Privacy Notice and Data Protection

1. Introduction

This document has been developed for the London Borough of Sutton (“the Council”) to meet the requirement in the Data Protection Act (DPA) 2018 for an appropriate policy document which details the safeguards we have put in place when we process special category data, criminal conviction data, and sensitive data for law enforcement purposes.

This policy covers: 

  • Substantial public interest processing for the council’s statutory and corporate functions

  • Employment, social security and social protection law for certain benefits and credits functions and processing for HR purposes 

  • Processing for archiving, research and statistical purposes 

  • Law enforcement processing 

The council is a public authority with statutory functions and a statutory duty of confidentiality. As part of the council’s statutory and corporate functions, we process special category and criminal  conviction data under:

  • Article 6(a) of the General Data Protection Regulation (GDPR) (the data subject has given  consent to the processing of his or her personal data for one or more specific purposes)

  • Article 6(b) of the GDPR (processing is necessary for the performance of a contract to which  the data subject is party or in order to take steps at the request of the data subject prior to  entering into a contract)

  • Article 6(c) of the GDPR (processing is necessary for compliance with a legal obligation to  which the council is subject)

  • Article 6(d) of the GDPR (processing is necessary in order to protect the vital interests of the data subject or of another natural person)

  • Article 6(e) of the GDPR (processing is necessary for the performance of a task carried out in  the public interest or in the exercise of official authority vested in the council) 

The council processes sensitive data for law enforcement purposes under section 35 of the DPA  2018. 

The council’s Privacy Notice has more information about the council’s data protection policy and procedures, including the kind of information we hold and what it is used for. 

2. Definition of special category, sensitive and criminal conviction data 

Special category data (defined by Article 9 of the GDPR) and sensitive data (defined by section 35 of  the DPA 2018) is personal data which reveals: 

  • Racial or ethnic origin 

  • Political opinions 

  • Religious or philosophical beliefs 

  • Trade union membership 

  • Genetic data 

  • Biometric data for the purpose of uniquely identifying a natural person 

  • Data concerning health

  • Data concerning a natural person’s sex life or sexual orientation

Section 11(2) of the DPA 2018 provides that criminal conviction data includes data which relates to  the alleged commission of offences and related proceedings and sentencing. 

3. Conditions for processing special category data and criminal conviction data 

In order to lawfully process special category data, the council must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9.

The council processes special category data under the following paragraphs of Article 9 of the GDPR:

  • Paragraph 2(a) (the data subject has given explicit consent to the processing of those personal  data for one or more specified purposes (e.g. for biometric voice authentication))

  • Paragraph 2(b) (processing is necessary for the purposes of carrying out the obligations and  exercising specific rights of the council or the data subject in the field of employment and  social security and social protection law) 

  • Paragraph 2(c) (processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent)

  • Paragraph 2(f) (processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity) 

  • Paragraph 2(g) (processing is necessary for reasons of substantial public interest)

  • Paragraph 2(h) (processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care systems and services or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3)

[Paragraph 3 - Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.]

  • Paragraph 2(i) (processing is necessary for reasons of public interest in the area of public health which provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject)

  • Paragraph 2(j) (processing is necessary for archiving purposes in the public interest, scientific  or historical research purposes or statistical purposes in accordance with Article 89(1))

Article 10 of the GDPR permits processing of personal data relating to criminal convictions and  offences under the control of official authority. The council may process criminal conviction data  under Article 10 of the GDPR as it is a competent authority processing for law enforcement  purposes and exercising official authority within the meaning set out in the DPA 2018.

4. Substantial public interest 

Section 10(3) of the DPA 2018 sets out that in order for processing of special categories of personal  data to be necessary for reasons of substantial public interest under Article 9(2)(g) of the GDPR, that  processing must meet one of the conditions set out in Part 2 of Schedule 1. 

The council processes special category data in the performance of its statutory and corporate  functions when the following conditions set out in the following paragraphs of Part 2 of Schedule 1 to  the DPA 2018 are met: 

  • Paragraph 6 (Statutory etc. and government purposes) 

  • Paragraph 8 (Equality of opportunity or treatment) 

  • Paragraph 10 (Preventing or detecting unlawful acts) 

  • Paragraph 11 (Protecting the public against dishonesty)

  • Paragraph 12 (Regulatory requirements relating to unlawful acts and dishonesty etc.)

  • Paragraph 14 (Preventing fraud)

  • Paragraph 16 (Support for individuals with a particular disability or medical condition)

  • Paragraph 17 (Counselling)

  • Paragraph 18 (Safeguarding of children and of individuals at risk) 

  • Paragraph 19 (Safeguarding of economic well-being of certain individuals)

  • Paragraph 20 (Insurance) 

  • Paragraph 21 (Occupational pension) 

  • Paragraph 22 (Political parties) 

  • Paragraph 24 (Disclosure to elected representatives) 

These conditions apply to the council’s statutory and corporate functions. All processing is for the  listed purpose and might also be for others, depending on the context.

5. Employment, social security and social protection law, Health or Social Care  Purposes and Public Health 

Section 10(2) of the DPA 2018 sets out that in order for processing of special categories of personal data to be necessary for the purposes of carrying out obligations and exercising specific rights of the controller or data subject in the field of employment, social security and social protection law, Health or Social Care Purposes and Public Health under Article 9(2)(b), (h) and (i) of the GDPR, that processing must meet one of the conditions set out in Part 1 of Schedule 1.

The council processes special category data for Employment (HR), social security and social protection, health, social care, public health and research purposes when the conditions set out in paragraph 1 of Part 1 of Schedule 1 to the DPA 2018 are met. These conditions may apply to the following council functions: revenues and benefits, council tax, public health, adult social care, and to the processing of special category data for those purposes.

6. Archiving purposes in the public interest 

Under Article 9(2)(j) of the GDPR, the council may process special category data where it is  necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. We may also process criminal conviction data for these purposes under the DPA 2018.

Under section 10(2) of the DPA 2018, the council may process special category data and criminal  conviction data for the purposes of archiving, research and statistics when a condition set out in Part 1 of Schedule 1 to the DPA 2018 is met. 

7. Law enforcement processing 

Section 31 of the DPA 2018 defines the law enforcement purposes as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. The council is listed as a competent authority for the purposes of law enforcement in paragraph 1 of Schedule 7 to the DPA  2018 and does not rely on the consent of the data subject to process sensitive data. 

[Schedule 7, DPA 2018 - a youth offending team established under section 39 of the Crime and Disorder Act 1998; and Section  30(1)(b) of the DPA 2018 - any other person if and to the extent that the person has statutory functions for any of the law  enforcement purposes.]

Section 35(5) of the DPA 2018 sets out that where processing is strictly required for law  enforcement purposes, the council must meet at least one of the conditions in Schedule 8.

The council processes data for the law enforcement purposes when the conditions set out in the following paragraphs of Schedule 8 to the DPA 2018 are met: 

  • Paragraph 1 (Statutory etc. purposes) 

  • Paragraph 3 (Protecting individual’s vital interests) 

  • Paragraph 4 (Safeguarding of children and of individuals at risk) 

  • Paragraph 5 (Personal data already in the public domain) 

  • Paragraph 6 (Legal claims) 

  • Paragraph 8 (Preventing fraud) 

  • Paragraph 9 (Archiving etc.) 

All processing is for the listed purpose and might also be for others dependent on the context.

8. The Council’s compliance with the data protection principles

In accordance with the accountability principle, the council maintains records of processing activities  under Article 30 of the GDPR and section 61 of the DPA 2018. We carry out data protection  impact assessments where appropriate in accordance with Articles 35 and 36 of the GDPR and  section 64 of the DPA 2018 for law enforcement processing to ensure data protection by design and  default.

The council follows the data protection principles set out in Article 5 of the GDPR, and Part 3,  Chapter 2 of the DPA 2018 for law enforcement processing, as follows: 

8 (i). Lawfulness, fairness and transparency 

We are a public authority. Local authorities are responsible for a range of vital services for people and businesses. 

Local authorities’ functions are set out in numerous Acts of Parliament and many of these functions have associated legal duties.

We provide clear, transparent information to all those who provide personal data to us in the  council’s constitution and the council’s privacy notice. We publish an internal Staff Privacy Notice. 

8 (ii). Purpose limitation 

The council does not process personal data for purposes that are incompatible with the purposes for  which it is collected. When we process personal data to fulfil our statutory functions, we do so in accordance with the various Acts of Parliament which have associated legal duties. 

When we share special category data, sensitive data or criminal conviction data with another  controller, processor or jurisdiction, we will ensure that the data transfers are compliant with  relevant laws and regulations and use appropriate international treaties, data sharing agreements and contracts.

8 (iii). Data minimisation 

We collect personal data that is adequate, relevant and limited to the relevant purposes for which it  is processed. We ensure that the information we process is necessary for and proportionate to our purposes.

8 (iv). Accuracy 

Personal data shall be accurate and, where necessary, kept up to date. Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being  processed, we will take every reasonable step to ensure that data is erased or rectified without delay.

8 (v). Storage limitation 

The council retains special category data, criminal conviction data and sensitive data for law  enforcement processing in accordance with the council’s Record Management, retention and disposal  policy. These categories of personal data may be retained for longer than the council’s default  standard retention period if required by statutory, regulatory, legal or security reasons.

8 (vi). Integrity and confidentiality 

We have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect about individuals. We have strict security standards, and all our staff and other people who process personal data on our behalf get regular training about how to keep information safe. We limit access to your personal information to those employees or third parties who have a business or legal need to access it.

Third parties or contractors that the council engages will only process your personal information on our instructions or with our agreement, and where they do so they have agreed to treat the information confidentially and to keep it secure. We will also disclose personal data to an agent if we receive the consent of the individual whom the data concerns.

9. Policy review statement 

This policy will be periodically reviewed and updated. 

For further information about the Council’s compliance with data protection law, please contact us at: DPO@sutton.gov.uk