Notice

Processing of special categories of personal data and criminal offence data: National Security and Investment Act (Appropriate Policy Document)

Updated 27 November 2023

As part of the Cabinet Office’s statutory and corporate functions, our lawful bases for processing special category and criminal convictions data under UK GDPR are set out in Schedule 1 of the Data Protection Act 2018 (see below).

Special category data

Special category data is defined as personal data revealing:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation

Criminal conviction data

Section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.

Appropriate Policy Document

Some of the Schedule 1 conditions for processing special category and criminal offence data require Cabinet Office to have an Appropriate Policy Document (APD) in place, setting out and explaining our procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data.

This document explains our processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018.

In addition, it provides some further information about our processing of special category and criminal offence data where a policy document is not a specific requirement. The information supplements the Privacy Notice.

Conditions for processing special category and criminal offence data

Schedule 1 conditions for processing

Special category data and Criminal convictions data

Cabinet Office processes special category data for the following purposes in Part 2 of Schedule 1. All processing is for the first listed purpose and might also be for others dependent on the context:

a. Statutory and government purposes (para 6, schedule 1, DPA 2018)

The NSI Act:

  • establishes a requirement for qualifying entities operating in 17 sensitive areas of the economy to seek authorisation for specific types of acquisitions
  • creates a voluntary notification system to encourage notifications from parties who consider that their acquisitions may raise national security concerns (where the business in question is not one of those automatically required to notify)
  • enables the Secretary of State in the Cabinet Office (“the Secretary of State”) to ‘call in’ statutorily defined acquisitions or other events to undertake a national security assessment (whether or not they have been notified to the government)
  • creates the power to apply remedies to address risks to national security
  • creates sanctions for non-compliance with the Act
  • provides clear routes for parties to challenge decisions in the courts

The NSI Act is operated by the Investment Security Unit (ISU) in the Cabinet Office. The ISU is responsible for centrally coordinating a cross-Government process to scrutinise investments with potential national security threats and provide balanced advice on such investments to the Secretary of State.

Processing of personal data by Cabinet Office in this context is for the purposes of substantial public interest and is necessary for the exercise of a function of the Crown, a Minister of the Crown or a government department (see DPA 2018, Part 2, Schedule 1).

b. Preventing or detecting unlawful acts (para 10, schedule 1, DPA 2018)

Processing of personal data by Cabinet Office in this context is where it is necessary for the purposes of the prevention or detection of an unlawful act, which must be carried out without the consent of the data subject so as not to prejudice those purposes and is necessary for reasons of substantial public interest.

Examples include where Cabinet Office processes information for the purpose of reducing risks to the national security of the United Kingdom. This can include implementing civil and/or criminal penalties against companies who do not comply with their legal obligation under the NSI Act.

c. Protecting the public against dishonesty etc (para 11, schedule 1, DPA 2018)

For example: where Cabinet Office needs to process Criminal Offence/Special Category data to protect members of the public from malpractice, unfitness, incompetence or mismanagement in the administration of a body or organisation, and obtaining consent would prejudice the exercise of the protective function. This could include taking enforcement action against a company for non-compliance with the NSI Act or an order against the company.

d. Regulatory requirements relating to unlawful acts and dishonesty (para 12, schedule 1, DPA 2018)

For example: where Cabinet Office needs to process Criminal Offence/Special Category data to comply with a requirement which involves taking steps to establish whether a company has committed an unlawful act, or been involved in dishonesty, malpractice or other seriously improper conduct. This could include non-compliance with an order.

e. Preventing fraud (para 14, schedule 1, DPA 2018) 

For example: where Cabinet Office needs to disclose personal data to an anti-fraud organisation such as the Financial Conduct Authority.

f. Suspicion of terrorist financing or money laundering (para 15, schedule 1, DPA 2018)

For example: where Cabinet Office needs to disclose personal data to law enforcement agencies.

Processing which requires an Appropriate Policy Document

Almost all of the substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018 require an Appropriate Policy Document (APD) (see Schedule 1 paragraph 5).

This Appropriate Policy Document demonstrates that the processing of special category and criminal offence data based on these specific Schedule 1 conditions is compliant with the requirements of the UK GDPR Article 5 principles.

Description of data processed

Processing by Cabinet Office for reasons of substantial public interest relates to the data it receives or obtains to fulfil its statutory function as a government department responsible for implementing and operating the NSI Act. This may be evidence provided to Cabinet Office through mandatory notifications, voluntary notifications or retrospective validations, or as part of a complaint or information the department gathers for its investigations. Further information about this processing can be found in our Privacy Notice.

Cabinet Office also maintains a record of its processing activities in accordance with Article 30 of the UK GDPR.

Procedures for ensuring compliance with the principles

Accountability principle

Cabinet Office has put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:

  • the appointment of a Data Protection Officer who reports directly to our highest management level
  • taking a ‘data protection by design and default’ approach to our activities
  • keeping and maintaining documentation of our processing activities
  • adopting and implementing data protection policies and ensuring we have agreements in place with any Data Processors, Independent or Joint Data Controllers
  • implementing appropriate security measures in relation to the personal data we process
  • carrying out a Data Protection Impact Assessment
  • regularly reviewing our accountability measures and updating or amending them when required

Principle (a): Lawfulness, Fairness and Transparency

Processing personal data must be lawful, fair and transparent. The processing of special category and criminal convictions data is only lawful if and to the extent it is based on law and either the data subject has given their consent for the processing, or the processing meets at least one of the conditions in Schedule 1 of the Data Protection Act 2018.

Cabinet Office provides clear and transparent information about why we process personal data, including our lawful basis for processing, in our National Security and Investment Act 2021 privacy notice and this policy document.

Our processing for purposes of substantial public interest is necessary for the exercise of a function conferred on Cabinet Office as the government department responsible for implementing and operating the NSI Act.

Principle (b): Purpose Limitation

Cabinet Office processes personal data for purposes of substantial public interest as explained above when the processing is necessary for us to fulfil our functions as a government department, where it is necessary for preventing or detecting unlawful acts, complying with or assisting another to comply with a regulatory requirement to establish whether unlawful or improper conduct has occurred, preventing fraud or for disclosure to elected representatives.

Cabinet Office is authorised by law to process personal data for these purposes. Cabinet Office may process personal data collected for any one of these purposes (whether by us or another controller), for any of the other purposes here, providing the processing is necessary and proportionate to that purpose.

If we are sharing data with another controller, an agreement will be in place to document that they are authorised by law to process the data for their purpose.

We will not process personal data for purposes incompatible with the original purpose it was collected for.

Principle (c): Data Minimisation

Cabinet Office collects personal data necessary for the relevant purposes and ensures it is not excessive. The information we process is necessary for and proportionate to our purposes. Where personal data is provided to us or obtained by us, but is not relevant to our stated purposes, we will erase it.

Principle (d): Accuracy

Where Cabinet Office becomes aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, Cabinet Office will take every reasonable step to ensure that data is erased or rectified without delay. If Cabinet Office decides not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights do not apply, we will document our decision.

Principle (e): Storage Limitation

Cabinet Office will retain information processed for 10 years from closure of the matter unless there is a legitimate reason to retain it for longer.

Principle (f): Integrity and Confidentiality (Security)

Electronic information is processed within our secure network. Hard copy information is processed in line with our security procedures.

Our electronic systems and physical storage have appropriate access controls applied.

The systems we use to process personal data allow us to erase or update personal data at any point in time where appropriate.

Retention and erasure policies

Personal data obtained for the purposes listed above will be retained by the ISU for up to 10 years. In certain circumstances, we may need to keep some records for longer periods of time. This might include, for example, situations where cases lead to further investigations, where the information could be relevant to ongoing or future NSI cases including compliance and enforcement, or where it is needed for ongoing or prospective legal proceedings. In some circumstances we will anonymise your personal information so that it can no longer be associated with you. When this happens, the information will be used without further notice to you. 

All Right to be forgotten / Right of Erasure requests will be processed in accordance with Cabinet Office’s statutory obligations under the UK GDPR and DPA 2018.

APD review date

This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases. This policy will be reviewed annually or revised more frequently if necessary.

Additional special category processing

Cabinet Office processes special category personal data in other instances where it is not a requirement to keep an appropriate policy document. Our processing of such data respects the rights and interests of the data subjects. Cabinet Office provides clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notice and staff privacy notice.