Forget about our streets:  it’s inside our corner-shops and take-aways that criminals are running riot.

In July Priti Patel commanded a crack-down on abuse and violence in the retail sector.  But there’s a crucial gap in her chain of command – a gap that only local retailers themselves can fill.

Talk about Best Practice Guides, exhortations to report more crimes, ‘strengthening and making full use of’ existing laws, improving data-sharing between businesses and urging police to ‘underscore the importance’ of close working with local businesses – it’s all been said, and even done, before.

Saying things, and even doing things, doesn’t always produce the desired results. Converting this kind of top-down rhetoric into effective action means motivating and mobilising real-life retailers and licensees to participate in active crime-reduction.

You’d have thought that was a no-brainer: after all these are the people who stand to benefit most. And you’d have thought that Priti Patel, born and bred into independent retailing, would ‘get it’ better than most.

But there are many problems in converting good words and actions into good results. Just because Westminster commands it, doesn’t mean that 43 territorial police forces will obey and anytime soon.  Even if police show willing, it’s unlikely they’ll make ‘full use of existing laws’ to address the problem: high volume, low-value offences rank very low in their priorities – and probably rightly so. Spending between £5,000 and £10,000 of scarce policing and (even scarcer) criminal justice resources on progressing a shoplifting offence, or even low level ‘violence’ in retail premises, to a successful conclusion in the criminal courts, is, frankly, a criminal waste of money.

Enabling retailers to self manage low-level crime to fill the ‘policing gap’

There is an answer. Local retailers and licensees, working together in Business Crime Reduction Partnerships (BCRPs) or Business Improvement Districts (BIDs) is the way forward. By enabling them to self-manage low-level crime in their own premises and local communities, they can – and do – play an essential role in ‘filling the policing gap’.

More and more police forces around the country are working with such partnerships and schemes. It’s a win-win-win deal:

• the local businesses achieve real (and provable) reductions in shoplifting and violent ASB
• police fulfil their duty to prevent and detect crime by supporting them (at virtually zero cost)
• the wider community benefits by identifying early-stage offenders and nudging them back onto the straight and narrow.

The British Retail Consortium, representing the interests of the largest retailers in the UK, has long called for ‘the need for an improved police response’. This is still sadly lacking.  If they, and the home secretary, are serious about reducing retail crime they need to spend more time with local BCRPs and BIDs that operate exclusion or banning schemes.  They’ll see that it is here, at grassroots, where the action is, and where good things happen. And for a lot less investment.

Only by harnessing the motivation – and self-interest – of smaller owner/manager retail businesses, through schemes like these, will Westminster, police and major retailers really close the policing gap.  It’s time for Priti Patel to educate her government on the need for grassroots engagement to get real results in low-level crime reduction.

Find out more about how Disc helps BID’s and Watch Groups reduce low-level retail crime.

Right now, barely 10% of licenced premises are open.  No one knows when Britain’s leisure industry will be back to work – but there’s no doubt it won’t ever be quite the same.

Even before Coronavirus, a pub was closing every 12 hours across the UK.  So adapting to the ‘new normal’ is only one challenge that faces publicans in the years ahead.

When lockdown is lifted many licensed premises will remain closed: much of the sector was financially under-resourced at the best of times and Coronavirus will have called last orders on many. Those that survive will look inevitably to reduce essential costs to the minimum, and identify and jettison non-essential ones altogether.

Where will this leave Pubwatch schemes? 

Many Pubwatch schemes are relatively informal groups of licensees who share information about local troublemakers and, where appropriate, exclude them from their premises. Few charge member subscriptions: hopefully their future will be relatively secure in the cash-strapped future.

Larger Pubwatches, however, tend to be supported by subscriptions, and these will undoubtedly be under pressure as members look to reduce non-essential overheads.  Many depend on a single member to manage the Pubwatch’s affairs:  maybe he or she will be among those that don’t resume trading when the lockdown is eventually lifted in full.  It isn’t always easy to find a replacement willing to step up in their place.  Too often Pubwatch schemes simply fade away when a key ‘mover and shaker’ decides to hand in their empties for good.

Yet Pubwatches provide an invaluable service, and not just to their members. Keeping troublemakers away benefits not only pubs but the wider communities in which they are located.  Police and licensing authorities work closely with Pubwatches not only so that pubs maintain good order but also that young offenders can be identified at an early stage.  Pubwatches provide invaluable opportunities to encourage youngsters to improve their behaviour and, where necessary, to refer them to council’s Early Intervention teams and ultimately, and only where unavoidable, to the police and the criminal justice system.

It’s sad to see pubs close their doors for good – but it’s nothing short of tragic to see Pubwatches closing wholesale around the country. Yet, for as long as Pubwatch schemes are under-resourced, reliant on a single ‘mover and shaker’ member to keep them going, and for receive no direct support from police and councils, that’s what we can expect.

Some police forces and local authorities already provide invaluable support for Pubwatches in their areas –  but most don’t.  True – many Pubwatches are keen to maintain their independence from local policing and licencing authorities. But with Pubwatches under pressure nationwide, police and councils everywhere should explore what they can do to provide support for these groups.

For example, even for the most independently-minded Pubwatch, police and councils can provide access to online management tools like Disc, to make it easier for the Pubwatch to manage its own affairs without any undue reliance on a single ‘mover and shaker’. In doing so, police and councils can also ensure that the Pubwatch operates in compliance with legal obligations, not least of which is GDPR without which they’re understandably unwilling, for example, to share personal data of offenders.

The aim: a win-win deal for all.  The Pubwatch benefits from improved information-sharing, mobile access to galleries of locally banned troublemakers, and legally compliant instant messaging.  The police and council benefit from access to intel about low-level crime and Anti-Social Behaviour and the offenders behind it, as well as access to new ways of instantly and effectively communicating news, Alerts, documents and information about up-coming events etc to licensees across their policing area.

Find out more about Disc for Watch Groups.

Coronavirus has hit public-facing service industries the hardest: tourism, travel, retail and leisure sectors are facing the biggest challenges of all.

Government is doing what it can to keep these industries – and many of the business-to-business companies that support them – on life-support. But smaller – and some larger – Business Crime Reduction Partnerships are facing an existential crisis.

Where they can, BCRP Managers have put themselves on furlough, but government furlough support is set to be reduced.  In addition, with modest financial turnovers, few can borrow sufficient funds through ‘Bounce Back’ loans to keep operational.

Business Crime Reduction Partnerships deliver a crucial role in ‘filling the policing gap’ in communities across the country.  But, when the retail and the hospitality industries return to normal – whatever that turns out to be – many BCRPs will simply have disappeared for good.

The problem, says Andy Sharman (left) of South West Business Crime Centre (SWBCC), is the business model that too many BCRPs rely on.  “Even before Coronavirus, the model was flawed” he says. “These are relatively small organisations entirely dependent on subscriptions from local retailers and licensees, plus whatever they might get from hiring radios.  This modest revenue stream has been threatened by long-term decline in High Street retailing plus cost-cutting by some of the largest retailers. Now Coronavirus means they’re facing a perfect storm.”

According to SWBCC research conducted in the early stages of the Coronavirus shut-down, independent BCRPs are facing a fight for survival. Yet right around the country, high streets and the wider communities around them will continue to need active, and sustainable BCRPs.

The benefits BCRPs can generate are well-known –  and proven –  and Police & Crime Commissioners countrywide have signalled their support for exactly this kind of community-based partnership-working outside the public criminal justice system, recognising their key role in addressing and reducing the kind of low-level crime and ASB that police cannot economically address themselves.

Now, more than ever, is the time for PCCs to step up and provide the modest financial support for struggling BCRPs that can make the difference between their survival and their untimely demise.

“But not just to do more of the same” says Andy Sharman.  “PCCs must demand that recipients of funding demonstrate how they can return to full self-sustainability when the lock-down is finally ended – and that means BCRPs must generate more, and new, organic growth after lock-down. They need to look beyond dwindling subscriptions and radio rentals, to new financial opportunities.

“They need to sell their services more effectively, demonstrating the effectiveness of local exclusion schemes to new potential subscribers.  They need to make sure that message is heard more widely, right across a town, for example, not just in a central shopping area.  They need to recruit new members from new sectors such as public transport, industrial estates, hotels and so on.

“There are opportunities to widen their range of services too. Some have taken over troubled and under-resourced public CCTV systems, for example. My experience is that BCRPs are better at providing such services because they answer direct to local businesses, who obviously stand to benefit most.

“Warden and Ranger services are widely deployed by Business Improvement Districts; again, a BCRP is well-positioned to provide these kinds of services for the benefit of its members.  They provide a high-vis presence to deter low level crime, and they can really help to re-build relationships with police, and work out a way of working more closely together for their mutual benefit. Why not provide a key-holder service too?”

Sharman believes it’s ideas like these that a PCC will look for before providing financial assistance to BCRPs through the next few months or, who knows? even longer. Simply hoping to return to the ‘new normal’ with an old, and flawed, business model is unlikely to be good enough.

Organisations that run exclusion schemes and use Disc for processing personal data must comply with Data Protection law, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA’18). It can be a daunting and confusing area of regulation, but vital to the lawful processing of data and so must be fully understood, and followed.

Here, we de-mystify the GDPR and DPA’18 requirements to help organisations running banning schemes like shopwatches, for example, to understand and meet their obligations.

Who is the Data Controller?

If an organisation processes information that can be used to identify a living person (‘personal data’) for business purposes, then it is a Data Controller and is responsible for complying with the law (see GDPR Articles 24-26, 30-36).

The Data Controller is the organisation or individual that decides the purposes (the ‘why?’) and the means (the ‘how’) of that processing. It must be registered on the UK Information Commissioner’s Office’s (ICO) ‘Register of Fee Payers’ which can be accessed here. For smaller organisations it costs £40 a year or £35 by Direct Debit.

As a Data Controller, the organisation is responsible for ensuring that it abides by the ‘Data Processing Principles’ (GDPR Article 5) which are listed here. These are general principles, but the law obliges Data Controllers to carry out specific tasks which, taken together, go a long way to ensure the organisation’s compliance with them. 

About the Lawful Basis for Processing, Data Subject Access Requests and Data Breaches

The purpose of the GDPR is to provide rights to every living person (‘Data Subject’) wherever GDPR applies (GDPR Articles 12 -23) and to do so, it imposes specific obligations on Data Controllers. 

1) Lawful basis for processing 

Data Controllers can process personal data only once they have identified (and documented) a ‘lawful basis’ for doing so (GDPR Articles 6 and 9). 

There are six types of “lawful basis” for processing, including ‘consent’. However, while consent is the best-known lawful basis, Data Controllers who need to process personal data necessarily without Data Subjects’ consent, may do so under the lawful basis of ‘legitimate interest’ (see ‘Legitimate Interest Assessment’ below).

2) Data Subject Access Requests

Irrespective of which lawful basis is chosen, Data Subjects can require Data Controllers to provide access to (or copies of) all the personal data they hold about them through a ‘Data Subject Access Request’. Controllers must respond to such a request within 30 days (although they may take longer to get the data to them if, for example, the Subject needs to prove who they are). Organisations can’t charge a fee for providing this information. And if Subjects can show that any of the data held is incorrect, they have the right to demand that it is put right.

In most cases, Data Subjects have other rights too – for example, they can oblige a Data Controller to delete all their personal data and to stop collecting it in the future. They can also require the Controller to transfer their data to another organisation. However, as we shall see below, these rights depend on which lawful basis the Controller has chosen for its processing (see Legitimate Interest Assessment below).

3) Data Breach notifications

A data breach is an ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. Where a breach represents a ‘material threat’ to the Data Subject’s rights and freedoms, the Controller must notify the ICO and any Data Subjects affected, within 72 hours. It is down to the Controller to decide if a specific breach actually represents a ‘material threat’ to a Subject’s rights and freedom. To ascertain this Controllers can use the ICO’s online assessment tool here.

What Obligatory Documentation Do You Need To Provide?

Data protection law requires Data Controllers to produce, and abide by, specific items of documentation. 

1) Record of Processing Activity 

Data protection law (GDPR Articles 5 and 24) requires that Data Controllers document the way they and their organisation process personal data.  This includes their internal procedures relating to processing personal data, a comprehensive description of precisely what kind of personal data they process, how it is processed and why, and their choice of lawful basis for processing Data Subjects’ personal data.

This document, often called the Record of Processing Activity must also describe the ‘technical’ (think ‘digital’) and ‘organisational’ (think ‘manual, physical’) security provisions for which the Data Controller is responsible. And if it can be shown that there is a legitimate reason to process Subjects’ ‘special category’ data (such as ethnicity) or prior criminal convictions or offences, Controllers must quote the ‘derogations’ in DPA’18 which enable this (Schedule 1 Part 2 (10) and Part 3 (36)).

The Record of Processing Activity does not need to be made public – but if the ICO receives a complaint from a Data Subject (see Privacy Information below), they will ask to see this document to assess internal processes for themselves. More detailed guidance on what a Recored of Processing Activity should look like can be readon the ICO’s webiste here.

2) Privacy Information 

Irrespective of the lawful basis used to justify processing personal data Controllers must inform Data Subjects about every aspect of that processing (GDPR Articles 12 -14): what kind of data is being processed, for what purposes, with whom it may be shared, for how long it may be retained – in short, absolutely everything. This is to ensure compliance with the Controller’s obligation to operate in a transparent way regarding Subjects. This information must also include contact details if Subjects wish to submit a Data Subject Access Request.

Privacy Information must be communicated in ways which are most accessible and convenient to the Data Subject. If it can be provided to Subjects where and when their personal data is recorded, a hard-copy ‘Privacy Notice’ can be given to them.  Where that’s not possible, or where it has been taken from them without their knowledge, organisations must ensure that full privacy information is made as available as possible – for example, displayed on a public website or on a notice board or poster where Subjects can see and read it.

If Data Subjects can show that full privacy information has not been provided to them, or if it’s not as available as reasonably possible, they can complain to the ICO. In this case, organisations run the risk of being fined by the ICO and even, in some cases, separately taken to court by the Subject.

3) Legitimate Interest Assessment 

As a Data Controller, you must specify the lawful basis on which you are processing Data Subjects’ personal data (GDPR Article 5(2)). If it’s believed that the Subjects whose data you wish to process would not consent to your processing their data, but you believe you have a justifiable reason for doing so, then ‘Legitimate Interest’ can be chosen as your lawful basis (GDPR Articles 12/14). If so, a ‘Legitimate Interest Assessment’ must be completed.

There are three elements to a Legitimate Interest Assessment:

• Legitimate Interest Statement – This asserts your organisation’s justification for processing Subjects’ personal data necessarily without their consent. For example, the Data Controller might assert its right to protect its members’ property and the safety and security of their staff and customers from the impact of crime and anti-social behaviour. If members offer a service to the public, it might additionally be asserted that they have a right to ‘withdraw the implicit licence to enter’ their premises – in other words, to ban Subjects from their property. 
• Data Protection Impact Assessment – The second element of the document demonstrates that your organisation has considered the impact on the rights and freedoms of the various types of Data Subjects whose personal data it proposes to process. For example, adults, non-adults (see our separate Factsheet on Young People and Watch Groups), vulnerable people etc. For each type of Data Subject, every possible impact should be identified and, for each, the risk that it represents to the Subjects’ rights and freedoms. This assessment should include the likelihood, as well as the severity, of each impact, and what measures are in place to mitigate them (GDPR Article 35). 
• Balance of Interests Assessment – The last element must show that Controllers have balanced the interests of their organisations (as defined in the Legitimate Interest Statement) against the rights of Data Subjects (as defined in your Data Protection Impact Assessment) and have concluded that the organisation’s rights outweigh those of the Subjects in relation to the specific purposes and uses of the data processing it is proposing. 

Together, these three elements constitute the Legitimate Interest Assessment. It’s not a public document – but if the ICO investigates data processing following a complaint made to it by a Data Subject, Controllers must be able to show this document to justify the use of Legitimate Interest as the lawful basis for processing Subjects’ personal data necessarily without their consent.

4) Data Processor Contract

Data Controllers are held responsible for their employees’ compliance with data protection law (see Rules & Protocols below). But if Data Controllers use an outside organisation or individual to process personal data on their behalf, it is a legal obligation to have in place a formal ‘Data Processor Contract’ (DPC) with them (GDPR Article 28). 

Sometimes, for example, if you want to use Google or Dropbox or a global Cloud service provider to process your data (and just storing data is ‘processing’) you’ll have to agree to their Terms & Conditions which, if you look hard enough, include a Data Processor Contract. 

According to GDPR, Data Processor Contracts must include eight obligatory clauses – read about them here – plus any others that the Controller may want to include.

What Rules & Protocols Do Controllers Need To Be Aware Of?

‘Rules & Protocols’ are not obligatory under, or referred to in, Data Protection law. However, they define the obligations that Data Controllers place on those individuals who may access and use the information for which they are responsible – and are essential. 

The purpose of Rules & Protocols is to make it clear to any individuals that act outside the rules, that they do so without the consent of the Data Controller. In effect, they are acting as Data Controllers in their own right, deciding the purposes and means of processing the data and, as such, they are responsible for their own actions.

Where an employee or member of your organisation breaks the rules, it isn’t enough simply to assert (in court perhaps?) that he or she knew what the rules were, and intentionally broke them. Organisations may still be held ‘vicariously responsible’ (and liable to prosecution and fines, etc.). 

To avoid this, Data Controllers must ensure that all individuals who have access to your data not only certify that they have read, understood and agreed to abide by your Rules & Protocols but, for example, are regularly reminded of their obligations. You should also be able to show that sufficient technical (think digital) and organisational (think physical, manual) security measures are in place to make it as hard as possible for your employees or members to break your rules.

Disc Support for Compliance with Data Protection law 

We provide Disc to customers who are Data Controllers in their own right. We are therefore Data Processors on their behalf, in accordance with our own Data Processor Contract. Customers are also welcome to offer us their own DPC if they prefer. 

While our customers are responsible for their compliance with the law, we provide consultancy to assist them in this. Among our services, we provide on-demand webinars on compliance, as well as a full set of ‘Model Documents’ including Record of Processing Activity, Privacy Notices (for Offenders and Members), Legitimate Interest Assessment (including all three necessary elements) and sample Rules & Protocols.

The Disc system itself aligns with the critical concept of ‘data protection by design and default’ as defined by GDPR. Features include (configurable) automated irrevocable personal data deletion periods, obligatory member-certification to (configurable) Rules & Protocols and other ‘must-read documents’ including Privacy Notices, automated periodic ‘forced’ re-certification by members, availability of Privacy Notices on public-facing elements of Disc for offenders, fully documented ‘technical’ security provisions to the highest level of online security certified to ISO27001:2013 standards, built-in GDPR-compliant Instant Messaging system and other vital features.

For more on how business crime reduction schemes can comply with data protection law, watch our free video webinar here.  At the end of the webinar we’ll send you a Guide (PDF format) covering the same subject matter as this blog from which you can download invaluable ‘model documents’ to help you ensure compliance of your own scheme.

Watch Groups like shopwatch schemes or banning schemes, for example, will of course inevitably come into contact with young people and in most cases there is no issue – as long as they comply with the law!

Common law…

Common law entitles any owner or manager of private premises open to the public to ‘withdraw the implicit licence to enter’ the premises from anyone, for any reason. The reason, however, must not have anything to do with ethnicity, gender, marital status, sexual orientation, disability, religious beliefs – or age.

So far so good: a Watch Group can ban a young person from its members’ premises because he or she has been reported for a qualifying incident – as long as it’s not because of their age, or any other of these ‘protected characteristics’.

…and Data Protection law

If a Watch Group needs to process the personal data of young people (which it almost certainly will need to do at some point) it must comply with data protection law, namely GDPR and, in the UK, the Data Protection Act 2018.

GDPR says that if any organisation wants to process the personal data of a young person – defined in the Data Protection Act as under 13 years of age – on the ‘lawful basis’ of consent then they must secure additional consent from someone in a parental or guardian role.

This, however, does not apply to Watch Groups, the vast majority of which do not rely on ‘consent’ as their lawful basis for processing but on ‘legitimate interest’.

Where organisations base their processing of personal data on legitimate interest, GDPR does not apply any specific age-related restrictions to that processing. Instead, it requires that the Data Controller conducts a ‘Legitimate Interest Assessment’ which includes a so-called Data Protection Impact Assessment (DPIA).

Defining the impact of Data Processing on young offenders

It is in the DPIA that the Data Controller must consider the impact on the rights and freedoms of the different types of Data Subjects whose data it processes.

Young people, it’s pretty obvious, are different from ‘adults’. They are likely to be more impressionable, more ‘easily led’, less aware of the consequences of their actions. Therefore, they must be included as a specific ‘type’ of Data Subject in the DPIA, and considered separately.

By the way, it’s up to the Data Controller to decide what “young people” actually means:  over 13?  Over 16? The decision is entirely the Data Controller’s.

The DPIA must identify any threat to the rights and freedoms of each type of Data Subject, and if there is any risk, it must show how the Data Controller mitigates that risk.  In the case of young people, the Controller might require that, where a young person is reported for a qualifying incident, their data will not be shared with members of the Watch Group (as would be the case for ‘adults’).  Instead, the data may simply be retained in their local Disc database and shared only with appropriate people (e.g. parents, school or public agencies such as police or an early intervention team).

Additionally, for example, in the DPIA the Controller might stipulate that the young person is treated as any other offender (i.e. as an ‘adult’) if they are reported for a further or subsequent qualifying incident.

As always, it’s down to the Data Controllers to make up their own minds on this, but whatever the decision, Disc enables the smooth and consistent application of the rules for the Watch Group and exclusion scheme.

For more on how business crime reduction schemes can comply with data protection law, watch our free video webinar here.  At the end of the webinar we’ll send you a Guide (PDF format) covering the same subject matter as this blog from which you can download invaluable ‘model documents’ to help you ensure compliance of your own scheme.

Pubwatch schemes – even the smallest – must comply with data protection law, including the GDPR that came into effect in May 2018.

The law gives data subjects such as offenders more rights and the ICO more powers to investigate and impose hugely increased fines.  It also drives a strong incentive for no-win no-fee solicitors to pursue additional damages on behalf of their clients.

It’s a recipe for one of three outcomes:

1)    more non-compliant (and therefore illegal) pubwatch schemes.

2)    more closures of pubwatch programs which can’t afford the time and money required to ensure compliance.

3)    or bringing more pubwatch schemes into larger ‘umbrella’ groups where compliance is carefully managed and maintained while each pubwatch continues to make its own decisions and retain its independence.

Combining Pubwatch Schemes On Disc To Drive Down More Low Level Crime

It’s a direction that more and more pubwatches are taking: neighbouring pubwatch schemes across, for example, a specific district or metropolitan area continue to operate independently, making their own minds up about exclusions, banning etc, but within an ‘umbrella’ organisation which looks after regulatory issues and compliance.

Our Disc online crime reporting system is increasingly being used to provide that umbrella.  In urban areas and conurbations single Disc systems are being used to support multiple local pubwatches across the Boroughs of Harrow or Wandsworth in London, or in larger towns such as Bath.  But it’s in less urban areas, where smaller pubwatch schemes support clusters of premises in more rural areas, where the trend is most noticeable.

Newbury, Gloucester, Taunton, Yeovil, Hereford, Huntingdon and Workington are just some of the towns which have extended their existing Disc systems to cover smaller, rural pubwatches in outlying areas. Local authorities such as Rhonda Cynon Taff in South Wales, or across the entire county (and police forces area) of Staffordshire, use individual Disc systems to support multiple pubwatch schemes.

Linking them together within a single Disc system brings other essential benefits to participating pubwatches too.  The timely and easy distribution of ‘alerts’ through the system can help licensees protect themselves against counterfeit currency, travelling scammers, stolen goods or fake alcohol sellers. Being aware of individuals banned in one pubwatch helps members of neighbouring pubwatches keep an eye on new faces who may be a source of trouble.

Pubwatch Schemes Which Are Fully Compliant

By combining multiple pubwatch schemes in this way, each benefits from the rock-solid compliance made possible by the unique Disc system – yet each controls its own banning decisions, exclusion schemes and membership, and has online access to their own Mugshot Galleries in the Disc ‘Desktop’ or smartphone App.

Pubwatches and their members can be fiercely independent and no one size of ‘umbrella’ will fit all circumstances. The benefit of Disc is that it’s configurable to match virtually any group, whether it’s multiple pubwatches that have decided to come together to create such a group, or a Business Improvement District that decides to extend its support to pubwatch programmes beyond its own immediate levy-payer area.

Contact us to discuss how to best use Disc across multiple pubwatch locations.