Schedule 1 of the Data Protection Act 2018 requires that organisations have an Appropriate Policy Document in place for when processing special category or criminal data for specific purposes.
This document serves as the Appropriate Policy Document for Norwich City Council.
The processing of special category data is undertaken in line with the following articles of the GDPR:
- Article 9(2)(a) explicit consent
- Article 9(2)(b) employment, social security and social protection
- Article 9(2)(c) vital interests of a data subject
- Article 9(2)(f) the establishment, exercise of defence of legal claims
- Article 9(2)(g) substantial public interest
- Article 9(2)(h) the assessment of the working capacity of an employee
- Article 9(2)(j) archiving in the public interest
The council processes special category data both to fulfil our obligations as an employer and as part of our statutory duties as a Tier 2 local authority.
The council processes special category data about our employees that is necessary to fulfil our obligations as an employer. This includes information about their health and wellbeing, ethnicity, photographs and their membership of any trade union. Further information about this processing can be found in our Human Resources privacy notice.
Our processing for reasons of substantial public interest relates to the data we receive or obtain in order to fulfil our statutory function as a Local Authority. This includes information about our tenants and service users. Further information about this processing can be found in our service specific privacy notices.
We process criminal offence data under Article 10 of the GDPR. The council’s processing of criminal offence data includes pre-employment checks and declarations by an employee in line with contractual obligations.
Schedule 1 - conditions for processing
The council processes special category data for the following purposes as listed in Schedule 1:
- Paragraph 1(1) employment, social security and social protection
- Paragraph 2(2)(b) the assessment of the working capacity of an employee
- Paragraph 6(1) and 6(2)(a) statutory, etc. purposes
- Paragraph 10(1) preventing or detecting unlawful acts
- Paragraph 11(1) and 11(2) protecting the public against dishonesty
- Paragraph 12(1) and 11(2) regulatory requirements relating to unlawful acts and dishonesty
- Paragraph 24(1) and 24(2) disclosure to elected representatives
The council processes criminal offence data for the following purposes as listed in Schedule 1:
- Paragraph 1 – employment, social security and social protection
- Paragraph 6(2)(a) – statutory, etc. purposes
Procedures for ensuring compliance with the principles
Article 5 of the UK General Data Protection Regulation sets out the key data protection principles. These are the council’s procedures for ensuring that we comply with them.
The council has in place appropriate technical and organisational measures to meet the requirements of accountability. These include:
- the appointment of a Data Protection Officer who reports to our Senior Leadership Team.
- the adoption of a ‘data protection by design and default’ approach.
- documenting and maintaining records of our processing activities.
- the implementation of data protection policies
- ensuring the council has written contracts in place with our data processors.
- implementing appropriate security measures in our processing activities.
- undertaking data protection impact assessments for high-risk processing.
The council routinely reviews our accountability measures and update them as required.
Principle (a): lawfulness, fairness and transparency
Processing personal data must be lawful, fair and transparent. It is only lawful if and to the extent it is based on law and meets at least one of the conditions in Schedule 1 or with the data subject’s consent.
The council provides clear and transparent information about why we process personal data including our lawful basis for processing in our service privacy notices, staff privacy notice and this Appropriate Policy Document.
Principle (b): purpose limitation
The council processes personal data for specific purposes and does not process such data for any purpose incompatible with the original purpose for which it was collected for.
Principle (c): data minimisation
The council processes personal data necessary for the relevant purposes and strives to ensure it is not excessive. The information we process is necessary for and proportionate to our purposes. Where personal data is provided to, or obtained by, the council but is not relevant to our stated purposes, we will erase it.
Principle (d): accuracy
Where the council becomes aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take reasonable steps to ensure that it is erased or rectified without delay.
If the council decides not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights don’t apply, we will document our decision.
Principle (e): storage limitation
Personal data processed by the council is retained for the periods set out in our Retention Schedule. The retention periods are determined based on our legal obligations and business needs.
Our Retention Schedule is reviewed annually and updated when necessary.
Principle (f): integrity and confidentiality (security)
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The council will ensure that there are appropriate organisational and technical measures in place to protect personal data.
Appropriate Policy Document review date
This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.
This policy will be reviewed annually and updated when necessary. The last review of this policy occurred on September 2021.