are held for their teams’ purpose, how information is used, including who has access.
  • Have responsibility for risks to information assets they ‘own’, and to provide assurance on the security and use of the assets.

The NFRS do not have a Caldicott Guardian, as the Service doesn’t process enough ‘patient information’ to require this. (NFRS have a clinical governance agreement with East Midlands Ambulance Service.)

2.3 External Standards

  • Data Protection Act 2018.
  • UK General Data Protection Regulation (GDPR).
  • The Law Enforcement Directive (EU2016/680).
  • ISO 27001.
  • Information Commissioner’s Office guidance.
  • Article 29 Working party guidance (GDPR).

3. Support information.

3.1 Related Documents.

  • POL 1009 Risk Management Policy
  • POL 2083 Email Policy
  • POL 2084 Internet Acceptable Use Policy
  • POL 2090 IT Information Security Policy
  • POL 2209 Information Transfer Policy
  • POL 2141 Anti-Malware Policy
  • POL 2108 Clean Desk Policy
  • POL 2143 Info Sec Legal Responsibilities
  • POL 2156 Audits
  • PROC 2087 IT Incident Management Process
  • PROC 2088 IT Major Incident Management Process
  • PROC 2192 Media Disposal Procedure
  • Retention Schedule
  • Information Sharing Agreements that NFRS has signed.
  • Project management templates.

3.2 Review Period Criteria.

This document will be reviewed in line with the Policy Framework Guidance documentation and the determination of the document owner.

This document will be reviewed every two years from the point of the last review date.

3.3 Compliance Statement.

This document has been drafted to comply with the Equality Act 2010 and the Public Sector Equality Duty; Data Protection Act; Freedom of Information Act and the UK General Data Protection Regulation (UK GDPR).