Policy paper

Appropriate policy document: special category personal data and criminal offence data

Published 14 June 2023

Applies to England

Scope

When processing personal data, Defra will comply with the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and any associated legislation.

This policy document has been developed for Defra to meet the requirement for an Appropriate Policy Document (APD) under Schedule 1, Part 4 of the DPA 2018. This details the safeguards Defra has put in place when it processes special category personal data and criminal offence data in accordance with the requirements of Articles 9 and 10 of the UK GDPR and Schedule 1 of the DPA 2018.

Our processing of special category and criminal offence data for law enforcement purposes is not covered in this document. Processing for law enforcement purposes is carried out by us in our capacity as a competent authority and falls under Part 3 of the DPA 2018. For further information please read our appropriate policy document for sensitive processing for law enforcement purposes.

Defra processes special category personal data in other instances where it is not a requirement to keep an APD. Our processing of such data respects the rights and interests of the data subjects. Defra’s personal information charter and privacy notices have more information about Defra’s data protection policy and procedures, including the kind of data we hold and what it is used for.

Special category data

Special category data is defined by the UK GDPR Article 9 as personal data which reveals:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation

Criminal offence data

The UK GDPR Article 10 covers processing in relation to criminal convictions and offences or related security measures. Section 11(2) of the DPA 2018 provides that criminal offence data includes data which relates to the alleged commission of offences, related proceedings and sentencing.

Conditions for processing special category and criminal offence data

We process special categories of personal data under the following UK GDPR Articles:

Article 9(2)(a) – explicit consent

In circumstances where we seek consent, we make sure that the consent is unambiguous and for one or more specified purposes, is given by a positive action and is recorded as the condition for processing, such as when requesting health data from customers to assess the health impact of our policies.

Article 9(2)(b) - employment or social protection

Where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on Defra or the data subject in connection with employment, social security or social protection. For example, our processing of staff sickness absences and register of interest declarations.

Article 9(2)(c) - vital interests

Where processing is necessary to protect the vital interests of the data subject or of another natural person. An example of our processing would be using health data about a member of staff in a medical emergency.

Article 9(2)(f) - legal claims

For the establishment, exercise or defence of legal claims, such as processing relating to any employment tribunal or other litigation.

Article 9(2)(g) - substantial public interest

Reasons of substantial public interest. For example, Defra is responsible for improving and protecting the environment. We aim to grow a green economy and sustain thriving rural communities. We also support our world-leading food, farming and fishing industries.

Defra processes special category data in the performance of its statutory and corporate functions which are of substantial public interest, such as the data we seek or receive as part of investigating a complaint.

Article 9(2)(j) - archiving, research and statistics

For archiving, research and statistics in the public interest with Schedule 1 Part 1 paragraph 4, such as the data transfers we make to the National Archives as part of our obligations under the Public Records Act 1958.

Defra processes criminal offence data under Article 10 of the UK GDPR as it is exercising official authority within the meaning set out in Section 8 of the DPA 2018, such as pre-employment checks and declarations by an employee in line with contractual obligations.

DPA 2018 Schedule 1 conditions for processing

All processing is for the first listed purpose and might also be for others, depending on the context.

We process special category data for the following purposes in Part 1 Schedule 1:

  • paragraph 1 – employment, social security and social protection
  • paragraph 4 – research, archiving, scientific, historical or statistical purposes carried out in accordance with Article 89(1) and is in the public interest

We process special category data for the following purposes in Part 2 Schedule 1:

  • paragraph 6 – statutory etc and government purposes ie necessary for the exercise of the function conferred on a person by an enactment or rule of law, or exercise of a function of the Crown, a Minister of the Crown or a government department
  • paragraph 7 – administration of justice and parliamentary purposes
  • paragraph 8 – equality of opportunity or treatment
  • paragraph 10 – preventing or detecting unlawful acts
  • paragraph 12 – regulatory requirements relating to unlawful acts and dishonesty etc
  • paragraph 24 – disclosure to elected representatives

Criminal offence data – We process criminal offence data for the following purposes in Parts 1 and 2 of Schedule 1:

  • paragraph 1 – employment, social security and social protection
  • paragraph 6 – statutory etc and government purposes ie necessary for the exercise of the function conferred on a person by an enactment or rule of law, or exercise of a function of the Crown, a Minister of the Crown or a government department

Data protection principles

We comply with the principles relating to processing of personal data under the UK GDPR Article 5 as set out below:

Principle 1 – 5(a) – lawfulness, fairness and transparency

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. We will:

  • ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful
  • only process personal data fairly and will ensure that data subjects are not misled about the purposes of any processing
  • ensure that data subjects receive full privacy information so that any processing of personal data is transparent

Principle 2 – 5(b) – purpose limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. We will:

  • only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in a privacy notice
  • not use personal data for purposes that are incompatible with the purposes for which it was collected. If we do use personal data for a new purpose that is compatible, we will inform the data subject first

Principle 3 – 5(c) – data minimisation

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We will:

  • only collect the minimum personal data that we need for the purpose(s) for which it is collected
  • ensure that the data we collect is adequate and relevant

Principle 4 – 5(d) – accuracy

Personal data shall be accurate and, where necessary, kept up to date. We will:

  • ensure that personal data is accurate and kept up to date where necessary
  • take particular care to do this where our use of the personal data has a significant impact on individuals
  • take every reasonable step to ensure that data is erased or rectified without delay if we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed

If we decide not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights don’t apply, we will document our decision.

Principle 5 – 5(e) – storage limitation

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. We will:

  • only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so
  • delete, put beyond use or render permanently anonymous personal data once we no longer need it

Principle 6 – 5(f) – integrity and confidentiality (security)

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. We will:

  • ensure that there are appropriate organisational and technical measures in place to protect personal data
  • have strict security standards, and all our staff and other people who process personal data on our behalf get regular training about how to keep data safe
  • limit access to your personal data to those employees or third parties who have a business or legal need to access it

Accountability principle

We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:

  • the appointment of a Data Protection Officer who reports directly to our Permanent Secretary
  • taking a ‘data protection by design and default’ approach to our activities
  • maintaining documentation of our processing activities
  • adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors
  • implementing appropriate security measures in relation to the personal data we process
  • carrying out data protection impact assessments for our high-risk processing
  • regularly reviewing our accountability measures and updating or amending them when required

Retention and erasure policies

We take the security of special category data and criminal offence data very seriously. We have administrative, physical and technical safeguards in place to protect personal data against unlawful or unauthorised processing, or accidental loss or damage. We will ensure, where special category data or criminal offence data are processed, that the processing is recorded, and that the record sets out where possible a suitable time period for the safe and permanent erasure of the different categories of data in accordance with our retention schedule.

Review

This policy will be kept under review with an additional formal review undertaken in 2 years. It will be retained where we process special category data and criminal offence data and for a period of at least 6 months after we stop carrying out such processing.