Appropriate Policy Document
- Definition of Special Category & Criminal Offence Data
- Description of Data Processed
- Schedule 1 Condition for Processing
- Compliance with the Principles
- Retention & Disposal
- Review Date
- Additional Special Category Processing
When processing personal data, we will comply with the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act (DPA) 2018 and any associated legislation.
As part of Pembrokeshire County Council’s (the Council) statutory and corporate functions, we process special category data and criminal offence data in accordance with the requirements of Articles 9 and 10 of the United Kingdom General Data Protection Regulation (UK GDPR) and Schedule 1 of the Data Protection Act (DPA) 2018.
This Appropriate Policy Document sets out how the Council will protect the special category and criminal offence data which it processes where all of the following conditions are met:
- we (data controller) are processing personal data which is the subject of Articles 9 or 10 of UK GDPR.
- we (data controller) are processing the personal data in reliance on a condition listed in Parts 1, 2 or 3 of Schedule 1 of the DPA 2018 which requires the controller to have an Appropriate Policy Document in place when the processing is carried out.
Some of the Schedule 1 conditions for processing special category and criminal offence data require us to have an Appropriate Policy Document in place, setting out and explaining our procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data.
This document explains our processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018.
In addition, it provides some further information about our processing of special category and criminal offence data where a policy document is not a specific requirement. The information supplements our privacy statement and service specific privacy notices.
Special Category Data
Special category data is defined by Article 9 of UK GDPR as personal data revealing:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data for the purpose of uniquely identifying a natural person;
- Data concerning health; or
- Data concerning a natural person’s sex life or sexual orientation.
Criminal Offence Data
Article 10 of UK GDPR covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.
The type of personal data the Council collects will depend on the specific service being provided, but may include data such as name, contact details, and financial details. Where appropriate, the Council may also need to collect special category and/or criminal conviction data.
As a public authority, the Council is required by law to protect the public funds it administers. The Auditor General is responsible for carrying out data matching exercises (as part of the National Fraud Initiative) using its powers under the Public Audit (Wales) Act 2004. As part of this, the Council is required to provide particular sets of data to assist in the prevention and detection of fraud.
The Council’s service specific privacy notices give more information about the kind of information we hold and what it is used for. We also maintain a record of our processing activities in accordance with Article 30 of the UK GDPR.
We process special category and criminal offence data for the following purposes in Part 1 of Schedule 1:
- Paragraph 1(1) employment, social security and social protection
- Paragraph 2(1) health or social care purposes
- Paragraph 3(1) public health
We process special category and criminal offence data for the following purposes in Part 2 of Schedule 1:
- Paragraph 6(1) and (2)(a) statutory etc and government purposes
- Paragraph 8(1) equality of opportunity or treatment
- Paragraph 10(1) preventing or detecting unlawful acts
- Paragraph 12(1) and (2) regulatory requirements relating to unlawful acts and dishonesty
- Paragraph 16(1) support for individuals with a particular disability or medical condition
- Paragraph 18(1) safeguarding of children and of individuals at risk
Processing may also be for other purposes depending on the context.
The Council is responsible for, and must be able to demonstrate compliance with, the principles.
We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:
- the appointment of a data protection officer who reports directly to our highest management level
- having appropriate policies (Data Protection Policy, IT Security Policy, Records Management Policy, Council Retention & Disposal Schedule) and ensuring we have written contracts in place with our data processors
- maintaining records of our processing activities (ROPAs)
- providing all employees with regular data protection and information security training
- implementing appropriate security measures in relation to the personal data we process
- taking a ‘data protection by design and default’ approach to our activities and carrying out data protection impact assessments for projects which involve personal data and that are likely to result in a high risk to individuals’ interests (consulting the ICO if appropriate)
- having a Data Protection Compliance Plan in place
Principle (a): lawfulness, fairness and transparency
We have identified a lawful basis, and Schedule 1 condition for processing special category data where relevant, for all our processing. These are documented in our records of processing activities (ROPAs). We provide clear and transparent privacy information to customers within the service specific privacy notices. We process personal data fairly and we ensure that data subjects are not misled about the purposes of any processing.
Principle (b): purpose limitation
We have clearly identified our purposes for processing and inform data subjects what those purposes are via the privacy information we provide on our service specific privacy notices. We will not process personal data for purposes incompatible with the original purpose it was collected for.
When we share special category data, sensitive data or criminal offence data with another controller or processor, we will ensure that there is an appropriate lawful basis and that there is an appropriate data sharing/processing agreement where necessary.
Principle (c): data minimisation
We only collect special category and criminal offence data necessary and proportionate for our specified purposes. We will delete data that is not relevant to the purposes and any data that is no longer required in accordance with the Council Retention & Disposal Schedule.
Principle (d): accuracy
The data we hold will be accurate and, where necessary, kept up to date. Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to make sure that data is erased or rectified without delay.
If we decide not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights do not apply, we will document our decision.
Challenges to the accuracy of data and rights to rectification are overseen by the small corporate data protection team to ensure they are dealt with in accordance with the legislation and Information Commissioner’s Office guidance.
Principle (e): storage limitation
The Council retains special category and criminal offence data for no longer than is necessary for the purposes for which the personal data is processed, and in accordance with the Council Retention & Disposal Schedule.
The retention periods for data are based on our legal obligations and the necessity of its retention for our business needs. At the end of the retention period, information is reviewed (including consideration of any historical value/public interest for archiving purposes) and disposed of if no longer required.
Principle (f): integrity and confidentiality
An IT Security Policy and Data Protection Policy are in place. We have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect about individuals.
We have strict security standards, and all our employees who process personal data receive regular training about how to keep information safe. We limit access to your personal information to those who have a business or legal need to access it.
Our electronic systems and physical storage have appropriate access controls applied.
Personal data is retained and disposed of in line with the Council Retention & Disposal Schedule. When disposing of information, the Council makes sure this is carried out securely.
This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.
This policy will be periodically reviewed and updated.
We process special category data in other instances where it is not a requirement to keep an Appropriate Policy Document. Our processing of such data respects the rights and interests of the data subjects. We provide clear and transparent information about why we process personal data including our lawful basis for processing in our service specific privacy notices.