Data Protection FAQS

Q1. What type of individuals do you collect data about?

We collect data for two separate groups of people: members of the BCRP and offenders.

Q2. What is the lawful basis for collecting the information?

For our members the lawful basis is the 'contract' that we have with them by virtue of their membership of the BCRP. For offenders the lawful basis is 'legitimate interest' to protect our members and their property from harm and to prevent crime and disorder. Look at the Privacy Notice [Offenders] at the bottom of the Exclusion Notice page.

Our members give us consent by virtue of asking to be members of the scheme and completing an application form. Offenders do not give consent but we collect their information on the basis of 'legitimate interest'.

Q4. What does 'legitimate interest' mean?

The BCRP has assessed the impact of its processing on offenders’ rights and freedoms, has balanced these with its members’ own rights, and has concluded that its members’ rights prevail over offenders’ rights in this specific matter. This means that the BCRP has a compelling reason to collect data without asking for permission to do so. For the BCRP it is to protect the property of our members and their staff and customers from crime and anti-social behaviour and to exclude from their premises any individuals who are proven threats to their property, staff or customers or disrupt the peaceful enjoyment that their customers expect from the goods and/or services that our members offer.

The BCRP processes Offenders’ personal data for the management of its Exclusion Scheme [see Exclusion Scheme FAQs page] on behalf of its members, to inform members of an offender’s modus operandi, to collate intelligence on criminal activity within the area of the scheme’s operation and to contribute to legal proceedings against offenders where appropriate.

Wherever possible we also try to prevent people from being excluded by writing to them beforehand. For young people we also have a 'Putting it Right' scheme to try to stop them from offending at an early stage and a separate policy on processing their personal data.

Q5. What specific data do you collect about members of the BCRP?

A contact name, the name of the company, the company's address, email address and telephone number.

6. What specific information do you collect about offenders?

Name, date of birth, address [if possible] and other contact details, photographic image and details of any offences against our members. We collect offender's addresses so we can write to them to explain what information we have and what we intend to do with it. For the purposes of identification we might also record their ethnicity. If the offender has a medical condition that means they are prone to violence we may also record this to ensure the safety of our members.

7. Who do you share the information with?

The information on our members is not shared with anyone. The information about offenders may be shared with our members and also statutory agencies e.g. police, Youth Offending Service. Any medical information collected is not generally shared with members but only with those who may need to know e.g. security personnel. We do not share an offender's address with our members except for the purposes of civil recovery proceedings which are very rare.

We may also share offender information with other neighbouring BCRPs and national agencies if there is reason to believe that the offender travels from place to place committing offences.

8. Do you collect information about children?

We do not collect information about anyone younger than 14. We have a separate policy on the collection of children's information between the ages of 14 and 18 with specific safeguards and checks to ensure they are treated fairly.

9. How long do you keep information?

For our members we only keep information they have supplied for as long as they are members of the BCRP.

For offenders we keep the information for 12 months and it may be shared with our members during that period. If no further report is submitted during the 12 months, the offender’s data will be withdrawn from members at the expiry of that period. It will be retained for a further 12 months [6 months for children] in the scheme’s database (which can only be accessed by the Data Controller and authorised personnel) after which time, if no further incidents are reported, it will be irrevocably deleted.

Q10. Can an offender find out what information the BCRP holds about them?

Yes, you can use the form on the 'Contact Us' page or phone or email us. But to protect your privacy we prefer requests to be in writing to Board of Management, PO Box 5398. Brighton BN50 8GQ. We may have to ask you to prove that you really are the person you are asking for information about.

Q11. How does the BCRP treat offenders who are children?

The General Data Protection Regulation [GDPR] does not ban an organisation from relying on legitimate interests as a lawful basis if it is processing children’s personal data. However the GDPR places particular emphasis on the need to protect the interests and fundamental freedoms of data subjects when they are children.

‘Processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.’

The BCRP recognises Recital 38 which states that children require specific protection with regard to their personal data because they may be less aware of the risks and consequences of the processing, the safeguards that could be put in place to guard against these, and the rights they have. It also recognises Article 21 giving the right of the individual [or in the case of children the parent or guardian] to object to said data processing.

Children are identified as “vulnerable individuals” and deserving of “specific protection” but the GDPR does not prescribe the age at which a person is considered to be a child.

The United Nations Convention on the Rights of the Child requires countries to set a minimum age “below which children shall be presumed not to have the capacity to infringe penal law”. However, once again, the convention does not actually indicate what age level should be set as a minimum. But, when fixing a minimum age, it draws attention to the commentary on the United Nation’s Beijing Rules which state that: “The modern approach would be to consider whether a child can live up to the moral and psychological components of criminal responsibility; that is, whether a child … can be held responsible for essentially antisocial behaviour.”

The age at which a child could not be held criminally responsible is encapsulated in the Latin term doli incapax which has been interpreted to mean 'incapacity of committing an offence'.

Until 1998, the legal presumption (doli incapax) was that children aged under 14 did not know the difference between right and wrong and were therefore incapable of committing an offence. However, in response to the outcry over the Jamie Bulger murder, the doli incapax presumption was abolished by section 34 of the Crime and Disorder Act 1998 and is no longer in operation and in England & Wales 10 years of age is the lower threshold of criminal culpability.

This leaves England and Wales with one of the lowest age levels of criminal responsibility in the world and subject to ongoing criticism by the international community. Even England’s closest neighbours, Scotland and Ireland have a limit of 12 years of age.

In 1995 the UN Child Rights Committee (UNCRC) presented its first report on the UK’s compliance with the international child rights standards that the country had signed in 1989. It included a recommendation that a threshold below the age of 12 is not internationally acceptable, and that 14-16 years would be more in line with UNCRC Article 40 which specifies that States should deal with children in conflict with the law without resorting to judicial proceedings.

In an interview with the Times in March 2010 the Children’s Commissioner Maggie Atkinson called for the age of criminal responsibility to be raised to 12 saying: “The age of criminal responsibility in this country is ten – that’s too low. In some European countries it is 14 ”. This is a view that is supported by the Children’s Commissioner for Scotland who has stated publicly that Scotland should work incrementally towards a minimum age of criminal responsibility of 14 or even 16 years.

1It is the belief of the BCRP that the age of 10, or even 12, is too young to fully understand criminal culpability. Taking into account the age-appropriate rights and freedoms of the child so that their freedom to learn, develop and explore is only restricted when this is proportionate the BCRP has set a minimum age of 14 for the processing of offender data.

You can complain direclty to us using the 'Contact Us' form on this website. You can also complain to the Information Commissioner online at