Special category data privacy notice for candidates applying for a public appointment role at DBT
Updated 3 September 2024
© Crown copyright 2024
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/public-appointments-privacy-notice/special-category-data-privacy-notice-for-candidates-applying-for-a-public-appointment-role-at-dbt
This policy explains how the Department for Business and Trade (DBT) processes special category data of candidates applying for public appointment roles.
You can also view the general privacy notice for candidates applying for a public appointment role at DBT.
DBT processes special category data in accordance with Articles 9 and 10 of the General Data Protection Regulation (GDPR) and Schedule 1, Part 2 Equality of opportunity or treatment, Data Protection Act (DPA) 2018.
The special category data DBT processes includes data concerning candidates’:
- racial or ethnic origin
- political opinions
- trade union membership
- health
- sex life or sexual orientation
1. Purpose of processing special category data
We process special category data about candidates that is necessary to fulfil our recruitment and appointment obligations. This includes information about disability, ethnicity or membership of a political party.
This policy document should be read alongside the DBT Public Appointments Privacy Notice.
2. Conditions for processing special category data
We process special categories of data under the following GDPR articles.
2.1 Consent
Article 9(2)(a) Explicit consent
The consent must be given for one or more specified purposes.
2.2 Employment and social protection
Article 9(2)(b)
Where processing is necessary for the purposes of performing or exercising obligations or specific rights of the controller or of the data subjects in the area of employment, social security or social protection and pursuant to authorisation granted by domestic law or collective agreement which safeguards the fundamental rights and the interests of the data subject.
When the processing of special category of personal data is processed under the 9(2)(b) of UK GDPR, section 10 of DPA 2018 provides further requirement to meet the condition set in Article 9(2)(b) above.
These conditions are set under Schedule 1 Part 1 DPA 2018 under paragraphs:
- employment, social security and social protection
- health or social care purposes
2.3 Substantial public interest
Article 9(2)(g)
The processing of special category of personal data is necessary for reasons of substantial public interest. The processing must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
When the processing of special category of personal data is processed under the 9(2)(g) of UK GDPR, section 10 of DPA 2018 provides further requirement to meet the condition set in article 9(2)(g). The condition is set in schedule 1, part 2, paragraph 8, DPA 2018 which says:
Equality of opportunity or treatment
This condition is met if the processing:
- is of a specified category of personal data
- is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained
The above is subject to the definition is sub-paragraph 2 of that aforementioned paragraph 8 and subject to the exceptions in sub-paragraphs (3) to (5) of the same paragraph 8.
2.4 Procedures for ensuring compliance with the principles
Accountability principle
To meet the accountability requirements, we have put in place some technical organisational measures including:
- conducting a data protection impact assessment
- implementing appropriate security measures, such as password protecting documents containing personal data and having a double checking process before emailing personal data
- adhering to DBT and Civil Service policies on data protection, including seeking advice from the DBT data protection team
- updating DBT records of processing activity and the information asset register
- ensuring members of the team are up to date with the mandatory data protection training
- conducting information asset audits
These measures are regularly reviewed and updated or amended when required.
Principle (a): lawfulness, fairness and transparency
The processing of personal data must be lawful, fair and transparent.
This internal policy statement and DBT’s published public appointments privacy notice provides clear information about why we processes personal data for applicants of regulated and non-regulated public or direct appointments.
DBT processes personal data to comply with our obligations with regard to recruitment of either public or direct appointees and in adherence of the governance code and code of conduct for board members of public bodies, whichever is applicable.
Principle (b): purpose limitation
DBT only process personal data for a specified, explicit and legitimate purposes. We do not process personal data for purposes incompatible with the purposes for which it is collected.
We process personal data for purposes of public interest which are necessary to fulfil our statutory function in relation to recruitment provided the processing is necessary and proportionate.
We declare in our privacy notices that we may share data with another controller (such as the Cabinet Office) who maintain the public appointments website application system, known as ATS.
We ensure that the use of the ATS platform is covered by the memorandum of understanding between the Cabinet Office and the Department for Business and Trade.
Principle (c): data minimisation
We only collect personal data that is adequate to effectively carry the recruitment process, thereby ensuring that the information we process is necessary and proportionate for our purposes. Where personal data is provided to use or obtained by us, but is not relevant to our stated purposes, we ensure that it is securely deleted from the file.
Principle (d): accuracy
We rely on the information supplied by the data subject and the result of the vetting process conducted by main vetting provider in the UK. We will take all reasonable steps to correct inaccurate personal data.
In addition to that, we will ensure that we are not keeping out of date information, that we will take every reasonable step to erase or amend inaccurate personal information without delay, unless otherwise required by law or regulation to keep the data in its original form
Principle (e): storage limitation
All personal data processed by the team for the purpose of employment or substantial public interest is retained for the periods set out in our retention schedule (see below), unless retained for longer period for archiving purposes.
We have determined the retention period for the data that we hold based on our legal obligations and the necessity of its retention for our business needs.
DBT’s retention schedule is reviewed regularly and updated when necessary.
Principle (f): integrity and confidentiality
Electronic information is processed on a secure network, which have appropriate access controls applied. Hard copy information is processed in line with our security procedures. Documents (either electronic or hard copy) are protectively marked with appropriate security markings such as ‘Official Sensitive: Personal’.
The systems we use to process personal data allow us to erase or update personal data as appropriate and if needed.
3. Retention and erasure policy
| Type of data | Trigger point | Duration | Action |
|---|---|---|---|
| Successful recruitment candidate information (including third party referee details provided by the applicant if provided) | End of appointment | For duration of appointment plus 2 years | Destroy |
| Unsuccessful recruitment candidate information (including third party referee details provided by the applicant if provided) | Last action | 2 years from date successful appointee announced | Destroy |
| Diversity data | Date of appointment announced | If successfully appointed to a role, diversity data will be retained for rolling 5 year period whilst in post and for 5 years after end of appointment term. If unsuccessful in your application, diversity data will be held for 5 years from date the successful appointee is announced | Destroy |
4. Review date of this document
This document will be retained for the duration of our processing. The document will be reviewed annually or more frequently, if necessary.