Policy paper

Appropriate Policy Document: Special Category Personal Data and Criminal Offence Data

Updated 27 March 2025

1. Policy summary

The Rural Payments Agency (RPA) will comply with the requirements of the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and any associated law when processing personal data.

This Appropriate Policy Document (APD) details the safeguards we have in place for processing special category data and criminal offence data. It has been developed so we meet the requirements for an APD under DPA 2018 (Schedule 1 Part 4). The safeguards are in accordance with the requirements of the UK GDPR (Articles 9 and 10) and the DPA 2018 (Schedule 1).

We process special category and criminal offence data for law enforcement purposes in our capacity as a competent authority under the DPA 2018 (Part 3). Further information is in the appropriate policy document for sensitive processing for law enforcement purposes.

You can find more information about our data protection policy and procedures, including the kind of data we hold and what it’s used for, in our privacy notices and Personal Information Charter.

2. Special category data

Special category data is defined by the UK GDPR (Article 9) as personal data which reveals a data subject’s:

  • race or ethnic origin

  • political opinions

  • religious or philosophical beliefs

  • trade union membership

  • genetic data

  • biometric identification

  • health

  • sexual life, sexual orientation, or both

3. Criminal offence data

The UK GDPR (Article 10) covers processing of criminal convictions and offences, or related security measures. The DPA 2018 (Section 11(2)) provides that criminal offence data includes information about:

  • the alleged commission of offences
  • related proceedings
  • sentencing

4. Conditions for processing special category and criminal offence data

We process special categories of personal data under the following UK GDPR Articles.

4.1 Article 9(2)(a) – explicit consent

Where we need consent, we make sure that it is:

  • unambiguous
  • for one or more purposes
  • specific
  • given by a positive action
  • recorded and refreshed, such as when requesting health data from customers to assess the health impact of our operations

4.2 Article 9(2)(b) – employment or social protection

Where processing is required by law for employment, social security, or social protection purposes, either for us or the data subject, for example processing staff sickness absences and register of interest declarations.

4.3 Article 9(2)(c) – vital interests

Where processing is necessary to protect the vital interests of the data subject or of another natural person, such as using an employee’s health data in a medical emergency.

4.4 Article 9(2)(f) – legal claims

For establishing, exercising or defending legal claims, such as data processing relating to any employment tribunal or other litigation.

4.5 Article 9(2)(g) – substantial public interest

We process special category data as part of our statutory and corporate functions which are of substantial public interest, such as the data we seek or receive as part of investigating a complaint.

Reasons of substantial public interest include, for example, where we are responsible for implementing Defra policies to improve and protect the environment.

4.6 Article 9(2)(j) – archiving, research and statistics

For archiving, research and statistics in the public interest in accordance with Schedule 1 Part 1 paragraph 4, such as the data transfers we may make to The National Archives or other legal places of deposit as part of our obligation under the Public Records Act 1958.

4.7 Article 10 – processing of personal data relating to criminal convictions and offences

We process criminal offence data under the UK GDPR (Article 10) as we are exercising official authority as set out in the DPA 2018 (Section 8). The type of data processed under this article is pre-employment checks and declarations by an employee or apprentice in line with contractual obligations.

5. Conditions for processing (Schedule 1)

All processing is for the first listed purpose and might also be for others, depending on the context. We process special category data for the following purposes in Part 1 Schedule 1:

  • paragraph 1 – employment, social security, and social protection

  • paragraph 4 – research, archiving, scientific, historical, or statistical purposes carried out in accordance with Article 89(1) and in the public interest

We process special category data for the following purposes in Part 2 Schedule 1:

  • paragraph 6 – statutory and government purposes

  • paragraph 7 – administration of justice and parliamentary purposes

  • paragraph 8 – equality of opportunity or treatment

  • paragraph 10 – preventing or detecting unlawful acts

  • paragraph 12 – regulatory requirements relating to unlawful acts and dishonesty

  • paragraph 24 – disclosure to elected representatives

5.1 Criminal offence data processing purposes

We process criminal offence data for the following purposes in Parts 1 and 2 of Schedule 1:

  • paragraph 1 – employment, social security, and social protection

  • paragraph 6 – statutory and government purposes

6. Data protection principles

We comply with the personal data processing principles under the UK GDPR (Article 5) as described below.

6.1 Principle 1 – 5(a) – lawfulness, fairness and transparency

To ensure personal data is processed lawfully, fairly and transparently, we will process personal data:

  • where there is a lawful basis to do so, and where processing is otherwise lawful

  • fairly, ensuring data subjects are not misled about the purposes of any processing

6.2 Principle 2 – 5(b) – purpose limitation

We will only collect personal data for specified, explicit and legitimate purposes and we will not process it in a way that is incompatible with the purposes for which it was collected. We will inform data subjects:

  • what the collection purposes are in a privacy notice

  • if we use personal data for a new purpose that is compatible with a new or updated privacy notice

6.3 Principle 3 – 5(c) – data minimisation

Personal data shall be adequate, relevant, and limited to what is necessary for the purposes it is needed for. We will:

  • only collect the minimum personal data

  • ensure data collected is adequate and relevant

6.4 Principle 4 – 5(d) – accuracy

Personal data will be accurate and, where necessary, kept up to date. We will:

  • take particular care where our use of the personal data has a significant impact on individuals

  • make sure that personal data is deleted or corrected without delay if we become aware that it is inaccurate or out of date

  • document our decision if we do not delete or correct inaccurate information, for example when processing the data in line with regulations means these rights do not apply

6.5 Principle 5 – 5(e) – storage limitation

We will not keep personal data which identifies data subjects for longer than is necessary. We will:

  • only keep personal data in identifiable form for the purposes it was collected, or where we have a legal obligation to do so

  • delete, put beyond use, or permanently anonymise personal data once we no longer need it

6.6 Principle 6 – 5(f) – integrity and confidentiality (and security)

We will process and store personal data securely, protecting it against unauthorised or unlawful processing, and accidental loss, destruction, or damage. We will:

  • ensure that there are appropriate technical and organisational measures in place to protect personal data

  • adhere to Defra’s strict security standards and procedures

  • regularly train employees, and third parties who process personal data on our behalf, on how to keep data safe

  • limit access to personal data to those employees or third parties who have a business or legal need to access it

7. Accountability principle

We have put in place appropriate technical and organisational measures to meet accountability requirements. These include:

  • setting up an Information Governance Model which is managed by the Data Protection Practitioner who reports to both RPA’s Security Risk Owner (SRO) and Defra’s Data Protection Officer (DPO)

  • taking a ‘data protection by design and by default’ approach to all our data protection activities

  • maintaining documents of our processing activities

  • adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors

  • implementing appropriate security measures in relation to the personal data we process

  • carrying out data protection impact assessments for our high-risk processing

  • regularly reviewing our accountability measures and updating or amending them when required

8. Retention and erasure

We have strict security safeguards in place to protect special category data and criminal offence data. Administrative, physical, and technical safeguards protect personal data against:

  • unlawful processing
  • unauthorised processing
  • accidental loss or damage

We will ensure when special category data or criminal offence data is processed that the processing is recorded. The record will set out, where possible, a suitable timeframe to safely and permanently delete the different data categories in line with our retention schedule.

9. Publishing, reviewing and monitoring

Publication date: April 2024

Version: 2.0

Author: Data Protection & Governance (DP&G)

Review period: Every 2 years

This APD is scheduled to be reviewed during April 2026 unless significant developments in either RPA or the law mean that the review needs to be brought forward. This APD will be stored where we process personal data and kept for a period of at least 6 months after such processing stops.

Compliance with the policy will be monitored by the Data Protection Practitioner and the SRO, reporting to the Executive Team and the Audit and Risk Assurance Committee as required.

Read this policy together with the following documents:

  • RPA Data Protection Policy

  • Appropriate Policy Document: Sensitive Processing for Law Enforcement Purposes

You can find these documents on the Data Protection Policy page. You may also be interested in RPA’s Personal Information Charter.