Current timestamp: 21/03/2025 17:02:33
AgeAlertAnonymousAppealsApplicationsApply Or RegisterArea OutlineArrow DownArrow LeftArrow RightArrow UpAutomatic DoorsBack ArrowBusinessCalendarCashArrow DownArrow LeftArrow RightArrow Down[Missing text '/SvgIcons/Symbols/Titles/icon-chrome' for 'English (United Kingdom)']ClockCloseContactDirectionsDocumentDownloadDrawDrugExpandExternal LinkFacebookFb CommentFb LikeFiletype DefaultFiletype DocFiletype PdfFiletype PptFiletype XlsFinance[Missing text '/SvgIcons/Symbols/Titles/icon-firefox' for 'English (United Kingdom)']First AidFlickrFraudGive FeedbackGlobeGuide DogHealthHearing ImpairedInduction LoopInfoInstagramIntercom[Missing text '/SvgIcons/Symbols/Titles/icon-internet-explorer' for 'English (United Kingdom)']LaptopLiftLinkedinLocal ActivityLoudspeakerLow CounterMailMapMap PinMembershipMenuMenu 2[Missing text '/SvgIcons/Symbols/Titles/icon-microsoft-edge' for 'English (United Kingdom)']Missing PeopleMobility ImpairmentNationalityNorth PointerOne Mile RadiusOverviewPagesPaper PlaneParkingPdfPhonePinterestPlayPushchairRefreshReportRequestRestart[Missing text '/SvgIcons/Symbols/Titles/icon-rotate-clockwise' for 'English (United Kingdom)']Rss[Missing text '/SvgIcons/Symbols/Titles/icon-safari' for 'English (United Kingdom)']SearchShareSign LanguageSnapchatStart AgainStatsStats And Prevention AdviceStopSubscribeTargetTattosTell Us AboutTickTumblrTwenty Four HoursTwitter LikeTwitter ReplyTwitter RetweetUploadVisually ImpairedWhatsappWheelchairWheelchair AssistedWheelchair ParkingWheelchair RampWheelchair WcYoutubeZoom InZoom Out

Welcome to the NPCC website

Skip to main content

Skip to main navigation

Privacy policy

This privacy notice tells you how the National Police Chiefs’ Council (NPCC) obtains, holds, uses and discloses personal data. It describes the steps we take to ensure data is protected, and your rights to know, see and challenge how your data is used.

It doesn’t contain information about how your local force uses personal data, but you can find similar privacy notices on their websites, with guidance on how to exercise your rights through them.

Who is the Controller of your personal data?

When the NPCC decides why and how personal data is used, it is “controller” of those data and is required to ensure that it handles those data in accordance with the law. The NPCC takes this responsibility very seriously and takes great care to ensure your personal data is processed appropriately to maintain public trust and confidence in the police.

You can contact the NPCC at:

50 Broadway,
London,
SW1H 0BL

[email protected]

You can also contact the NPCC Data Protection Officer direct via [email protected].

What are the UK GDPR and the Data Protection Act?

The use and disclosure of your personal information is governed in the United Kingdom by the UK General Data Protection Regulation (UK GDPR), and the UK Data Protection Act 2018. The UK GDPR balances your rights and freedoms with the needs and obligations of organisations who use your data, by ensuring greater transparency and accountability for how they use your data. This means we must tell you in general terms how we use your data, and ensure that we have used personal data lawfully. These rules apply when we use your data outside of matters directly related to law enforcement, such as corresponding with you or your elected representatives, working with national and local government departments, using specific cases when discussing national enquiries or incidents, using case studies to develop strategy and policy, and general personnel and finance matters.

The UK Data Protection Act 2018 works with the UK GDPR. It describes how the UK GDPR applies and how the use of personal data not covered by UK GDPR must handle personal data. Part 3 of this Act applies rules very similar to the UK GDPR when the police service use personal data for the following activities:

Why do we process personal information?

The “Policing Purpose” describes the many duties of the police service as follows:

  • protecting life and property,
  • preserving order,
  • preventing the commission of offences,
  • bringing offenders to justice, and
  • any duty or responsibility of the police arising from common or statute law.

The NPCC uses personal data when carrying out our role to coordinate and support the police service in delivering this purpose, and to provide certain central functions necessary for all.

The NPCC carries out the following functions:

  • Coordination of national operations including defining, monitoring and testing force contributions to the Strategic Policing Requirement, and working with the National Crime Agency where appropriate
  • Command of counter terrorism operations and delivery of counter terrorist policing through the national network (the ‘NCTPHQ Collaboration’)
  • Coordination of the national police response to national emergencies and the coordination of the mobilisation of resources across force borders and internationally
  • National operational implementation of standards and policy as set by the College of Policing and Government
  • Work with the College of Policing to develop joint national approaches on criminal justice, value for money, service transformation, information management, performance management and technology
  • Work with the College of Policing in order to develop joint national approaches to staff and human resource issues, including misconduct and discipline, in line with the Chief Officers’ responsibilities as employers.

These functions are carried out through the Chief Constables’ Council (CCC), Coordination Committees, and Portfolio structures.

In support of the NPCC, NPCC Central Office carries out the following functions:

  • Business support on behalf of Chief Officers and NPCC Chair
  • Oversight of NPCC governance processes
  • Maintaining transparency and accountability of the NPCC
  • Programme management of the Annual Delivery Plan
  • Effective and coordinated risk management for the NPCC programme of work
  • Operation of a proactive communications service, ensuring effective internal and external communications
  • Provision of strategic communications and public relations advice to the NPCC Chair and Chief Police Officers,
  • Monitoring parliamentary business and supporting Chief Police Officers in relation to parliamentary Committee appearances, debates, questions and legislation
  • Management and coordination of meetings of the Chief Constables’ Council (CCC), the Audit and Assurance Board (AAB) and other strategic groups
  • Programme, project and administrative systems in support of NPCC work, and
  • Maintaining an effective intranet and website, including use of social media.

NPoCC acts as a central resourcing hub, and carries out the following activities:

  • Support of the operational co-ordination of national operations including informing, monitoring and testing force contributions to the Strategic Policing Requirement working with the National Crime Agency where appropriate;
  • Support the operational co-ordination of the national police response to national emergencies and the co-ordination of the mobilisation of resources across force borders and internationally;
  • Coordination of the police service response and provide representation during COBR;
  • Coordination of the national police response to UK disaster victim identification;
  • Continual assessment of national capacity and capability in relation to the Strategic and National Policing Requirements and maintaining information and data sets relating to policing specialist skills and assets for the benefit of the police service;
  • Co-ordination of a continuous testing and exercising regime to ensure effective mobilisation of national assets in a crisis; and
  • Development of reporting mechanisms with the Home Office and central government crisis management.

What is the legal basis for this processing?

The NPCC draws on the broad range of statutory and common law powers of the police service, through an agreement under s22A of the Police Act 1996.

When undertaking the UK GDPR processing, we do so as part of the public duties and functions of the police service, or in respect of any obligations placed upon it (for example, if ordered by a court or to meet other statutory obligations), and to assist in the administration of justice. We may also use personal data when necessary to enter into and manage contracts, with staff, contractors, and recipients or suppliers of goods and services.

We do not process using tests of legitimate interests when carrying out activity in support of the duties and objectives of the police service, because we are not permitted to do so. Such processing is limited to functions with no direct impact on the public task, and with all of our resources dedicated to this end this leaves limited activities, such as recognising, supporting and praising staff and officers, where such activity is not already described as maintaining morale to make us more effective as public servants.

When supporting the police service in undertaking law enforcement processing, we do so under the broad range of powers which are relevant for conducting a necessary law enforcement purpose such as, but not limited to, the legal frameworks governing how we gather and use data (e.g. the Police and Criminal Evidence Act 1984 and the Criminal Procedure and Investigations Act 1996) and the general powers describing how the police service carries out its duties (e.g. the Police Reform and Social Responsibility Act 2011).

We also use data for statistical and research purposes to assist in delivery of our functions (e.g. measuring the effectiveness of crime prevention strategies, improvements to service delivery).

Granting and withdrawing consent

Due to the nature of our public duties, we will not often use consent as our sole legal basis to process your data, and we ensure it is only used where we do not have an alternative power. In this way we avoid offering an illusion of choice when we must use your data under our other powers.

We will ensure that if we do ask for your consent that we are clear what we would like to do with your data before you grant permission, to make sure your consent is informed and genuine.

We will only ask for consent when you have a genuine choice that you are free to walk away from. If we are using your data by your consent, you have the absolute right to withdraw consent to cease our use of it.

For processing which is not by consent, the UK GDPR and DPA provide you with other rights to see and challenge what is held about you. These are also explained in this notice.

Whose data do we use?

We process personal data when it is necessary to do so to meet the functions above. This may include data concerning:

  • current, former and potential future police staff and officers;
  • volunteers, agents, contractors, temporary and casual workers;
  • suppliers;
  • complainants, correspondents, litigants and enquirers;
  • individuals passing information or having their details passed to the NPCC;
  • relatives, guardians and associates of the individual concerned;
  • advisors, solicitors, legal counsel, consultants and other professional experts;
  • contacts in partner agencies;
  • elected representatives;
  • stakeholders including national, regional and local government, both UK and international;
  • journalists, media contacts and influencers;
  • individuals exercising their rights under the UK GDPR, the Data Protection Act 2018 and Freedom of Information Act 2000.

What type of personal information is it?

The type of personal information we hold will vary depending upon which function it is necessary to use it for. It may include:

  • name, address and contact details;
  • next of kin; family, lifestyle and social circumstances;
  • education and training details; employment details; financial details;
  • goods or services provided to or from;
  • offences and alleged offences;
  • criminal proceedings, outcomes and sentences;
  • measures to protect the public from offending or other behaviour or circumstances which may result in harm;
  • criminal intelligence;
  • photographs, images, and sound;
  • licenses or permits held;
  • references to manual records or files;
  • information relating to safety and health, including accident details;
  • complaint, incident, civil litigation;
  • identity documents and identity numbers;
  • online identifiers, including user names where appropriate.

Where strictly necessary, it will include:

  • racial or ethnic origin;
  • political, religious and philosophical opinions, belief or affiliations (including an absence of such);
  • trade union membership;
  • physical or mental health or condition;
  • sexual life and orientation;
  • gender identity;
  • physical identifiers (biometrics) including DNA, fingerprints and other genetic identifiers;

Your personal information may be held on a computer system or in a hardcopy record such as in a physical file or photograph.

We ensure that there is a clear distinction between information which is fact and that which is opinion.

NPCC will only use the minimum amount of personnel information necessary to carry out a particular activity.

Where do we get personal data from?

The NPCC engages with a wide audience to carry out its functions. When it is necessary to do so for a specific function, we may obtain personal information from a wide variety of sources, including:

  • the police service and other law enforcement agencies, such as the National Crime Agency;
  • national policing units
  • College of Policing
  • central government, governmental departments and agencies;
  • the security and intelligence services (e.g. GCHQ, Secret Intelligence Service, and the Security Service);
  • overseas government agencies and bodies and their respective law enforcement agencies (e.g. foreign government, police and security services);
  • overseas security and intelligence services;
  • international law enforcement agencies (e.g. Interpol and Europol)
  • HM Revenue and Customs;
  • ombudsmen, regulatory and licensing authorities;
  • advisors, solicitors, legal counsel, consultants and other professional experts;
  • prosecuting authorities (e.g. CPS and DPP);
  • the judiciary;
  • the prison service, including prisons and young offender institutions;
  • National Offender Management Service (NOMS) and offender management companies;
  • partner agencies involved in crime and disorder strategies and other crime reduction initiatives;
  • private and voluntary sector organisations working with the police in anti-crime strategies;
  • anti-fraud organisations, public and private sector counter-fraud and crime prevention bodies, including specialist counter fraud functions within larger bodies;
  • approved organisations and people working with the police;
  • Independent Office for Police Conduct (IOPC);
  • Her Majesty’s Inspectorate of Constabulary and Fire and Rescue Services (HMICFRS);
  • Police and Crime Commissioners (PCCs), Police, Fire and Crime Commissioners (PFCCs) and the Mayor’s Office for Police and Crime (MOPAC);
  • emergency services such as the Fire Brigade, National Health Service or Ambulance;
  • persons making an enquiry or complaint;
  • elected representatives (i.e. MPs and Councillors), on behalf of their constituents or on governmental or parliamentary matters;
  • civil rights groups and other non-governmental, voluntary and charitable organisations representing specific interests;
  • healthcare, social and welfare advisers or practitioners;
  • business associates and other professional advisors;
  • current, past or prospective employers of the individual;
  • education, training establishments and examining bodies;
  • suppliers, providers of goods or services;
  • security companies;
  • financial organisations and advisors;
  • survey and research organisations;
  • trade union, staff associations and professional bodies;
  • journalists, influencers and the media;
  • staff, officers, contractors, data processors and other agents working on behalf of the NPCC or the above bodies and individuals

Any other organisation, body or person with or from whom it is necessary to disclose or obtain personal data to carry out the law enforcement purpose.

NPCC will only collect the data we believe is necessary to meet our task.

With whom do we share personal data?

NPCC will only share data we believe is necessary to meet a lawful task and we will only share it with organisations who have a lawful basis to assist with or carry out that task.

If this test is met, we may share personal data with any of the organisations who supply data to us, as listed above.

Sending personal data overseas - International Transfer

Some of the bodies or individuals to which we may disclose personal information are situated outside of the European Union. Furthermore, we may engage in transfer of data under the international framework of Mutual Legal Assistance treaties, through which the UK has agreed to international cooperation in the investigation and prosecution of criminal offences.

We recognise that some countries with which it is necessary to share data do not always have equivalent laws that protect individuals’ rights and freedoms as extensively as the United Kingdom and Europe. If we do transfer personal data to such countries, we undertake to ensure that there are appropriate safeguards in place to make sure those data are adequately protected as required by our own legislation, and we provide only the data necessary to meet the task. Data is further filtered if legal and cultural differences mean the data subject is at an unacceptable risk of a harm which would not be lawful in the UK (e.g. by discrimination). In special circumstances, a decision to transfer specific data for the law enforcement purpose may be made in the absence of appropriate safeguards.

 

How do we handle your personal information?

We will handle personal information according to the requirements of the UK Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). Your personal information held on our systems and in our files is secure. It is accessed by our staff, and contractors working on our behalf, and any outsourced providers in accordance with their contracts and when required to do so for a lawful purpose.

How do we keep your personal information safe?

The NPCC takes the security of all personal information under our control very seriously. We will comply with the relevant parts of the legislation relating to security, and work to comply with the College of Policing Information Assurance authorised practice.

We will ensure that appropriate policy, training, technical and procedural measures are in place. These will include, but are not limited to, ensuring our buildings are secure and protected by adequate physical means. The areas restricted to our police officers and staff are only accessible by those holding the appropriate identification, and who have legitimate reasons for entry. We carry out audits of our buildings’ security to ensure they are secure. Our systems meet appropriate industry and government security standards, and our information is handled in accordance with the Government Secure Classification Policy.

We carry out audits and inspection to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so. We will comply with the standard operating procedures and policies of the Metropolitan Police Service as host force regarding what use may be made of any personal information contained within our systems.

How long do we keep your personal data?

The personal data we hold is subject to the national retention rules set out under the College of Policing Authorised Professional Practice on the Management of Information.

The NPCC keeps personal data for as long as is necessary for the particular purpose or purposes for which it is held, and these data are reviewed in line with the schedule above and delete it when it is no longer needed.

In some cases, a new purpose may require that we keep the data. For example, if data has been collected for an investigation which later forms part of a public inquiry, the public interest will likely be in retaining the data to assist the inquiry.

What happens if there is a data breach data and my data is lost?

The police service uses tried and tested processes to manage incidents, and data breach is no different. If our loss of your data places you at risk of harm, the police service works together to identify those risks and put steps in place to protect you. We will also notify the ICO and take all reasonable steps to let you know of any significant risk to you from our error.

We treat breaches and “near misses” as opportunities to learn. We promote and support a healthy and open breach reporting culture within the police service to better discover and manage the risks we own.

In this way, we seek to maintain the public trust in the police service.

Monitoring of communications

NPCC may monitor or record and retain telephone calls, texts, emails and other electronic communications to and from the NPCC in order to deter, prevent and detect inappropriate or criminal activity, to ensure security, and to assist the purposes we have described. These monitoring activities may include external and internal communications.

What are your Rights under the UK GDPR?

You have the following rights under the UK GDPR. We are required to answer all of these within 30 days, unless they are complex or unless an exemption applies. Please be aware that we may also have grounds to refuse requests which are unfounded or excessive (such as repetitive requests under the same right).

Articles 13 and 14: the right to be informed – know what we do

This places an obligation upon the NPCC to tell you how we obtain your personal information and describe how we will use, retain, store and who we may share it with. We have written this Privacy Notice to explain how we will use your personal information and tell you what your rights are under the legislation.

Article 15: the right of access – see what we hold

You have the right to request access to your personal information free of charge and requires us to provide you with access to it normally within one month of receipt of your request unless an exemption from doing so can be lawfully applied.

Article 16: the right to rectification – let us know if there is an issue

If the personal information NPCC is holding about you is inaccurate or incomplete (i.e. you’d like to add some context) you have the right to request us to correct it, update it or add your comments to those data.

Article 17: the right to erasure – your right to be forgotten

You have the right to ask that your personal information is deleted to prevent continued processing where we have no justification to retain it. A request for erasure may be valid if:

  • your personal information is no longer necessary to meet the lawful basis for which it has been collected and processed;
  • you have withdrawn your consent, and NPCC relied only on that consent for the processing to be lawful;
  • your objection to our processing outweighs the lawful basis we relied upon (in particular, if we have relied on the legitimate interests test), and there is no overriding reason for us to continue processing;
  • your data is being used for direct marketing;
  • your data is being processed unlawfully;
  • there is a legal obligation to delete your data; or
  • you are a child and the processing is in relation to offering information society services to a child.

The right of erasure does not apply if your personal information is being processed by NPCC:

  • to comply with a legal obligation;
  • for the performance of a task carried out in the public interest or in the exercise of official authority;
  • for the establishment, exercise or defence of legal claims;
  • to exercise the right of freedom of expression and information;
  • for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to make it impossible to carry out or seriously impair that processing.

Article 18: the right to restrict processing

Under certain circumstances you have the right to ask us to restrict the processing of your personal information. This may be in cases where:

  • you are contesting the accuracy your information and while we are verifying the accuracy of it
  • your information has been unlawfully processed and you oppose its erasure and have requested a restriction instead;
  • you have objected to us processing your information under article 21(1) and we are considering whether our legitimate grounds override those of yourself;
  • where we no longer require your information but you have re quested we retain it to allow you to establish, exercise or defend a legal claim.

Article 20: the right to data portability – transferring data you’ve provided

The right to data portability allows you to request transfer of data you’ve supplied to one organisation to another, provided they are working using your consent or by a contract with you. It doesn’t apply to data processed for the performance of a public task in the public interest, or in the exercise of official authority, and so this right would not normally apply to data used for the majority of our functions.

Article 21: the right to object – reassessing harm versus benefits

You have the right to object to our use of your data if we rely on a legitimate interests test or a balance of public interests when carrying out our duties. You also have the right to object where your data is processed for scientific and historical research and statistical purposes.

These tests weigh the harm to the public against the benefits of the processing. We recognise that everybody’s circumstances are unique and an otherwise reasonable assessment may cause harm or distress to an individual which we could not have reasonable anticipated. This right helps us to make fair and ethical decisions.

Any objection must be on grounds relating to your particular situation. You can exercise this right most effectively if you let us know what the harm is so that we can decide whether we agree, or whether the purpose is still necessary.

Where we use your personal data for research or statistical purposes necessary for the performance of our public task we are not required to comply with an objection. For example, it may be necessary to use crime data to produce mapping data to identify areas of specific criminality. In these circumstances, any published data will be rendered anonymous to protect you from harm.

Objections to direct marketing are always valid, but we would not expect to engage in this activity.

Article 22: Rights related to automated decision making and profiling

Under the legislation you have the right to contest a decision about you when it is based solely on automated processing (including profiling), and which produces a legal effect or similar significant effect on you.

This right does not apply if the decision is authorised by law, is necessary for a contract with you, or is based on your consent. NPCC is unlikely to carry out automated decision making because our processes involve human interaction and decision making before a significant or legal effect occurs.

In the legislation profiling is described as any form of automated processing of personal data intended to evaluate certain personal aspects about you to predict things about you such as your behaviour, interests, movements or performance at work.

Your rights: law enforcement data

When we use personal data for the law enforcement purpose, the rights you have are similar to the UK GDPR with some important differences. We may be less transparent in what we tell you, but we are required to keep records to demonstrate what we’ve used your data for and why it is necessary to withhold it if we need to.

Please be aware that while the rights are generally similar, there are slight differences, which are as follows:

  • If we agree with your request to make a correction, we will ensure that we’ve told anybody we’ve sent it to and any law enforcement body who may have passed incorrect information to us. Please bear in mind that if we’ve recorded somebody’s opinion about you, it’s unlikely we would treat it as an error in your data, but we would consider whether we had a reason to keep it;
  • We are not required automatically to restrict data from processing if there is a dispute, but we will ensure that your challenge is handled in a way which manages potential harm to you;
  • There is no right to request transfer of your data to another provider;

Law enforcement data: can we refuse your request?

We assess each request individually, and only withhold data where necessary to achieve the following:

  • avoiding obstruction to an official or legal inquiry, investigation or procedure;
  • avoiding prejudice to the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • protecting public security;
  • protecting national security;
  • protecting the rights and freedoms of others.

We’ll also tell you when we’ve used an exemption unless it harms our ability to meet these goals, and we will always remind you of your rights, including your right to ask the ICO to check we’ve used exemptions correctly.

Your rights: Freedom of Information Act 2000

Subject to certain exemptions, you are entitled to ask for information held by public bodies. While the NPCC has been bound by the Act since late 2018, it has always operated an FOI function to promote the transparency of decision making at a national level.

Like requests relating to your personal data, we do use exemptions to withhold some of the data we are asked for. When we refuse a request we will explain why unless doing so interferes with the purpose of the exemption, and we will always remind you of your rights, including your right to ask the ICO to review our decision.

It’s important to remember that if you are requesting your own personal data, you should use your rights under the UK GDPR and the Data Protection Act.

How do you exercise your rights?

Access or challenge local data:

If you’d like to access or challenge data held by specific police forces, please contact that force. Each chief constable is data controller for data collected by their own officers and staff. This includes crime, intelligence, incident and BWV data. You can find links to their websites here: www.police.uk

Access PNC:

If you’d like to access your PNC record, ACRO can assist you: https://www.acro.police.uk/subject_access.aspx

Challenge PNC:

If you’d like to challenge data held on national police system, ACRO can help get your request to the police forces which own those parts of your record: https://www.acro.police.uk/Early_Deletion_of_Biometric_Information.aspx

Access or challenge NPCC data:

If you’d like to exercise your rights for your data held by the NPCC (not including local or PNC data), you can contact the NPCC Data Protection Advisor: [email protected]

Freedom of Information requests

For requests for information from local forces, you can find their FOI contact details by following links from www.police.uk

If you’ve explored the NPCC website and would like to submit a Freedom of Information Request for information relating to the business of NPCC, ACRO or the National Police Units, you can contact the NPCC Freedom of Information Officer: [email protected]

If you want to raise a concern with the Information Commissioner’s Office (ICO)

The ICO is the independent authority responsible within the UK for ensuring we comply with data protection legislation. Further information about the ICO and your rights can be found at ico.org.uk.

You have the right to ask the ICO to investigate a concern you may have with any organisation which is or may be handling your personal data. For example, you may be concerned that your data has been used unlawfully, that it has been withheld from you, or that a controller who has no lawful basis to use your data has not erased it when asked. The ICO has powers to inspect what we hold and decide whether we have acted lawfully or not. They have powers to order remedial action and to enforce the lawful handling of personal data.

If you are dissatisfied with a response from the NPCC, we respectfully ask that you submit your first complaint to us and we will attempt to resolve the problem or explain why we believe our actions are lawful. Your rights are not affected by doing so and you may choose to speak to the ICO at any time.

If we cannot resolve a problem to your satisfaction, we will always remind you that you may take your concerns to the ICO for an independent decision.

The Information Commissioner’s Office
Wycliffe House
Wilmslow
Cheshire
SK9 5AF

Email: [email protected]

Phone: 0303 123 1113

Changes to our Privacy Notice

We keep our privacy notice under regular review. This privacy notice was last updated in September 2021.

If we plan to use your personal information for a new purpose we will update our privacy notice and communicate the changes before we start any new processing.