As part of the NHS Business Services Authority (NHSBSA) statutory and corporate functions, we process special category data and criminal offence data in accordance with the requirements of Article 9 and 10 of the General Data Protection Regulation (‘UK GDPR’) and Schedule 1 of the Data Protection Act 2018 (‘DPA 2018’).
Special category data
Special category data is defined at Article 9 of the UK GDPR as personal data revealing:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data for the purpose of uniquely identifying a natural person;
- Data concerning health; or
- Data concerning a natural person’s sex life or sexual orientation.
Criminal offence data
Article 10 of the UK GDPR covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.
This policy document
Some of the Schedule 1 DPA 2018 conditions for processing special category and criminal offence data require us to have an Appropriate Policy Document (‘APD’) in place, setting out and explaining our procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data.
This document explains our processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018.
In addition, it provides some further information about our processing of special category and criminal offence data where a policy document isn’t a specific requirement. The information supplements our privacy notice and staff privacy notice.
Lawful basis for Processing
As part of the NHSBSA’s statutory and corporate functions, we process special category and criminal offence data under:
- Article 6(1)(a) where the data subject has given consent to the processing
- Article 6(1)(b) where the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Article 6(1)(c) where the processing is necessary for compliance with a legal obligation to which the NHSBSA is subject;
- Article 6(1)(d) where the processing is necessary in order to protect the vital interests of the data subject or of another person;
- Article 6(1)(e) where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the NHSBSA;
- Article 6(1)(f) where the processing is necessary for the purposes of the legitimate interests
Conditions for processing special category and criminal offence data
We process special categories of personal data under the following of the UK GDPR Articles:
- Article 9(2)(a) – where the data subject has given explicit consent to the processing;
- Article 9(2)(b) – where processing is necessary for the purposes of employment, social security and social protection law;
- Article 9(2)(c) – where the processing is necessary in order to protect the vital interests of the data subject or of another person;
- Article 9(2)(f) – where the processing is necessary for the establishment, exercise or defence of legal claims;
- Article 9(2)(g) – where the processing is necessary for reasons of substantial public interest;
- Article 9(2)(h) – where the processing is necessary for reasons for health or social care.
Processing which requires an Appropriate Policy Document
The following Article 9 lawful basis for processing require an appropriate document:
- Article 9(2)(b) Employment, social security and social protection law; and
- Article 9(2)(g) Substantial public interest
Almost all the substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018, plus the condition for processing employment, social security and social protection data, require an APD (see Schedule 1 paragraphs 1 and 5 of the DPA 2018).
This section of the policy is the APD for the NHSBSA. It demonstrates that the processing of special category (‘SC’) and criminal offence (‘CO’) data based on these specific Schedule 1 conditions is compliant with the requirements of the UK GDPR Article 5 principles. It outlines our retention policies with respect to this data.
Schedule 1 conditions for processing
Special category data
We process SC data for the following purposes in Part 1 of Schedule 1:
- Paragraph 1 employment, social security and social protection.
- Paragraph 2 health and social care purposes
We process SC data for the following purposes in Part 2 of Schedule 1. All processing is for the first listed purpose and might also be for others dependent on the context:
- Paragraph 8 equality of opportunity or treatment
- Paragraph 10 preventing or detecting unlawful acts
- Paragraph 11 protecting the public against dishonesty
- Paragraph 12 regulatory requirements relating to unlawful acts and dishonesty
- Paragraph 14 preventing fraud
- Paragraph 18 safeguarding children and individuals at risk
- Paragraph 21 occupational pensions
Criminal offence data
We process criminal offence data for the following purposes in Parts 1 and 2 of Schedule 1
- Paragraph 1 employment, social security and social protection
- Paragraph 10 preventing or detecting unlawful acts
- Paragraph 11 protecting the public against dishonesty
- Paragraph 12 regulatory requirements relating to unlawful acts and dishonesty
- Paragraph 14 preventing fraud
Accountability principle
We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:
- The appointment of a Data Protection Officer.
- Taking a ‘data protection by design and default’ approach to our activities.
- Maintaining a record of our processing activities under Article 30 of the UK GDPR.
- Adopting and implementing data protection policies and ensuring we have written data processing agreements in place with our data processors.
- Implementing appropriate security measures in relation to the personal data we process.
- Carrying out Data Protection Impact Assessments (DPIAs) for our high-risk processing.
- Provide advice and monitoring of the NHSBSA’s personal data handling.
We regularly review our accountability measures and update or amend them when required.
Principle (a): lawfulness, fairness and transparency
Processing personal data must be lawful, fair and transparent.
The NHSBSA will:
- Ensure personal data is only processed where a lawful basis has been identified and where processing is otherwise lawful.
- Process personal data fairly and ensure transparency with data subjects regarding the purposes of any processing.
- Ensure a process for the completion and assessment of DPIAs including review where changes to processing occur.
- Provide clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notice, staff privacy notice and this policy document.
Principle (b): purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with the purpose.
The NHSBSA will:
- Collect personal data for specified, explicit and required purposes and will inform data subjects what those purposes are in a privacy notice.
- Not use personal data for purposes incompatible with the purposes for which it was collected or where a statutory basis exists.
- Ensure any changes to the processing of data are considered through a thorough DPIA process.
- When we share special category data, sensitive data or criminal offence data with another controller, processor or jurisdiction, we will ensure that the data transfers are compliant with relevant laws and regulations and use appropriate international data mechanisms, data sharing agreements and contracts.
Principle (c): data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
The NHSBSA will:
- Only collect and use the minimum personal data that is needed for the purposes for which it is collected (i.e., ‘Data minimisation’) and ensure it is not excessive.
- Ensure processes are in place to have assurances that the personal data we collect is adequate and relevant.
- Where personal data is provided to us or obtained by us, but is not relevant to our stated purposes, we will erase it.
Principle (d): accuracy
Personal data shall be accurate and where necessary, kept up to date.
The NHSBSA will:
- Ensure processes are in place so that personal data is accurate and kept up to date where necessary.
- Carry out data quality exercises as part of standard practice.
- Include data accuracy clauses within agreements and contracts with other organisations where data sharing takes place.
- Have processes in place to manage the rectification of data errors in records.
Principle (e): storage limitation
Personal data shall be kept in a form which permits identification of data subjects no longer than necessary, or required legally, for purposes for which the personal data is processed.
The NHSBSA will:
- Keep personal data in identifiable form for as long as necessary for purposes for which it is collected or where we have a legal obligation to do so.
- All personal data will be retained in accordance with our retention schedule.
Principle (f): integrity and confidentiality (security)
Personal data be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using the appropriate technical or organisational measures.
The NHSBSA will:
- Ensure there are appropriate technical and organisational measures in place to protect personal data.
- Ensure that guidance is available for staff on the requirement of Data Protection Impact Assessments.
- Ensure that annual training is available in relation to data protection and confidentiality.
- Restrict access to personal data to only those individuals who need access for their role.
- Carry out due diligence on third party organisations we work with who may be involved in the processing of personal data, and ensure appropriate contracts are in place.
- Have appropriate data protection policies and procedures in place.
- Ensure electronic information is processed within our secure network. Hard copy information is processed in line with our security procedures.
- Our electronic systems and physical storage have appropriate access controls applied.
- The systems we use to process personal data allow us to erase or update personal data at any point in time where appropriate.
- Submit the annual submission of the Data Security and Protection Toolkit (DSPT) which ensures compliance with the National Cyber Security Centre’s Cyber Assessment Framework (CAF).
Retention and erasure policies
We will only retain personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal or reporting requirements; this includes any legal holds on the destruction of records that are subject to a Public Inquiry, such as the covid-19 Inquiry for example.
To determine the appropriate retention period for personal data, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which the data was processed and whether we can achieve those purposes through other means, and the applicable legal requirements will be considered.
Our retention periods are set out in our retention schedule.
Additional special category processing
We process special category personal data in other instances where it is not a requirement to keep an appropriate policy document. Our processing of such data respects the rights and interests of the data subjects. We provide clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notices and staff privacy notice.