Appropriate Policy Document (APD)
Our processing of special categories of personal information and criminal offence data policy document
Introduction and scope
This document serves as our Appropriate Policy Document (‘APD’) which is required to set out and explain our procedures for securing compliance with data protection principles and policies, including the retention and erasure of such personal data in respect of our processing of special category and criminal offence data.
As part of our statutory, corporate and public task functions, Nottinghamshire County Council processes special category data and criminal offence data in accordance with the requirements of:
- Articles 9 and 10 of the UK General Data Protection Regulation (‘UK GDPR’) and
- Schedule 1 of the Data Protection Act 2018 (‘DPA 2018’).
Some Schedule 1 conditions for processing special category and criminal offence data require us to have an APD in place.
This document explains our processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018.
Special category data
Special category data is defined at Article 9 of the UK GDPR as personal data revealing:
- Racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data.
- Biometric data for the purpose of uniquely identifying a natural person.
- Data concerning health.
- Data concerning a natural person’s sex life or sexual orientation.
Criminal offence data
Criminal offence data is described at Article 10(1) of the UK GDPR as any personal data relating to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.
Conditions for processing Special Category data
We process special categories of personal data under the following Articles of the UK GDPR:
- Article 9(2)(a) explicit consent for one or more specified purposes.
- Article 9(2)(b) employment and social security and social protection.
- Article 9(2)(c) protect the vital interests of the data subject.
- Article 9(2)(f) legal claims or judicial acts.
- Article 9(2)(g) reasons of substantial public interest.
- Article 9(2)(h) health or social care (with a basis in law).
- Article 9(2)(i) public health (with a basis in law).
- Article 9(2)(j) archiving, research or statistics.
Where we are processing special category data under the following UK GDPR Articles, we also rely on the lawful conditions in Schedule 1 of the Data Protection Act 2018 as set out below.
Article 9(2)(b) – employment and social security and social protection. For these purposes, we rely on the condition at Schedule 1 paragraph 1 to the Data Protection Act 2018.
Article 9(2)(g) - reasons of substantial public interest. For these purposes, we rely on the conditions at Schedule 1 Part 2 to the Data Protection Act 2018.
Article 9(2)(h) - health or social care. For these purposes, we rely on the condition at Schedule 1 Part 1 paragraph 2 to the Data Protection Act 2018.
Article 9(2)(i) - public health. For these purposes, we rely on the condition at Schedule 1 Part 1 paragraph 2 to the Data Protection Act 2018.
Article 9(2)(j) – archiving purposes in the public interest. For these purposes, we rely on the condition in Schedule 1 Part 1 paragraph 4 to the DPA 2018.
Conditions for processing criminal offence data
We process criminal offence data under Article 10 of the UK GDPR. For these purposes, we rely on the conditions as appropriate in Schedule 1 Part 3 of the DPA 2018.
Where we are processing criminal offence data for Law Enforcement purposes and under the control of official authority, this processing is covered by Part 3 of the Data Protection Act 2018. Therefore, we are not required to identify a Schedule 1 condition for processing when processing personal data for these purposes.
Procedures for securing compliance
Article 5 of the UK General Data Protection Regulation sets out the data protection principles. These are the council’s procedures for ensuring that we comply with them.
Principle (a): lawfulness, fairness, and transparency
Personal data will be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Nottinghamshire County Council will:
- ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful.
- only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing.
- ensure that data subjects receive full privacy information so that any processing of personal data is transparent. Our privacy notices can be found on our website.
Principle (b): purpose limitation
Personal data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Nottinghamshire County Council will:
- only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in a privacy notice.
- not use personal data for purposes that are incompatible with the purposes for which it was collected. If we do use personal data for a new purpose that is compatible, we will inform the data subject first.
Principle (c): data minimisation
Personal data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Nottinghamshire County Council will only collect the minimum personal data that we need for the purpose for which it is collected. We will ensure that the data we collect is adequate and relevant.
Principle (d): accuracy
Personal data will be accurate and, where necessary, kept up to date.
Nottinghamshire County Council will ensure that personal data is accurate and kept up to date where necessary. We will take particular care to do this where our use of the personal data has a significant impact on individuals.
Principle (e): storage limitation
Personal data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Nottinghamshire County Council will only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data it will be deleted or rendered permanently anonymous.
Principle (f): integrity and confidentiality (security)
Personal data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Nottinghamshire County Council will ensure that there are appropriate organisational and technical measures in place to protect personal data.
Accountability principle
This principle requires that the data controller will be responsible for and be able to demonstrate compliance with the above data protection principles. The council’s Data Protection Officer is responsible for monitoring Nottinghamshire County Council’s compliance with these principles.
Nottinghamshire County Council will:
- ensure that records are kept of personal data processing activities, and that these are provided to the Information Commissioner on request.
- carry out a Data Protection Impact Assessment for any high-risk personal data processing, and consult the Information Commissioner if appropriate.
- ensure that a Data Protection Officer is appointed to provide independent advice and monitoring of the council’s personal data handling, and that this person has access to report to the highest management level of the council and has the resources necessary to carry out the requirements of the role.
- have in place internal policies, procedures and processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law.
Further information
For further information about our compliance with data protection law, please contact us at DPO@nottscc.gov.uk.
Last updated August 2025