Policy paper

Appropriate Policy Document Special Category Personal Data and Criminal Offence Data

Published 9 May 2024

1. Policy Summary

When processing personal data, the Rural Payments Agency (RPA) will comply with the requirements of the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and any associated law.

This document has been written for RPA to meet the requirement for an Appropriate Policy Document (APD) under of Schedule 1 Part 4 of the DPA 2018. This details the safeguards RPA has put in place when it processes Special Category Data and criminal offence data in accordance with the requirements of Articles 9 and 10 of the UK GDPR and Schedule 1 of the DPA 2018.

Our processing of special category and criminal offence data for law enforcement purposes is not covered in this document. Processing for law enforcement purposes is carried out by us in our capacity as a competent authority and falls under Part 3 of the DPA 2018. For further information refer to our Appropriate Policy Document for Sensitive Processing for Law Enforcement Purposes.

RPA’s Personal Information Charter (POL/DP&G/PIC) and Privacy Notices have more information about RPA’s data protection policy and procedures, including the kind of data we hold and what it is used for.

2. Special Category Data

Special category data is defined by the UK GDPR Article 9 as personal data which reveals a data subject’s:

• race or ethnic origin

• political opinions

• religious or philosophical beliefs

• trade union membership

• genetic data

• biometric data for the purpose of uniquely identifying a natural person

• data concerning health

• data concerning a natural person’s sex life or sexual orientation

3. Criminal Offence Data

The UK GDPR Article 10 covers processing in relation to criminal convictions and offences or related security measures. Section 11(2) of the DPA 2018 provides that criminal offence data includes data which relates to the alleged commission of offences, related proceedings, and sentencing.

4. Conditions For Processing Special Category and Criminal Offence Data

RPA processes special categories of personal data under the following the UK GDPR Articles.

4.1 Article 9(2)(a) – Explicit Consent

In circumstances where RPA seeks consent, we make sure that the consent is unambiguous and for one or more purposes. We make sure the consent is specific and given by a positive action. We ensure consent is recorded and refreshed as the condition for processing, such as when requesting health data from customers to assess the health impact of our operations.

4.2 Article 9(2)(b) - Employment or Social Protection

Where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on RPA or the data subject in connection with employment, social security, or social protection. For example, our processing of sickness absences raised by our people, and register of interest declarations.

4.3 Article 9(2)(c) - Vital Interests

Where processing is necessary to protect the vital interests of the data subject or of another natural person, such as how our processing would be using health data about one of our people in a medical emergency.

4.4 Article 9(2)(f) - Legal Claims

For the establishment, exercise or defence of legal claims, such as processing relating to any employment tribunal (ET) or other litigation.

4.5 Article 9(2)(g) - Substantial Public Interest

Reasons of substantial public interest, including for example, where RPA is responsible for implementing the Department for Environment, Food and Rural Affairs (Defra) polices to improve and protect the environment. Together with our partner delivery bodies we play our role in growing a green economy and sustaining thriving rural communities.

RPA processes Special Category Data in the performance of its statutory and corporate functions which are of substantial public interest, such as the data we seek or receive as part of investigating a complaint.

4.6 Article 9(2)(j) - Archiving, Research and Statistics

For archiving, research and statistics in the public interest with Schedule 1 Part 1 paragraph 4, such as the data transfers we may make to the National Archives or other legal places of deposit as part of our obligations under the Public Records Act 1958.

4.7 Article 10 - Processing of Personal Data Relating to Criminal Convictions and Offences

RPA processes criminal offence data under Article 10 of the UK GDPR as it is exercising official authority within the meaning set out in Section 8 of the DPA 2018, such as pre-employment checks and declarations by an employee or apprentice in line with contractual obligations.

5. DPA 2018 Schedule 1 Conditions for Processing

All processing is for the first listed purpose and might also be for others, depending on the context. We process special category data for the following purposes in Part 1 Schedule 1:

• Paragraph 1 – employment, social security, and social protection

• Paragraph 4 – research, archiving, scientific, historical, or statistical purposes carried out in accordance with Article 89(1) and is in the public interest

We process special category data for the following purposes in Part 2 Schedule 1:

• Paragraph 6 – Statutory and government purposes, for example, those necessary for the exercise of the function conferred on a person by an enactment or rule of law, or exercise of a function of the Crown, a Minister of the Crown, or a government department

• Paragraph 7 – Administration of Justice and parliamentary purposes

• Paragraph 8 – Equality of opportunity or treatment

• Paragraph 10 – Preventing or detecting unlawful acts

• Paragraph 12 – Regulatory requirements relating to unlawful acts and dishonesty

• Paragraph 24 – Disclosure to elected representatives

5.1 Criminal Offence Data Processing Purposes

We process criminal offence data for the following purposes in Parts 1 and 2 of Schedule 1:

• Paragraph 1 – Employment, social security, and social protection

• Paragraph 6 – Statutory and government purposes, for example, those necessary for the exercise of the function conferred on a person by an enactment or rule of law, or exercise of a function of the Crown, a Minister of the Crown, or a government department

6. Data Protection Principles

We comply with the principles relating to processing of personal data under the UK GDPR Article 5 as set out below.

6.1 Principle 1 – 5(a) – Lawfulness, Fairness and Transparency

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. We will:

• ensure that personal data is only processed where a lawful basis applies and where processing is otherwise lawful

• only process personal data fairly and ensure that data subjects are not misled about the purposes of any processing

6.2 Principle 2 – 5(b) – Purpose Limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. A new use case will require a new Privacy Notice. We will:

• only collect personal data for specified, explicit and legitimate purposes and we will inform data subjects what those purposes are in a Privacy Notice

• not use personal data for purposes that are incompatible with the purposes for which it was collected

• inform the data subject if we use personal data for a new purpose that is compatible

6.3 Principle 3 – 5(c) – Data Minimisation

Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. We will:

• only collect the minimum personal data that we need for the purpose(s) for which it is collected

• ensure that the data we collect is adequate and relevant

6.4 Principle 4 – 5(d) – Accuracy

Personal data shall be accurate and, where necessary, kept up to date. We will:

• ensure that personal data is accurate and kept up to date where necessary

• take particular care to do this where our use of the personal data has a significant impact on individuals

• take every reasonable step to ensure that data is erased or rectified without delay if we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed

• document our decision if we decide not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights do not apply

6.5 Principle 5 – 5(e) – Storage Limitation

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. We will:

• only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so

• delete personal data or put beyond use, for example through end-dating, or render permanently anonymous once we no longer need it

6.6 Principle 6 – 5(f) – Integrity and Confidentiality (Security)

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage. We will:

• ensure that there are appropriate technical and organisational measures in place to protect personal data

• follow Defra security standards and procedures and all our staff and other people who process personal data on our behalf receive mandatory training about how to keep data safe

• limit access to your personal data to those employees, or third parties who have a business or legal need to access it

7. Accountability Principle

We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:

• the establishment of an Information Governance Model as described in RPA Data Protection Policy (POL/DP&G/RPA). It is managed day-to-day by the Data Protection Lead who reports to both the RPA Security Risk Owner (SRO) and the Defra Data Protection Officer (DPO)

• taking a data protection by design and default approach to our activities

• maintaining documentation of our processing activities

• adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors

• implementing appropriate security measures in relation to the personal data we process

• carrying out data protection impact assessments for our high-risk processing

• regularly reviewing our accountability measures and update or amend them when required

8. Retention and Erasure

We take the security of special category data and criminal offence data very seriously. We have administrative, physical, and technical safeguards in place to protect personal data against unlawful or unauthorised processing, or accidental loss or damage.

We will ensure, where Special Category Data or criminal offence data is processed that the processing is recorded, and the record sets out where possible a suitable period for the safe and permanent erasure of the different categories of data in accordance with our retention schedule.

9. Publication, Review and Monitoring

Publication date: April 2024

Version: 1.0

Author: Data Protection & Governance (DP&G)

Review period: Every two years

This policy is scheduled to be reviewed again during April 2026 unless significant developments in either the RPA or the law necessitate that this be brought forward. It will be retained where we process personal data for law enforcement purposes and for a period of at least six months after we stop conducting such processing.

Compliance with the policy will be monitored via the Data Protection Lead and the SRO reporting to Executive Team (ET) and the Audit and Risk Assurance Committee (ARAC) as required.

10. Recommended Further Reading

This policy should be read in conjunction with the following documents:

RPA Data Protection Policy

Appropriate Policy Document: Sensitive Processing for Law Enforcement Purposes