Appropriate policy document

Published: April 2023

Next formal review: 2 years from date of last review, or in the event of a recommended improvement, a change in legislation, or a change of council wide policy.

UKGDPR requires Bracknell Forest Council, as a data controller, to only process special category data (SCD) under certain conditions (Article 9) and, when we are doing so using the “substantial public interest” condition or the “employment, social security and social protection” condition, we must have an Appropriate Policy Document (APD) (Article 10). The DPA Schedule 1 sets out in more detail what is required in an APD, and this document fulfils that APD requirement.

Special category data is explained on the ICO website.

This information supplements our privacy notice and service specific privacy notices.

Schedule 1, Part 4 of the Data Protection Act 2018

The council relies on DPA Schedule 1 conditions to process special categories of personal data.

Part 1 - conditions relating to employment, social security and social protection

  • processing personal data concerning health in connection with the council’s rights under employment law
  • processing data relating to criminal convictions under Article 10 UK GDPR in connection with your rights under employment law in connection with recruitment, discipline or dismissal
  • providing human resource and occupational health facilities for employees
  • processing data concerning criminal records in connection with recruitment and employment in order to reduce the risk to the council and the community
  • processing necessary for revenue and benefits and health or social care purposes

Part 2 - substantial public interest conditions

Statutory and government purposes

  • fulfilling the council's obligations under the UK legislation for the provision of services to residents within the borough of Bracknell Forest Council
    complying with other legal requirements, such as the requirement to disclose information in connection with legal proceedings
    processing necessary for the exercise of a function conferred on a person by enactment or the exercise of a function of the Crown, a Minister or a government department

Equality of opportunity or treatment

  • making sure we are compliant with the council's obligations under legislation such as the Equality Act 2010 and Sex Discrimination Act 1970
  • making sure we fulfil our public sector equality duty when carrying out our work
  • making sure we provide equal access to our services, to all sections of the community in recognition of our legal and ethical duty and serve communities

Preventing or detecting unlawful acts

  • carrying out enforcement action in connection with the council's statutory duties
  • carrying out investigations and disciplinary actions relating to our employees

Protecting the public against dishonesty

  • processing data concerning dishonesty, malpractice or other improper conduct in order to protect the local community
  • carrying out enforcement action in connection with the council's statutory duties
  • carrying out investigations and disciplinary actions relating to our employees

Regulatory requirements relating to unlawful acts and dishonesty

  • complying with the council's enforcement obligations under UK legislation
  • assisting other authorities in connection with their regulatory requirements

Preventing fraud

  • processing necessary for the purposes of preventing fraud
  • disclosing personal data in line with arrangements made by an anti-fraud organisation

Support for individuals with a particular disability or medical condition

  • to provide services or raise awareness of a disability or medical condition in order to deliver services to service users and their carers

Counselling

  • for the provision of confidential counselling, advice or support or another similar service provided confidentially

Safeguarding of children and individuals at risk

  • protecting vulnerable children and young people from neglect, physical, mental or emotional harm
  • identifying individuals at risk while attending emergency incidents
  • data sharing with our partners to assist them to support individuals
  • sharing information with relevant agencies for the purposes of safeguarding

Insurance

  • information that is necessary for insurance purposes

Occupational pensions

  • fulfilling the council’s obligation to provide an occupational pension scheme
  • determining benefits payable to dependents of pension scheme members

Disclosure to elected representatives

  • assisting elected representatives such as local government councillors and Members of Parliament with requests for assistance on behalf of their constituents

Additional conditions for processing special category and criminal offence data

  • extensions of conditions in Part 2 of Schedule 1 referring to substantial public interest
  • the council may process personal data relating to criminal convictions in connection with its enforcement obligations as above
  • we also maintain a record of our processing activities in line with Article 30 of the GDPR

Processing which requires an APD

Almost all of the substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018, plus the condition for processing employment, social security and social protection data, require an APD.

This section of the policy is the APD for the council. It demonstrates that the processing of special category (SC) and criminal offence (CO) data based on these specific Schedule 1 conditions is compliant with the requirements of the GDPR Article 5 principles. In particular, it outlines our retention policies with respect to this data.

Schedule 1 conditions for processing

The council:

  • there is a record of that processing, and that record will be set out, where possible, the envisaged time limits for erasure of the different categories of data (ROPA and Retention and Disposal Schedule)
  • where special category or criminal convictions personal data is no longer required for the purpose for which it was collected, it will be securely deleted or rendered permanently anonymous

Procedures for making sure we are compliant with the principles

Accountability principle

The council are responsible and must be able to demonstrate compliance with the principles

We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:

  • the appointment of a data protection officer who reports directly to our highest management level
  • taking a ‘data protection by design and default’ approach to our activities
  • maintaining documentation of our processing activities and these are provided to the Information Commissioner on request (ROPA)
  • all employees receiving data protection and information security training
  • having an information governance review and audit plan in place
  • adopting and implementing data protection policies and making sure we have written contracts in place with our data processors
  • implementing appropriate security measures in relation to the personal data we process
  • carrying out data protection impact assessments for our high-risk processing and consult the ICO if appropriate
  • regularly reviewing our accountability measures and update or amend them when required

Securing compliance with the Data Protection principles (GDPR Article 5)

Principle A

Principle A is that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Processing personal data must be lawful, fair and transparent. It is only lawful if and to the extent it is based on law and either the data subject has given their consent for the processing, or the processing meets at least one of the conditions in Schedule 1.

The council:

  • provide clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notices, staff privacy notice and this policy document
  • only process personal data fairly and we make sure that data subjects are not misled about the purposes of any processing
  • our processing for purposes of substantial public interest is necessary for the exercise of a function conferred on the council by the legislation for which we act as a local authority, for example, the Data Protection Act 2018
  • as a local authority is officially responsible for all the public services and facilities in its area
  • use Data Protection Impact Assessments to make sure proposed processing is carried out fairly
  • our processing for the purposes of employment relates to our obligations as an employer

Principle B

Principle B is purpose limitation. Personal data shall be specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

The council:

  • process personal data for purposes of substantial public interest as explained above when the processing is necessary for us to fulfil our statutory functions, where it is necessary to provide public services and facilities
  • are authorised by law to process personal data for these purposes. We may process personal data collected for any one of these purposes (whether by us or another controller), for any of the other purposes here, providing the processing is necessary and proportionate to that purpose
  • if we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose
  • collect personal data only for specified, explicit and legitimate purposes and will inform data subjects what those purposes are (provision of privacy notices)
  • will not process personal data for purposes incompatible with the original purpose it was collected. Prior to personal data being used for a new purpose that is compatible, the council will inform the data subject

Principle C

Principle C is data minimisation. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

We collect personal data necessary for the relevant purposes and make sure it is not excessive. The information we process is necessary for and proportionate to our purposes.

Where personal data is provided to us or obtained by us, but is not relevant to our stated purposes, we will erase it.

Principle D

Principle D is accuracy. Personal data shall be accurate and, where necessary, kept up to date.

Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to make sure that data is erased or rectified without delay.

If we decide not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights don’t apply, we will document our decision.

Principle E

Principle E is storage limitation. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

All special category data processed by us for the purpose of employment or substantial public interest is, unless retained longer for archiving purposes, retained for the periods set out in our retention and disposal schedule.

We determine the retention period for this data based on our legal obligations and the necessity of its retention for our business needs. Our retention and disposal schedule is reviewed regularly and updated when necessary.

Principle F

Principle F is integrity and confidentiality (security). Personal data shall be processed in a manner that makes sure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Electronic information is processed within our secure network. Hard copy information is processed in line with our security procedures.

Our electronic systems and physical storage have appropriate access controls applied.

The systems we use to process personal data allow us to erase or update personal data at any point in time where appropriate.

Personal data is held and disposed of in line with the council's retention and disposal schedule.

Appropriate policy document has a defined date for review as stated at the top of this document or more frequently if necessary and is held and managed within the IG Policies and Key Documents Review Schedule.

This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.
 

Retention and erasure of personal data

Personal data is held and disposed of in line with the council’s retention and disposal schedule. When disposing of information, the council makes sure this is carried out securely by using physical destruction methods as well as electronic data deletion.

The retention schedule contains details of the retention periods for the council’s data processing activities and the ROPA contains the lawful basis for processing.

Additional special category processing

We process special category personal data in other instances where it is not a requirement to keep an appropriate policy document. Our processing of such data respects the rights and interests of the data subjects. We provide clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notice and service specific privacy notices.

Responsibility for processing sensitive data

All employees are required to comply with the council's information governance policies and information security framework when processing sensitive or personal data to make sure that processing is carried out legally, fairly and transparently.

Information Asset Owners are responsible for making sure that systems and processes under their control comply with current data protection legislation and that personal data is processed in line with the data protection principles.

The council has Information Governance Leads in each directorate to work with the Data Protection Officer to make sure we are compliant.

Exemptions

We consider whether we can rely on an exemption on a case by case basis. These would be very rare for the council.

Where appropriate, we carefully consider the extent to which the relevant UK GDPR requirements would be likely to prevent, seriously impair, or prejudice the achievement of our processing purposes. In the rare occasion we would justify and document our reasons for relying on an exemption.

When an exemption does not apply (or no longer applies) to our processing of personal data, we comply with the UK GDPR’s requirements as normal.

More information

For more information, contact the owner of this policy:

The Data Protection Officer
Bracknell Forest Council
Time Square
Market Street
Bracknell
RG12 1JD

iso@bracknell-forest.gov.uk

Definitions

Biometric data

Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a human being, which allow or confirm the unique identification of that person, such as facial images or fingerprints.

Consent of the data subject

Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Controller

The person, company, public authority (such as the service), agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Protection Act 2018

The current UK legislation governing data protection Data Subject – an individual who is the subject of personal data.

Filing system

Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

Genetic data

Personal data relating to the inherited or acquired genetic characteristics of a human being which give unique information about the physiology or the health of that person and which result, in particular, from an analysis of a biological sample from the person in question.

Information Commissioner (ICO)

The UK's independent body responsible for monitoring the Data Protection Act. Visit the ICO website for more information.

Personal data

Any information relating to an identified or identifiable human being (‘data subject’). An identifiable human being is one who can be identified, directly or indirectly, in particular by reference to their:

  • name
  • address
  • telephone numbers
  • identification numbers, such as payroll number, service number or National Insurance number
  • recordings, photographs or reproductions of a person's voice, likeness or image
  • bank account numbers
  • medical records, attendance and sickness records
  • online identifiers (for example, username or cookie)

Special categories of personal data

This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Personal data breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Processing

Data processing is the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

Processor

A person, company, public authority, agency or other body which processes personal data on behalf of the controller.

Profiling

Any form of automated processing that evaluates personal aspects relating to a human being, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable human being.

Recipient

A person, company, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

Restriction of processing

The marking of stored personal data with the aim of limiting their processing in the future.

Third party

A person, company, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.