UK GDPR Appropriate Data Policy – Processing Special Categories of Data
Contents
- 1. Policy Statement
- 2. Scope
- 3. What is Special Category Data
- 4. What the legislation says
- 5. Meeting a Schedule 1 condition
- 6. Processing Special Category Data for Law Enforcement Purposes
- 7. Appropriate Policy Document and Additional Safeguards
- 8. Retention of Appropriate Policy Document
- 9. Record of Processing
- 10. Agents, partner organisations and contractors
- 11. Useful contacts
Department responsible: Corporate Information Governance Team
Document release: January 2023
1. Policy Statement
1.1 In order for the City of Bradford MDC ('the Council') to carry out its statutory and public functions, we process special category data and criminal offence data in accordance with the requirements of Articles 9 and 10 of the UK General Data Protection Regulation ('GDPR') and Schedule 1 of the Data Protection Act 2018 ('DPA 2018').
1.2 This policy applies when the Council processes special category data while relying on the conditions listed in Parts 1, 2 and 3 of Schedule 1 of the Data Protection Act 2018. This policy sets out the safeguards that are required to secure compliance with the UK General Data Protection Regulation and the data protection principles when processing special category data.
1.3 Under DPA 2018 Schedule 1, Part 4, there is a requirement for an Appropriate Policy Document to be in place when processing special category and criminal offence data under certain conditions. This document fulfils that requirement and should be read together with the City of Bradford MDC Data Protection Policy.
1.4 This policy explains our procedures and compliance with the data protection principles in Article 5 GDPR and our policies in relation to retention and erasure of special category data.
1.5 In addition, it provides some further information about our processing of special category and criminal offence data where a policy document is not a specific requirement. The information supplements our general City of Bradford MDC Privacy Notice which can be viewed on the Council website.
2. Scope
2.1 This policy applies to all personal special category/criminal conviction data used, stored or shared by or with the Council, whether in paper or digital form and wherever it is located. It also applies to all special category information processed by the Council on behalf of other organisations.
2.2 Personal data is defined as: 'any information relating to an identified or identifiable individual; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number (for example, social security number) or one or more factors specific to an individual's physical, physiological, mental, economic, cultural or social identity.'
2.3 As with the Council Data Protection Policy, this policy applies to all Council employees, seconded staff members, volunteers, third party contractors, temporary staff and employees of other organisations who directly or indirectly support Council services, and to Elected Members.
2.4 This policy applies to data processing where the Council is a data controller in its own right or is a data controller in relation to a multi-agency data sharing partnership. This policy also applies when the Council is acting as a data processor on behalf of one or more data controllers.
3. What is Special Category Data
Article 9 of GDPR sets out that Special Category Data consists of personal data that includes:
- Racial or ethnic origin,
- Political opinions,
- Religious or philosophical beliefs,
- Trade Union membership,
- Genetic data,
- Biometric data for the purpose of identifying an individual,
- Health or data about an individual's physical or mental condition,
- Data concerning a person's sex life or sexual orientation.
Special category data does not include personal data relating to criminal convictions and offences. This information is now treated differently under data protection legislation.
4. What the legislation says
Article 9(1) of GDPR states that processing of Special Category Data is prohibited, unless a specific condition from Article 9(2) can be met. These conditions are:
- 9(2)(a) The data subject has given explicit consent to the processing
- 9(2)(b) Processing is necessary in the field of employment and social security and social protection law
- 9(2)(c) Processing is necessary in order to protect the vital interests of the data subject or another data subject
- 9(2)(d) Processing is necessary for the legitimate activities of a not-for-profit body
- 9(2)(e) Processing relates to personal data which are manifestly made public by the data subject
- 9(2)(f) Processing is necessary for legal claims
- 9(2)(g) Processing is necessary for reasons of substantial public interest
- 9(2)(h) Processing is necessary for the provision and/or management of health and/or social care systems
- 9(2)(i) Processing is necessary for reasons of public interest in the area of public health
- 9(2)(j) Processing is necessary for archiving purposes in the public interest
Section 10(1) to (3) of the DPA 2018 makes it clear that where the conditions
- 9(2)(b) (employment, social security and social protection),
- 9(2)(h) (health and social care),
- 9(2)(i) (public health), and
- 9(2)(j) (archiving, research and statistics),
are relied upon then a condition from Part 1 of Schedule 1 of DPA 2018 must also be met.
If condition
- 9(2)(g) (substantial public interest)
is relied upon then a condition from Part 2 of Schedule 1 of the DPA 2018 must also be met.
5. Meeting a Schedule 1 condition
Parts 1 and 2 of Schedule 1 of DPA 2018 provide a number of separate conditions to meet the requirement set out by Section 10 of the Act. Below are examples of where the Council processes Special Category Data and the Schedule 1 conditions that are most appropriate for that processing.
Note: These conditions only cover the lawfulness aspect of the first principle. Any processing of personal data using one of these conditions should still consider the fairness, transparency, adequacy and security of the processing.
| Example | Schedule 1, Part 1 or 2 condition(s) |
|---|---|
| Recruitment; undertaking pre-employment checks; HR investigations; change in personal circumstances | Part 1(1)(1)(a) – in connection with obligations under employment law; or Part 2(6)(2)(a) – the exercise of a function conferred on a person by an enactment. |
| Adult and Children's Social Care and/or Safeguarding | Part 1(1)(1)(a) – in connection with obligations under social security or social protection law; or Part 1(2)(1) – necessary for health or social care purposes; or Part 2(6)(2)(a) – the exercise of a function conferred on a person by an enactment; or Part 2(18)(a) – necessary for the purposes of protecting an individual from neglect or physical, mental or emotional harm. |
| Equalities Monitoring | Part 2(8) – necessary for the purposes of equality of opportunity; or Part 2(9) – necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation; or Part 2(6)(2)(a) – the exercise of a function conferred on a person by an enactment. |
| Public Health | Part 1(2)(1) – necessary for health or social care purposes; or Part 1(3) – necessary for reasons of public interest in the area of public health; or Part 2(6)(2)(a) – the exercise of a function conferred on a person by an enactment. |
| Disclosure to elected representatives responding to requests from constituents | Part 2(24) – the processing consists of the disclosure of personal data to an elected representative or a person acting under their authority. |
| Disclosure as part of a Data Subject Access Request | Part 2(6)(2)(a) – the exercise of a function conferred on a person by an enactment. |
| Archiving, statistical or historical research | Part 1(4) – necessary for archiving, statistical or historical research purposes that are in the public interest (and in accordance with Article 89). |
| Preventing fraud or disclosing information to an anti-fraud organisation | Part 2(14)(a) – necessary for the purposes of preventing fraud or a particular kind of fraud. |
| Disclosure as part of a request from the Police or another authority to support investigations | Part 2(10)(a) – necessary for the purposes of the prevention or detection of an unlawful act; or Part 2(6)(2)(a) – the exercise of a function conferred on a person by an enactment. |
6. Processing Special Category Data for Law Enforcement Purposes
Section 31 of the Data Protection Act 2018 says that law enforcement purposes are “the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.
Where the Council processes Special Category Data for law enforcement purposes, further conditions are required under Schedule 8 of the Data Protection Act 2018, as listed below.
- I. Statutory purposes.
- II. Administration of justice.
- III. Protecting individuals' vital interests.
- IV. Safeguarding of children and of individuals at risk.
- V. Personal data already in the public domain.
- VI. Legal claims.
- VII. Judicial acts.
- VIII. Preventing fraud.
- IX. Archiving etc.
7. Appropriate Policy Document and Additional Safeguards
Schedule 1, Part 4, of the DPA 2018 requires the Council to create and maintain an Appropriate Policy Document and keep a Record of Processing Activities in relation to processing of Special Category Data.
Appropriate Policy Document
The following statements explain how the Council meets the requirements of the Principles from Article 5 of the GDPR in connection with the processing of Special Category Data.
Principle 1 – Lawful, fair and transparent
The Council will:
- Ensure that Special Category Data is only processed where a lawful basis applies.
- Ensure that processing does not take place unless the reason for processing is derived from a lawful basis in Article 9 of GDPR (see Section 3) and, where necessary, a condition from Schedule 1 or Schedule 8 of the DPA 2018, and that it does not infringe data protection legislation or any other law.
- Only process personal data fairly and ensure that data subjects are not misled about the purposes of any processing.
- Ensure that data subjects receive full privacy information about the processing, unless an exemption applies.
- Complete a Data Protection Impact Assessment (DPIA) for any high risk processing involving the use of Special Category Data. The assessment should be completed by the relevant project lead and signed off by the DPO.
Principle 2 – Purpose limitation
The Council will:
- Only process personal data for specific and explicit purposes which will be included within the relevant Privacy Notice unless an exemption applies.
- Not use personal data for purposes that are incompatible with the purposes for which it was collected, unless required by law. The Council will inform data subjects of any change of purpose unless a relevant exemption applies or the Council is required by law not to disclose the new purpose.
- Where a Council service wishes to use personal data for a different purpose they should consult the Corporate Information Governance Team for advice.
Principle 3 – Data minimisation
The Council will ensure that Special Category Data processed by the Council is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Principle 4 – Accuracy
The Council will:
- Ensure that Special Category Data is accurate and where necessary kept up to date.
- Ensure personal data based on a personal assessment and opinion (including intelligence) is distinguished from that which is based on fact.
Principle 5 – Storage Limitation
All Special Category Data will be retained in accordance with the Council's Records Retention and Disposal Schedules.
Principle 6 – Security
Special Category Data must be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. The Council's Information Security Policy sets out the security requirements.
The Council has a wide range of technical and procedural controls in place in order to protect the Special Category Data it processes. These controls are overseen by the Council's Information Assurance Board, the Senior Information Risk Owner (SIRO) and the Assistant Director of Information Technology, supported by a network of Information Asset Owners (IAOs) across individual departments.
These controls include, but are not limited to:
- Mandatory data protection and information security training for all staff.
- Mandatory acceptance of Data Protection, Information Security and IT Access policies by all staff.
- Encryption of data in transit (i.e. Galaxkey secure email) where appropriate.
- Appropriate levels of encryption, firewalls and business continuity arrangements for corporate servers holding personal data.
- Contracts with processors and suppliers that contain appropriate UK GDPR and data protection clauses.
- Controlled access for systems holding Special Category Data.
- Data protection by design processes and culture to ensure information security has been considered and implemented, via Data Protection Impact Assessment where appropriate, prior to the processing of personal data.
- ID badges to control access to council buildings.
- An established Data Security Incident reporting procedure, in order to mitigate risk and ensure the Council complies with its legal obligations where potential breaches may have occurred.
Principle 7 – Accountability
The Council must be responsible for and demonstrate compliance with these principles.
The Council will:
- Ensure that records are kept of all processing activities involving Special Category Data.
- Ensure that project leads will complete a Data Protection Impact Assessment for any processing involving the use of Special Category Data.
The Council has appointed a Data Protection Officer whose role is to provide independent advice on data protection to the council, and to monitor compliance with relevant Data Protection legislation.
8. Retention of Appropriate Policy Document
- The policy document will be retained for the length of the processing of Special Category Data plus six months.
- The Council will make the policy available upon request and without charge.
9. Record of Processing
The Council maintains a Record of Processing Activities within the information asset register for each service. The information within the information asset registers includes:
- Which processing conditions are relied upon.
- How the processing satisfies Articles 6 and 9 of GDPR and, where necessary, Schedule 8 of the DPA 2018.
- The retention periods for data.
Information Asset Owners (IAOs) are accountable for ensuring that the Information Asset Register is kept accurate and up to date.
10. Agents, partner organisations and contractors
Personal data must be processed in accordance with the principles of data protection law and this policy. This policy applies to:
- all permanent and temporary employees of the Council;
- any individual, including contractors, volunteers and others, who works on behalf of the Council;
- all apprentice/work experience and other students;
- Elected Members.
11. Useful contacts
Corporate Information Governance Team Data Protection Officer via dpo@bradford.gov.uk
Information Commissioner's Office via www.ico.org.uk