As a member of CHECK OUT, you will become part of a team working towards reducing crime and send out a strong message to those thinking about committing crime in the city centre.
CHECK OUT - Information Sharing Protocol
Introduction
Edinburgh City Centre is a magnet for shoppers and visitors from near and far. It is essential that they can enjoy themselves in a safe environment.
On a daily basis, local repeat offender, first time offenders and organised gangs target businesses in the city centre. CHECK OUT has been created to help protect its members and the community from these threats.
The Objectives are to:
Create a safe environment for those who work, live and visit Edinburgh City Centre
Prevent and detect crime within Edinburgh City Centre
Assist in the apprehension and/or prosecution of offenders
Strengthen the relationships between the police and local businesses
Share information, where relevant, about shoplifters and others suspected of committing criminal acts
Essential Edinburgh and Police Scotland will work with members to protect their business interests and to help prevent and detect crime. Absence of crime is an important indicator of a safe environment.
Purpose
The purpose of this Protocol is to describe and regulate how information about shoplifters, and others suspected of committing criminal acts within the city centre, is shared to assist in making the centre of Edinburgh a safer place for both those who work and live in the city and those who visit it.
Membership
Members will be retailers based in the Essential Edinburgh Business Improvement District (BID), or within the CHECK OUT operational area. Membership for retailers or branches out with these areas is not available.
Each member business will have CHECK OUT website access for staff. It is the responsibility of each member business to ensure only authorised staff members have access to CHECK OUT. On the departure of staff, or on a move to a branch no longer in the Essential Edinburgh BID area, member businesses must notify Essential Edinburgh immediately for access to be removed.
Legislation
To ensure that all partners meet the standards that are set down in the UK General Data Protection Regulations (UK GDPR) and to ensure the protection of Human Rights, all partners must ensure that their own UK GDPR registration is up to date with one of the six bases for lawful processing of data – to include the use of CCTV for the prevention and detection of crime and the fact that information about shoplifters etc, including images, will be shared with partners for the prevention and detection of crime. Fair processing notices will also have to be changed to reflect partnership working. All processing of data must be compliant with the Data Protection Bill.
It is also important to ensure that each partner ensures the accuracy of information, keeps it secure and ensures that it is not kept longer than is necessary, or is removed within 31 days of receipt.
Process
When a suspicious or criminal act occurs at a member’s premises, contact the police as soon as reasonably practicable. This will allow the police to investigate the matter fully.
The member will distribute information about the incident, along with any relevant CCTV images, through an alert created on the CHECK OUT website.
This information will allow partners to take precautionary steps to prevent a similar crime/incident happening on their premises.
Should another partner recognise a person/s they should inform Police Scotland on 101 as soon as possible. The member should then log-in to the CHECK OUT website and “comment” on the initial alert with as much detail as possible.
Relationship with Police Scotland
Members will report suspicious or criminal acts as described above.
Police Scotland will, when appropriate, share with relevant members statistical analysis about hotspots etc.
Shops will also be given feedback on successes, and names will be supplied to the relevant members, when appropriate, after the conclusion of the criminal proceedings.
Management of Information Alerts and Updates
Essential Edinburgh will ensure that alerts and updates are reviewed every week to ensure that information remains relevant and as accurate as possible. This process will be audited to ensure that a database is not created inadvertently. All alerts and updates will be deleted after 31 days.
The only exception to this process is information about an ongoing series of related incidents.
All members of CHECK OUT are encouraged to manage the information that they receive in a similar manner.
Breaches of Security
All known or suspected breaches of security in relation to any information shared under this protocol - such as misuse or abuse of the system, misuse or abuse of information shared, unauthorised processing of information, unauthorised disclosure of information, are to be reported to the respective organisations’ Information Security Officer, Data Protection Officer or equivalent. Once notified of a breach of security an investigation will take place to identify, where possible, who carried out the breach, what information has been compromised, whether the integrity of the system has been compromised etc.
Where any breach of security may amount to criminal activity, this must be reported to Police Scotland who will investigate the matter and, where appropriate, report the circumstances to the Procurator Fiscal.
Where relevant or necessary, member organisations are to be informed of any breach and provided with sufficient details which will enable them to retain assurance in the confidentiality, integrity and availability of the information and the processes supporting information exchange, and to undertake their own risk assessments.
Access to Information
Access to information gathered as part of any of these processes is available under subject access rights, as described in UK GDPR. Where access is requested, advice must be sought from the organisation’s Data Protection Officer.
Where a request has been received and a member holds any information that originated from another member, or where a member is considering the disclosure of information that may impact on another member, it is recommended that the originator of the information is consulted prior to any disclosure. The ultimate decision as to whether to disclose the information lies with the partner agency; however, the originator of the information should be given the opportunity to ensure that Data Protection exemptions are suitably applied.
Complaints from data subjects, or their representatives, about information shared through CHECK OUT will be investigated first by the organisation receiving the complaint, although action that affects CHECK OUT will not be taken without the consent of all relevant parties.
Complaints
Complaints other than those relating to personal data, for example about any shared procedure or operation, will also be dealt with by the business or organisation that received the complaint. However, again, it is good practice to notify the relevant member(s), of the complaint.
Indemnity
In relation to the provision of information in accordance with this protocol, members will undertake to indemnify each other against any liability, which may be incurred by the following acts or omissions:
A request for information for purposes other than those meeting the terms of this protocol.
Use of the information for purposes other than those specified in this protocol.
Disclosure of information to a third party except insofar as it is strictly necessary for the purpose of any legal proceedings outlined in this protocol.
The onus will be on each party to the protocol to ensure that information is protected from unauthorised disclosure.
Review
This protocol will be reviewed annually. However, all members should be notified of any substantial proposed change to procedure and the necessary changes to the protocol be made.
