Under the General Data Protection Regulation (GDPR) and Data Protection Act 2018, additional protections for service users, job applicants, employees and other data subjects apply if an organisation is processing “special categories” of personal data and criminal records data.
One of these protections is a requirement to have an appropriate policy document in place. This policy sets out Conviction’s approach to processing special category personal data and criminal records data. It supplements our data protection policy.
“Special category personal data” means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic or biometric data.
“Criminal records data” means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.
Why Conviction processes special category personal data and criminal records data
Conviction processes special category personal data and criminal records data for the following purposes.
Equal opportunities monitoring
Data related to racial and ethnic origin, religious and philosophical beliefs, health (including information on whether or not an individual has a disability) and sexual orientation are processed for equal opportunities monitoring purposes.
Data related to health (including information on whether or not an individual has a disability) is processed to:
- ensure that the organisation is complying with its health and safety obligations;
- assess whether or not an employee is fit for work;
- carry out appropriate capability procedures if an employee is not fit for work;
- ensure that an employee receives sick pay or other benefits to which they may be entitled; and
- allow the organisation to comply with its duties under the Equality Act 2010 for individuals with a disability.
Racial or ethnic origin
Data related to data subjects’ nationality is processed to ensure that Conviction is complying with its obligations to check that they are entitled to work in the UK.
Criminal records data
Criminal records data is sometimes processed as part of recruitment processes and, where necessary, in the course of employment to verify that candidates are suitable for employment or continued employment and to comply with legal and regulatory obligations to which the Conviction is subject.
Compliance with data protection principles
Conviction processes HR-related special category personal data and criminal records data in accordance with the following data protection principles.
(1) The organisation processes personal data lawfully, fairly and in a transparent manner and for specified, explicit and legitimate purposes.
Employers can process special category personal data only if they have a legal basis for processing and, in addition, one of the specific processing conditions relating to special category personal data, or criminal records data, applies.
Conviction processes special category personal data and criminal records data for the purposes outlined above and in compliance with the following legal conditions for processing.
|Legal basis for processing||Special category personal data/criminal records data processing condition under sch.1 of the Data Protection Act 2018|
|Equal opportunities data|
|Processing is in Conviction’s legitimate interests. These interests are not outweighed by the interests of data subjects.||Processing is necessary for monitoring equality of opportunity or treatment, as permitted by the Data Protection Act 2018 (under para.8 of sch.1).|
|Processing is necessary for compliance with legal obligations (eg assessing an employee’s fitness for work, complying with health and safety obligations, carrying out capability procedures and complying with Equality Act 2010 duties).||Processing is necessary for the purposes of performing or exercising obligations or rights imposed by law in connection with employment (under para.1 of sch.1).|
|Processing is necessary for the performance of a contract and/or complying with legal obligations (eg administering sick pay and other benefits).||Processing is necessary for the purposes of performing or exercising obligations or rights imposed by law in connection with employment (under para.1 of sch.1).|
|Racial or ethnic origin data|
|Processing is necessary for compliance with legal obligations (eg checking job applicants’ and employees’ right to work in the UK).||Processing is necessary for the purposes of performing or exercising obligations or rights imposed by law in connection with employment (under para.1 of sch.1).|
|Criminal records data|
|Processing is necessary for compliance with legal obligations (ie the organisation’s legal requirement to carry out criminal records checks on those working with children or vulnerable adults). Processing is in the organisation’s legitimate interests. These interests are not outweighed by the interests of data subjects.||Processing is necessary to comply with regulatory requirements to establish whether or not someone has committed an unlawful act or been involved in dishonesty, malpractice or other seriously improper conduct (under para.12 of sch.1).|
Conviction has conducted a data protection impact assessment in relation to each processing operation to understand how processing may affect data subjects. The impact assessment balances the importance to the organisation of the reasons for processing special category personal data and criminal records data with the possible adverse impact on data subjects (for example in relation to intrusion into an individual’s private life and the impact on the duty of trust and confidence between employer and employee).
The impact assessment concluded in each case that processing is necessary and proportionate in light of the other safeguards in place and does not pose a high risk to individuals. This conclusion was endorsed by Conviction’s data protection officer.
Conviction explains to data subjects how special category personal data and criminal records data is used when it collects the data. This information is set out in Conviction’s privacy notices. This policy is also made available to staff through Conviction’s intranet and staff handbook.
Conviction does not use the data for any other purpose and it reviews its processing and policies regularly to ensure that it is not using special category personal data or criminal records data for any other purpose. Conviction will not do anything unlawful with personal data.
Special category personal data and criminal records data are not disclosed to third parties, except in the context of seeking medical advice from the organisation’s occupational health adviser or other advisers who are subject to a professional duty of confidentiality. The organisation complies with the Access to Medical Reports Act 1988 where relevant.
(2) The organisation processes personal data only where the data is adequate, relevant and limited to what is necessary for the purposes of processing.
Conviction collects and retains the minimum amount of information necessary to allow it to achieve the purposes outlined above. The impact assessment carried out in relation to each processing operation involving special category personal data and criminal records data considered data minimisation as a way of reducing the possible adverse impact of processing for individuals.
As noted above, Conviction includes relevant information in privacy notices as to how special category personal data and criminal records data is used and does not use data for any other purpose.
As far as possible, information required for equal opportunities monitoring purposes is kept in an anonymised form. Monitoring forms are kept under review to ensure that the information collected is accurate and not excessive.
As far as possible, Conviction relies on health questionnaires, rather than medical testing, to obtain necessary information. Any medical testing that is carried out is relevant to the purpose for which it is undertaken and is focused on those performing high-risk roles.
Criminal records checks are carried out only for individuals undertaking roles where the organisation is under a legal obligation or regulatory requirement to perform such checks.
All data is reviewed periodically and unnecessary data is deleted.
(3) The organisation keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
Conviction takes reasonable steps to ensure that the personal data that it holds is accurate. Special category personal data and criminal records data is obtained:
- directly from job applicants, employees and other data subjects; or
- from external sources that the organisation is entitled to assume will provide accurate information, such as the Disclosure and Barring Service in the case of criminal records data, or medical professionals in the case of health data.
The organisation keeps a record of the source of all data it collects and data is reviewed periodically and checked for accuracy. Appropriate records are kept of amendments to data.
Conviction will erase or rectify inaccurate data that it holds without delay in accordance with our data protection policy if an individual notifies it that their personal data has changed or is otherwise inaccurate, or if it is otherwise found to be inaccurate. Individuals are reminded to review their data on a regular basis to ensure that it remains up to date.
(4) The organisation keeps personal data only for the period necessary for processing.
Conviction has considered how long it needs to retain special category personal data and criminal records data.
It retains and processes special category personal data for the duration of an individual’s employment or allocation of a service user’s case.
The periods for which special category personal data is retained after the end of employment are as follows:
- Equal opportunities data is kept for a period of six months, after which data is anonymised so that individuals can no longer be identified.
- Racial or ethnic origin data is kept for a period of three years.
- Health data is normally kept for a period of seven years, unless statutory requirements mean that we must keep records for longer than that.
Conviction does not retain criminal records data after the commencement of employment, although it will retain a note on individual HR files indicating that a satisfactory criminal records check was completed prior to the commencement of employment.
At the end of the relevant retention period, Conviction erases or securely destroys special category personal data and criminal records data.
(5) The organisation adopts appropriate measures to make sure that personal data is secure and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
Conviction takes the security of special category personal data and criminal records data seriously. We have internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by staff in the proper performance of their duties. Conviction has analysed the risk presented by processing special category personal data and criminal records data and taken this into account in assessing appropriate security requirements.
Conviction has put appropriate technical and organisation measures in place to meet accountability requirements. These include:
- appointing a data protection officer;
- maintaining appropriate documentation of processing activities, in particular a register of HR-related personal data, including special category personal data and criminal records data;
- adopting and implementing a data protection policy covering HR-related data, which is regularly reviewed; and
- carrying out data protection impact assessments into processing of special category personal data and criminal records data, as outlined in relation to compliance with the first data protection principle above.
Review and retention of policy and provision to Information Commissioner
This policy on processing special category personal data and criminal records data is reviewed annually and, if necessary, amended to ensure that it remains up to date and accurately reflects Conviction’s approach to processing such data.
This policy will be retained by us while special category personal data and criminal records data is being processed and for a period of at least six months after we stop carrying out such processing.
A copy of this policy will be provided on request and free of charge to the Information Commissioner.