Division of General Counsel, Governance and Compliance

Source: https://www.sussex.ac.uk/ogs/policies/information/dpa/sc-crim-convictions/apd Parent: https://student.sussex.ac.uk/centre/privacy

Appropriate Policy Document

Special categories of personal data and criminal convictions data\ Appropriate policy document

How we protect special category and criminal convictions data

This ‘appropriate policy document’ sets out how we protect special categories of personal data and criminal convictions data.

We have this document in place to explain the basis on which we process special category and criminal convictions data and to demonstrate that our processing is compliant with principles set out in data protection legislation.

Please see our Glossary of data protection terms and our dedicated page on special categories of personal data and criminal convictions data.

1. The special category and criminal convictions data that we process

A list of the categories of special category data that we process can be found in our Record of Processing Activity

Generally, when we are processing special category or criminal convictions data, it is on the basis that the individual has given explicit consent to the processing. This document sets out the other circumstances where we process such data and the conditions that we rely on under Schedule 1 of the Data Protection Act 2018.

Reference to ‘data’ in the remainder of this document means special category data and / or criminal convictions data.

*Processing is on the basis ofemployment, social security and social protection*We process the data for the purposes of performing or exercising our obligations or rights under employment law, social security law or the law relating to social protection. This includes our health and safety responsibilities as well as other employment rights and obligations. (Schedule 1, Part 1)

*Processing is on the basis of health or social care purposes*We process the data for the purpose of assessing the working capacity of our employees so that we can safeguard their welfare.This means that we can provide any adjustments necessary for our staff and implement any changes advised by our occupational health provider. (Schedule 1, Part 1)

*Processing is on the basis ofresearch*We process the data for the purpose of our research, where such research is in the public interest. (Schedule 1, Part 1)

*Processing is on the basis ofequality of opportunity or treatment*We process certain categories of data for the purposes of monitoring, promoting and maintaining equality of opportunity and treatment of our staff and students, for example, in relation to our Equality Act duties and our work to widen participation in Higher Education. This data is limited to racial or ethnic origin, religious or philosophical beliefs, health and sexual orientation. Most of this data will be collected with the explicit consent of the individual. (Schedule 1, Part 2)

*Processing is on the basis ofpreventing or detecting unlawful acts*This condition applies when we process data about criminal convictions and offences, for example, as part of the recruitment of staff or the admissions process for applicants to certain courses, such as social work or education. We have a duty to do so to safeguard our students, staff and others. (Schedule 1, Part 2)

*Processing is on the basis ofcounselling*If we provide confidential counselling, advice or support to our staff and students, we need to process data. Usually, we will have consent for this purpose but that may not be possible in some instances, for example where the individual cannot give consent. (Schedule 1, Part 2)

*Processing is on the basis ofsafeguarding of children and of individuals at risk*We may need to process data in order to meet our safeguarding responsibilities, for example, to protect an individual at risk from physical, mental or emotional harm. (Schedule 1, Part 2)

*Processing is on the basis ofcriminal convictions and offences data*We process such data with the consent of the individual or, for example, where it is necessary to protect the vital interests of a person, it is necessary for legal proceedings or advice, or it is necessary for reasons of substantial public interest (such as preventing or detecting unlawful acts or safeguarding individuals in relation to discipline proceedings). (Schedule 1, Part 3)

*Processing is on the basis oflegal proceedings*We process such data where it is necessary for obtaining legal advice, or in connection with legal proceedings (including prospective proceedings) or for the purpose of establishing, exercising or defending legal rights. (Schedule 1, Part 3)

2. Accountability

The University has to be able to demonstrate that we are accountable for the personal data we process, that we are responsible for complying with our obligations under data protection legislation, and that we can demonstrate that compliance.

To demonstrate our compliance and accountability we will:

Document our processing activities and keep these records up to date;
Keep a record of personal data breaches;
Have appropriate contractual arrangements in place with organisations that process personal data on our behalf;
Complete a Data Protection Impact Assessment for any high risk personal data processing; and
Implement processes to make sure that personal data is only collected, used or handled in a way that is compliant with data protection legislation.

More detailed information about our processing activities can be found in our Privacy notice and our Record of Processing Activity

3. Procedures for ensuring compliance with the principles

When processing data, we meet the requirements of the data protection principles, as set out in data protection legislation:

Principle 1 - Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.