Appropriate policy document
Published: April 2021
Next formal review: 2 years from the date of the last review. This will be no later than March 2023 or in the event of a recommended improvement, a change in legislation, or a change of council wide policy.
The Appropriate Policy Document (APD) sets out how Bracknell Forest Council (the council) will protect the special category and criminal offence data which it processes.
When processing personal data, we comply with the requirements of the EU General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA) and any associated legislation.
This APD will cover all processing of special category personal data carried out by the council for which all of the following conditions are met:
- we (data controller) are processing personal data which is the subject of Articles 9 or 10 of EU GDPR
- we (data controller) are processing the personal data in reliance of a condition listed in Parts 1,2 or 3 or Schedule 1 of the DPA
- the condition listed in Parts 1, 2 or 3 Schedule 1 includes a requirement for the data controller to have an APD - some of the Schedule 1 conditions for processing special category and criminal offence data require us to have an APD in place, setting out and explaining our procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data
- this document explains our processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018
In addition it provides some further information about our processing of special category and criminal offence data where a policy document isn’t a specific requirement.
The information supplements our privacy notice and service specific privacy notices.
Schedule 1, Part 4 of the Data Protection Act 2018
The council relies on DPA Schedule 1 conditions to process special categories of personal data.
Part 1 - conditions relating to employment, social security and social protection
- processing personal data concerning health in connection with the council’s rights under employment law
- processing data relating to criminal convictions under Article 10 EU GDPR in connection with your rights under employment law in connection with recruitment, discipline or dismissal
- providing human resource and occupational health facilities for employees
Part 2 - substantial public interest conditions
Statutory and government purposes
- fulfilling the council's obligations under the UK legislation for the provision of services to residents within the borough of Bracknell Forest Council
- complying with other legal requirements, such as the requirement to disclose information in connection with legal proceedings
Equality of opportunity or treatment
- ensuring compliance with the council's obligations under legislation such as the Equality Act 2010 and Sex Discrimination Act 1970
- ensuring that we fulfil our public sector equality duty when carrying out our work
- ensuring we provide equal access to our services, to all sections of the community in recognition of our legal and ethical duty and serve communities
Preventing or detecting unlawful acts
- processing data concerning criminal records in connection with employment in order to reduce the risk to the council and the community
- carrying out enforcement action in connection with the council's statutory duties
- carrying out investigations and disciplinary actions relating to our employees
Protecting the public against dishonesty
- processing data concerning dishonesty, malpractice or other improper conduct in order to protect the local community
- carrying out enforcement action in connection with the council's statutory duties
- carrying out investigations and disciplinary actions relating to our employees
Regulatory requirements relating to unlawful acts and dishonesty
- complying with the council's enforcement obligations under UK legislation
- assisting other authorities in connection with their regulatory requirements
- disclosing personal data in accordance with arrangements made by an anti-fraud organisation
Support for individuals with a particular disability or medical condition
- to provide services or raise awareness of a disability or medical condition in order to deliver services to service users and their carers
- for the provision of confidential counselling, advice or support or another similar service provided confidentially
Safeguarding of children and individuals at risk
- protecting vulnerable children and young people from neglect, physical, mental or emotional harm
- identifying individuals at risk while attending emergency incidents
- data sharing with our partners to assist them to support individuals
- information that is necessary for insurance purposes
- fulfilling the council’s obligation to provide an occupational pension scheme
- determining benefits payable to dependents of pension scheme members
Disclosure to elected representatives
- assisting elected representatives such as local government councillors and Members of Parliament with requests for assistance on behalf of their constituents
Additional conditions for processing special category and criminal offence data
- extensions of conditions in Part 2 of Schedule 1 referring to substantial public interest
- the council may process personal data relating to criminal convictions in connection with its enforcement obligations as above
- we also maintain a record of our processing activities in accordance with Article 30 of the GDPR
Processing which requires an APD
Almost all of the substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018, plus the condition for processing employment, social security and social protection data, require an APD.
This section of the policy is the APD for the council. It demonstrates that the processing of special category (SC) and criminal offence (CO) data based on these specific Schedule 1 conditions is compliant with the requirements of the GDPR Article 5 principles. In particular, it outlines our retention policies with respect to this data.
Schedule 1 conditions for processing
- there is a record of that processing, and that record will be set out, where possible, the envisaged time limits for erasure of the different categories of data (ROPA and Retention and Disposal Schedule)
- where special category or criminal convictions personal data is no longer required for the purpose for which it was collected, it will be securely deleted or rendered permanently anonymous
Procedures for ensuring compliance with the principles
The council are responsible and must be able to demonstrate compliance with the principles
We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:
- the appointment of a data protection officer who reports directly to our highest management level
- taking a ‘data protection by design and default’ approach to our activities
- maintaining documentation of our processing activities and these are provided to the Information Commissioner on request (ROPA)
- all employees receiving data protection and information security training
- having an information governance review and audit plan in place
- adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors
- implementing appropriate security measures in relation to the personal data we process
- carrying out data protection impact assessments for our high-risk processing and consult the ICO if appropriate
- regularly reviewing our accountability measures and update or amend them when required
Securing compliance with the Data Protection principles (GDPR Article 5)
Principle A is that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Processing personal data must be lawful, fair and transparent. It is only lawful if and to the extent it is based on law and either the data subject has given their consent for the processing, or the processing meets at least one of the conditions in Schedule 1.
- provide clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notices (on our website), staff privacy notice and this policy document
- only process personal data fairly and we ensure that data subjects are not misled about the purposes of any processing
- our processing for purposes of substantial public interest is necessary for the exercise of a function conferred on the council by the legislation for which we act as a local authority, for example, the Data Protection Act 2018
- as a local authority is officially responsible for all the public services and facilities in its area
- use Data Protection Impact Assessments to ensure proposed processing is carried out fairly
- our processing for the purposes of employment relates to our obligations as an employer
Principle B is purpose limitation. Personal data shall be specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- process personal data for purposes of substantial public interest as explained above when the processing is necessary for us to fulfil our statutory functions, where it is necessary to provide public services and facilities
- are authorised by law to process personal data for these purposes. We may process personal data collected for any one of these purposes (whether by us or another controller), for any of the other purposes here, providing the processing is necessary and proportionate to that purpose
- if we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose
- collect personal data only for specified, explicit and legitimate purposes and will inform data subjects what those purposes are (provision of privacy notices)
- will not process personal data for purposes incompatible with the original purpose it was collected. Prior to personal data being used for a new purpose that is compatible, the council will inform the data subject
Principle C is data minimisation. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
We collect personal data necessary for the relevant purposes and ensure it is not excessive. The information we process is necessary for and proportionate to our purposes.
Where personal data is provided to us or obtained by us, but is not relevant to our stated purposes, we will erase it.
Principle D is accuracy. Personal data shall be accurate and, where necessary, kept up to date.
Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to make sure that data is erased or rectified without delay.
If we decide not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights don’t apply, we will document our decision.
Principle E is storage limitation. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
All special category data processed by us for the purpose of employment or substantial public interest is, unless retained longer for archiving purposes, retained for the periods set out in our Retention and Disposal Schedule.
We determine the retention period for this data based on our legal obligations and the necessity of its retention for our business needs. Our retention schedule is reviewed regularly and updated when necessary.
Principle F is integrity and confidentiality (security). Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Electronic information is processed within our secure network. Hard copy information is processed in line with our security procedures.
Our electronic systems and physical storage have appropriate access controls applied.
The systems we use to process personal data allow us to erase or update personal data at any point in time where appropriate.
Personal data is held and disposed of in line with the council's retention and disposal schedule.
Appropriate policy document has a defined date for review as stated at the top of this document or more frequently if necessary and is held and managed within the IG Policies and Key Documents Review Schedule.
This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.
Retention and erasure of personal data
Personal data is held and disposed of in line with the council’s retention and disposal schedule. When disposing of information, the council makes sure this is carried out securely by using physical destruction methods as well as electronic data deletion.
The retention schedule contains details of the retention periods for the council’s data processing activities and the ROPA contains the lawful basis for processing.
Additional special category processing
We process special category personal data in other instances where it is not a requirement to keep an appropriate policy document. Our processing of such data respects the rights and interests of the data subjects. We provide clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notice and service specific privacy notices.
Responsibility for processing sensitive data
All employees are required to comply with the council's information governance policies and information security framework when processing sensitive or personal data to make sure that processing is carried out legally, fairly and transparently.
Information Asset Owners are responsible for ensuring that systems and processes under their control comply with current data protection legislation and that personal data is processed in accordance with the data protection principles.
The council has Information Governance Leads in each directorate to work with the Data Protection Officer to ensure compliance.
We consider whether we can rely on an exemption on a case by case basis. These would be very rare for the council.
Where appropriate, we carefully consider the extent to which the relevant UK GDPR requirements would be likely to prevent, seriously impair, or prejudice the achievement of our processing purposes. In the rare occasion we would justify and document our reasons for relying on an exemption.
When an exemption does not apply (or no longer applies) to our processing of personal data, we comply with the UK GDPR’s requirements as normal.
For further information, please contact the owner of this policy:
The Data Protection Officer
Bracknell Forest Council
Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a human being, which allow or confirm the unique identification of that person, such as facial images or fingerprints.
Consent of the data subject
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The person, company, public authority (such as the service), agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Protection Act 2018
The current UK legislation governing data protection Data Subject – an individual who is the subject of personal data.
Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
Personal data relating to the inherited or acquired genetic characteristics of a human being which give unique information about the physiology or the health of that person and which result, in particular, from an analysis of a biological sample from the person in question.
Information Commissioner (ICO)
The UK's independent body responsible for monitoring the Data Protection Act. Visit the ICO website for more information.
Any information relating to an identified or identifiable human being (‘data subject’). An identifiable human being is one who can be identified, directly or indirectly, in particular by reference to their:
- telephone numbers
- identification numbers, such as payroll number, service number or National Insurance number
- recordings, photographs or reproductions of a person's voice, likeness or image
- bank account numbers
- medical records, attendance and sickness records
- online identifiers (for example, username or cookie)
Special categories of personal data
This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data processing is the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
A person, company, public authority, agency or other body which processes personal data on behalf of the controller.
Any form of automated processing that evaluates personal aspects relating to a human being, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable human being.
A person, company, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
Restriction of processing
The marking of stored personal data with the aim of limiting their processing in the future.
A person, company, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.