McCullough Review Privacy Notice

The Chief Constable of PSNI has appointed the Reviewer and his two assistants (“the Review Team”) to conduct the McCullough Review. Each member of the Review Team is an independent barrister and a data controller registered with the Information Commissioner’s Office. The appointments and the work of the Review Team are pursuant to the Chief Constable’s duties and accountability to the Northern Ireland Policing Board under the Police (Northern Ireland) Act 2000, as amended, including under sections 33A (Provision of Information to the Board), 58 (Annual Report by Chief Constable to Board), 59 (General Duty of Chief Constable to report to the Board) and 76A (Disclosure of information and holding of inquiries). On 5 December 2024 the Northern Ireland Policing Board decided to accept the terms of reference of the McCullough Review as the basis for its request to the Chief Constable pursuant to section 59. The purposes of the Review are set out in its Terms of Reference. It was established in response to concerns raised by persons and groups which attract ‘special status’ under surveillance legislation arising from material disclosed in ongoing Investigatory Powers Tribunal (IPT) proceedings. These concerns, which engage principles of press freedom and legal professional privilege, have been picked up in media comment and reporting, as well as by elected representatives across the political spectrum in Northern Ireland.

The Review Team are bound by the Terms of Reference and the statutory and common law powers pursuant to which the Review was established. However, the Review Team will conduct its work independently and will determine its own approach and methodology. The Review Team will have unrestricted access to PSNI records, material and personnel for the purposes of their reviewing function.

The Review will consider relevant events between 1 January 2011 and 1 November 2024, although this date range may be reconsidered during the course of the Review and for that purpose and/or obtaining proper context and understanding may review events outside that time period. The Review will not extend to any matter relating to ongoing proceedings before the IPT until such proceedings have been finally determined. The Reviewer will, however, have access to all material held by the PSNI, including that relevant to pending IPT proceedings.

The Group of Experts and Stakeholders

A group of experts and stakeholders (“GoES”) has been formed. The membership of the group is set out here. The GoES’ role is to advise and provide direction to the Review, but its members do not make any decisions in relation to it. Members of the GoES will not have access to the personal data processed by the Review Team but will from time to time receive briefings and updates from the Reviewer about his work. Such briefings and updates shall not reveal the identities of people who have contacted the Review (unless expressly authorised to do so by the person who has contacted the Review). The Review Team are required by the Terms of Reference to consult with the Chief Constable and obtain his written consent when disclosing PSNI information to the GoES. In seeking to maximise the openness of the Review, such disclosure might need to be in ‘gisted’ or redacted form for the purposes of protecting legitimate sensitivities, applying a test equivalent to that for public interest immunity in civil proceedings.

Review Questionnaire

Any individual or group that has information relevant to this Review is encouraged to submit a Questionnaire (downloaded from the Review website), to be completed and sent to a secure email address on a confidential basis. Anyone volunteering information to the Review by this means will be fully informed (by means of this privacy statement and any further communications) of the purpose of the processing and their rights in respect of their personal data. The deadline for response to this call for evidence was extended (from 5pm on Friday 18 October 2024) to 5pm on Friday 1 November 2024.

Individuals completing a Questionnaire, or otherwise contacting the Review, are expected to identify themselves to the Review Team but will not be identified any more widely, including to PSNI. After discussion with the GoES, no individual contacting the Review will be identified to them either. Anyone coming under suspicion of wrongdoing will not automatically be entitled to anonymity and will be warned accordingly.

Review Access to PSNI Systems and Information

The Review Team will be afforded full access to PSNI records and serving personnel to facilitate the Review, as reflected by the Terms of Reference. Any former PSNI personnel are permitted and encouraged by the Chief Constable to engage fully with the Review.

Information on PSNI systems will originally have been processed under the PSNI’s policing and law enforcement or for general administrative purposes (PSNI’s full Adult Privacy Notice | PSNI is available by clicking). PSNI will retain control of that data. The Review Team are enabled to lawfully access and process personal data on PSNI systems as such access and processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Chief Constable. Personal Data is defined in Article 4 of the UK General Data Protection Regulation and Article 6(1)(e) states that it is lawful to collect personal data where that is necessary for the performance of a public task or in the exercise of official authority vested in the data controller. Section 8 of the Data Protection Act 2018 provides that the circumstances in which Article 6(1)(e) applies include (but are not limited to) processing of personal data that is necessary for the administration of justice, the exercise of a function conferred on a person by an enactment or rule of law, and the exercise of a function of the Crown, a Minister of the Crown or a government department.

Special categories of personal data are defined in Article 9(1) of the UK GDPR and include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning a person’s health, sex life or sexual orientation. The Review Team may lawfully process such data under Article 9(2)(g) UK GDPR, and sections 10(1) and (3) and Part 2 of Schedule 1 of the Data Protection Act 2018, where such processing is necessary for reasons of substantial public interest and subject to the protections provided by UK GDPR and the Data Protection Act 2018.

Review Reporting:

The Reviewer shall issue public-facing reports, including any recommendations made, to the Chief Constable, as required, for publication by the PSNI. In any reports submitted to the Chief Constable for publication, the Reviewer and the Chief Constable shall seek to maximise the openness and transparency of the Reviewer’s findings and recommendations, in so far as consistent with statutory constraints and legitimate sensitivities - subject only to which the Chief Constable shall publish any report promptly. Where the Reviewer cannot make findings or recommendations publicly, he shall provide a Closed report to the Chief Constable.

In so far as any wrongdoing is discovered in the course of the review, any individual or group that is the victim of such wrongdoing shall be informed of by the Chief Constable, in so far as possible in compliance with applicable statutory and common law duties.

The Reviewer, in conducting his review, shall inform the PSNI of any matter which in its opinion should be referred to the Investigatory Powers Commissioner's Office (IPCO).

The Review Team must ensure compliance with data protection principles and are directed by relevant policies and procedures in relation to data protection. The Review Team will ensure data is processed in a specified, legitimate, adequate, accurate, and timely manner with stringent security controls and will only process personal data by lawful means and in line with processing conditions

The Review Team may process an array of information relating to a range of individuals including victims, witnesses, complainants, suspects and offenders, in connection with the Review purposes as well as details of officers/staff who work for or with PSNI. The Review Team may process both personal information and special category information. This information will be held both electronically and in hard copy.

The Review Team may process personal data relating to a wide variety of individuals (data subject); this data can come from a wide variety of sources, including those noted below:

• Data Subject:
  • Responders to the questionnaire including journalists, lawyers etc
  • PSNI personnel including permanent police officers and police staff, volunteers, agents, temporary and casual workers
  • Other individuals necessarily identified in the course of enquiries
  • Former and potential members of staff
  • Advisers, consultants and other professional experts
• Data Source
  • Individuals themselves including witnesses, victims, offenders, suspected offenders and persons making an enquiry or complaint
  • PSNI personnel
  • Private sector organisations working with the police in anti-crime strategies
  • Ombudsmen and regulatory authorities
  • Her Majesty’s Inspectorate of Constabulary
  • The media

The personal data gathered directly by the Review Team from Questionnaires will be under the control of the Review Team. PSNI will retain control of their source data. Personal data will be retained for a long as necessary for the purpose or purposes for which it was collected (i.e. undertaking the Review, the publication of the Review outcomes, and response to any challenge to those Review outcomes) and PSNI data is retained in accord with its Retention and Disposal Schedule (see PSNI Adult Privacy Notice).

The Review Team takes the security of all personal information under its control very seriously. It will comply with legislation relating to data protection and security. It will ensure that appropriate policy, training, technical and procedural measures are in place, to protect manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any personal data contained within them

In order to carry out the purposes described under paragraph 1 above the Review Team may disclose personal data to a wide variety of recipients. This will include, but not be limited to: the Chief Constable and other officers of PSNI (subject to the undertakings on confidentiality discussed above), the IPCO, law enforcement agencies, and regulatory oversight bodies etc. The Review Team may also disclose to other bodies or individuals where necessary to prevent harm to individuals. Disclosures of personal data will be made on a case-by-case basis, using the personal data appropriate to a specific purpose and circumstance, and with necessary controls in place.

The Review Team may also disclose personal data to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order such as to other professional or regulatory bodies

The Review Team may also disclose personal data on a discretionary basis where it is necessary for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice. Any disclosure of personal information is carefully considered in accordance with legislation, policy, and/or information sharing agreements governing that sharing.

Individuals have various rights enshrined in the Data Protection legislation, these are detailed below. The Review Team and PSNI will process any requests from individuals in relation to these rights; however, where there is a legitimate business purpose for processing this data (see text below) , or an exemption applies, the controller processing the request does not have to give effect to the right. In those circumstances we will communicate this to you and highlight our reliance on the Data Protection legislation for this. By requesting your rights are enacted, we will be required to further process your personal information in order to keep a record of what amendments, if any, have been made and the justification for any decisions made.

5 There may be occasion where individuals will not be entitled to their personal data, for example, to protect the rights of others. More information on exemptions can be found on the ICO’s website - www.ico.gov.uk

The Right to Access

Subject Access is the most commonly exercised right. Individuals can request a copy of their personal data and other information about how the data controller processes your information. Where the data controller withholds some/all of the requested information we will provide details, where possible, around the decision in line with data protection legislation.

The right to rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If the data controller has disclosed the personal data in question to third parties, it must inform them of the rectification where possible. It will also inform the individuals about the third parties to whom the data has been disclosed, where appropriate. Where the data controller is not taking action in response to a request for rectification, we will provide details around the decision.

The right to erasure

The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances including, if consent is withdrawn, the data was processed unlawfully, compliance with legal obligation, and where processing if no longer necessary for the purpose it was originally collected. There are some specific circumstances where the right to erasure does not apply and the data controller can refuse to deal with a request including, if it is necessary to meet a legal obligation or defend a legal claim.

The right to restrict processing

In certain conditions individuals have a right to request the data controller to ‘block’ or suppress/restrict processing of personal data such as where individuals dispute the accuracy of their information or the processing is no longer needed. Once processing is restricted, the data controller is permitted to store the personal data, but not process it further except on limited grounds such as with individual’s consent or in relation to legal claims. If the data controller has disclosed the personal data in question to third parties, it must inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so. The data controller must inform individuals before any restriction is lifted.

As above, the Review Team may be required to restrict processing when an individual has contested the accuracy of data or has objected to the processing and these issues are being investigated. Or when the data subject has opposed erasure or requires the data to be retained in order to progress a legal claim.

The right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services, this includes individuals being provided with their data in a commonly used electronic format in order that it can then be easily transferred or ‘ported’ to another data controller as and when required (either by the individual themselves, or the organisation processing). This right only applies to personal data which an individual has provided to the data controller which is processed by automated means; by virtue of the individual’s consent or for the performance of a contract. The right to data portability does not extend to processing of personal information for law-enforcement processing.

The right to object

Individuals have the right to object to processing unless the data controller can demonstrate explicitly how it is linked to the purposes described under paragraph 1 or the processing is for the establishment, exercise or defence of legal claims. Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), and processing for purposes of scientific/historical research and statistics. The right to object does not extend to processing of personal information for law-enforcement processing.

Rights in relation to automated decision making and profiling

Although the Review Team is unlikely to carry out any automated decision-taking or automated profiling that does not involve some human element, an individual has the right to ensure that no decision that would significantly affect them is taken by the team or on its behalf purely using automated decision making software.

Further details on all of the rights within Data Protection legislation can be found on the Information Commissioner’s Office website at www.ico.org.uk. 

Making a request

If a request relates to PSNI controlled data (being such data that is provided to the Review Team by PSNI, or to which PSNI grants the Review Team access) then such requests should be directed to:

• DPO access requests to [email protected]
• Enhanced rights request to [email protected] 

If a request relates to anything received directly by Review Team from data subjects, such as the questionnaire responses, then such requests should be directed to the Review Team at: [email protected]

The systems used by PSNI to store personal data automatically create an audit trail that can be inspected for the purposes of furthering compliance with data protection legislation. Searches conducted by the Review Team will automatically generate such an audit trail. In order to maximise the confidentiality of the Review Team’s work: (i) anonymous nominals have been created for each member of the Review Team, such that it will not be obvious to anyone inspecting such an audit that a particular search was conducted by a member of the Review Team; (ii) the knowledge of the link between those anonymous nominals and members of the Review Team will be restricted to PSNI officers and employees who are necessarily required to have such knowledge (such as members of the IT support team that facilitate access to the system); (iii) no audit of the Review Team’s searches will be conducted except on the express written instruction of the Chief Constable or their Deputy, or otherwise required by law.

If you would like to exercise any of the rights discussed in this document, you can do so by contacting the addresses given above under the heading “Making a request”.

The PSNI has a designated Data Protection Officer (DPO). The DPO is an independent advisor to the PSNI and is responsible for ensuring that PSNI are processing personal data in line with the legislation. Any individual with concerns over the way PSNI handles their personal data may contact their Data Protection Officer at: 

Email: [email protected] 

Any individual with concerns over the way The Review Team handles their personal data may contact the Chambers Director at 1 Crown Office Row, the Chambers from which the members of the Review Team practise: 

Email: [email protected] 

If you remain unhappy about how your request has been handled you have the right to apply directly to the information Commissioner. The Information Commissioner is the independent

regulator responsible for enforcing the legislation and can provide useful information about the legislation’s requirements. Our local Information Commissioner’s address is:

Information Commissioner’s Office

3rd Floor Tel: 028 90278757 

14 Cromac Place

Belfast, BT7 2JB 

Email: [email protected]