As part of our statutory and corporate functions, we process special category data and criminal offence data in accordance with the requirements of Articles 9 and 10 of the General Data Protection Regulation (‘GDPR’) and Schedule 1 of the Data Protection Act 2018 (‘DPA 2018’).
Special category data is defined at Article 9 GDPR as personal data revealing:
Article 10 GDPR covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.
Schedule 1 of the DPA 2018 provides conditions for processing special category and criminal offence data. Some of these conditions require us to have an Appropriate Policy Document (‘APD’) in place, setting out and explaining our procedures for securing compliance with the principles relating to the processing of personal data in Article 5 of the GDPR, and our policies regarding the retention and erasure of such personal data.
Our processing of special category and criminal offence data for law enforcement purposes is not covered in this document. Processing for law enforcement purposes is carried out by us in our capacity as a competent authority, falls under Part 3 of the DPA 2018 and is the subject of a separate document.
We process special categories of personal data under the following GDPR Articles:
In circumstances where we seek consent, we make sure that the consent is unambiguous, is for one or more specified purposes, is given by an affirmative action and is recorded as the condition for processing.
We also process criminal offence data under Article 10 of the GDPR.
Article 5 of the GDPR sets out the data protection principles. These are our procedures for ensuring that we comply with them.
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
We will only collect the minimum personal data that we need for the purpose for which it is collected. We will ensure that the data we collect is adequate and relevant.
Personal data shall be accurate and, where necessary, kept up to date.
We will ensure that personal data is accurate, and kept up to date where necessary. We will take particular care to do this where our use of the personal data has a significant impact on individuals.
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
We will only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data, it shall be deleted or rendered permanently anonymous. We determine the retention period for this data based on our legal obligations and the necessity of its retention for our business needs (see paragraph 4 below). Our retention schedule is reviewed regularly and updated when necessary.
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We will ensure that there are appropriate organisational and technical measures in place to protect personal data, for example:
The GDPR states that the data controller must be responsible for, and be able to demonstrate, compliance with these principles. Our Senior Information Risk Officer and Caldicott Guardians (for social care personal data) are responsible for ensuring that the department is compliant with these principles.
We will ensure, where special category personal data or criminal offences data are processed, that:
To work out the right retention period for personal data, we consider the following matters:
Once services are no longer required from us by a person, we will retain and securely destroy their personal information in accordance with our data retention schedule.
For further information about our compliance with data protection law, please contact us by:
Alternatively, if you wish to contact our Data Protection Officer, you may do so by: