Home Affairs Privacy Notice

The DHA is a data controller for the purposes of the Data Protection Act 2018 and the Data Protection (Application of GDPR) Order 2018 and the Data Protection (Application of LED) Order 2018, together with any regulations made under them (Manx Data Protection Legislation). The DHA is registered with the Information Commissioner’s Office as a data controller with registration number R000840.

Keeping people safe in the Isle of Man is our primary aim

If you are in touch with the department, we will collect and keep information about you, like your name, email address, and other relevant information to deal with the reason you contacted us.

Sometimes we also have to share your data with our trusted partners, like colleagues in other government Departments or people who provide services on our behalf. This is to help them help us keep the Island, and its community, safe.

We promise to collect, process, store and share your data safely, securely and legally. We will also make sure that the other businesses we work with are just as careful with your data.

We use data to keep our Island safe

We can use the details you share with us to help us plan services for the future and identify areas of specific risk. By listening to what our stakeholders tell us, we can make changes, to make things easier and safer where we can.

We use data to plan our services to make them efficient and effective

We use the data we collect to inform planned developments in respect of community safety and safeguarding Island residents. We use this in partnership with others to help us keep the cost of community safety as affordable as possible.

Who is responsible for your data

The Department is made up of 5 services:

  • The Chief Executive’s Office
  • The Prison and Probation Service
  • The Fire and Rescue Service
  • The Communications Division
  • Emergency Planning and Civil Defence Service

Please note that for data protection and Freedom of Information requests, the Isle of Man Constabulary is independent from this Department and has a separate registration with the Information Commissioner. You should direct your enquiries to the Isle of Man Constabulary at DPO-Police@gov.im if this is what your enquiry relates to.

Depending on the nature of your contact with the Department, your data may be held by one or more of our services. Each part of the organisation will have a responsibility for its process and security.

Services within the Department have law enforcement responsibilities and are competent authorities to process data for these purposes, which are to prevent, investigate, prosecute or punish criminal acts. The processing of law enforcement data, and what information can and cannot be disclosed by the Department, is covered in the EU Law Enforcement Directive, as applied to the Isle of Man under the Data Protection (Application of LED) Order 2018 and related regulations.

What legal basis we use to process your personal data

We will only process your personal data if a lawful basis exists. We may rely on:

  • Your consent – if we rely on your consent to process your data you may withdraw your consent at any time by contacting the Data Protection Officer. In some cases, such as law enforcement processing, this may not be possible.
  • The need to meet a legal obligation in carrying out statutory government functions
  • The need to meet a request you have made for information or a service
  • The need to prevent or investigate suspected or actual violations of law
  • The need to protect public interest
  • The need to retain information for historical or archiving purposes by the Public Record Office under the Public Records Act 1999.

Personal data we collect about you

It is usual that we will collect personal information about you so that we can contact you in future. This is likely to be name and address and, depending on the nature of your contact with the department, it may also include Date of Birth, National Insurance number and other identifiers. However, we will only collect data that is pertinent to the service you are seeking and nothing else.

Under data protection law in the Isle of Man, certain types of data are identified as special categories of data. These are sensitive categories such as genetic, biometric, racial and ethnic data, or trade union membership and political and religious views.

We would only process data in these categories in the following circumstances:

  • You have given explicit consent;
  • It is necessary for carrying out our obligations in the field of employment, social security and social protection law;
  • Necessary in respect of vital interests - where you are unable to give explicit consent;
  • Necessary for the purposes of occupational medicine; and
  • Necessary for the reason of public health.

How we use your personal data

We will use your information:

  • to meet our legal obligation in carrying out statutory government functions in providing effective services for the safety, protection and security of island residents;
  • to respond and coordinate emergency responses;
  • to deal with questions, inquiries or complaints that you refer to the Department with the aim;
  • to administer public sector employment applications and human resources functions;
  • to vet and administer DBS requests;
  • for security purposes, such as CCTV footage or swipe card access records;
  • to manage Freedom of Information requests; 
  • to inform you of events or developments in our service provision which may be of interest to you;
  • to issue emergency warnings;
  • to deal with applications submitted to the department for licences and other authorities that are legal functions of the department; and
  • for any other specific purpose as listed below and in line with our public functions.

Suspicious Email Reporting Service (SERS)

The Department of Home Affairs (DHA) (‘the controller’), through the Office of Cyber Security & Information Assurance (OCSIA), is offering a Suspicious Email Reporting Service (SERS). The SERS will allow Isle of Man residents and businesses to forward any emails they consider to be suspicious to SERS@OCSIA.IM, where they will be reviewed and form part of the intelligence used by the UK’s National Cyber Security Centre (NCSC) and National Crime Agency (NCA) to disrupt criminal activity.

How and why we process your personal information

We collect and process information, including personal information, to provide an effective and efficient service:

  • To allow suspicious emails to be reported
  • Protecting Isle of Man residents and businesses from potential criminal activity
  • To support the NCSC and the NCA in their attempts to disrupt criminal activity

We use your personal data in line with the rules set out in the Data Protection (Application of GDPR) Order 2018 and the related implementing regulations for the following reasons:

  • To allow this office to communicate with you
  • Identify the sources of suspicious emails
  • Work with partner agencies, NCSC/NCA to disrupt criminal activity
  • Assist law enforcement agencies
  • Monitor and improve our service
  • Conduct research/collate statistics for publication and/or for the purposes of policy formulation

Our legal basis for processing your information

As reporting to SERS is voluntary, our legal basis for processing your personal information is based on your consent for us to do so.

You may withdraw your consent at any time by contacting the Office of Cyber-Security & Information Assurance (OCSIA) by email at ocsia@gov.im or by telephone on +44 1624 685557.

Types of personal information we collect about you

Depending on how you interact with us, we may process different information about you. There is no requirement to provide us with any personal information.

By virtue of this service, we will record your email address; however, further personal information may be included in the contents of the suspicious email submission. This may include:

Category of information | Examples
Personal details | Name, email address, telephone number, address
Personal identification information | Date of birth, nationality, gender
Other information | Partial bank details

Information we collect automatically

Information about you may be recorded automatically by the email system such as your IP address.

How long do we keep your personal information?

We will only keep your information for the minimum time necessary to process your suspicious email submission.

Where further investigation is required we will only keep your personal information for as long as it is required to complete the investigation.

Where possible, your personal information will be redacted and deleted from any communication received. This includes cases where further investigation is required.

How we keep your personal information secure

The security and confidentiality of your information is very important to us.

We will ensure that:

  • Safeguards are in place to make sure your personal information is kept securely.
  • Only authorised staff are able to view your information.
  • Assurances are acquired that the service provider storing your information is in line with the ISO 27001 standard.
  • We comply with the requirements of the Information Commissioner.

Who we share personal data with

Your suspicious email submission will be shared with the UK National Cyber Security Centre (NCSC).

Where legally obliged to do so, your personal information will be shared with law enforcement for the purposes of the prevention and detection of crime.

Will this privacy notice change?

This Privacy Notice may change. We will not reduce your rights under this Privacy Notice without your consent if we still hold your data. If any significant change is made to this Privacy Notice we will provide a prominent notice on the following webpage, www.gov.im/sers so that you can review the updated Privacy Notice.

Isle of Man Government Notification System

Purpose

The Department of Home Affairs has worked in conjunction with other Government agencies to ensure an efficient and effective planned response to protect the population of the Isle of Man in the event of actual or potential civil emergencies or risks to safety, and wider national security threats.

Within the Department, one of the roles of the Emergency Planning Unit includes alerting members of the public to any emerging or imminent incidents or developments as soon as possible.

Examples of data usage

Contacting individuals who have opted in to the service, before, during and after major incidents including pandemics, severe weather, terror attacks and other natural or man-made disasters that pose a threat to life or the safety of the population of the Isle of Man.

Data source

The processing relates to personal data which has been made available by the data subject by opting in to the Isle of Man Government Notification System (“Everbridge”).

Where personal data has not been obtained from the data subject, it was obtained by us from public sources and other public authorities under your instructions.

Lawful basis of processing

The legal basis upon which we may process personal data is that the processing is necessary both:

  • in order to protect the vital interests of the data subject or of another natural person; and
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Recipients

Personal data may be shared where necessary and proportionate with other public bodies. Depending upon the nature of the crisis, incident or event, and where necessary and proportionate, we might also on rare occasions need to share personal data with private or third sector recipients.

Your personal data may be stored within the IOM, UK or European Union; however, we may occasionally transfer personal data outside the European Union to a country without an adequacy decision where this is necessary for important reasons of public interest.

Retention

Personal data will be deleted by the data subject when opting out or when no longer needed for the purpose for which it was collected and.

Automated Processing

In relation to the use of data covered by this notice, the Department of Home Affairs does not make decisions which produce legal effects concerning the data subject based on automated processing, including profiling.

Retention of personal data

We will only hold your personal data for as long as we need to. Depending on why the information is held the time we hold it for differs. The details of this are included in our retention policy which can be provided to you on request.

Security of your personal data

We are committed to taking positive steps to make sure that we use technology, or procedures in our Department which protect your personal information. We protect the information against unauthorised or unlawful processing and against accidental loss, destruction or damage to that information.

We will ensure that:

  • Safeguards are in place to make sure your personal information is kept securely;
  • Only authorised staff are able to view your information;
  • Assurances are acquired that the service provider storing your information is in line with the ISO 27001 standard; and
  • We comply with the requirements of the Information Commissioner.

Your rights

You have the following rights in relation to your personal information:

  • Right to be informed about the personal information we collect, how this is being used, and to or from whom we share any details.
  • Right to access the personal information we hold about you by making a ‘subject access request’. If you agree, we'll try to deal with your request informally, for example by providing you with the specific information you need over the telephone, or we can email this to you where you have given us an email address.
  • Right to request the correction of personal data we hold about you if you think it is incorrect.
  • Right to request erasure of your personal data.
  • Right to object to processing and the right to restriction of processing in some circumstances.
  • Right to request portability, where you have supplied information to us, and you wish to transfer that information to another organisation or service provider.
  • Right to withdraw your consent at any time.

To exercise any of the rights mentioned, or if you have any questions relating to your rights, please contact the Data Protection Officer at DPO-DHA@gov.im

If you are requesting access to your data, you may find our subject access request guidance and application form useful.

Contacting the DHA Data Protection Officer

For any Data Protection related question and enquiry you can contact the Data Protection Officer at the following address:

The Department of Home Affairs HQ
Tromode Road
Douglas
IM2 5PA

 Email: DPO-DHA@gov.im

Complaints

If you are unhappy with the way we deal with your personal information you can submit a complaint to the DHA Data Protection Officer who will work with you to resolve any issues.

The Department of Home Affairs HQ
Tromode Road
Douglas
IM2 5PA

 Email: DPO-DHA@gov.im

You have the right to request the Information Commissioner to undertake an assessment as to whether the processing of your personal data has been carried out in accordance with the provisions of the Manx Data Protection Legislation. Further information regarding complaints to the ICO can be obtained through its website or by calling +44 1624 693260.

Privacy notice in relation to Freedom of Information requests

Isle of Man Freedom of Information Act 2015 (“FOIA”)

The Freedom of Information Act 2015 (FOIA) gives Isle of Man residents a legally enforceable right to obtain access to information held by a Public Authority.  This is subject to certain exemptions and practical refusal reasons.

You can find out more information on the FOIA including how to make a request to us here: Isle of Man Government - Freedom of Information and you can also use this link to view previous requests and their responses.

We are the controller for the personal data you provide to us when making a FOI request to the Department of Home Affairs. 

Legal basis for processing your information

We need your personal information (such as your name and contact details) to process and respond to you about your FOI request. In some cases, we may ask for proof of identification, and proof of residency, so that we can comply with the FOIA.

We must have a legal basis (a lawful reason) to process your personal data, which is submitted by you when you make a FOI request. The legal basis for processing your information when you make a request is that it is necessary for us to comply with the law (FOIA), or that it is necessary for us to perform a public task in the public interest. This is set out in Articles 6(1)(c) and (e) of the Schedule to the Data Protection (Application of GDPR) Order 2018 (this legislation is sometimes called “the Applied GDPR”).

Sharing information

FOI requests have to be submitted on a form prescribed by the Chief Executive Officer (Isle of Man Government) in order to be valid and accepted under the FOIA.  You can either submit a request using the form online or a paper version, which is available by contacting our Data Protection Officer (see below for contact details).

When we process FOI requests made using the Online Services Portal on the Isle of Man Government website, a system called iCasework is used to process your request. The iCasework system is provided by a company called Civica UK Limited. This system stores information such as: 

  • Your name
  • Your address
  • Your telephone number and email address
  • Your company name, if you are requesting information on behalf of an organisation
  • Your request – we do not recommend putting any personal information into your request. If you are not sure what to include in your request, please contact us at dhaicaseworkfoi@gov.im for assistance.
  • Proof of residency, if requested from you

Civica UK Limited act as a Processor on behalf of all the Public Authorities. Civica UK Limited use the information held in the iCasework system for the purpose of providing a system to manage FOI requests and to transfer this information to the relevant public authority. The information you provide to Civica UK Limited will be kept secure and confidential. 

Access to your information is limited to authorised staff members within our Department. The Department of Home Affairs (DHA), through the Office of Cyber Security & Information Assurance (OCSIA), has been contracted by the Public Authorities to manage system administration on their behalf. 

If you are unhappy with the response to your Freedom of Information request

If you are dissatisfied with the response to your request for information, or the way your request was handled, you have the right to request the public authority to undertake a review.

If you are still unhappy following the review, you can complain about your request to the Information Commissioner’s Office: https://www.inforights.im/complaint-handling/how-to-make-a-complaint-to-the-information-commissioner/. In this case the Public Authority to whom you have submitted your request will need to share information with them, such as emails we have sent to or received from you, so that the Information Commissioner can investigate the complaint.

Storing your information

Your personal information will be held in iCasework for 12 months after the Public Authority has closed your request, or if you requested a review of your request, your personal information will be held in iCasework for 36 months after the Public Authority has closed your request.

After this time, the request will remain on the iCasework system, but all your personal information you provided at the time of the request will be deleted. 

Your rights

The Applied GDPR (data protection legislation) provides you as a data subject with some rights to be informed of the processing of your personal data, including the right to access that data and information about the purposes for processing. 

This includes a right to correct (rectify) any information a public authority holds, or to restrict it in certain circumstances. 

As the public authority is processing your data in order to comply with its legal obligations, certain of the data protection rights do not apply, including the rights to have your data deleted (erasure), to have it transferred to another provider, to object to the processing, and to be informed about automated decision making. When using the iCasework site or dealing with FOI requests, a Public Authority does not make automated decisions or profile your data.

Data Protection Officer

If you have any questions about how we process your personal information, you can speak to our Data Protection Officer regarding your rights.

Email: DPO-DHA@gov.im

Phone: +44 1624 687017

In writing to: 

Data Protection Officer
Department of Home Affairs
Headquarters Building
Tromode Road
Douglas
Isle of Man
IM2 5PA

Details of rights under the data protection legislation can be found in our general privacy notice at: /about-the-government/departments/home-affairs/home-affairs-privacy-notice/.

If you have submitted a request to another Public Authority (including the Isle of Man Constabulary, the Chief Constable being a separate controller), you should review the privacy information for that Public Authority.

Additional information

Isle of Man Government Freedom of Information

Freedom of Information Act 2015 - legislation

Information Commissioner’s Office – Freedom of Information guidance page