Appropriate Policy Document

The GDPR requires special conditions to be met for processing “special categories” of personal data and criminal convictions data. Articles 9 and 10 of the GDPR prohibit the processing of such data unless the special conditions, set out in Articles 9(2) and 10 respectively, are met.

When processing special category in addition to identifying a basis for the processing you are also required to identify a special condition to enable the processing to take place. These are set out within Articles 9 (2) and 10 of the General Data Protection Regulation, the conditions include:

• for employment, social security and social protection purposes
• for substantial public interest purposes
• for health and social care purposes
• for public health purposes
• for archiving, research and statistics purposes.

It is likely that the conditions within substantial public interest and relating to criminal conviction data will be the most relevant within the Council.

This is the ‘appropriate policy document’ for Ashfield District Council (the Council) that sets out how we will protect special category data.

It meets the requirement within Schedule 1 of the Data Protection Act 2018 that an appropriate policy document be in place where the processing of special category personal data is necessary.

The specific conditions under which data may be processed are set out at paragraphs 1-28 of schedule 1 to the Data Protection Act 2018. A list of the most relevant conditions (substantial public interest & criminal conviction conditions) are attached to the end of this document for information. Advice MUST be sought from the Legal department wherever special category data is to be processed to ensure compliance with this document and appropriate selection of a special condition.

Article 5 of the General Data Protection Regulation sets out the data protection principles. These are our procedures for ensuring that we comply with them.

1.1 Principle 1

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

The Council will:

• ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful
• only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing
• ensure that data subjects receive full privacy information so that any processing of personal data is transparent

1.2 Principle 2

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

The Council will:

• only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in a privacy notice
• not use personal data for purposes that are incompatible with the purposes for which it was collected. If we do use personal data for a new purpose that is compatible, we will inform the data subject first.

1.3 Principle 3

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

The Council will only collect the minimum personal data that we need for the purpose for which it is collected. We will ensure that the data we collect is adequate and relevant.

1.4 Principle 4

Personal data shall be accurate and, where necessary, kept up to date.

The Council will ensure that personal data is accurate, and kept up to date where necessary. We will take particular care to do this where our use of the personal data has a significant impact on individuals.

1.5 Principle 5

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

The Council will only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data it shall be deleted or rendered permanently anonymous.

1.6 Principle 6

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The Council will ensure that there appropriate organisational and technical measures in place to protect personal data.

The controller shall be responsible for, and be able to demonstrate compliance with these principles.

We will:

• ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request
• carry out a Data Protection Impact Assessment for any high risk personal data processing, and consult the Information Commissioner if appropriate
• ensure that a Data Protection Officer is appointed to provide independent advice and monitoring of the departments’ personal data handling, and that this person has access to report to the highest management level of the department
• have in place internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law.

We will ensure, where special category or criminal convictions personal data is processed, that:

• there is a record of that processing, and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data
• where we no longer require special category or criminal convictions personal data for the purpose for which it was collected, we will delete it or render it permanently anonymous
• data subjects receive full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.

If you wish to contact our Data Protection Officer, you can do so:

• by writing to 
  Data Protection Officer
  Ashfield District Council
  Ashfield District Council
  Urban Road
  Kirkby in Ashfield
  Nottinghamshire
  NG17 8DA
• By email: DPO@ashfield.gov.uk
• By telephone: 01623 457004

Statutory and government purposes

Processing necessary for the exercise of a function conferred on a person by enactment or the exercise of a function of the Crown, a Minister or a government department.

Administration of Justice and parliamentary purposes

Processing necessary for the administration of justice or the exercise of a function of Parliament.

Equality of opportunity or treatment

Processing necessary for identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people with the view to enabling such equality to be promoted or maintained. It only applies to particular types of special category data, and the Bill sets out in a table the type of review which can be conducted. For example, data concerning sexual orientation can only be processed for reviewing equality of opportunity or treatment of people of different sexual orientation.

Racial and ethnic diversity at senior levels of organisations

Preventing or detecting unlawful acts

Processing necessary to prevent or detect an unlawful act (including an unlawful failure to act).

Protecting the public against dishonesty etc

Processing necessary to protect the public against: dishonesty, malpractice or other serious improper conduct, unfitness or incompetence, mismanagement in the administration of a body or association; or failures in services provided by a body or association.

Regulatory requirements relating to unlawful acts and dishonesty etc

Preventing fraud

Processing for the purposes of preventing fraud.

Suspicion of terrorist financing and money laundering

Processing necessary for certain disclosures made under the Terrorism Act 2000 and Proceeds of Crime Act 2002.

Support for individuals with a particular disability or medical condition

Counselling etc

Processing necessary for the provision of confidential counselling, advice or support services.

Safeguarding of children and of individuals at risk

Safeguarding of economic well-being of certain individuals

Insurance

Processing necessary for an insurance purpose, and which is of personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health.

Occupational pensions

Processing necessary for the purpose of making a determination in connection with eligibility for benefits payable under, an occupational pension scheme.

Political parties

Processing of political opinions data is necessary for the political activities of a person or organisation registered under the Political Parties, Elections and Referendums Act 2000.

Elected representatives responding to requests

Allows an elected representative to process data where necessary (in connection with the discharge of the elected representative’s functions) for the purpose of taking action in response to a request from an individual.

Disclosure to elected representative

Processing which consists of the disclosure of personal data to an elected representative by a data controller necessary for the purpose of responding to a communication from the representative (in relation to a request the representative has received from an individual).

Informing elected representatives about prisoners

Processing for the purpose of informing a member of the House of Commons or a member of the Scottish Parliament about a prisoner.

Publication of legal judgments

Processing which is necessary for the purpose of publishing a judgment or other decision of a court or tribunal.

Consent Processing

With the consent of the data subject.

Protecting individual’s vital interests

Processing of criminal convictions data necessary in the vital interests of an individual.

Processing by not-for-profit bodies

Processing in the course of legitimate activities pursued by a not-for-profit body with a political, philosophical, religious or trade union aim where the processing relates to members, former members or persons with regular contact with the body.

Personal data in the public domain

Processing where personal data is manifestly made public by a data subject.

Legal claims

Processing is necessary for purpose of: (i) any legal proceedings; (ii) obtaining legal advice; or (iii) establishing, exercising or defending legal rights.

Extension of certain conditions under Schedule 1, Part 2

Allows processing of criminal convictions data, where processing would meet a condition in Schedule 1, Part 2 except for the fact it must satisfy the substantial public interest test, provided the controller has an appropriate policy document in place and meets the additional safeguards in Part 4.

Extension of insurance conditions

Should the processing of personal data not reveal racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health, then this extension allows processing where it would otherwise meet the insurance condition in Schedule 1, Part 2, or the condition relating to the extension of certain conditions under Schedule 1, Part 2 stated above (when processing criminal convictions