Notice

Processing of special categories of personal data and criminal offence: COVID-19 loan schemes (Appropriate Policy Document)

Updated 3 July 2023

As part of the statutory and corporate functions of the Department for Business and Trade (DBT), we process special category data and criminal offence data in accordance with the requirements of Articles 9 and 10 of the UK General Data Protection Regulation (UK GDPR) and Schedule 1 of the Data Protection Act 2018 (DPA 2018).

Special category data

Special category data is defined at Article 9 UK GDPR as personal data revealing:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation

Criminal conviction data

Article 10 UK GDPR covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.

Appropriate Policy Document

Some of the Schedule 1 conditions for processing special category and criminal offence data require us to have an Appropriate Policy Document (‘APD’) in place, setting out and explaining our procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data.

This document explains our processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018.

In addition, it provides some further information about our processing of special category and criminal offence data where a policy document is not a specific requirement. The information supplements our privacy notice.

Our processing of special category and criminal offence data for law enforcement purposes is not covered in this document. Processing for law enforcement purposes is carried out by us in our capacity as a competent authority and falls under Part 3 of the DPA 2018. For further information please see our Appropriate Policy Document for law enforcement sensitive processing.

Conditions for processing special category and criminal offence data

We process special categories of personal data under the following UK GDPR Articles:

i. Article 9(2)(g) - reasons of substantial public interest

a. Statutory etc and government purposes

The Department for Business and Trade is the Loan Guarantor for the COVID-19 Loan Schemes being delivered by the British Business Bank (BBB).

As a government department and Loan Guarantor we have responsibility under the loan schemes. We collect personal data from BBB who provide us with information on all the loan applications where an accredited lender has offered finance to a business under one of the COVID-19 loan schemes.

Our processing of personal data in this context is for the purposes of substantial public interest and is necessary for the exercise of a function of the Crown, a Minister of the Crown or a government department (see DPA 2018, Part 2, Schedule 1).

Examples of our processing include the information we seek or receive as part of our role in administering the scheme and protecting against risks to the taxpayer through civil enforcement, litigation and debt recovery.

We also receive and may publish diversity information about Future Fund companies that have obtained investment.

b. Preventing or detecting unlawful acts

Our processing of personal data in this context is where it is necessary for the purposes of the prevention or detection of an unlawful act, which must be carried out without the consent of the data subject so as not to prejudice those purposes and is necessary for reasons of substantial public interest.

Examples include where DBT processes information for the purposes of pursuing civil litigation and enforcement, such as account freezing orders and forfeiture of seized cash.

c. Preventing fraud - Data sharing with a specified anti-fraud organisation

DBT will disclose information where it is necessary for the purposes of preventing fraud, as a member of a specified anti-fraud organisation or otherwise, in accordance with any arrangements made with such an organisation (DPA, Part 2, Schedule 1).

An ‘anti-fraud organisation’ has the same meaning as in section 68 of the Serious Crime Act 2007. A specified anti-fraud organisation enables or facilitates the sharing of information for the prevention of fraud and is specified by an order made by the Secretary of State. Disclosures of information from a public authority to a specified anti-fraud organisation are subject to a code of practice. This code, along with a full list of the specified anti-fraud organisations we may share information with, can be found in the Home Office publication ‘Data sharing for the prevention of fraud: code of practice’.

ii. Article 9(2)(j) – for archiving purposes in the public interest

The relevant purpose we rely on is Schedule 1 Part 1 paragraph 4 – archiving.

An example of our processing is the transfers we make to the National Archives as part of our obligations under the Public Records Act 1958.

iii. Article 9(2)(f) – for the establishment, exercise or defence of legal claims

Examples of our processing include processing relating to any civil litigation undertaken in respect of loan recovery or other litigation.

iv. Article 9(2)(a) – explicit consent

In circumstances where we seek consent, we make sure that the consent is unambiguous and for one or more specified purposes, is given by an affirmative action and is recorded as the condition for processing.

v. Criminal offence data

We process criminal offence data under Article 10 of the UK GDPR.

Processing which requires an Appropriate Policy Document

Almost all of the substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018 require an Appropriate Policy Document (APD) (see Schedule 1 paragraph 5).

This Appropriate Policy Document demonstrates that the processing of special category and criminal offence data based on these specific Schedule 1 conditions is compliant with the requirements of the UK GDPR Article 5 principles.

Description of data processed

Our processing for reasons of substantial public interest relates to the data we receive or obtain to fulfil our statutory function as a government department and guarantor of the loans scheme. This may be evidence provided to us as part of a complaint or intelligence information we gather for our investigations. Further information about this processing can be found in our privacy notice.

We also maintain a record of our processing activities in accordance with Article 30 of the UK GDPR.

Schedule 1 conditions for processing

Special category data

We process special category data for the following purposes in Part 2 of Schedule 1. All processing is for the first listed purpose and might also be for others dependent on the context:

  • Paragraph 6(1) and (2)(a) Statutory and government purposes
  • Paragraph 8(1) Equality of opportunity or treatment
  • Paragraph 10(1) Preventing or detecting unlawful acts
  • Paragraph 12(1) and (2) Regulatory requirements relating to unlawful acts and dishonesty
  • Paragraph 14(1) and (2) Preventing fraud
  • Paragraph 24(1) and (2) Disclosure to elected representatives

Criminal offence data

We process criminal offence data for the following purposes in Part 2 of Schedule 1:

  • Paragraph 6(1) and (2)(a) - Statutory and government purposes
  • Paragraph 10(1) - Preventing or detecting unlawful acts
  • Paragraph 12 - Regulatory requirements relating to unlawful acts and dishonesty
  • Paragraph 14(1) and (2) - Preventing fraud
  • Paragraph 24(1) and (2) - Disclosure to elected representatives
  • Paragraph 32 - Personal data in the public domain
  • Paragraph 33 - Legal claims
  • Paragraph 36 - Substantial public interest

Procedures for ensuring compliance with the principles

Accountability principle

We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:

  • the appointment of a data protection officer who reports directly to our highest management level
  • taking a ‘data protection by design and default’ approach to our activities
  • maintaining documentation of our processing activities
  • adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors
  • implementing appropriate security measures in relation to the personal data we process
  • carrying out data protection impact assessments for our high-risk processing

We regularly review our accountability measures and update or amend them when required.

Principle (a): lawfulness, fairness and transparency

Processing personal data must be lawful, fair and transparent. It is only lawful if and to the extent it is based on law and either the data subject has given their consent for the processing, or the processing meets at least one of the conditions in Schedule 1.

We provide clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notice and this policy document.

Our processing for purposes of substantial public interest is necessary for the exercise of a function conferred on DBT as a government department and its role as Guarantor for the COVID-19 Loan Schemes.

Principle (b): purpose limitation

We process personal data for purposes of substantial public interest as explained above when the processing is necessary for us to fulfil our functions as a government department, where it is necessary for preventing or detecting unlawful acts, complying with or assisting another to comply with a regulatory requirement to establish whether unlawful or improper conduct has occurred, preventing fraud or for disclosure to elected representatives.

We are authorised by law to process personal data for these purposes. We may process personal data collected for any one of these purposes (whether by us or another controller), for any of the other purposes here, providing the processing is necessary and proportionate to that purpose.

If we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose.

We will not process personal data for purposes incompatible with the original purpose it was collected for.

Principle (c): data minimisation

We collect personal data necessary for the relevant purposes and ensure it is not excessive. The information we process is necessary for and proportionate to our purposes. Where personal data is provided to us or obtained by us, but is not relevant to our stated purposes, we will erase it.

Principle (d): accuracy

Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights do not apply, we will document our decision.

Principle (e): storage limitation

All special category data processed by us for the purpose of substantial public interest is, unless retained longer for archiving purposes, retained for the periods set out in our retention schedule. We determine the retention period for this data based on our legal obligations and the necessity of its retention for our business needs. Our retention schedule is reviewed regularly and updated when necessary.

Principle (f): integrity and confidentiality (security)

Electronic information is processed within our secure network. Hard copy information is processed in line with our security procedures.

Our electronic systems and physical storage have appropriate access controls applied.

The systems we use to process personal data allow us to erase or update personal data at any point in time where appropriate.

Retention and erasure policies

Our retention and erasure practices are set out in our retention schedule.

APD review date

This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.

This policy will be reviewed annually or revised more frequently if necessary.

Additional special category processing

We process special category personal data in other instances where it is not a requirement to keep an appropriate policy document. Our processing of such data respects the rights and interests of the data subjects. We provide clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notice and staff privacy notice.