
Processing of criminal conviction data policy

6. Appropriate policy document and additional safeguards

Schedule 1, Part 4, of the DPA 2018 requires the council to create and maintain an Appropriate Policy Document and keep a Record of Processing Activities in relation to processing of Criminal Conviction Data.

The following statements explain how the council meets the requirements of the Principles from Article 5 of the GDPR in connection with the processing of Criminal Conviction Data.

6.1 Principle 1 - Lawful, fair and transparent

The council will:

Ensure that Criminal Conviction Data is only processed where a lawful basis applies.

Ensure that processing does not take place unless the reason for processing is derived from legal powers granted to the council and it does not infringe data protection legislation or any other law.

Only process personal data fairly and ensure that data subjects are not misled about the purposes of any processing.

Ensure that data subjects receive full privacy information about the processing, unless an exemption applies.

Complete a Data Protection Impact Assessment (DPIA) for any high risk processing involving the use of Criminal Conviction Data. The assessment should be completed by the relevant Information Asset Owner (IAO).

6.2 Principle 2 - Purpose limitation

The council will:

Only process personal data for specific and explicit purposes which will be included within the relevant Privacy Notice, unless an exemption applies.

Not use personal data for purposes that are incompatible with the purposes for which it was collected unless required by law. We will inform data subjects of this change unless a relevant exemption applies or we are required by law not to disclose the new purpose.

Where a council service wishes to use personal data for a different purpose, they should consult IG for advice.

6.3 Principle 3 - Data minimisation

The council will ensure that Criminal Conviction Data processed by the council shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

6.4 Principle 4 - Accuracy

The council will:

Ensure that Criminal Conviction Data is accurate and where necessary kept up to date.

Ensure that data quality is maintained in line with the council's Data Quality Standards.

Ensure that a distinction between the data relating to the below categories of data subjects is made:

Suspects,

Those convicted of criminal offences,

Victims, and

Witnesses or individuals with information about offences.

Personal data based on a personal assessment and opinion (including intelligence) must be distinguished from that which is based on fact.

6.5 Principle 5 - Storage Limitation

All criminal conviction data will be retained in accordance with the council's Records Retention and Disposal Schedule.

6.6 Principle 6 - Security

Information processed for a law enforcement purpose must be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. The council's Information Security Policy sets out the security requirements internally, and the Cyber and Information Management (Procurement) Policy sets out the security requirements for third party suppliers (processors).

The council has a wide range of technical and procedural controls in place, in order to protect the criminal conviction data it processes. These controls are overseen by the council's Information Management & Governance Board and the Senior Information Risk Owner (SIRO), supported by a network of IAOs.

These controls include, but are not limited to:

Mandatory information security training for all staff.

Mandatory acceptance of Information Governance and Acceptable Use policies by all staff.

Encryption of data in transit (i.e. secure email) where appropriate.

Appropriate levels of encryption, firewalls and business continuity arrangements for corporate servers holding personal data. Council hosted systems are located in the UK and accredited to ISO 27001.

Contracts with processors and suppliers that contain appropriate GDPR and data protection clauses.

Role based access for systems holding Criminal Conviction Data.

Corporately-backed data protection by design processes and culture to ensure information security has been considered and implemented, via Data Protection Impact Assessment where appropriate, prior to the processing of personal data.

ID badges to control access to council buildings, which is reinforced by controls to confirm authenticity of badges by machine and by staff.

An established Data Incident procedure, in order to mitigate risk and ensure the council complies with its legal obligations where potential breaches may have occurred.

6.7 Principle 7 - Accountability

The council must be responsible for and demonstrate compliance with these principles. The council will:

Ensure that records are kept of all processing activities involving Criminal Conviction Data (see section 9).

Ensure that IAOs will complete a Data Protection Impact Assessment for any high risk processing involving the use of Criminal Conviction Data.

The council has appointed a Data Protection Officer whose role is to provide independent advice on data protection to the council, and to monitor compliance with relevant Data Protection legislation.
