Appendix 5. Policy on processing of special categories of personal data and criminal offence data

Introduction

As part of the University’s statutory and corporate functions, it processes special category data and criminal offence data in accordance with Articles 9 and 10 of the GDPR and Schedule 1 of the Data Protection Act 2018 (DPA).

Schedule 1 of the DPA requires the University to put in place an appropriate policy document, setting out its procedures for complying with Article 5 of the GDPR, how long it will keep special category data, and its subsequent erasure once it reaches its retention date.

This document explains our processing and satisfies the requirements of Schedule 1, part 4 of the DPA and supplements the University’s staff and student privacy notices. It satisfies the substantial public interest condition, plus the condition for processing employment, social security, and social protection data where an appropriate policy document is required.

Special category data

Article 9 of the GDPR defines special category data as personal data revealing a person’s:

  • Racial or ethnic origin,
  • Religious or philosophical beliefs,
  • Political opinions,
  • Trade union membership,
  • Genetic data,
  • Biometric data for the purpose of uniquely identifying a natural person,
  • Data concerning health; or
  • Data concerning a natural person’s sex life or sexual orientation

Criminal Conviction data

Article 10 of the GDPR covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.

Conditions for processing special category data

GDPR

We process special categories of personal data under the following GDPR Articles:

Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the University or the data subject in connection with employment, social security or social protection. For example, staff sickness absence.

Article 9(2)(g) – reasons of substantial public interest. Our processing of personal data in this context is for the purposes of substantial public interest and is necessary for the carrying out of our role. For example, monitoring equality of opportunity or treatment between groups.

Article 9(2)(f) – for the establishment, exercise or defence of legal claims. For example, processing relating to any employment tribunal or other litigation.

Article 9(2)(a) – explicit consent

In circumstances where we seek consent, it is unambiguous and for specified purpose(s), it is given by an affirmative action, and recorded as the condition for processing. For example, staff or student reasonable adjustments.

Article 9(2)(c) – where processing is necessary to protect the vital interests of the data subject or of another natural person. For example, processing health data in the event of a medical emergency.

We process criminal offence data under Article 10 of the GDPR. For example, for pre-employment or pre-registration checks and declarations by an employee/student in line with contractual obligations.

DPA 2018

We process special categories of personal data for the following purposes in Part 1 of Schedule 1:

Paragraph 1(1) employment, social security and social protection

We process special category data for the following purposes in Part 2 of Schedule 1:

Paragraph 6(1) and (2)(a) statutory, etc. purposes.

Paragraph 8(1) identifying or keeping under review the existence or absence of equality of opportunity or treatment between specified groups.

Paragraph 10(1) preventing or detecting unlawful acts.

Paragraph 11(1) and (2) protecting the public against dishonesty.

Paragraph 12(1) and (2) regulatory requirements relating to unlawful acts and dishonesty.

Paragraph 24(1) and (2) disclosure to elected representatives.

Under Paragraph 8(1), the University must stop processing personal data if the data subject has given notice in writing requiring the University to stop processing their personal data, the notice gave the University a reasonable period in which to stop processing the data, and that period has ended.

Criminal offence data

We process criminal offence data for the following purposes in Parts 1 and 2 of Schedule 1 of the DPA:

Paragraph 1 employment, social security and social protection.

Paragraph 6(2)(a) statutory, etc. purposes.

Description of data processed

We process special category data about our staff and students that is necessary to fulfil our obligations as a higher education provider and employer, including information about health and wellbeing, race and ethnicity, and trade union membership. Further information can be found in the University’s staff and student privacy notices.

We also keep and maintain a record of our processing activities in accordance with Article 30 of the GDPR.

Procedures for ensuring compliance with the GDPR principles

The University has put in place appropriate technical and organisational measures (policies, procedures, and processes) to meet the obligations set out in the GDPR and DPA. These include, but are not limited to, the following:

  • The appointment of a data protection officer who reports into the university’s highest management level;
  • An information governance framework built on the principle of ‘data protection by design and default’;
  • Carrying out data protection impact assessments for high-risk personal data processing;
  • Clear and transparent information about processing personal data in the university’s privacy notices; and
  • Electronic information is processed within the university’s secure network, using systems that have appropriate security and access controls applied.

Retention and erasure policies

Our retention and erasure practices are set out in the University retention schedules.

Appropriate Policy Document

This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.

This policy will be reviewed every two years or revised more frequently if necessary.