Frequently Asked Questions

Neither the GDPR nor DPA’18 say much about information-sharing. The ICO has published guidance on the subject and strongly advises that organisations that share data on a regular basis draw up an information sharing agreement with each other, to define the methods and purposes of the information sharing and to ensure that if anything goes wrong, it is clear where responsibility lies. However, it is each Data Controller’s obligation to operate in compliance with the law and neither side of the exchange is responsible for the compliance of the other side.

Use of WhatsApp (or similar, peer-to-peer messaging systems) for processing (including sharing) personal data for a business purpose (basically, anything that isn’t just friends and family) requires registration of the group with the ICO, and the ability of the Data Controller to control the data involved; because personal data resides on the mobile devices of members in the WhatsApp group, it is not possible for the Data Controller to exert sufficient control over it – therefore the group cannot comply with the obligations of the law. This is especially important in the case of public agencies such as the police where the police data controller (usually the Chief Constable, who is responsible for the compliance of his/her staff) will be liable under law.

Yes. Most crime reduction schemes process the personal data of ‘subjects of interest’, necessarily without their consent, in which case the Data Controller must have a documented ‘Legitimate Interest Assessment’ which justifies this processing.  For crime reduction schemes this must comprises three elements:

• a clear statement of the rights of the scheme and its members (their ‘Legitimate Interests’)
• Data Protection Impact Assessment(s) defining the impact of processing on the data subjects’ rights and freedoms
• a ‘Balance of Interests Assessment’ which shows that the scheme’s rights outweigh the rights of the data subjects.

For more on how to ensure your scheme (pubwatch, shopwatch or Business Crime Reduction Partnership for example) complies with data protection law, view our free video webinar here.

Data Controllers must:

• Make sure they, or their organisation, are registered on the ICO Register of Fee Payers
• Ensure they, or their organisation process personal data in compliance with the law
• Respond to data breaches and Subject Access Requests in line with the law
• Document the way that they, or their organisation, processes personal data
• Provide full privacy information (often in the form of a ‘Privacy Notice’) to data subjects in line with the law;
• Where they use the service of a Data Processor (for example, where Disc is used, Littoralis is a Data Processor) ensure that there is a Data Processor Contract in existence between them.

Sometimes two independent organisations agree to pool some personal data for one or more shared purposes. For this data and for these purposes, these become ‘Joint Data Controllers’. The law doesn’t require any formal agreement between joint controllers – but they must agree between them, and document, their respective roles in fulfilling their obligations under the DPA/GDPR – for example: which will be responsible for providing privacy information to the relevant data subjects; which will respond to Subject Access Requests; which will respond (at least in the first instance) to enquiries from the Information Commissioners Office.

For more information about Joint Data Controllers visit the ICO website here.

The Data Controller is the organisation or person who decides why personal data is processed, and the ways that it is processed. When you register on the ICO’s Register of Fee Payers you must identify an individual who is responsible for this function to the ICO – the Data Controller. This should be the most senior decision-maker or board of management. Large commercial organisations, and all public agencies, have to appoint a ‘Data Protection Officer’. In any case, the ultimate responsible authority will be the most senior executive (for example a chief executive, Chief Constable or Commissioner), or a board of management.

The law says Data Controllers must document the way they process personal data – and how they ensure the ‘technical’ and ‘organisational’ security of that data. Technical security means the security of automated (usually computerised) processes; organisational security means security procedures which everyone in the organisation must abide by when handling personal data. Disc, for example, provides robust, comprehensive technical security – but the rules that apply to managing personal data before it is put into Disc, and after it is exported from it, comprise the organisational security.

Disc aligns tightly with GDPR’s key concept of ‘data protection by design and default’. But computer systems alone cannot comply with data protection law – only the people and organisations that use them can do that. Disc is a comprehensive crime and offender data management system and it certainly supports Data Controllers’ obligations to comply with the law.

Unless you are a charity and process personal data only for internal purposes, or you process personal data only for domestic purposes (i.e. friends and family) you will almost certainly need to register on the ICO’s Register of Fee Payers. Small and medium-sized organisations can register online at https://ico.org.uk/registration/new for £40year (£35 if you pay by direct debit).

The GDPR is the EU-wide law which protects the Personal Data of EU citizens.  In the UK the GDPR is incorporated into the DPA’18 which covers a wider range of subjects and also defines a number of ‘derogations’ from the GDPR – that is, aspects of data protection which the GDPR allows each individual EU country to define for themselves. Because Disc is always used for some kind of processing of personal data, it has been developed to align tightly with the concept of ‘data protection by design and default’.

It is essential that all members of a  Disc system know the rules of membership – and their responsibilities.

This is not only to ensure they know what is expected from them as members or users, but also, in the event of a data breach caused by a member breaking the rules, to ensure there is clear evidence that they broke the rules in full knowledge that they were doing so, and of the possible consequences.

This is essential to enable a Data Controller to avoid liability for such a data breach.

Yes. Whether you’re setting up an internal banning scheme or an independent one, you should have a Constitution (as well as Rules & Protocols). For more on setting up an exclusion scheme and for a set of useful ‘Model’ documents including Constitution and Rules & Protocols, register here for one of our regular webinars on setting up an Exclusion Scheme.

Schemes may be – and often are – autonomous and independent of any other organisation. This can sometimes means that compliance with DPA/GDPR is simpler and easier to document. Although schemes can be ‘unincorporated associations’ (like clubs), this provides no protection to its members if, for example, the scheme falls foul of the ICO and receives a fine. So it’s always best to incorporate it as a company ‘limited by guarantee’, which requires a Constitution as well as a clearly defined set of Rules & Protocols. For more on setting up an exclusion scheme and for a set of useful ‘Model’ documents including Constitution and Rules & Protocols, register here for one of our regular webinars on setting up an Exclusion Scheme.

Some organisations – such as Shopping Centres, Business Improvement Districts, private crime reduction partnerships, Football Clubs, Retailers etc – may see the benefit of setting up banning schemes – or Exclusion Schemes – to cover their own property. There’s no reason why they can’t do so, but they need to be sure that only relevant and appropriate people in their organisations have access to offenders’ personal data, and that they abide by rules and protocols specific to the banning scheme. The advantages of such a set-up include having a shared Data Controller, cover under the ‘parent’ organisation’s existing insurance policies, and perhaps being accommodated in an office provided by the parent organisation.

Owners (including their staff and contractors) of private property which offer an ‘implicit license to enter’ to the public can be members of Exclusion Schemes. Public agencies cannot exclude people from any premises – private or public – unless they have applied to do so through a formal legal process. Neither can they instruct members of an Exclusion Scheme to do so. So police, councils etc have to be sure to keep a clear arm’s length from Exclusion Scheme’s decisions to ban any individual. However, police and council officers can – and usually do – get involved in, and very actively support, Exclusion Schemes and this can include having access to the information that the scheme exchanges with its members, and sharing their own information with the scheme.

Owners or managers of private property can refuse access to their property, to anyone, for any reason, other than those defined in the Equality Act (gender, ethnicity, religious belief, sexual orientation etc). In the case of shops or licensed premises, this is referred to in law as ‘withdrawing the implicit Licence to enter’. An Exclusion Scheme is where a number of such premises come together to ‘pool’ this right, and apply it according to a shared set of rules, in order to ultimately excluded specific individuals from all their premises, for a specific length of time.

Exclusion Schemes enable members to report incidents of low-level crime and Anti-Social Behaviour in or around their premises and identify the person or persons responsible. If appropriate, the offender(s) may be excluded from all the premises of all the members of the scheme. Schemes like this are effective in encouraging first-time offenders not to re-offend, and keeping repeat offenders out of members’ premises, thus reducing members’ exposure to financial losses in the form of, for example, shoplifting, or the impact of antisocial behaviour on their customers. They can be highly effective, with approximately just 20% of those who receive a first time warning, going on to receive a second-time warning, and only 20% of those who are excluded from premises going on to re-offend.

Littoralis has been in business since 2000, specialising in the development of secure document and content management systems. The company first launched its ‘BCRP Intranet’ product in 2009.  In 2013 the entire system was rewritten and the new product named ‘Disc’.  Littoralis is a ‘Data Processor’ to its customers (who must be registered as Data Controllers with the Information Commissioner’s Office). As a Data Processor, Littoralis must work under a formal Data Processor Contract with its customers, and this is included in Section 4 of Littoralis’ Standard Terms & Conditions.

Littoralis, the company behind Disc, is certified to ISO27001:2013 – the internationally recognised standard that ensures that its operations and its products conform to the highest level of information security standards. Additionally, Disc provides a comprehensive ‘technical security’ environment for its customers. To read more about this, contact enquiries@littoralis.com to request a copy of our document Littoralis & Disc Data Security & Protection Provisions.

The Disc App is free of charge and anyone can download it from the AppStore (for iPhone or iPad) or Google Play (for Android). Just search for ‘Littoralis Disc App’. While anyone can download the App to their smartphone, of course only people who are members of Disc systems can use it to access data.

Disc customers are charged a once-off implementation fee to cover set-up, training support and consultancy on GDPR compliance; thereafter they are charged a monthly license.

There are no additional charges: Disc’s constant upgrades and enhancements are all delivered within the monthly License fee.

Yes, Disc provides a direct-to-police crime reporting system, saving Disc users – and the police – time and money.

All that’s required to implement crime reporting is a ‘101’ police email address to which Disc crime reports will be sent. If crime reporting is enabled in a Disc system, when a user submits a report into Disc about an incident that hasn’t already been reported to police, the user is asked if he or she would like to send a crime report of the incident direct to police.

If so, after the Incident Report has been submitted to the Disc administrator, the details are copied into a Crime Report and the user is asked to provide a few extra pieces of information. The reporter can also use the system to submit an ‘MG11’ (or Witness Statement).

Completed Crime Reports (with or without a Witness Statement) are emailed in PDF format direct, to the police 101 desk for processing. Disc’s direct-to-police crime reporting system should not be used for incidents that require immediate police attendance – always call 999 in these situations.

Many Disc systems include police officers among their members. They benefit from becoming aware of invaluable low-level crime intel, captured by, and shared among, members. For the scheme, police can provide support such as good-quality custody images and police-originated intel. For more on this see our FAQs on ‘Disc and Police’ below.

You can link your Disc system with other Disc systems for cross-Disc publishing and cross-Disc offender-matching. Cross-Disc publishing allows you to instantly copy crime current-awareness content that you add to your own Disc system, into the Disc systems of those with whom you have agreed to set up cross-Disc Publishing. Cross-Disc offender-matching allows you to instantly check if an offender in your Disc system is also known in other Disc systems with whom you have agreed to set up cross-Disc offender-matching, enabling you both to identify a locally-known offender as travelling and therefore prolific. All such links are ‘peer-to-peer’: you can set them up between as many other Disc systems as you like – as long as each of them agree.

• Continuing access to, and full use of, all functionality as defined in the Disc Manuals;
• The Disc ‘Secure Environment’ located ‘in the Cloud’ in the UK, being fully-compliant with the provisions of current data protection law;
• 99.5% Server availability, subject to any necessary and pre-notified maintenance;
• All relevant upgrades or incremental enhancements deemed by Littoralis to be core components of the Disc system;
• Telephone and email support for the Customer’s designated Single Point of Contact available 9:30am to 5:00pm Monday – Friday, with out-of-hours response;
• Participation in annual regional User Group sessions;
• Access to Disc Intelligence at Work – our online customer support and information-sharing portal;
• Quarterly consultative and advisory reviews by Littoralis’ Customer Support Team.

Almost certainly less than you’d expect. The cost of each Disc variant is structured in the same way:

• A once-off set-up charge:
• A monthly Licence:
• Additional training after you’ve gone live, if required, for example if an Administrator leaves and hasn’t trained up his/her successor; additional training delivered online by ‘webinar’ on an agreed hourly mrate.

The set-up cost and monthly Licence vary according to the Disc variant in question. For more information on pricing for your own Disc implementation, contact us at enquries@littoralis.com

If you want to participate in a Disc system, you must be invited to do so by your local  Disc  Administrator.  So first, find out if there is a scheme operating in your area – if you can’t find one, let us know and we’ll try to direct you to the right place.

Your local Administrator will add your email address into his/her Disc system and you’ll receive a ‘Welcome email’, directing you to the Disc self-certification page.  Once you’ve completed that page and confirmed acceptance of the scheme’s rules, you’ll be able to access the scheme’s Disc system.

Disc is delivered to members through the Disc Desktop (a secure, members-only website) or through the Disc smartphone  App.  To download the App go to the AppStore (for iPhone) or Google Playstore (for Android) and search for ‘Littoralis Disc App’.  Load onto your smartphone, open it and follow the on-screen instructions.

As we have explained above, compliance with the Data Protection Act and GDPR is essential for crime reduction schemes. It’s also essential to run your scheme according to recognised Best Practice. If you can prove that this is how your scheme is run, you’re much more likely to win the support and active participation, not only of businesses, but also of police and councils, who can provide invaluable assistance. In 2018, the Home Office-supported National Business Crime Centre published the first National Standards for Business Crime Reduction Schemes (more information can be found on the NBCC website here). This enables schemes to check that they are being run according to these standards and, optionally, to pay for  periodic official certification to that effect.

More and more Police & Crime Commissioners are helping to fund local Business Crime Reduction Schemes, so they are a good place to go for possible start-up funding. Once up and running, schemes can look to generate revenue from members’ subscriptions and from renting radios to the them, if the scheme wants to benefit from a local radio scheme to help with urgent, important incidents etc. Business Improvement Districts are usually keen to support such schemes on behalf of their levy-payers and if there’s a BID in your area, it might be best to speak with them first. If they feel that a scheme can benefit their levy-payers, they may set up – and administer – the scheme themselves, using their existing financial resource.

This depends on several factors. Disc is designed to be very easy and quick to use, and to administer. Smaller schemes can be run by a part-time Administrator, perhaps even working on a voluntary basis a couple of evenings a month. Busier schemes, like Shopwatch or Pubwatch implementations may be able to employ a part-time Administrator paid from members’ subscriptions. Larger schemes often have a designated Disc Administrator, but using Disc is likely to take up only part of their time – leaving more time to keep in close contact with members and manage other activities, including liaising with partners such as police, council etc.

No. It is virtually illegal for individuals (or individual organisations) to share personal data with each other, unless they do so as members of an organisation with a  designated (and registered) Data Controller. The Data Controller is obliged to ensure that no data processing takes place unless it is in compliance with the law – and that requires a person to ensure that this happens. It might be convenient to allow individuals to share personal data with other individuals, outside the control of a responsible Data Controller. But if this happens, unless each participant is registered as a Data Controller in his/her own right, that’s against the law.

Disc for Police is a version of Disc which enables a police force to work with, and support, its local business crime reduction schemes more effectively, efficiently and securely and in tight compliance with Data Protection law. Disc for Police enables police at force level to provide current-awareness information to these local schemes in a more timely and responsive manner; it enables the distribution of urgent, important Alerts more immediately to them, and to their members; it reduces police administration costs by the adoption of online processing and communications; it ensures tight compliance with DPA/GDPR and MOPI within a digital ‘Secure Environment’ for data-sharing and processing; it enables more efficient and effective management of Information Sharing Agreements, including automated periodic re-certification; it provides access to the offender data in each local Disc system throughout the force area (and provides powerful tools to identify potentially prolific and travelling Offenders); and it encourages – and assists – smaller less-compliant local schemes to adopt Best Practice and thus enable more information-sharing with police.

Members of Disc systems are often more likely to report low-level crime and ASB to their Disc Administrator (who can apply an Exclusion to the offender, for example) than to the police (who will often not investigate the incident because it is seen by them to be relatively trivial or there is insufficient evidence to take the offender to court). But the police do want members to report crimes – even the smallest – to them so that they can establish a clear picture of criminality in the area. So in Disc, if the local police agree, the Disc administrator can enable ‘direct police crime reporting’ for members. This means that, where an incident is reported into Disc which has not already been reported as a crime to police, the member is asked if he/she wishes to ‘escalate’ the incident report into a crime report with optional MG11 (Witness Statement). If member opts to do so, the content of the Incident Report is used as the content of the crime report, a small amount of additional information is added and the crime report is sent – with or without the optional MG11 – direct to the police’s ‘101’ email address so that it can be registered by the police, ‘counted’ and assessed to see if it merits further action from the police (for example if a child, or a race-hate crime, was involved etc). The Disc direct-to-police crime reporting system reduces pressure on the police 101 service and enables them to process crime through Disc off-line during slack periods for the 101 service.

Most Disc systems bring local businesses together to collect and share information about local offenders. Individual police officers may be invited to participate, and access that information.

In many cases they are designated as ‘Authors’ enabling them to add current-awareness information into the system and share it with other members. Some of them, additionally, can access the local Disc database of offenders, add incident reports or offender details, add other police officers as members, and access Disc’s useful ‘analytics’.

In every Disc system the Administrator can optionally enable all incident reports – or just selected ones – to be sent direct to a police email address so that, fir example, a community policing team can be aware of incidents which perhaps have not otherwise been reported to the police.