Privacy Policy
Effective date: 26 May 2026
This Privacy Policy explains how the Regional Exclusion & Crime Observation Network ("we", "us", "our"), operating under the trading name Recon, collects, uses, discloses, and protects personal data when you use our Platform. It applies to all users, including those registering for access.
Special category and criminal offence data
This Platform processes special category personal data, including criminal offence data, as defined under the UK GDPR and the Data Protection Act 2018. Additional conditions for processing this data are set out in our Data Processing Agreement.
1. Data Controller
Regional Exclusion & Crime Observation Network is the data controller for personal data processed in connection with the operation of the Platform. Participating organisations are independent data controllers for the data they submit and access.
2. Information We Collect
2.1 Account and registration data
When your organisation registers for access, we collect:
- Organisation name, type, registration number, phone, website, and address
- Contact name, email, phone number, and job title of the applicant
- Data Protection Officer contact details
- SIA licence number (for private security organisations)
- Police force or agency name (for law enforcement)
- Stated purpose for accessing the Platform
2.2 Data you submit to the Platform
When authorised users create or update records, the Platform processes:
- Suspect/person data: name, date of birth, physical descriptions, distinguishing marks, photographs, and aliases
- Incident data: incident descriptions, dates, locations, types, status, linked suspects, evidence photographs, and notes
- Vehicle data: registration plates, VIN, make, model, colour, and associated persons or incidents
- Pub watch/ban data: banning notices, conditions, durations, and linked premises
2.3 Technical and usage data
We automatically collect:
- IP address and browser type at registration and login
- Audit log entries: user ID, timestamp, action performed, and record affected
- Session data for authentication and security
3. Lawful Basis for Processing
3.1 Personal data (UK GDPR Article 6)
We process personal data under the following lawful bases:
- Contract (Article 6(1)(b)): to provide the Platform service under the Terms of Service
- Legal obligation (Article 6(1)(c)): to comply with applicable laws and regulatory requirements
- Legitimate interests (Article 6(1)(f)): for platform security, fraud prevention, and service improvement
- Public task (Article 6(1)(e)): where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
3.2 Special category and criminal offence data (UK GDPR Article 9 & DPA 2018 Schedule 1)
Criminal offence data is processed under the following conditions of the Data Protection Act 2018, Schedule 1:
- Part 1, Paragraph 5: processing is necessary for the exercise of a function of the Crown, a Minister of the Crown, or a government department
- Part 1, Paragraph 6: processing is necessary for the exercise of a function conferred on any person by or under an enactment
- Part 2, Paragraph 7: processing is necessary for the exercise of a function designed to protect the public against dishonesty, malpractice, or other seriously improper conduct
- Part 2, Paragraph 10: processing is necessary for the prevention of unlawful acts
- Part 3, Paragraph 18: processing is necessary for a purpose relating to the provision of health or social care
- Part 3, Paragraph 19: processing is necessary for reasons of substantial public interest
Each participating organisation must identify and document the specific Schedule 1 condition(s) relied upon for their processing activities.
4. How We Use Your Data
We use collected data to:
- Provide, maintain, and improve the Platform
- Process registration requests and manage user accounts
- Enable authorised intelligence sharing between participating organisations
- Maintain a complete audit trail of all platform activity
- Detect, prevent, and investigate security incidents or misuse
- Comply with legal obligations and respond to lawful requests from public authorities
5. Data Sharing
5.1 Between participating organisations
The primary purpose of the Platform is to enable data sharing between authorised organisations for crime prevention, detection, and public safety. Data you submit may be visible to other authorised users from participating organisations in accordance with their stated purpose and lawful basis.
5.2 With law enforcement
We may disclose data to law enforcement agencies where required by law, including under the Regulation of Investigatory Powers Act 2000, the Investigatory Powers Act 2016, or by court order.
5.3 With regulators
We may disclose data to the Information Commissioner's Office (ICO) or other regulators as required by law.
5.4 We do not sell your data
We do not sell, rent, or trade personal data to any third party for commercial purposes.
6. Data Retention
- Account and registration data: retained for the duration of your account, plus 6 years after termination for legal and regulatory compliance
- Criminal intelligence and incident data: retained in accordance with the Management of Police Information (MoPI) codes of practice and your organisation's own retention schedules
- Audit logs: retained for a minimum of 6 years from the date of the recorded action
- Session and technical data: retained for the duration of the session, with IP addresses retained for 12 months for security purposes
7. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
- Right of access (Article 15): you can request a copy of your personal data
- Right to rectification (Article 16): you can request correction of inaccurate data
- Right to erasure (Article 17): you can request deletion of your data, subject to legal retention requirements
- Right to restriction (Article 18): you can request that we restrict processing of your data
- Right to data portability (Article 20): you can request your data in a structured, machine-readable format
- Right to object (Article 21): you can object to processing based on legitimate interests
Please note that certain rights, particularly the right to erasure, may be restricted where processing is necessary for compliance with a legal obligation, for the exercise of official authority, or for the establishment, exercise, or defence of legal claims.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS) and at rest
- Strict access controls and role-based permissions
- Session management with automatic timeout
- Comprehensive audit logging of all data access
- CSRF protection on all forms
- Security headers (CSP, X-Content-Type-Options, etc.)
- Regular security reviews
9. International Transfers
The Platform is hosted within the United Kingdom. Data is not transferred outside the UK. In the event that a transfer becomes necessary, we will ensure that appropriate safeguards are in place in accordance with Chapter V of the UK GDPR.
10. Children's Data
The Platform is not intended for use by individuals under 18. We do not knowingly collect personal data from children. If we become aware that data relating to a child has been submitted, we will take steps to remove it in accordance with applicable law.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email or through the Platform. Continued use after changes take effect constitutes acceptance of the revised policy.
12. Contact
For data protection enquiries, please contact your organisation's Data Protection Officer or the Recon support team.
To exercise your rights under the UK GDPR, you may also contact the Information Commissioner's Office at ico.org.uk.