Appropriate Policy Document – processing special category and criminal conviction data

Procedures for ensuring compliance with the principles in Article 5 UK GDPR

We will: 

Accountability

Appointment of a data protection officer who reports to our highest management level.

Take a ‘data protection by design and default’ approach to our activities.

Maintain documentation of our processing activities.

Adopt and implement data protection policies.  Ensure we have written contracts in place for our processors.

Implement appropriate and reasonable security measures.

Carry out data protection impact assessments for our high-risk processing activities. 

Principle (a): lawfulness, fairness and transparency

Ensure personal data is only processed where a lawful basis applies.

Ensure data subjects are not misled about the purposes of any processing. 

Provide data subjects with details on how we process their data by publishing privacy notices for all council functions. 

Principle (b): purpose limitation

Only collect personal data for specified, explicit and legitimate purposes.

Inform data subjects what those purposes are within privacy notices. 

Not use personal data for purposes that are incompatible with the purpose for which it was collected.

Only share data with another controller where it can be evidenced that they are authorised by law to process the data for their purpose.

Principle (c): data minimisation

Only collect personal data necessary for the relevant purposes and ensure that it is not excessive.

Ensure that we erase  personal data provided to us or obtained by us, that is not relevant to our stated purposes. 

Principle (d): accuracy

Ensure that personal data is accurate and kept up to date where necessary. 

Take particular care to ensure accuracy of personal data held. 

Take reasonable steps to ensure that data is erased or rectified when it is brought to our attention that personal data is inaccurate or out of date. 

Principle (e): storage limitation

Only keep personal data in identifiable form for as long as is necessary.

Determine retention periods based on:

  • our legal obligations
  • the necessity of the data to our business needs

Make retention schedules publicly available.

Principle (f): integrity and confidentiality (security) 

Ensure effective technical and organisational policies and procedures are in place to support secure working practices. 

Educate and train staff to handle and process personal data securely.

Ensure specialist staff are available to provide support and guidance.

Ensure appropriate roles are in place to support information risk management.