Information Access and Use: Processing Special Category and / or Criminal Convictions and Offences Data
Contents
-
Policy details and part 1
- Policy Details
- Introduction
-
Conditions relating to employment, health, and research etc.
- Employment, social security and social protection
-
Substantial public interest conditions
- Statutory etc. and government purposes
- Equality of opportunity or treatment
- Racial and ethnic diversity at senior levels of the organisation
- Preventing or detecting unlawful acts
- Regulatory requirements relating to unlawful acts and dishonesty etc.
- Preventing fraud
- Counselling etc.
- Safeguarding of children and of individuals at risk
- Safeguarding of economic well-being of certain individuals
- Insurance
- Occupational pensions
- Elected representatives responding to requests / disclosure to elected representatives
-
Part 4
- Security Measures
-
Part 5
- Retention of the data
-
Part 6
- Erasure of the data
-
Part 7
- Further Information
-
Appendix 1 - Policy Application Checklist
- 1. Are you processing personal data about the following?
- 2. Does your processing fall within one of the following purposes?
- 3. Do you have the consent of the data subject for the processing of this personal data?
Policy details and part 1
Policy Details
Item | Details |
---|---|
Version | 1.1 |
Approved by | Information Governance Board |
Lead officer | Information Lawyer (Data Protection Officer) |
Contact | Dataprotection@southampton.gov.uk |
Date last amended | 2nd October 2024 |
Approval date | 26th May 2021 |
Effective date | 23rd June 2021 |
Review date | 2nd October 2025 |
Introduction
- This policy document explains the Council’s processing of special categories of personal data and criminal convictions and offences data where it is processed for the following purposes:
- Employment, social security and social protection
- Statutory etc. and government purposes
- Equality of opportunity or treatment
- Racial and ethnic diversity at senior levels of the organisation
- Preventing or detecting unlawful acts
- Regulatory requirements relating to unlawful acts and dishonesty etc.
- Preventing fraud
- Counselling etc.
- Safeguarding of children and of individuals at risk
- Safeguarding of economic well-being of certain individuals
- Insurance
- Occupational pensions
- Elected representatives responding to requests / disclosure to elected representatives
- To determine whether this policy applies to your processing, refer to the Policy Application Checklist in Appendix 1.
- Irrespective of whether this policy applies, all processing of personal data must be compliant with the data protection principles, and the Council’s suite of Information Governance Policies1.
- When processing special categories of personal data and / or criminal convictions and offences data for these purposes, a condition under Article 9 of the UK General Data Protection Regulation (the GDPR) must be satisfied.
- If the processing for the purposes above is not carried out with the explicit consent of the data subject, the processing must satisfy another condition under Article 9.
- Alternative conditions are:
- Article 9(2)(b) - The processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
- Article 9(2)(g) - The processing is necessary for reasons of substantial public interest
- If relying on either of these conditions for the above processing, Schedule 1, Part 4 of the Data Protection Act 2018 states that the Council is required to have an appropriate policy document in place.
- This policy document explains:
- the Council’s procedures for securing compliance with the principles in Article 5 of the GDPR (principles relating to processing of personal data) in connection with the processing of personal data in reliance on these conditions; and
- the Council’s policies as regards the retention and erasure of personal data processed in reliance on these conditions, giving an indication of how long such personal data is likely to be retained.
1 - https://staffinfo.southampton.gov.uk/information-governance/policies-and-guidance/default.aspx
Conditions relating to employment, health, and research etc.
Employment, social security and social protection
How the condition for processing is met
Where processing special categories of personal data and / or criminal conviction data for the purpose of employment, social security, and social protection, the Council will be satisfied that the processing is necessary in order for it to perform or exercise its legal obligations (or the data subject’s legal obligations) in connection with employment, social security, or social protection, namely:
- Employment Act 2002
- Equality Act 2010
- Employment Rights Act 1996
- Health and Safety at Work Act 1974
- Working Time Regulations 1998
- Working Time (Amendment) Regulations 2007
- Safeguarding Vulnerable Groups Act 2006
- Rehabilitation of Offenders 1974
- Immigration, Asylum and Nationality Act 2006
- The Fixed-term Employees (Prevention of Less Favourable Treatment) Regulations 2002
- Education and Skill Act 2008
- The Employee Study and Training Regulations 2010
- The Flexible Working Regulations 2014
- Trade Union and Labour Relations (Consolidation) Act
- The Transfer of Undertakings (Protection of Employment) Regulations 2006
- The Collective Redundancies and the Transfer of Undertakings (Protection of Employment) (Amendment) Regulations 1999
The purpose of the processing
- Recruitment
- Pre-employment checks
- Employment offer
- Training and Development
- Change in personal circumstances
- Performance Management
- Industrial Action
- Mergers and Acquisitions
- End of employment
The special categories of personal data and / or criminal conviction data processed for this purpose
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Data concerning health
- Data concerning a natural person’s sex life or sexual orientation
- Criminal convictions and offences
Substantial public interest conditions
Statutory etc. and government purposes
How the condition for processing is met
Where processing special categories of personal data and / or criminal conviction data in order to carry out its statutory functions, the Council will be satisfied that:
- the processing is necessary for the exercise of that function, which has been conferred on a the Council by an enactment or rule of law; and
- the processing is necessary for reasons of substantial interest.
The Council has many statutory functions, a list of which can be found on the Local Government Association website.
The purpose of the processing
The Council performs many services in line with its statutory functions, a list of which can be found on the Local Government Association website.
The special categories of personal data and / or criminal conviction data processed for this purpose
The nature of the special categories of personal data and / or criminal conviction data processed for each Council service will vary, but it is likely that the Council will process special categories of personal data and / or criminal conviction data relating to the following when performing its statutory functions:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person’s sex life or sexual orientation
- criminal convictions and offences
More detailed information about specific services can be found in the Council’s privacy policy.
Equality of opportunity or treatment
How the condition for processing is met
Where processing special categories of personal data and / or criminal conviction data for the purpose of monitoring and reviewing equality opportunities, the Council will be satisfied that:
- the processing is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people with a view to enabling such equality to be promoted or maintained.
Individuals can give notice in writing to the Council requiring them not to process their special categories of personal data and / or criminal conviction data for this purpose, and must give the Council a reasonable period in which to stop processing the data.
The purpose of the processing
The special categories of personal data and / or criminal conviction data will be used to monitor equality for the following groups of people:
- People of different racial or ethnic origins
- People holding different religious or philosophical beliefs
- People with different states of physical or mental health
- People of different sexual orientation
The special categories of personal data and / or criminal conviction data processed for this purpose
- racial or ethnic origin
- religious or philosophical beliefs
- data concerning health
- data concerning a natural person’s sex life or sexual orientation
Racial and ethnic diversity at senior levels of the organisation
How the condition for processing is met
This section only applies to processing necessary to identify suitable individuals to hold senior positions within the Council, due to the substantial public interest associated with this.
Processing in respect of recruitment at other levels of the Council is covered by the provisions in section 2.1.
Where the processing of special categories of personal data and / or criminal conviction data is carried out as part of a process of identifying suitable individuals to hold senior positions within the Council, the Council will be satisfied that:
- the processing is necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation or organisations; and
- The processing can reasonably be carried out without the consent of the data subject.
The processing will reasonably be carried out without the consent of the data subject only where the Council cannot reasonably be expected to obtain the consent of the data subject, and the Council is not aware of the data subject withholding consent.
The purpose of the processing
The special categories of personal data and / or criminal conviction data will be used to identify suitable individuals to hold the following positions within the Council:
- Chief Executive
- Service Directors
- Anyone who plays a significant role in the making of decisions about how the whole or a substantial part of the Council’s activities are to be managed or organised; or
- Anyone who plays a significant role in the actual managing or organising of the whole or a substantial part of those activities
The special categories of personal data and / or criminal conviction data processed for this purpose
- racial or ethnic origin
Preventing or detecting unlawful acts
How the condition for processing is met
Section 17 of the Crime and Disorder Act 1998 places a duty on the Council to do all it reasonably can to prevent crime and disorder in its area.
Where processing special categories of personal data and / or criminal conviction data for the prevention and detection of crime, the Council will be satisfied that:
- the processing is necessary for those purposes
- the processing must be carried out without the consent of the data subject so as not to prejudice those purposes; and
- the processing is necessary for reasons of substantial public interest.
The purpose of the processing
The Council has a number of functions it can exercise in respect of crime and disorder, including (but not limited to):
- Anti-Social Behaviour
- Community Safety
The special categories of personal data and / or criminal conviction data processed for this purpose
- criminal convictions and offences
Regulatory requirements relating to unlawful acts and dishonesty etc.
How the condition for processing is met
Some of the Council’s functions imposed on them by legislation involve officers taking steps to establish whether another person has committed an unlawful act, or has been involved in dishonesty, malpractice or other seriously improper conduct.
Where the Council processing special categories of personal data and / or criminal conviction data to discharge these functions, it will be satisfied that:
- it is necessary to do so
- in the circumstances, the Council cannot reasonably be expected to obtain the consent of the data subject to the processing; and
- the processing is necessary for reasons of substantial public interest.
The purpose of the processing
The functions that may involve officers taking steps to establish whether another person has committed an unlawful act, or been involved in dishonesty, malpractice or other seriously improper conduct include (but are not limited to):
- Trading Standards
- Alcohol and entertainment Licensing
- Animal Licensing
- Businesses and markets licensing
- Food licensing
- Gambling and lottery
- Hazardous materials licensing
- HMO Licensing
- Taxi and private hire licensing
The special categories of personal data and / or criminal conviction data processed for this purpose
- criminal convictions and offences
Preventing fraud
How the condition for processing is met
The Council is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
When processing special categories of personal data and / or criminal conviction data for these purposes, the Council will be satisfied that:
- the processing is necessary for the purposes of preventing fraud or a particular kind of fraud; and
- the disclosure or processing is in accordance with arrangements made by an anti-fraud organisation.
The purpose of the processing
The Cabinet Office appoints the auditor to audit the accounts of this authority, and is responsible for carrying out data matching exercises. The Council participates in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.
The special categories of personal data and / or criminal conviction data processed for this purpose
- data concerning health
- criminal convictions and offences
Counselling etc.
How the condition for processing is met
The Council provides services that include the provision of confidential counselling, advice or support. In some situations, the processing of special categories of personal data and / or criminal conviction data cannot be carried out with the consent of the individuals involved, but the Council will only process special categories of personal data and / or criminal conviction data in these circumstances where:
- it is necessary for reasons of substantial public interest
- in the circumstances, consent to the processing cannot be given
- in the circumstances, the Council cannot reasonably be expected to obtain consent; and
- the processing must be carried out without consent because obtaining consent would prejudice the provision of the service
The purpose of the processing
The services offering the provision of confidential counselling, advice or support include (but are not limited to):
- Adoption
- Hospice Care
- Substance Misuse
- Mental Health Services
- Drug and Alcohol Recovery Service
- Employee Assistance
The special categories of personal data and / or criminal conviction data processed for this purpose
- data concerning health
Safeguarding of children and of individuals at risk
How the condition for processing is met
The Children Act 1989 places a duty on local authorities to protect children in their area, and to make enquiries where they have reasonable cause to suspect that a child in their area may be at risk of suffering harm.
The Care Act 2014 sets out a clear legal framework for how local authorities and other parts of the system should protect adults at risk of abuse or neglect.
As such, the Council will processes special categories of personal data and / or criminal conviction data to protect a child (or type of child) or indivudal at risk from neglect or physical, mental or emotional harm, or to protect the physical, mental or emotional well-being of a child (or type of child) or individual at risk. This may have to be done without consent when it is necessary for reasons of substantial public interest, where:
- in the circumstances, consent to the processing cannot be given
- in the circumstances, the Council cannot reasonably be expected to obtain consent
- the processing must be carried out without consent because obtaining consent would prejudice the provision of protection.
When decisions are made to share or withhold information, the service area will record who has been given the information and why.
The purpose of the processing
A child or an individual aged 18 or over is “at risk” if the Council has reasonable cause to suspect that they:
- have needs for care and support
- are experiencing, or at risk of, neglect or physical, mental or emotional harm; and
- as a result of those needs are unable to protect them self against the neglect or harm or the risk of it
The special categories of personal data and / or criminal conviction data will be processed by
- The Multi Agency Safeguarding Hub
- Children Safeguarding Board
- Looked after children teams
- Protection and Court teams
- Adult Social Care Connect
- Adult Safeguarding Board
- Older People and Vulnerable Adults
The special categories of personal data and / or criminal conviction data processed for this purpose
- racial or ethnic origin
- religious or philosophical beliefs
- data concerning health
Safeguarding of economic well-being of certain individuals
How the condition for processing is met
Certain individuals in receipt of Council services will be at economic risk, meaning that they are less able to protect their economic well-being by reason of physical or mental injury, illness or disability.
In protecting the economic well-being of individuals at economic risk, it may be necessary for the Council to process special categories of personal data and / or criminal conviction data without consent, where it is necessary for reasons of substantial public interest, and:
- in the circumstances, consent to the processing cannot be given
- in the circumstances, the Council cannot reasonably be expected to obtain consent
- the processing must be carried out without consent because obtaining consent would prejudice the provision of the protection of the economic well-being
The purpose of the processing
The functions that may involve protecting the economic well-being of individuals at economic risk include (but are not limited to):
- Public Health
- Welfare Rights
- Adult Social Care
- Housing Services
The special categories of personal data and / or criminal conviction data processed for this purpose
- data concerning health
Insurance
How the condition for processing is met
The Council’s Risk Management and Insurance service facilitates and supports service areas in the identification and management of key business risks and includes the management and provision of an insurance claims handling service.
In administering a claim under an insurance contract, or exercising a right, or complying with an obligation, arising in connection with an insurance contract, the Council may process special categories of personal data and / or criminal conviction data. It will only do so without consent, however, when:
- it is necessary for these insurance purposes; and
- is necessary for reasons of substantial public interest.
The purpose of the processing
- Claims for loss or damage to Council property
- Claims for compensation made against the Council by third parties
The special categories of personal data and / or criminal conviction data processed for this purpose
- racial or ethnic origin
- religious or philosophical beliefs
- trade union membership
- genetic data
- data concerning health
Occupational pensions
How the condition for processing is met
Hampshire County Council pension services administer the Local government pension scheme on behalf of the Council.
As part of the scheme, the Council will process special categories of personal data and / or criminal conviction data without consent when:
- It is necessary for the purpose of making a determination in connection with eligibility for, or benefits payable under, the pension scheme
- The data relates to a data subject who is the parent, grandparent, great-grandparent or sibling of a member (or someone who is seeking to become a member) of the scheme
- The processing is not carried out for the purposes of measures or decisions with respect to the data subject; and
- The processing can reasonably be carried out without the consent of the data subject
In doing so, the Council will be satisfied that:
- They cannot reasonably be expected to obtain the consent of the data subject; and
- They are not aware of the data subject withholding consent
The purpose of the processing
- Administering the Local government pension scheme
The special categories of personal data and / or criminal conviction data processed for this purpose
- data concerning health
Elected representatives responding to requests / disclosure to elected representatives
How the condition for processing is met
Council members and elected representatives may have cause to request and receive special categories of personal data and / or criminal conviction data when carrying out their functions.
When requesting the special categories of personal data and / or criminal conviction data, the member will be satisfied that:
- The processing is being carried out in connection with the discharge of their functions;
- The processing is being carried out in response to a request by an individual that the member take action on behalf of the individual; and
- The processing is necessary for the purposes of, or in connection with, the action reasonably taken by the member in response to that request
If the request is made by an individual who is not the data subject (e.g. a relative), the member must obtain the consent of the data subject, unless:
- In the circumstances, consent to the processing cannot be given
- In the circumstances, the member cannot reasonably be expected to obtain consent
- Obtaining consent would prejudice the action taken by the member; or
- The processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably
When disclosing special categories of personal data and / or criminal conviction data, the Council will be satisfied that:
- It is doing so in response to a communication from the member, which was made in response to a request from an individual
- The special categories of personal data and / or criminal conviction data is relevant to the subject matter of that communication; and
- The disclosure is necessary for the purpose of responding to that communication.
If the request is made by an individual who is not the data subject (e.g. a relative), and the member does not have the consent of that individual, the Council will only disclose the special categories of personal data and / or criminal conviction data if they are satisfied that:
- In the circumstances, consent to the processing cannot be given
- In the circumstances, the member cannot reasonably be expected to obtain consent
- Obtaining consent would prejudice the action taken by the member; or
- The processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably
The purpose of the processing
- Dealing with complaints from the residents of their ward
- Addressing their resident’s concerns
The special categories of personal data and / or criminal conviction data processed for this purpose
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person’s sex life or sexual orientation
- criminal convictions and offences
Part 4
Security Measures
The Council has a wide range of technical and procedural controls in place, in order to protect the special categories of personal data and / or criminal conviction data it holds and processes.
These controls are overseen by the Council’s Information Governance Board, chaired by the Senior Information Risk Owner, supported by Information Asset Owners and Administrators.
The controls compliant with PSN and PCI. Controls include but are not limited to:
- Mandatory annual Information Governance Training for all staff
- Acceptable use of IT equipment and systems defined in Information Governance Policy
- Role Based Access Controls, limiting Council system users to only access those systems necessary for them to perform their duties
- Identity and Access Management through Human Resources hiring and reference polices
- Strong defences of the Council’s core IT system (e.g. Firewalls, Malware Detection & Defence)
- Encryption of Data in transit where appropriate
- The ability to monitor and / or log digital and user activity into Council systems where appropriate
- Deployment of Information Security Tools (e.g. Data Loss Prevention, Mobile Device Management, Secure External Email)
- Assurance of Council Technical Security Architecture by Independent 3rd party partners
- Annual and ad-hoc IT Health Checks and Penetration Tests by independent CHECK certified test teams; with follow-up treatment of identified vulnerabilities
- Robust procedures for the reporting of any data or potential data breaches.
- Bi-Annual IG Health Checks carried out by Information Asset Administrators
- Regular audits of physical measures and office walkthroughs
- A suite of IG policies in place, which are reviewed on an annual basis
- Mandatory Data Protection Impact Assessments undertaken for all projects
- Full compliance with the Public Service Network (PSN)
Part 5
Retention of the data
The special categories of personal data and / or criminal conviction data will be retained in accordance with the Council’s Records Review and Retention Schedule.
Part 6
Erasure of the data
All special categories of personal data and / or criminal conviction data will be destroyed securely, either using the Council’s confidential waste system, or the appropriate disposal method of electronic records.
Service areas review records throughout the year, to ensure information is securely destroyed in accordance with the retention schedule.
Part 7
Further Information
For more information, or specific guidance, please contact the Governance and Information team by email at:
Appendix 1 - Policy Application Checklist
1. Are you processing personal data about the following?
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a natural person’s sex life or sexual orientation
- Criminal convictions or offences data
If Yes, got to question 2.
If No, this policy does not apply.
2. Does your processing fall within one of the following purposes?
- Employment, social security and social protection
- Performaing a statutory task or function
- Review and monitoring of equality opportunites
- Identifying suitable individuals to hold senior positions within the Council
- Preventing or detecting unlawful acts
- Performing regulatory requirements relating to unlawful acts and dishonesty
- Preventing fraud
- Counselling
- Safeguarding of children and of individuals at risk
- Safeguarding of economic well-being of certain individuals
- Insurance
- Occupational pensions
- Elected representatives responding to requests / disclosure to elected representatives
If Yes, got to question 3.
If No, this policy does not apply.
3. Do you have the consent of the data subject for the processing of this personal data?
If Yes, this policy does not apply.
If No, this policy does apply.