Appropriate Policy Document for the Processing of Special Category and Criminal Personal Data for the Law Enforcement Purpose under the Data Protection Act 2018
1.1. The Police and Crime Commissioner has statutory functions set out within the Police Reform and Social Responsibility Act 2011 that require the processing of special category data and criminal offence data.
1.2. This is the ‘Appropriate Policy Document’ that sets out how the Police and Crime Commissioner (PCC) and the Office of the Police and Crime Commissioner (OPCC) will protect special category and criminal conviction personal data in compliance with the Data Protection Act 2018 (DPA 2018).
1.3. The OPCC and the PCC shall be referred to as ‘the OPCC’ or ‘we’ throughout the rest of this policy.
1.4. It explains the procedures for securing compliance with the data protection principles contained within Article 5 of UK GDPR and the policies for the retention and erasure of personal data. Records of processing activities are contained within the OPCC’s Record of Processing Activities, which includes a record of the appropriate condition(s) for processing and the record retention criteria.
1.5. When relying on the substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018, or the condition for processing employment, social security and social protection data (Schedule 1, Part 1 DPA 2018), it is necessary for an Appropriate Policy Document to be in place when processing a special category of personal data.
1.6. Special category data is defined at UK GDPR (Article 9) as data revealing:
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- trade union membership,
- genetic data,
- biometric data, for the purpose of uniquely identifying an individual,
- data concerning health,
- data concerning an individual’s sex life or sexual orientation.
- Processing of such data for law enforcement purposes is described as sensitive processing (Part 3 section 35(8)).
- Article 10 UK GDPR covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.
- The OPCC will process special category data about our employees that is necessary to fulfil our obligations as an employer. This includes information about their health and wellbeing, ethnicity, photographs and their membership of any trade union.
- Our processing for reasons of substantial public interest relates to the data we receive or obtain in order to fulfil our statutory functions. For example, this may be information provided to us as part of a complaint against the Chief Constable.
- Information about the processing of personal data carried out by the OPCC is detailed in the OPCC’s Privacy Notice which is available on the OPCC’s website.
2. Compliance with the data protection principles
2.1. The Accountability Principle
2.1.1. The OPCC has put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:
- The appointment of a Data Protection Officer who reports directly to Chief Officers.
- Taking a ‘data protection by design and default’ approach to activities.
- Maintaining documentation of records of processing activities.
- Applying data protection policies and ensuring written contracts are in place with data processors.
- Implementing appropriate security measures in relation to the personal data processed.
- Carrying out Data Protection Impact Assessments (DPIAs) for high-risk processing.
2.2. Principle 1: Lawfulness, fairness and transparency
2.2.1. Processing personal data must be lawful, fair and transparent. It is only lawful if and to the extent it is based on law. We provide clear and transparent information about why we process personal data including our lawful basis for processing (in compliance with UK GDPR articles 6 and 9) in our privacy notice(s).
2.2.2. Our processing for purposes of substantial public interest is necessary for the exercise of functions conferred on the OPCC pursuant to the Police Reform and Social Responsibility Act 2011.
2.2.3. Our processing for the purposes of employment relates to our obligations as an employer.
2.2.4. We also process special category personal data to comply with other obligations imposed on the OPCC in its capacity as a public authority e.g. the Equality Act.
2.2.5. We process special categories of personal data under the following UK GDPR Articles:
- Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the OPCC or the data subject in connection with employment, social security or social protection.
Examples of our processing include monitoring and managing staff sickness absence and administering benefits such as statutory maternity pay.
- Article 9(2)(g) – reasons of substantial public interest.
The OPCC is a public authority and has certain powers and obligations pursuant to the Police Reform & Social Responsibility Act 2011. The OPCC for Lancashire is statutorily required to secure the maintenance of the police force for Lancashire and to ensure that the police force is efficient and effective.
Our processing of personal data in this context is for the purposes of substantial public interest and is necessary for the carrying out of our role.
Examples of our processing include the information we seek or receive as part of investigating a complaint against the Chief Constable.
- Article 9(2)(j) – for archiving purposes in the public interest.
The relevant purpose we rely on is Schedule 1 Part 1 paragraph 4 – archiving.
An example of our processing is the transfers we make to the National Archives as part of our obligations as a public body under the Public Records Act 1958.
- Article 9(2)(f) – for the establishment, exercise or defence of legal claims.
Examples of our processing include processing relating to any Police Appeals Tribunal or other litigation.
- Article 9(2)(a) – explicit consent.
In the limited circumstances where we may seek consent, we make sure that the consent is unambiguous and for one or more specified purposes, is given by an affirmative action and is recorded as the condition for processing.
Examples of our processing include staff dietary requirements.
- Article 9(2)(c) – where processing is necessary to protect the vital interests of the data subject or of another natural person.
An example of our processing would be using health information about a member of staff in a medical emergency.
We process criminal offence data under Article 10 of the UK GDPR.
Examples of our processing of criminal offence data include pre-employment police vetting checks.
2.3. Principle 2: Purpose limitation
2.3.1. We process personal data for purposes of substantial public interest as explained above when the processing is necessary for us to fulfil our statutory functions, to comply with obligations under equalities legislation, for responding to requests or for disclosures to elected representatives.
2.3.2. We are authorised by law to process personal data for these purposes. We may process personal data collected for any one of these purposes (whether by us or another controller), for any of the other purposes here, providing the processing is necessary and proportionate to that purpose.
2.3.3. If we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose and where necessary establish an information sharing agreement.
2.3.4. We will not process personal data for purposes incompatible with the original purpose it was collected for.
2.4. Principle 3: Data minimisation
2.4.1. We collect personal data necessary for the relevant purposes and ensure it is not excessive. The information we process is necessary for and proportionate to our purposes. Where personal data is provided to us or obtained by us, but is not relevant to our stated purposes, we will erase it. We have in place a DPIA procedure and conduct DPIAs for high-risk processing to ensure that any data that is processed is adequate for fulfilling our statutory requirements but not excessive for our needs.
2.5. Principle 4: Accuracy
2.5.1. We will ensure as far as possible that the personal data processed are accurate and kept up to date. In some circumstances it may be necessary to retain factually inaccurate information e.g. information provided by a third party which does not represent the true facts.
2.5.2. All staff are made aware of the need for accuracy and are responsible for the accuracy of the personal data they process.
2.5.3. Where possible IT systems will be designed with controls that seek to improve data validation and data quality. Personal data found to be inaccurate will be rectified or erased whenever possible.
2.5.4. If an individual contacts us to question the accuracy of their data we will respond to such requests accordingly.
2.6. Principle 5: Storage Limitation
2.6.1. All special category data processed by us for the purpose of employment or substantial public interest is, unless retained longer for archiving purposes, retained for the periods set out in our Records Retention and Disposal Policy. The retention period for data is based on our legal obligations and the necessity of its retention for our business needs. Our retention policy is reviewed regularly and updated when necessary.
2.7. Principle 6: Security
2.7.1. Electronic information is processed within a secure ICT network and we have adopted relevant police force and Lancashire County Council ICT policies and procedures.
2.7.2. Hard copy information and electronic information are protectively marked in accordance with the government security classification scheme. The systems we use to process personal data allow us to erase or update personal data at any point in time where appropriate.
2.7.3. All our staff and volunteers are required to be police vetted in line with non-police personnel vetting requirements.
2.7.4. Any security incidents involving sensitive data are fully and corporately recorded, investigated and assessed for whether they should be reported to the Information Commissioner’s Office.
3. Policy Review Date
3.1. This policy will be reviewed annually or revised more frequently if necessary.
4. Additional special category processing
4.1. We process special category personal data in other instances where it is not a requirement to keep an appropriate policy document. Our processing of such data respects the rights and interests of the data subjects. We provide clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notice and staff privacy notice (available upon request).
5. Further Information
5.1. For further information about our compliance with data protection law or if you wish to contact our Data Protection Officer, please contact us using the contact details below:
The Data Protection Officer
OPCC for Lancashire
PO Box 100
Email: firstname.lastname@example.org mark for attention of DPO