(special categories of personal data and criminal convictions data)
1. About this policy
1.1 This is the "appropriate policy document" for Twelve Oaks, setting out how we will protect Special Categories of Personal Data and Criminal Convictions Data.
1.2 This policy supports our data protection policy in force from time to time.
1.3 This document meets the requirement of the Data Protection Act 2018 that an appropriate policy document be in place where we Process Special Categories of Personal Data and Criminal Convictions Data in certain circumstances.
2. Definitions
2.1 Controller: the person or organisation that determines when, why and how to Process Personal Data.
2.2 Criminal Convictions Data: personal data relating to criminal convictions and offences, including Personal Data relating to criminal allegations and proceedings.
2.3 Data Retention Policy: explains how the organisation classifies and manages the retention and disposal of its information. Retention periods are available on request and are set out in any retention policy in force from time to time.
2.4 Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
2.5 Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce the risks of a data Processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the Processing of Personal Data.
2.6 DPA 2018: the Data Protection Act 2018.
2.7 Data Protection Officer (DPO): the person required to be appointed in specific circumstances under the UK GDPR. Where a mandatory DPO has not been appointed, this term means a data protection manager or other voluntary appointment of a DPO, or refers to the organisation's data privacy team with responsibility for data protection compliance.
2.8 UK GDPR: the retained EU law version of the General Data Protection Regulation ((EU) 2016/679).
2.9 Personal Data: any information identifying a Data Subject, or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably possess. Personal Data includes Special Categories of Personal Data.
2.10 Privacy Notice: a separate notice setting out information that may be provided to Data Subjects when the organisation collects information about them.
2.11 Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
2.12 Special Categories of Personal Data: any information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, or biometric or genetic data.
3. Why we Process Special Categories of Personal Data and Criminal Convictions Data
3.1 We Process Special Categories of Personal Data and Criminal Convictions Data for the following purposes:
(a) assessing an employee's fitness to work;
(b) complying with health and safety obligations;
(c) complying with the Equality Act 2010;
(d) checking applicants' and employees' right to work in the UK;
(e) verifying that candidates are suitable for employment or continued employment; and
(f) verifying that candidates are suitable for introductions to hirers as part of our recruitment business model.
4. Personal data protection principles
4.1 The UK GDPR requires personal data to be processed in accordance with the six principles set out in Article 5(1). Article 5(2) requires controllers to be able to demonstrate compliance with Article 5(1).
4.2 We comply with the principles relating to Processing of Personal Data set out in the UK GDPR, which require Personal Data to be:
(a) Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency);
(b) collected only for specified, explicit and legitimate purposes (Purpose Limitation);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation);
(d) accurate and, where necessary, kept up to date (Accuracy);
(e) not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation); and
(f) Processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
4.3 We are responsible for, and must be able to demonstrate compliance with, the data protection principles listed above (Accountability).
5. Compliance with data protection principles
Lawfulness, fairness and transparency
5.1 Personal Data must be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
5.2 We will only Process Personal Data fairly and lawfully and for specified purposes. The UK GDPR restricts our actions regarding Personal Data to specified lawful purposes. We can Process Special Categories of Personal Data and Criminal Convictions Data only if we have a legal ground for Processing and one of the specific Processing conditions relating to Special Categories of Personal Data or Criminal Convictions Data applies. We will identify and document the legal ground and specific Processing condition relied on for each Processing activity.
5.3 When collecting Special Categories of Personal Data and Criminal Convictions Data, either directly from Data Subjects or indirectly (for example from a third party or publicly available source), we will provide Data Subjects with a Privacy Notice setting out all the information required by the UK GDPR. The Privacy Notice will be concise, transparent, intelligible, easily accessible and written in clear and plain language which can be easily understood.
| Category of data | Lawful Processing basis | Processing condition for Special Categories of Personal Data |
|---|---|---|
| Data concerning health | Compliance with a legal obligation (Article 6(1)(c)) or necessary for the performance of a contract with the Data Subject (Article 6(1)(b)). | Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the Controller or the Data Subject in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.) |
| Racial or ethnic origin data | Compliance with a legal obligation (Article 6(1)(c)). | Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the Controller or the Data Subject in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.) |
| Criminal Convictions Data | Compliance with a legal obligation (Article 6(1)(c)). | Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the Controller or the Data Subject in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.) |
| Equal opportunity data | In the organisation's legitimate interests (Article 6(1)(f)) which are not outweighed by the fundamental rights and freedoms of the Data Subject. | Necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category, with a view to enabling such equality to be promoted or maintained. (Paragraph 8(1)(b), Schedule 1, DPA 2018.) |
Purpose limitation
5.4 Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.
5.5 We will only collect Personal Data for specified purposes and will inform Data Subjects what those purposes are in a published Privacy Notice. If we use Personal Data for a new compatible purpose, we will inform the Data Subject first.
Data minimisation
5.6 Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
5.7 We will only collect or disclose the minimum Personal Data required for the purpose for which the data is collected or disclosed. We will ensure that we do not collect excessive data and that the Personal Data collected is adequate and relevant for the intended purposes.
Accuracy
5.8 Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
5.9 We will ensure that the Personal Data we hold and use is accurate, complete, kept up to date and relevant to the purpose for which we collected it. We check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. We take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
Storage limitation
5.10 We only keep Personal Data in an identifiable form for as long as is necessary for the purposes for which it was collected, or where we have a legal obligation to do so. Once we no longer need Personal Data, it shall be deleted or rendered permanently anonymous.
5.11 We maintain a Data Retention Policy and related procedures to ensure Personal Data is deleted after a reasonable time has elapsed for the purposes for which it was being held, unless we are legally required to retain that data for longer.
5.12 We will ensure Data Subjects are informed of the period for which data is stored, and how that period is determined, in any applicable Privacy Notice.
Security, integrity, confidentiality
5.13 Personal Data shall be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
5.14 We will implement and maintain reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of or damage to Personal Data.
Accountability principle
5.15 We are responsible for, and able to demonstrate, compliance with these principles. Our DPO is responsible for ensuring that we are compliant with these principles. Any questions about this policy should be submitted to the DPO.
5.16 We will:
(a) Ensure that records are kept of all Personal Data Processing activities, and that these are provided to the Information Commissioner on request.
(b) Carry out a DPIA for any high-risk Personal Data Processing to understand how the Processing may affect Data Subjects, and consult the Information Commissioner if appropriate.
(c) Ensure that a DPO is appointed to provide independent advice and monitoring of Personal Data handling, and that the DPO has access to report to the highest management level.
(d) Have internal processes to ensure that Personal Data is only collected, used or handled in a way that is compliant with data protection law.
6. Controller's policies on retention and erasure of personal data
6.1 We take the security of Special Categories of Personal Data and Criminal Convictions Data very seriously. We have administrative, physical and technical safeguards in place to protect Personal Data against unlawful or unauthorised Processing, or accidental loss or damage. We will ensure, where Special Categories of Personal Data or Criminal Convictions Data are Processed, that:
(a) The Processing is recorded, and the record sets out, where possible, a suitable time period for the safe and permanent erasure of the different categories of data in accordance with our Data Retention Policy.
(b) Where we no longer require Special Categories of Personal Data or Criminal Convictions Data for the purpose for which it was collected, we will delete it or render it permanently anonymous as soon as possible.
(c) Where records are destroyed, we will ensure that they are safely and permanently disposed of.
6.2 Data Subjects receive a Privacy Notice setting out how their Personal Data will be handled when we first obtain their Personal Data. This will include the period for which the Personal Data will be stored or, if that is not possible, the criteria used to determine that period. The Privacy Notice applicable to candidates we put forward to hirers is also available on our website, and our staff privacy notice is given to staff by HR.
7. Review
7.1 This policy on Processing Special Categories of Personal Data and Criminal Convictions Data is reviewed annually.
7.2 The policy will be retained while we Process Special Categories of Personal Data and Criminal Convictions Data and for a period of at least six months after we stop carrying out such Processing.
7.3 A copy of this policy will be provided to the Information Commissioner on request and free of charge.
Dated: 14/10/2025
Review date: 14/10/2025
Next review: 14/10/2026
8. Further information
For further information about our compliance with data protection law, please contact our data protection manager at info@twelveoakstuition.co.uk.