As part of the Information Commissioner’s statutory and corporate functions, we process special category data and criminal conviction data. The reasons for this processing include those of substantial public interest, and the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the ICO or the data subject in connection with employment, social security or social protection, and archiving.

For these types of processing we are required to have an appropriate policy in place setting out and explaining our procedures and policies.

Special category data

Special category data is defined at Article 9 GDPR as personal data revealing:

- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health, or
- Data concerning a natural person’s sex life or sexual orientation

Criminal conviction data

Criminal conviction data also includes processing in relation to offences, or related security measures.

Substantial public interest

Under Article 9 (2) (g) GDPR, the ICO may process special category and criminal conviction data where it is necessary for reasons of substantial public interest. This must be carried out on the basis of Union or Member State law which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subjects.


s. 10 (3) Data Protection Act 2018 sets out that the processing meets the requirement in point (g) only if it meets a condition (or purpose) in Part 2 of Schedule 1.

We process for the following purposes in Part 2 of Schedule 1. All processing is for the first listed purpose and might also be for others dependent on the context:

  • Paragraph 6 (1) and (2) statutory and government purposes
  • Paragraph 10 (1) preventing or detecting unlawful acts
  • Paragraph(1) and (2) protecting the public against dishonesty
  • Paragraph 12 (1) and (2) regulatory requirements relating to unlawful acts and dishonesty
  • Paragraph 24 (1) and (2) disclosure to elected representatives

In addition, there are additional processing conditions for criminal convictions set out in Part 3 of Schedule 1.

  • Paragraph 32 personal data in the public domain
  • Paragraph 33 legal claims
  • Paragraph 36 substantial public interest

The measures to safeguard rights and interests of data subjects include the implementation of policies and procedures, reflected in an appropriate policy document.

Employment, social care and social protection

Under Article 9 (2) (b) GDPR, the ICO may process special category data and criminal convictions where it is necessary for purposes of carrying out obligations and exercising specific rights of the controller or data subject in the field of employment, social security and social protection law. This must be carried out on the basis of union or Member State law or a collective agreement providing for appropriate safeguards for the fundamental rights and the interest of the data subject.

s. 10 (2) Data Protection Act 2018 sets out that the processing meets the requirement in point (b) only if it meets a condition (or purpose) in Part 2 of Schedule 1.

We process for the following purposes in Part 2 of Schedule 1. All processing is for the first listed purpose and might also be for others dependent on the context:

  • paragraph 6 (1) and (2) statutory and government purpose
  • paragraph 8 equality of opportunity or treatment
  • paragraph 9 racial or ethnic diversity at senior levels of organisation
  • paragraph 10 (1) preventing or detecting unlawful acts
  • paragraph 11 protecting the public against dishonesty
  • paragraph 12 (1) and (2) regulatory requirements relating to unlawful acts and dishonesty
  • paragraph 16 support for individuals with a particular disability or medical condition
  • paragraph 21 occupational pensions
  • paragraph 24 (1) and (2) disclosure to elected representatives

In addition, there are additional processing conditions for criminal convictions set out in Part 3 of Schedule 1.

  • Paragraph 32 personal data in the public domain
  • Paragraph 33 legal claims

The measures to safeguard rights and interests of data subjects include the implementation of policies and procedures, reflected in an appropriate policy document.

Archiving

Under Article 9 (2) (j) GDPR, the ICO may process special category data and criminal convictions where it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

s. 10 (2) Data Protection Act 2018 sets out that the processing meets the requirement in point (j) only if it meets a condition (or purpose) in Part 2 of Schedule 1.

We process for the following purposes in Part 2 of Schedule 1. All processing is for the first listed purpose and might also be for others dependent on the context:

  • paragraph 6 (1) and (2) statutory and government purposes

The measures to safeguard rights and interests of data subjects include the implementation of policies and procedures, reflected in an appropriate policy document.

The following describes the measures we take to comply with the data protection principles in relation to these categories of personal data.

The first data protection principle ‘lawful, fair and transparent’

Processing personal data must be lawful, fair and transparent. It is only lawful if and to the extent it is based on law and either the data subject has given their consent for the processing, or the processing meets at least one of the conditions in Schedule 1. We provide clear transparency information to all those who provide personal data to us.

Our processing for purposes of substantial public interest satisfies the first Schedule 1 condition in that the processing is necessary for the exercise of a function conferred on the ICO by the legislation for which we act as a regulator e.g. Data Protection Act 2018. We act as a regulator in order to protect the fundamental rights and freedoms of natural persons in relation to processing as set out in Article 51 GDPR.

In circumstances where we seek consent, we make sure:

  • The consent is unambiguous
  • The consent is given by an affirmative action
  • The consent is recorded as the condition for processing

The second data protection principle ‘specified, explicit and legitimate purposes’

We process personal data for purposes of substantial public interest. These are where the processing is necessary for the ICO to fulfil its statutory functions, where it is necessary for complying with or assisting another to comply with a regulatory requirement to establish whether unlawful or improper conduct has occurred, for protecting the public from dishonesty, for preventing or detecting unlawful acts, or for disclosure to elected representatives.

We are authorised by law to process personal data for these purposes. We may process personal data collected for any one of these purposes (whether by us or another controller), for any of the other purposes here, or for our law enforcement purposes, providing the processing is necessary and proportionate to that purpose.

If we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose.

We will not process personal data for purposes incompatible with the original purpose it was collected for.

The third data protection principle ‘adequate, relevant and not excessive’

We collect personal data necessary for the relevant purposes and ensure it is not excessive. The information we process is necessary for and proportionate to our purposes. Where personal data is provided to us or obtained by us but is not relevant to our stated purposes, we will erase it.

The fourth data protection principle ‘accurate and up to date’

Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, we will document our decision.

The fifth data protection principle ‘kept for no longer than necessary’

We retain information processed for the periods set out in the corporate retention schedule.

The sixth data protection principle ‘appropriate security’

Electronic information is processed within our secure network. Hard copy information is processed within our secure premises.

Our electronic systems and physical storage have appropriate access controls applied.

The systems we use to process personal data allow us to erase or update personal data at any point in time.

This policy satisfies the requirements of Schedule 1, Part 4 and is therefore an appropriate policy document in support of our compliance with the requirements of Articles 9 and 10 GDPR.

This policy will be reviewed annually or revised more frequently if necessary.