Introduction and scope
We, as part of our statutory, corporate and public task functions, process special category data and criminal convictions data in accordance with the requirements of:
- Article 9 and 10 of the UK General Data Protection Regulation (‘UK GDPR’) and
- Schedule 1 of the Data Protection Act 2018 (‘DPA 2018’).
Some Schedule 1 conditions for processing special category and criminal offence data require us to have an Appropriate Policy Document (‘APD’) in place. This sets out and explains our procedures for securing compliance with the principles in Article 5 UK GDPR, and policies regarding the retention and erasure of such personal data.
This document explains our processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018.
This document should be read alongside our data protection policy.
Special category data is defined at Article 9 UK GDPR as personal data relating to:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health; or
- data concerning a natural person’s sex life or sexual orientation
Criminal conviction data is described at Article 10(1) of the UK GDPR as any personal data relating to criminal convictions and offences or related security measures. This is further defined at Section 11(2) of the DPA 2018 as personal data relating to:
- the alleged commission of offences by the data subject; or
- proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing
Scope
This policy applies to:
- all special category and criminal conviction data that we process for the purposes described in this document, regardless of its format
- any individual processing personal data that we hold
Relevant Schedule 1 conditions and data processing
We process personal data, for which an APD is required, under the following Relevant Schedule 1 conditions:
- Part 1, Paragraph 1(1) – employment, social security and social protection. For example:
- to fulfil our legal obligations as an employer
- managing staff sickness absence
- conducting pre-employment checks, including criminal record checks
- recording declarations of political affiliations
- recording trade union membership
- Part 2, Paragraph 6(1) and (2)(a) – statutory and government purposes. For example:
- fulfilling our many obligations under UK law for the provision of public services to the residents of Lincolnshire
- assisting other public bodies to fulfil their obligations through sharing information, such as:
- central government
- health organisations
- law enforcement agencies
-
Part 2, Paragraph 8(1) – equal opportunity or treatment. For example:
- ensuring our compliance with our obligations under the Equality Act 2010.
- to provide equal access to our services.
- Part 2; Paragraph 18(1) – safeguarding of children and individuals at risk. For example:
- protecting children and young people from neglect, physical, mental or emotional harm.
- participating in multi-agency arrangements to support vulnerable adults such as victims of domestic abuse.
-
Part 2, Paragraph 24(1) – disclosure to elected representatives. For example:
- assisting elected representatives such as local government Councillors and Members of Parliament with requests for assistance on behalf of their constituents.
Procedures for ensuring compliance with the principles in Article 5 UK GDPR
We will:
Accountability
Appointment of a data protection officer who reports to our highest management level.
Take a ‘data protection by design and default’ approach to our activities.
Maintain documentation of our processing activities.
Adopt and implement data protection policies. Ensure we have written contracts in place for our processors.
Implement appropriate and reasonable security measures.
Carry out data protection impact assessments for our high-risk processing activities.
Principle (a): lawfulness, fairness and transparency
Ensure personal data is only processed where a lawful basis applies.
Ensure data subjects are not misled about the purposes of any processing.
Provide data subjects with details on how we process their data by publishing privacy notices for all council functions.
Principle (b): purpose limitation
Only collect personal data for specified, explicit and legitimate purposes.
Inform data subjects what those purposes are within privacy notices.
Not use personal data for purposes that are incompatible with the purpose for which it was collected.
Only share data with another controller where it can be evidenced that they are authorised by law to process the data for their purpose.
Principle (c): data minimisation
Only collect personal data necessary for the relevant purposes and ensure that it is not excessive.
Ensure that we erase personal data provided to us or obtained by us, that is not relevant to our stated purposes.
Principle (d): accuracy
Ensure that personal data is accurate and kept up to date where necessary.
Take particular care to ensure accuracy of personal data held.
Take reasonable steps to ensure that data is erased or rectified when it is brought to our attention that personal data is inaccurate or out of date.
Principle (e): storage limitation
Only keep personal data in identifiable form for as long as is necessary.
Determine retention periods based on:
- our legal obligations
- the necessity of the data to our business needs
Make retention schedules publicly available.
Principle (f): integrity and confidentiality (security)
Ensure effective technical and organisational policies and procedures are in place to support secure working practices.
Educate and train staff to handle and process personal data securely.
Ensure specialist staff are available to provide support and guidance.
Ensure appropriate roles are in place to support information risk management.
Retention and erasure of data, further information and review
Our retention and erasure practices are set out in our records management policy.
Further information
We have published a suite of related policies and privacy information on our website.
For further information please contact the DPO and dpo@lincolnshire.gov.uk.
Policy review
This policy shall be reviewed on an annual basis.