Schedule 1 of the Data Protection Act 2018 requires that organisations have an Appropriate Policy Document in place when processing special category or criminal data for specific purposes.
This document serves as the Appropriate Policy Document for Norwich City Services Limited (NCSL).
The processing of special category data is undertaken in line with the following articles of the GDPR:
- Article 9(2)(a) explicit consent
- Article 9(2)(b) employment, social security and social protection
- Article 9(2)(c) vital interests of a data subject
- Article 9(2)(f) the establishment, exercise or defence of legal claims
- Article 9(2)(g) substantial public interest
- Article 9(2)(h) the assessment of the working capacity of an employee
- Article 9(2)(j) archiving in the public interest
NCSL processes special category data and criminal offence data to fulfil our obligations as an employer. This includes information about employees' health and wellbeing, ethnicity, photographs and their membership of any trade union. This is processed in line with the Data Protection Act Schedule 1 Paragraph 1(1).
NCSL also processes criminal offence data under Article 10 of the GDPR. Our processing of criminal offence data includes pre-employment checks and declarations by an employee in line with contractual obligations.
Further information about this processing can be found in our Human Resources privacy notice.
Procedures for ensuring compliance with the principles
Article 5 of the UK General Data Protection Regulation sets out the key data protection principles. These are NCSL’s procedures for ensuring that we comply with them.
NCSL has in place appropriate technical and organisational measures to meet the requirements of accountability. These include:
- the appointment of a Data Protection Officer who reports to our Senior Leadership Team.
- the adoption of a ‘data protection by design and default’ approach.
- documenting and maintaining records of our processing activities.
- the implementation of data protection policies.
- ensuring NCSL has written contracts in place with our data processors.
- implementing appropriate security measures in our processing activities.
- undertaking data protection impact assessments for high-risk processing.
NCSL routinely reviews our accountability measures and updates them as required.
Principle (a): lawfulness, fairness and transparency
Processing personal data must be lawful, fair and transparent. It is only lawful if and to the extent it is based on law and either meets at least one of the conditions in Schedule 1 or is undertaken with the data subject’s consent.
NCSL provides clear and transparent information about why we process personal data including our lawful basis for processing in our service privacy notices, staff privacy notice and this Appropriate Policy Document.
Principle (b): purpose limitation
NCSL processes personal data for specific purposes and does not process such data for any purpose incompatible with the original purpose for which it was collected.
Principle (c): data minimisation
NCSL processes personal data necessary for the relevant purposes and strives to ensure it is not excessive. The information we process is necessary for and proportionate to our purposes. Where personal data is provided to, or obtained by, NCSL but is not relevant to our stated purposes, we will erase it.
Principle (d): accuracy
Where NCSL becomes aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take reasonable steps to ensure that it is erased or rectified without delay.
If NCSL decides not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights don’t apply, we will document our decision.
Principle (e): storage limitation
Personal data processed by NCSL is retained for the periods set out in our Retention Schedule. The retention periods are determined based on our legal obligations and business needs.
Our Retention Schedule is reviewed annually and updated when necessary.
Principle (f): integrity and confidentiality (security)
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The council will ensure that there are appropriate organisational and technical measures in place to protect personal data.
This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.
This policy will be reviewed annually and updated when necessary. The last review of this policy occurred in June 2021. The next review of this policy is due May 2022.