Special Category data and Criminal Conviction Personal data (The Appropriate Policy Document)

Introduction  

1. This Appropriate Policy Document is produced in accordance with the obligations of the Dawn Sturgess Inquiry (‘the Inquiry’) under the UK General Data Protection Regulation and the Data Protection Act 2018. It should be read alongside the Inquiry’s Privacy Notice.  It is intended to set out how the Inquiry will process special category and criminal convictions personal data.  

2. The Data Protection Act 2018 defines special category data as that which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. 

3. This document is intended to meet the requirement at paragraph 5 of Schedule 1 to the Data Protection Act 2018 that an appropriate policy document be in place where the processing of special category personal data is necessary for reasons of substantial public interest.  

4. Article 9(1) of the UK General Data Protection Regulation prohibits the processing of special categories of personal data unless a condition in Article 9(2) is met. The conditions under which such processing may take place are contained within Schedule 1 of the Data Protection Act 2018.  

5. This Inquiry will process special category and conviction data under paragraph 6 of Schedule 1 to the Data Protection Act 2018:  

Statutory etc and government purposes  

6(1) This condition is met if the processing—  

(a) is necessary for a purpose listed in sub-paragraph (2), and  

(b) is necessary for reasons of substantial public interest 

6(2) Those purposes are—  

(a) the exercise of a function conferred on a person by an enactment or rule of law;

(b) the exercise of a function of the Crown, a Minister of the Crown or a government department 

6. In processing special category data, the Inquiry is exercising a function conferred by enactment – the Inquiries Act 2005 – and is doing so for reasons of substantial public interest.  

7. There is a further requirement that this condition will only be met if the processing of special category data and criminal conviction data is carried out in accordance with this policy. Inquiry team members must therefore have regard to this policy when carrying out the processing of such material on behalf of the Inquiry.  

Purposes of data collection  

8. As noted above, the Inquiry is exercising statutory functions in the public interest under the Inquiries Act 2005. The Inquiry is investigating those matters set out in its Terms of Reference. The Inquiry will need to collect and process personal information to carry out its investigation, conduct hearings and discharge its duties under the Inquiries Act 2005. Personal information is used by the Inquiry in several ways – for example, to gather evidence as part of the Inquiry’s investigations, to manage Inquiry staff and to communicate with the public. Personal information may be used by the Inquiry to comply with contracts that the Inquiry has entered into. Personal information may also be contained in the Report of the Inquiry, which will be published at its conclusion.  

Assuring compliance  

9. Article 5 of the UK General Data Protection Regulation sets out the six data protection principles. These are the Inquiry’s procedures for ensuring that we comply with them.  

Principle 1 Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.  

The Inquiry will:  

  • ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful. The lawfulness of the Inquiry’s processing is derived from its official functions as a statutory inquiry under the Inquiries Act 2005 
  • take responsibility for complying with the UK GDPR, at the highest management level and throughout our organisation, overseen by an experienced data protection officer 
  • only process personal data fairly and ensure that data subjects are not misled about the purposes of any processing. The Inquiry has published details about the way in which it will process personal data in its Privacy Notice and in this document 
  • adopt and implement a data protection policy that underpins data protection by design, ensuring that all personal data is protected by appropriate measures throughout its lifecycle 
  • put additional technical and organisational measures in place for special category data 
  • document and monitor our data processing activities, through the use of data protection impact assessments and related documentation, and through regular audits of higher risk processes 
  • review our accountability measures at least once per year, and provide transparency around the Inquiry’s data processing by publishing an updated Privacy Notice and Appropriate Policy Document on the Inquiry’s website 

Principle 2 Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes  

The Inquiry will:  

  • only process personal data where it is permitted to do so by law, under the lawful bases set out at paragraph 5. It will only collect personal data for specified, explicit and legitimate purposes, and has informed data subjects what those purposes are in a published Privacy Notice 
  • not use personal data for purposes that are incompatible with the purposes for which it was collected (unless doing so is permitted by the relevant legislation) 

Principle 3 Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.  

The Inquiry will:  

  • not ask for personal information that is not potentially required, or potentially necessary for the Inquiry to deliver its terms of reference 
  • only collect and/or disclose the minimum personal data that it needs for the purpose for which it is collected and/or disclosed 
  • ensure that the data it collects is adequate and relevant 
  • periodically review the information we hold and delete data that is no longer needed 

Principle 4 Personal data shall be accurate and, where necessary, kept up to date.  

The Inquiry will:  

  • ensure that personal data is accurate and kept up to date where necessary and take particular care to do this where its use of the personal data has a significant impact on individuals 
  • ask data subjects to notify the Inquiry of relevant changes to their circumstances, such as a change of address  
  • maintain a record of mistakes or requests for data rectification 

Principle 5 Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.  

The Inquiry will:  

  • Ensure we know what personal data we hold 
  • Document our reasons for holding it, how long we need to keep it for and why 
  • Be transparent about how long we keep information, by publishing details in our Privacy Notice 
  • Clearly identify any personal data that we need to keep for public interest archiving 

Principle 6 Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.  

The Inquiry will ensure that:  

  • personal data is shared only with those who are required to see it as part of their role or as part of the legal process of the Inquiry. This may include individuals or bodies who the Inquiry considers it necessary to pass information to for the purpose of further investigation in line with its terms of reference. The Inquiry will in each case consider whether the processing or disclosure of such data is necessary for its proceedings and functioning 
  • any third party processing data on the Inquiry’s behalf also has appropriate organisational and technical measures in place to protect Inquiry data 
  • appropriate organisational and technical measures are in place to protect personal data. These include implementing an information security policy, using encryption of data during transit, and following robust redaction processes that govern the protection of personal data when being shared, published or archived. These processes ensure that only personal data necessary for the Inquiry’s performance of its functions will be disclosed outside the Inquiry or to those instructed by the Inquiry 
  • we review our information security policies and measures at least annually and, where necessary, improve them 

The Accountability principle  

The data controller, who is the Chair of the Inquiry, shall be responsible for, and be able to demonstrate compliance with, these principles. The Inquiry will:  

  • ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request  
  • carry out a Data Protection Impact Assessment for any high-risk personal data processing, and consult the Information Commissioner if appropriate  
  • appoint a Data Protection Officer to provide independent advice and monitoring of the Inquiry’s personal data handling, and ensure that this person has access to the Chair and Secretary of the Inquiry  
  • have in place internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law  

Data controller’s policies as regards retention and erasure of personal data  

The Inquiry will ensure, where special category or criminal convictions personal data is processed, that:  

  • there is a record of that processing, and that that record will set out, where possible, the envisaged time limits for erasure of the different categories of data  
  • where it no longer requires special category or criminal convictions personal data for the purpose for which it was collected, it will delete it or render it permanently anonymous  
  • data subjects receive (via the privacy notice) full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period