Processing special category data - the Appropriate Policy

The Royal Borough of Kensington and Chelsea Council’s Appropriate Policy and how it will protect Special Category and Criminal Convictions personal data.

The council is under a legal obligation to consider Equality measures (see the Equality and Diversity page for further information). In addition, the General Data Protection Regulations (GDPR) and Data Protection Act 2018 recognises that organisations are likely to collect information deemed Special Category Data and or Criminal Conviction and Offences data.

Definitions

The GDPR Special Category data covers:

  • Racial or ethnic origin.
  • Political opinions.
  • Religious beliefs or other beliefs of a similar nature.
  • Trade Union membership.
  • Physical or mental health or condition.
  • Sex life and sexual orientation.
  • Genetic data and biometric data.

The GDPR Criminal and Offences Data: or Conviction Data

This covers criminal allegations, proceedings or convictions and security measures. These are likely to centre on: specific employment requirements; fraud investigations; safeguarding issues; the vital interests of the data subject or other individuals. 

Legal basis

Under the GDPR the council has a lawful basis for processing Special Category and Criminal offence data. This refers to requirements under enactment which means that the council is obliged to collect and process this data. Similarly, processing of this type of data is undertaken because there is a substantial public interest in processing this information as set out under the Data Protection Act 2018.

Procedures for securing compliance

Article 5 of the GDPR describes the data protection principles. Below is set out details on how the council will comply with these in relation to the processing of Special Category and Criminal Offence personal data.

Principle 1 – Fair, Lawful and Transparent

Special Category and Conviction Data is processed lawfully, fairly and in a transparent manner in relation to the data subject.

The council will:

  • Only process Special Category and Conviction Data where a lawful basis can be applied, and where processing is otherwise lawful.
  • Process Special Category and Conviction Data fairly; and will ensure that data subjects are not misled about the purposes of any processing.
  • Ensure transparency in its processing of Special Category and Conviction Data to enable individuals to understand and obtain their privacy information.

Principle 2 - Fit for Purpose

Special Category and Conviction Data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

The council will:

  • Collect Special Category and Conviction Data only for specified, explicit and legitimate purposes, and will inform data subjects what those purposes are in a privacy notice.
  • Not use Special Category and Conviction Data for purposes that are incompatible with the purposes for which it was collected (if we do use Special Category and Conviction Data for a new purpose that is compatible, we will inform the data subject first).

Principle 3 – Data Minimisation (Adequate and Relevant)

Special Category and Conviction Data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

The council will:

  • Only collect the minimum Special Category and Conviction Data needed for the purpose for which it is collected. We will ensure that the data we collect is adequate and relevant.

Principle 4 – Accuracy

Special Category and Conviction Data is accurate and, where necessary, kept up to date.

The council will:

  • Ensure that Special Category and Conviction Data is accurate, and kept up to date, taking care to do this where the use of this type of information has a significant impact on individuals.

Principle 5 - Data Retention

Special Category and Conviction Data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

The council will:

  • Only keep Special Category and Conviction Data in identifiable form. if is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once this data is no longer needed it will be deleted or rendered permanently anonymous.

Principle 6 - Security

Special Category and Conviction Data is processed in a manner that ensures appropriate security of the data including: protection against unauthorised or unlawful processing; against accidental loss, destruction or damage; and by using appropriate technical or organisational measures.

The council will:

  • Ensure that there are appropriate organisational and technical measures in place to protect Special Category and Conviction Data.

Accountability

The council is responsible for and must be able to demonstrate compliance with these 6 principles. Our Data Protection Officer (DPO) is responsible for monitoring the council’s compliance with these principles.

The council will:

  • Ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request.
  • Undertake Data Protection Impact Assessment (DPIA) for any high risk personal data processing, and consult the Information Commissioner if appropriate.
  • Appoint and maintain a Data Protection Officer to provide independent advice and monitoring of all departments’ personal data handling, and that this person has access to report to the highest management level of the department.
  • Maintain and Review internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law.
  • Ensure council policies as regard the retention and erasure of personal data are implemented.

The council will:

Ensure that where special category or convictions personal data is processed that:

  • There is a record of that processing, and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data.
  • Where special category or criminal convictions personal data is no longer required for the purpose for which it was collected it will be deleted or render it permanently anonymous.
  • Data subjects receive privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.

Please refer to the council’s Fair Processing Notice setting out how the council handles personal data, and where more advice can be obtained.