Privacy at London Fire Brigade

We take your privacy seriously

 If we ask you for personal information we will hold a record of why we are asking and why the information is necessary to do our work.

We use the term ‘privacy notice’ to describe all the privacy information that we make available or provide to people when we collect information about them. Our privacy information is made up of:

Why we use personal information

When we collect and process information about you we do so according to UK data protection law. This means we will be fair and transparent about the data we collect and we will keep your information safe. Our main processing activities that use personal data are:

  • Emergency response – providing an emergency response to fires, and other emergencies and eventualities
  • Fire safety and protection – promoting fire safety and safe living, enforcing fire safety law, and to protect those who are vulnerable to harm
  • Youth activities – working with young people
  • Business administration – maintaining accounts and business records, managing contracts and services, running events and activities, investigating complaints and concerns
  • Employment – recruit, employ, manage, train, promote and retire our staff
  • Research – carrying out research, surveys and to maintain a historical archive
  • Security – using CCTV systems and body worn video devices (BWV) to keep our people and resources safe, and to prevent and detect crime
  • Media – take photographs, video or use other audio visual media
  • Communications – maintaining our website, providing newsletters and information about our services
  • Legal – complying with the law and to support local and national fraud initiatives.

These are explained in more detail in our Privacy Information Notes.

LFB as a Data Controller

The London Fire Commissioner (LFC) is the head of the London Fire Brigade and is the Fire and Rescue Authority for London. The LFC is a data controller for personal data and has notified the Information Commissioner (the UK regulator for data protection) of this. Our main address is: London Fire Brigade, 169 Union Street, London SE1 0LL. The main contact number is 020 8555 1200.

Our details have been registered with the Information Commissioners Office (ICO) and our register number is Z7122455. The ICO’s register can be viewed online at

The Data Protection Officer

Our Data Protection Officer (DPO) is the LFB Head of Information Management who has day-to-day responsibility for data protection and information governance issues. The DPO can be contacted via the address or phone number above, or by:

  • Email to: dataprotectionofficer@london-
  • Telephone: 020 8555 1200 ext 30300 and talk to a member of our Information Access Team
  • Write to: Data Protection Officer, London Fire Brigade, 169 Union Street, London SE1 0LL

Our legal basis for processing

Our legal basis for processing your personal data will depend on the specific activity we are undertaking. Generally speaking we process personal data for the reasons set out below. In only a very few situations will we ask for your consent for us to use your data as typically we have legal duties or powers then enable us to process personal data to undertake our functions as a fire and rescue service. It will however, often be the case that you will be giving us personal information voluntarily and with your cooperation, but we will process that information on the basis of our duties and powers rather than because you have given your consent.

Our main processing conditions can be described as:

  • Contractual – we need the information for the performance of a contract we have with you or that you are preparing to enter into with us.
  • Legal obligation – it is necessary to use the information for compliance with a legal obligation that we must comply with.
  • Vital interests – we are gathering information as part of an operational incident where there is a risk to someone’s life.
  • Public task – the information is necessary for us to carried out a task in the public interest or in the exercise of our functions a fire and rescue authority.

As a fire and rescue authority, we have many duties and powers that describe our core functions and give us legal powers to undertake those functions. Those functions include, for example;

  • Our core functions, as described in the Fire and Rescue Services Act 2004, that require us to give fire safety advice and prevent fires from happening; enable us to respond to fires and to protect life and property; and to enable us to respond to road traffic accidents and other emergencies.
  • A power to respond to other eventualities where there is a situation that may cause or is likely to cause someone to die, be injured or become ill; or that may harm to the environment (including the life and health of plants and animals).
  • Our powers to enforce and regulate fire safety law, such as the Regulatory Reform (Fire Safety) Order 2005.

We also have general powers (FRSA2004, Sec 5a) that enables us to do anything we consider appropriate for the purposes of the carrying-out of any of our functions  or anything that is incidental to our functional purposes. This will include a power to collect, process and share personal and sensitive personal data so long as the processing is necessary for the purpose we are collecting it.

Law enforcement

During our work to enforce and regulate fire safety law, some of the personal data we collect and process will be for law enforcement purposes (as outlined in Part 3 of the Data Protection Act 2018), which cover data processed in connection with the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

Our legal basis for processing law enforcement data is that it is necessary for the performance of our functions. Our primary law enforcement functions relate to enforcement of the Regulatory Reform (Fire Safety) Order 2005 in accordance with Article 25 of the order which includes taking decisions to issue notices or to prosecute where offences have been committed and prosecution is considered to be in the public interest.


Special categories of personal data

Data protection law recognises that there are some types of personal data that are particularly sensitive and should prohibited unless the processing is absolutely necessary. This special category of data includes data revealing; racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

When it is necessary for us to process any of the special category data, it will usually be because;

  • Of your employment with us (if you are an employee)
  • You have already made the information manifestly public
  • It is necessary to protect your vital interests or those of another person where the data subject is physically or legally incapable of giving consent
  • It relates to a legal claim or legal process
  • It is necessary for a task of substantial public interest and the task is within our statutory functions
  • We need to identify and keep under review the equality of opportunity and treatment of different groups of people
  • We are processing criminal offence data in relation to employment, public interest or to fulfil our statutory functions.


You will often have a choice about what services you receive from us, but when we collect your personal information for that service – one of our main processing activities – we will collect and retain your information because we have another duty or obligation to do so that does not require your consent. We are a public authority and we recognise that our position means that you are unlikely to be able to freely give your consent for the services we provide.

When you give us your information on the basis that you give us your consent to use it (and not because of another processing obligation we have), then you can withdraw that consent at any time. If you wish to withdraw your consent for us to use your personal data then you should contact our Data Protection Officer (see above). You should provide as much information as possible about the information you supplied, when it was given and the circumstances it was given in.

If, prior to the 25 May 2018, we have asked for, or have been given your permission to use your data and called this “consent” it is unlikely that this consent meets the standard required for GDPR. We are however confident that our continued use of your data is still permitted under data protection law where it falls within another legal basis, for example because it is contractual, we have a legal obligation or it is necessary for a public task. This will affect your rights (see below) and you may no longer have the right to stop us processing the information by withdrawing your previously given permission (described at the time as consent). If you have a concern about this change in processing, please contact the Data Protection Officer.

The types of information we hold

We describe the type of personal data we collect and hold by referring to “categories of personal data”. The table below gives examples of the types of information that we process.


Example of data included in the category

Personal details

Titles, names, previous names, nick-names, aliases, address, postcode, telephone numbers, email addresses, social media user names, personal websites addresses, signature, emergency contacts, family history, marital status, dependants, next of kin, language skills

Personal features

Age, date of birth, gender, height, weight, body measurements, eye/hair/skin colour, identifying marks, images - photo/video/audio

ID Numbers

National insurance number, passport number, driving licence number, social security number, national health number.

[Note: this category may include facsimile copies of original documents containing the identifier]

Work details

Pay number, job titles, work addresses, employers name, work contact numbers, work email address, call sign, work social media user names, grade, role, rank, start date, end date, camp out base, work history, computer and communications monitoring information, lone-worker location, vehicle number plate, pager number, leave and absence, proof of right to work, building access records,

Financial details

Salary, payroll records, bank details, pension, tax, allowances, state benefits, property ownership, compensation payments


Qualification, establishment, establishment address,

Narrative data

Biography, CV, situational description, occupational experiences, behavioural characteristics, professional membership, personal references, performance evaluations, discipline or grievances,

Special category data

Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation

Criminal offence data

Information relating to criminal offences (alleged or proven) or personal data held with the intention of bringing about a criminal prosecution.


Publicly accessible sources

During our work, we may refer to information, including personal data, that is available on publicly accessible sources. These sources will include information made available by other public bodies, regulators and enforcing authorities (for example public registers) as well as information posted on social media, other websites and news media.

We may use information that is publicly available to inform our decisions about our work with you. That may include our dealings with you during the performance of a contract (as a supplier, a data processor or an employee) or how we provide our emergency response and other services to you, either at the time or in our planning and preparations (for example, if we are made aware of people who are at a higher risk of being involved in a fire we may try to make contact to offer prevention and safety advice).


Who we share personal information with

To fulfil our responsibilities and functions as a fire and rescue authority, it will be necessary for us to share some or all of your personal data with other organisations. When we share data we will be doing so knowing that we have legal basis to do so and that it is necessary for that purpose.

In general terms, we will only share information with another organisation where;

  • They are responsible for providing services and care during emergencies
  • They can help to prevent you from dying, or from becoming injured or ill, or prevent harm to the environment
  • The information can be used to prevent or detect crime, including the prevention of fraud
  • The information is necessary for any stage of legal proceedings
  • They are processing data on our behalf and we have contract specifying the details

The categories of organisations  who we might share personal data with are shown in the table below.


Example of recipients included in the category

Emergency Services

Fire and Rescue, Police, Ambulance, Armed forces, Coast Guard, Category 1 and 2 Responders

Local authorities

Education, Social Care, Housing, Environmental Health, Youth Service, GLA, London Assembly

Health providers

GP, Health professional, Health board or trust, National Health Service and bodies

Government agencies

Home Office, MOD, HMRC

Legal services

Solicitors, Law courts, Public Inquires and Inquests


HSE, Pension Regulator, Safety Committees, Auditors

Employers & Businesses

Outside employers, Registered childcare provider, External trainers, NFCC, registered charities,

Appropriate adults

Parent, carer, family member, guardian, teacher, LFB volunteer

Contractors & suppliers (“Data processors”)

Data processors are third parties who process personal data on our behalf.


Data processors

Data processors are third parties who process personal data on our behalf. These are typically the suppliers and contractors we use to provide us with good and services under contract. Occasionally, those contractors will provide services direct to you on our behalf. Examples of contractors who are our data processes include those that provide us with; recruitment support, IT systems, IT developers and engineers, telecom services, security systems, occupational health and staff wellbeing services.

We have contracts in place with all of our contracts who are also our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

Transfers to third countries or international organisation

We do not transfer your data outside of the UK as part of our day-to-day work. However, as IT providers become more global and IT services are provided ‘in the cloud’ we know that some of the data we hold is hosted on computer servers that are outside of the UK or of the European Union (where the General Data Protection Regulations apply (GDPR)).

When our data processors store data outside of the area where the GDPR applies then the security of this information will be covered by the terms of our contract with them (or them with us). You can be assured that when this happens that you will have the same degree of protection in respect of your personal information as thought was held within the UK or the area of the European Union.

If you don’t give us the information we need

You will often have a choice about what services you receive from us, but when we collect your personal information for that service we will collect and retain your information because we have another duty or obligation to do so that does not require your consent.

If you don’t provide certain information when requested, we may not be able to provide you with our services (for example providing you with a fire alarm and advice) or perform the contract we have entered into with you (for example if you are an employee). We may also be prevented from putting you in touch with other organisations and services that can provide you with help, support, advice and care.

We would encourage you to provide us with the data we need to do our job, but if you have any concerns about providing your personal information when asked, please discuss those concerns with us. If you are not already in contact with a member of our staff then you can discuss those concerns with our Data Protection Officer. 

Automated decision making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. With the exception of some of our recruitment and staff management processes, we won’t make decisions about you that will have a significant impact on you based solely on automated decision-making. If we use automated decision making it will be because it is necessary to perform the contract with you and we will have taken appropriate measures to safeguard your rights.

How long we keep personal information

We have a records management strategy that determines how long we keep records and information. This includes records with personal data. As a public body we need to keep records to help us plan and deliver our services, to show how we have made decisions, to prepare and defend legal claims and to maintain a historical archive of the work of the London Fire Brigade.

When deciding how long to keep information, we need to consider a number of things. These include:

  • Statutory records required to be kept by law
  • Documents required to assess the performance of a contract (including staff contracts)
  • Records that explain how we deliver our services and who receives them
  • Our obligations to be accountable and to demonstrate good governance
  • Our need to defend legal claims or to take legal action
  • Administration records  required to carry out and record our day to day business
  • Best practice for local government records keeping
  • Our interest in maintaining a public archive of the work of the London Fire Brigade

Very rarely will a retention period be a set time from a fixed point, as many of our records management decisions are driven by an action or an event. For example, the records management associated with signed contracts will be triggered by the event of the contact coming to an end (eg contract end date plus 12 years).

Where we are holding records that contain personal data, we will have a reason and purpose to hold on to that information. If at any time you believe we are holding records for longer than necessary, you may have the right to ask us to erase that record. If you are concerned about how long we are keeping your information, then you should contact our Data Protection Officer and give them the reasons for your concern and they will investigate the matter


Your information rights and how to access the data we hold

When we use your personal data, you have rights about how that information is processed. Those rights include how you can access the information we hold, and how, in some situations,  you can stop us from processing the information or have it corrected or deleted.

Under certain circumstances, you have the right to:

  • Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

You can read more about these rights here –

If you would like to exercise any of your data protection rights, you should contact the Data Protection Officer using the details listed earlier in this Notice.

If you have a concern

If you are unhappy with the way that your personal data has been used or any other aspect of how we have processed your information then please let us know. In the first instance you should contact our DPO who can investigate the matter for you and take any action that is necessary.

You also have the right to raise your concern with the Information Commissioner. Details of how to make a complaint to the ICO are on their website at or you can write to them at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.