Freedom of information request
In the public interest, please could you provide me with the following information:
1. How many Data Protection Complaints has the OPCC received, separated by year.
1a. Please provide the specific classification and / or category for each complaint (e.g., Unauthorised Disclosure, Loss of Data, Inaccuracy/Falsification, Failure to Respond to Rights Requests, Consent Violation etc).
1b. How many of these complaints concerned (to any degree) the Police Complaint Review Process and / or data and information being shared with this ‘Sancus’?
2. How many Data Protection breaches have occurred within the OPCC, separated by year.
2a. What was the nature of these breaches? Please specify if they were self-reported to the ICO and provide the specific classification and category of each breach.
2b. How many of these breaches concerned (to any degree) the Police Complaint Review Process and / or data and information being shared with this ‘Sancus’?
3. How many Data Protection complaints has the PCC / OPCC refused to respond to, separated by year (you’ve refused to respond to 3 of my Data Protection complaints in 2025/2026, for example, but have refused to justify the refusal).
3a. What were the recorded reasons for each of the refusals to respond?
4. Where can I find the OPCC’s ‘Annual Data Protection Report’ for previous years?
4a. Please provide copies of all Data Protection Breach Assessments (redacting any information that could identify the victim).
5. Please provide to me copies of any ‘Audits’ conducted regarding a) Data Protection (any and all) and b) the Police Complaint Review Process (any and all).
6. Please provide the ‘Record of Processing Activities’ (ROPA), the specific ‘Legal Basis for Processing’ document, or any other document for that matter, that supposedly authorises the PCC / OPCC to transfer police complaint data to ‘Sancus’ in the ABSENCE of a submitted Review Application or Consent.
Office of the Police and Crime Commissioner response
As per Section 1(1) of the Freedom of Information Act, the Office of the Police and Crime Commissioner can confirm it does hold some of the information you have requested.
I have responded to each of your questions below:
1. Please see table below.
1a. Please see table below.
1b. Please see table below.
| Year | 1. Data Protection Complaints | 1a. Category | 1b. Concerns Complaints Review Process |
| --- | --- | --- | --- |
| 2020/21 | nil | N/A | N/A |
| 2021/22 | nil | N/A | N/A |
| 2022/23 | nil | N/A | N/A |
| 2023/24 | nil | N/A | N/A |
| 2024/25 | nil | N/A | N/A |
| 2025/26 | Ref 1 | Sharing of personal data | 1 |
| 2025/26 | Ref 2 | Sharing of personal data | 1 |
2. Please see table below.
2a. Please see table below.
2b. Please see table below.
| Year | 2. Data Protection Breaches | 2a. Specification Classification-Category of Breach | 2a. Report to ICO | 2b. Concerns Complaints Review Process |
| --- | --- | --- | --- | --- |
| 2020/21 | nil | N/A | N/A | N/A |
| 2021/22 | nil | N/A | N/A | N/A |
| 2022/23 | Ref 1 | Unauthorised Disclosure | No | N/A |
| 2022/23 | Ref 2 | Unauthorised Disclosure | No | N/A |
| 2023/24 | Ref 3 | Unauthorised Disclosure | No | N/A |
| 2023/24 | Ref 1 | Unauthorised Disclosure | No | N/A |
| 2024/25 | Ref 2 | Unauthorised Disclosure | No | N/A |
| 2024/25 | Ref 1 | Unauthorised Disclosure | No | N/A |
| 2024/25 | Ref 2 | Unauthorised Disclosure | No | N/A |
| 2024/25 | Ref 4 | Unauthorised Disclosure | No | N/A |
| 2025/26 | Ref 1 | Unauthorised Disclosure | No | N/A |
| 2025/26 | Ref 2 | Unauthorised Disclosure | No | N/A |
| 2025/26 | Ref 3 | Unauthorised Disclosure | No | N/A |
*Please note the above table only includes identified breaches following assessment
3. Nil
3a. N/A
4. OPCC’s Annual Data Protection Report for 2024-2025 can be found as a listed agenda item at the Joint Independent Audit Committee Meeting dated 25th September 2025 – Audits – Cleveland Police and Crime Commissioner.
This was the first time an annual report was delivered; the next report covering 2025-2026 will be available in September 2026.
4a. Information in relation to data breach assessments has been declined under Section 40(2) of the Freedom of Information Act 2000 as it compromises personal data about a third party. As per Information Commissioner's Office (ICO) Guidance, information is considered personal information (or personal data) if an individual can be identified, either directly or indirectly, through that information, even if it is simply a combination of key facts. Disclosing this information would contravene the data protection principles under UK GDPR and the Data Protection Act 2018. As Section 40(2) is an absolute exemption, there is no requirement for a public interest test.
5a and 5b. Please see attached copies of the below reports.
RSM Audit – Subject Access Requests – July 2020
RSM Audit – Complaints – September 2021
RSM Audit – GDPR – November 2022
RSM Audit – Complaints – October 2024
RSM Audit – Data Protection – January 2025
6. Please find attached the OPCC ROPA. The specific legal basis for the processing and sharing of personal data is set out in Article 6 on the basis the processing is necessary for the performance of a public task and the processing is necessary for the OPCC to comply with the law – in this instance the Complaints and Conduct Regulations (2020).