DfC Data Protection Safeguards Policy; “Appropriate policy document”

Special categories of personal data and criminal convictions

The Department for Communities processes special category data and criminal conviction data.  We process special category data in accordance with Article 9 of the United Kingdom General Data Protection Regulation (UKGDPR). We process criminal conviction data in accordance with Article 10 of the UKGDPR.  Depending on the purpose for processing we must also adhere to conditions in Part 1 and Part 2 of Schedule 1 of the Data Protection Act 2018.

Special Category data

As per Article 9 of the UKGDPR, Special Category data is personal data revealing:

• Racial or ethnic origin
• Political opinions
• Religious of philosophical
• Trade Union membership
• Genetic data
• Biometric data for the purpose of uniquely identifying a natural person
• Data concerning health
• Data concerning a natural person’s sex life or sexual orientation

Criminal conviction data

We must also adhere to the conditions in Part 3 of Schedule 1 of the Data Protection Act 2018, these are additional safeguards for criminal conviction data. Criminal conviction data also includes processing in relation to offences, or related security measures.

Substantial public interest

Under Article 9 (2) (g) of the UKGDPR, we may process special category and criminal conviction data where it is necessary for reasons of substantial public interest. This must be carried out on the basis of United Kingdom domestic law which is proportionate to the aim pursued, respect the essence of the right to the data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subjects.

The Data Protection Act 2018 sets out that the processing meets the requirement in point (g) only if it meets a condition (or purpose) in Schedule 1.

Employment, social care and social protection

Under Article 9 (2) (b) UKGDPR, we may process special category data and criminal convictions where it is necessary for purposes of carrying out obligations and exercising specific rights of the controller or data subject in the field of employment, social security and social protection law. This must be carried out on the basis of union or member state law or a collective agreement providing for appropriate safeguards for the fundamental rights and the interest of the data subject.

The  Data Protection Act 2018 sets out that the processing meets the requirement in point (b) only if it meets a condition (or purpose) in Schedule 1.

We must adhere to legislation such as, but not limited to:

• Social Security Administration (Northern Ireland) Act 1992
• Social Security Contributions and Benefits (Northern Ireland) Act 1992
• Jobseekers (Northern Ireland) Order 1995
• State Pension Credit Act (Northern Ireland) 2002
• Welfare Reform Act 2012

The law in relation to social security in Northern Ireland is available.

Archiving

Under Article 9 (2) (j) UKGDPR, we may process special category data and criminal convictions where it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on domestic UK law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

The Data Protection Act 2018 sets out that the processing meets the requirement in point (j) only if it meets a condition (or purpose) of Schedule 1.

The following describes the measures we take to comply with the data protection principles in relation to these categories of personal data.

The first data protection principle ‘lawful, fair and transparent’

Processing personal data must be lawful, fair and transparent. We will ensure that we:.

•  process personal data only where a lawful basis applies.
• process data fairly, ensuring that our customers are not misled about how and why we process their data.
• rely upon consent only where appropriate to do so and when the consent is specific, freely given, informed and unambiguous
• have a Privacy Notice and supplementary privacy notices for our various business areas to ensure that we are open about how we process customer data.
• Our privacy notice is available.

The second data protection principle ‘specified, explicit and legitimate purposes’

• We will inform customers why we are processing the information and what lawful basis allows us to this.
• We will only process data where we have a lawful basis to do so.
• We will not process personal data for purposes incompatible with the original purpose it was collected for.

The third data protection principle ‘adequate, relevant and not excessive’

• We collect personal data necessary for the relevant purposes and ensure it is not excessive.
• The information we process is necessary for and proportionate to our purposes.
• We will not collect more information than we need,

The fourth data protection principle ‘accurate and up to date’

• Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, we will document our decision.

The fifth data protection principle ‘kept for no longer than necessary’. Our policy on retention and disposal of records.

• We will tell customers how long we will keep their data.
• We retain information processed for the periods set out in the disposal of records schedule.

The sixth data protection principle ‘appropriate security’

We have a range of technical, organisational and security measures which contribute to how we maintain ‘appropriate security’ of personal data. For example our IT systems are monitored internally to ensure appropriate use, our public buildings are staffed by recognised security firms and we have management and organisational structures in place to ensure the security of our data.

This policy satisfies the requirements of Schedule 1, Part 4 and is therefore an appropriate policy document in support of our compliance with the requirements of Articles 9 and 10 UKGDPR.

This policy will be reviewed annually or revised more frequently if necessary.

The Accountability principle

The controller shall be responsible for, and be able to demonstrate compliance with these principles. We maintain a record of our processing activities. We are registered with the ICO and our point of contact with the ICO is our Data Protection Officer. Our contact details are: