As part of the our corporate functions, we process special category data in accordance with the requirements of Article 9 of the General Data Protection Regulation (‘GDPR’).
Special category data
Special category data is defined at Article 9 GDPR as personal data revealing:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data for the purpose of uniquely identifying a natural person;
- Data concerning health; or
- Data concerning a natural person’s sex life or sexual orientation.
This policy document
This policy document provides some further information about our processing of special category and criminal offence data where a policy document isn’t a specific requirement. The information supplements our privacy notice.
Conditions for processing special category data
We process special categories of personal data under the following GDPR Articles:
- Article 9(2)(a) – explicit consent
In circumstances where we seek consent, we make sure that the consent is unambiguous and for one or more specified purposes, is given by an affirmative action and is recorded as the condition for processing.
Description of data processed
We process the special category data about our service users that is necessary to fulfil the service we provide to them. This includes information about their health and wellbeing, ethnicity, sexual orientation and sex life. Further information about this processing can be found in our privacy notice.
We also maintain a record of our processing activities in accordance with Article 30 of the GDPR.
Procedures for ensuring compliance with the principles
We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:
- The appointment of a data protection officer who reports directly to our highest management level.
- Taking a ‘data protection by design and default’ approach to our activities.
- Maintaining documentation of our processing activities.
- Adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors.
- Implementing appropriate security measures in relation to the personal data we process.
- Carrying out data protection impact assessments for our high risk processing.
We regularly review our accountability measures and update or amend them when required.
Principle (a): lawfulness, fairness and transparency
Processing personal data must be lawful, fair and transparent. It is only lawful if and to the extent it is based on law and either the data subject has given their consent for the processing, or the processing meets at least one of the conditions in Schedule 1.
We provide clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notice and this policy document.
Principle (b):data minimisation
We collect personal data necessary for the relevant purposes and ensure it is not excessive. The information we process is necessary for and proportionate to our purposes. Where personal data is provided to us or obtained by us, but is not relevant to our stated purposes, we will erase it.
Principle (c): integrity and confidentiality (security)
Electronic information is processed within our secure network. No hard copies are retained.
Our electronic systems have appropriate access controls applied.
The systems we use to process personal data allow us to erase or update personal data at any point in time where appropriate.
APD review date
This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.
This policy will be reviewed annually or revised more frequently if necessary.