Home Affairs Privacy Notice

The Department is made up of 5 services:

• The Chief Executive’s Office
• The Prison and Probation Service
• The Fire and Rescue Service
• The Communications Division
• Emergency Planning and Civil Defence Service

Please note that for data protection and Freedom of Information requests, the Isle of Man Constabulary is independent from this Department and has a separate registration with the Information Commissioner. You should direct your enquiries to the Isle of Man Constabulary DPO-Police@gov.im if this is what your enquiry relates to.

Depending on the nature of your contact with the Department, your data may be held by one of more of our services. Each part of the organisation will have a responsibility for its process and security.

Services within the Department have Law enforcement responsibilities and are competent authorities to process data for these purposes, which are to prevent, investigate, prosecute or punish criminal acts. The processing of law enforcement data and also what information can and cannot be disclosed by the Department is covered in the EU Law Enforcement Directive, as applied to the Isle of Man under the Data Protection (Application of LED) Order 2018 and related regulations.

We will only process your personal data if a lawful basis exists. We may rely on:

• Your consent – if we rely on your consent to process your data you may withdraw your consent at any time by contacting the Data Protection Officer.  In some cases, law enforcement processing, this may not be possible.
• The need to meet a the legal obligation in carrying out statutory government functions
• The need to meet a request you have made for information or a service
• The need to prevent or investigate suspected or actual violations of law
• The need to protect public interest
• The need to retain information for historical or archiving purposes by the Public Record Office under the Public Records Act 1999.

It is usual that we will collect personal information about you so that we can contact you in future. This is likely to be name and address and, depending on the nature of your contact with the department, it may also include Date of Birth, National Insurance number and other identifiers. However we will only collect data that is pertinent to the service you are seeking and nothing else. 

Under data protection law in the Isle of Man, certain types of data are identified as special categories of data, these are sensitive categories such as genetic, biometric, racial and ethnic data or trade union membership and political and religious views. 

We would only process data in these categories in the following circumstances:

• You have given explicit consent;
• It is necessary for carrying out our obligations in the field of employment, social security and social protection law;
• Necessary in respect of vital interests - where you are unable to give explicit consent;
• Necessary for the purposes of occupational medicine; and
• Necessary for the reason of public health.

We will use your information:

• to meet our legal obligation in carrying out statutory government functions in providing effective services for the safety, protection and security of island residents;
• to respond and coordinate emergency responses;
• to deal with questions inquiries or complaints that you refer to the Department with the aim;
• to administer public sector employment applications and human resources functions;
• to vet and administer DBS requests;
• for security purposes, such as CCTV footage or swipe card access records
• to manage Freedom of Information requests; 
• to inform you of events or developments in our service provision which may be of interest to you;
• to issue emergency warnings;
• to deal with applications submitted to the department for licences and other authorities that are legal functions of the department; and
• for any other specific purpose as listed below and in line with our public functions.

The Department of Home Affairs (DHA) (‘the controller), through the Office of Cyber Security & Information Assurance (OCSIA), is offering a Suspicious Email Reporting Service (SERS). The SERS will allow Isle of Man residents and businesses to forward any emails they consider to be suspicious to SERS@OCSIA.IM where they will be reviewed and form part of the intelligence used by the UK’s National Cyber Security Centre (NCSC) and National Crime Agency (NCA) to disrupt criminal activity.

How and why we process your personal information

We collect and process information, including personal information, to provide an effective and efficient service;

• To allow suspicious emails to be reported
• Protecting Isle of Man residents and businesses from potential criminal activity
• To support the NCSC and the NCA in their attempts to disrupt criminal activity

We use your personal data in line with the rules set out in the Data Protection (Application of GDPR) Order 2018 and the related implementing regulations for the following reasons:

• To allow this office to communicate with you
• Identify the sources of suspicious emails
• Work with partner agencies, NCSC/NCA to disrupt criminal activity
• Assist law enforcement agencies
• Monitor and improve our service
• Conduct research/collate statistics for publication and/or for the purposes of policy formulation

Our legal basis for processing your information

As reporting to SERS is voluntary, our legal basis for processing your personal information is based on your consent for us to do so.

You may withdraw your consent at any time by contacting the Office of Cyber-Security & Information Assurance (OCSIA) by email ocsia@gov.im or telephone +44 1624 685557

Types of personal information we collect about you

Depending on how you interact with us, we may process different information about you. There is no requirement to provide us with any personal information.

By virtue of this service, we will record your email address, however, further personal information may be included in the contents of the suspicious email submission. This may include:

Information we collect automatically

Information about you may be recorded automatically by the email system such as your IP address.

How long do we keep your personal information?

We will only keep your information for the minimum time necessary to process your suspicious email submission.

Where further investigation is required we will only keep your personal information for as long as it is required to complete the investigation.

Where possible, your personal information will be redacted and deleted from any communication received. This includes cases where further investigation is required.

How we keep your personal information secure

The security and confidentiality of your information is very important to us.

We will ensure that:

• Safeguards are in place to make sure your personal information is kept securely.
• Only authorised staff are able to view your information.
• Assurances are acquired from the service provider storing your information is in line with the ISO 27001 standard.
• We comply with the requirements of the Information Commissioner.

Who we share personal data with

Your suspicious email submission will be shared with the UK National Cyber Security Centre (NCSC).

Where legally obliged to do so, your personal information will be shared with law enforcement for the purposes of the prevention and detection of crime.

Will this privacy notice change?

This Privacy Notice may change. We will not reduce your rights under this Privacy Notice without your consent if we still hold your data. If any significant change is made to this Privacy Notice we will provide a prominent notice on the following webpage, www.gov.im/sers so that you can review the updated Privacy Notice.

Purpose

The Department of Home Affairs has worked in conjunction with other Government agencies to ensure an efficient and effective planned response to protect the population of the Isle of Man in the event of actual or potential civil emergencies or risks to safety, and wider national security threats.

Within the Department, one of the roles of the Emergency Planning Unit includes alerting members of the public to any emerging or imminent incidents or developments as soon as possible.

Examples of data usage

Contacting individuals who have opted in to the service, before, during and after major incidents including pandemics, severe weather, terror attacks and other natural or man-made disasters that pose a threat to life or the safety of the population of the Isle of Man.

Data source

The processing relates to personal data which has been made available by the data subject by opting-in the Isle of Man Government Notification System (“Everbridge”).

Where personal data has not been obtained from the data subject; those were obtained by us from public sources and other public authorities under your instructions.

Lawful basis of processing

The legal basis upon which we may process personal data is that the processing is necessary both:

• in order to protect the vital interests of the data subject or of another natural person; and
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Recipients

Personal data may be shared where necessary and proportionate with other public bodies. Depending upon the nature of the crisis, incident or event, and where necessary and proportionate, we might also on rare occasions need to share personal data with private or third sector recipients.

Your personal data may be stored within the IOM, UK or European Union however we may occasionally transfer personal data outside the European Union to a country without an adequacy decision where this is necessary for important reasons of public interest.

Retention

Personal data will be deleted by the data subject when opting out or when no longer needed for the purpose for which it was collected and.

Automated Processing

In relation to the use of data covered by this notice, the Department of Home Affairs does not make decisions which produce legal effects concerning the data subject based on automated processing, including profiling.

We will only hold your personal data for as long as we need to. Depending on why the information is held the time we hold it for differs. The details of this are included in our retention policy which can be provided to you on request.

We are committed to taking positive steps to make sure that we use technology, or procedures in our Department which protect your personal information. We protect the information against unauthorised or unlawful processing and against accidental loss, destruction or damage to that information.

We will ensure that:

• Safeguards are in place to make sure your personal information is kept securely;
• Only authorised staff are able to view your information;
• Assurances are acquired from the service provider storing your information is in line with the ISO 27001 standard; and
• We comply with the requirements of the Information Commissioner.

You have the following rights in relation to your personal information:

• Right to be informed about the personal information we collect, how this is being used, and to or from whom we share any details with.
• Right to access the personal information we hold about you by making a ‘subject access request’. If you agree, we'll try to deal with your request informally, for example by providing you with the specific information you need over the telephone, or we can email this to you where you have given us an email address.
• Right to request the correction of personal data we hold about you if you think it is incorrect.
• Right to request erasure of your personal data.
• Right to object to processing and the right to restriction of processing in some circumstances.
• Right to request portability, where you have supplied information to us, and you wish to transfer that information to another organisation or service provider.
• Right to withdraw your consent at any time.

To exercise any of the rights mentioned, or if you have any questions relating to your rights, please contact the Data Protection Officer at DPO-DHA@gov.im

For any Data Protection related question and enquiry you can contact the Data Protection Officer at the following address:

The Department of Home Affairs HQ
Tromode Road
Douglas
IM2 5PA

 Email: DPO-DHA@gov.im

If you are unhappy with the way we deal with your personal information you can submit a complaint to the DHA Data Protection Officer who will work with you to resolve any issues.

The Department of Home Affairs HQ
Tromode Road
Douglas
IM2 5PA

 Email: DPO-DHA@gov.im

You have the right to request the Information Commissioner to undertake an assessment as to whether the processing of your personal data has been carried out in accordance with the provisions of the Manx Data Protection Legislation. Further information regarding complaints to the ICO can be obtained through its website or by calling +44 1624 693260.