Introduction
We process special category data and criminal convictions data to fulfil our legal, corporate and public duties, following the UK GDPR (Articles 9 and 10) and the Data Protection Act 2018 (Schedule 1).
Some conditions require us to have an Appropriate Policy Document ('APD') that explains how we comply with the data protection principles and how we handle the retention and erasure of such personal data.
This document outlines our processing and meets the requirements of the DPA 2018 (Schedule 1, Part 4). It should be read alongside our data protection policy.
Scope
This policy applies to all special category data and criminal conviction data we process, regardless of its format, and to anyone processing personal data on our behalf.
Definitions
Special category data: personal data consisting of information relating to:
- race or ethnicity
- political opinions
- religious beliefs or other beliefs of a similar nature
- trade union membership or affiliation
- biometric and/or genetic data
- physical or mental health
- sex life or sexual orientation
Criminal conviction data: personal data relating to criminal convictions and offences or related security measures.
Conditions for processing
We process personal data, for which an APD is required, under the following relevant Schedule 1 conditions:
- employment purposes: for tasks like managing sickness, pre-employment checks, and recording union membership
- statutory purposes: fulfilling legal obligations and assisting other public bodies
- equal opportunity: complying with equality laws and ensuring equal access to services
- safeguarding: protecting children and vulnerable individuals
- disclosure to elected representatives: assisting local officials with constituent requests
Compliance procedures
To maintain accountability, we will:
- appoint a data protection officer who reports to our highest management level
- take a “data protection by design and default” approach to our activities
- keep records of our processing activities
- ensure contracts are in place with third parties who process personal data on our behalf
- ensure robust security measures are in place
- conduct data protection impact assessments for high-risk processing activities
To ensure personal data is processed lawfully, fairly and transparently, we will:
- only process personal data where there is a valid legal reason
- be clear with individuals about why their data is being processed
- inform individuals about how and why we use their data by providing privacy notices for all council activities
To ensure personal data is only processed for the purpose it was collected, we will:
- collect personal data only for clear and legitimate purposes
- tell individuals what those reasons are in privacy notices
- use personal data for other purposes only if they are compatible with the original reason it was collected
- only share personal data with other organisations if they are legally allowed to process it
To ensure we minimise the personal data we process, we will:
- collect only the personal data needed for the specific purpose and avoid collecting too much
- delete any personal data that is not relevant to our stated purposes
To ensure that we process accurate personal data, we will:
- make sure personal data is accurate and up to date when needed
- pay extra attention to the accuracy of the data we hold
- take action to correct or delete data when we are informed it is inaccurate or outdated
To ensure that we don’t hold personal data for longer than we need to, we will:
- keep personal data only as long as necessary
- set retention periods based on legal requirements and business needs
- make our retention schedules available to the public
To maintain the confidentiality, integrity and availability of personal data, we will:
- implement robust policies and procedures to ensure the secure handling of personal data
- train staff to manage personal data securely
- have experts available to offer support and guidance
- assign the right roles and responsibilities to manage information risk
Retention and erasure
Our retention and erasure practices are set out in our records and information management policy.
Further information
For further information or guidance contact the data protection officer (DPO) at dpo@lincolnshire.gov.uk.
Review
This policy will be reviewed annually.