Appropriate Policy Document

1. Introduction

As part of the University of Sheffield’s public function as a higher education provider, we process Special Category and Criminal Offence data in accordance with Article 9 of the UK General Data Protection Regulation (UK GDPR) and Schedule 1 of the Data Protection Act (2018) (DPA).

Schedule 1, Part 4 of the DPA requires us to have in place this document, called an ‘Appropriate Policy Document’, when we rely on certain conditions for processing Special Category and Criminal Offence data. This policy will tell you what Special Category and Criminal Offence data we process, our lawful bases (including our schedule 1 condition in the DPA) for processing that data, the purposes for which we process it, and how we ensure compliance with the principles of data protection law provided in Article 5 of the UK GDPR.

We will also tell you how long we will hold the Special Category and Criminal Offence data. Some of the information is already held in other documents on the University of Sheffield website, and we have linked to the relevant documents when it is necessary to do so.


2. Description of the data processed

We process the following types of Special Category and Criminal Offence data:

  • Racial/ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic and biometric data
  • Data concerning health
  • Data concerning sex life or sexual orientation
  • Criminal offence data

3. Schedule 1 DPA 2018 conditions for processing

Below we have listed the Schedule 1 conditions upon which we are relying, and which need to be covered by this document.

  • Schedule 1, Part 1, para 1 (employment and social protection), where the University of Sheffield needs to process Special Category/Criminal Offence data for the purposes of performing its obligations or rights as an employer, or for guaranteeing the social protection of individuals
  • Schedule 1, Part 1, para 6 (statutory purposes), where the University of Sheffield needs to process Special Category/Criminal Offence data to comply with our statutory obligations
  • Schedule 1, Part 2, para 8 (equality of opportunity), where the University of Sheffield needs to process Special Category/Criminal Offence data for the purposes of monitoring equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained
  • Schedule 1, Part 2, para 10 (preventing or detecting unlawful acts), where the University of Sheffield needs to process Criminal Offence data for the purpose of preventing or detecting unlawful acts and obtaining consent would prejudice those purposes, and the processing is necessary for reasons of substantial public interest
  • Schedule 1, Part 2, para 11 (protecting the public from dishonesty), where the University of Sheffield needs to process Criminal Offence data to protect members of the public from malpractice, unfitness, incompetence or mismanagement in the administration of a body or organisation, and obtaining consent would prejudice the exercise of the protective function, and the processing is necessary for reasons of substantial public interest
  • Schedule 1, Part 2, para 12 (Regulatory requirements relating to unlawful acts and dishonesty), where the University of Sheffield needs to process Criminal Offence data to comply with a requirement which involves taking steps to establish whether an individual has committed an unlawful act, or been involved in dishonesty, malpractice or other seriously improper conduct, and the processing is necessary for reasons of substantial public interest
  • Schedule 1, Part 2, para 17 (counselling), where the University of Sheffield needs to process Special Category/Criminal Offence data in order to provide confidential counselling, advice or support, or another similar service provided confidentially, only where, in the circumstances, consent cannot be given by the data subject, cannot be reasonably obtained from the data subject, or where the processing must be carried out without the consent of the data subject because obtaining consent would prejudice the provision of the service, and the processing is necessary for reasons of substantial public interest
  • Schedule 1, Part 2, para 18 (safeguarding), where the University of Sheffield needs to process Special Category/Criminal Offence data in order to protect the physical, mental or emotional well-being of an individual under the age of 18, or over the age of 18 and at risk, only where, in the circumstances, consent cannot be given by the data subject, cannot be reasonably obtained from the data subject, or where the processing must be carried out without the consent of the data subject because obtaining the data subject’s consent would prejudice the provision of the protection, and the processing is necessary for reasons of substantial public interest

4. How we comply with the data protection principles in Article 5 of the UK GDPR

Article 5(2) of the UK GDPR requires Data Controllers to demonstrate how they comply with the data protection principles provided in Article 5(1). This section illustrates the measures we have taken to demonstrate accountability for the personal data we process, and contains details about how we ensure compliance with the principles of the UK GDPR.

4.1 Accountability

We demonstrate our compliance with the data protection principles provided in Article 5 of the UK GDPR through the following measures and documents:

  • We have appointed a Data Protection Officer whose role and responsibilities align with the provisions of Articles 37-39 of the UK GDPR.
  • Our Record of Processing Activities sets out the personal data categories we process, the purposes, the lawful bases under Article 6 and Article 9 UK GDPR including the Schedule 1 DPA 2018 condition, our retention periods for the data, recipients of personal data, any international transfers of data and our means of keeping data secure.
  • Our Privacy Notices explain to individuals how and why their data is processed by the University of Sheffield, what their rights are, and how they can get in touch with our DPO and the ICO.
  • When we routinely and/or regularly share data with third parties, we enter into written agreements with Data Controllers and Data Processors which meet the provisions of Articles 26 and 28 of the UK GDPR respectively.
  • We carry out Data Protection Impact Assessments (DPIAs) for uses of personal data that are likely to result in a risk to individuals’ data protection rights and freedoms.
  • We implement appropriate security measures which are proportionate to the risks associated with the processing.

4.2 Lawful, fair and transparent processing

  • We provide clear and transparent information to individuals about why we process their personal data, including our lawful basis, in our Privacy Notices. This includes information about why we process Special Category and Criminal Offence data.
  • As a public authority, we need to process Special Category Data for the substantial public interest conditions outlined in section 3 of this policy to meet the requirements of legislation such as the Higher Education and Research Act 2017, the Equality Act 2010, the Health and Safety Act 1974, the Counter Terrorism and Security Act 2015, and legislation relating to safeguarding.
  • We process employment data to meet our legal obligations as an employer.

4.3 Purpose limitation

We only process Special Category and Criminal Offence data where it is necessary to do so for specified purposes. We only process Special Category and Criminal Offence data where we have a lawful basis to do so under Articles 6, 9 and 10 UK GDPR and, where required, when we have identified a condition under Schedule 1 DPA 2018.

We will not process any Special Category and Criminal Offence data for purposes which would be incompatible with the purpose for which the data was originally collected.

4.4 Data minimisation

We design our data collection forms and other data collection tools to ensure that we only collect the Special Category or Criminal Offence data necessary to achieve the relevant purpose. Our purposes are set out in our Privacy Notices.

We are satisfied that we collect and retain Special Category and Criminal Offence data only for long enough to fulfil our purposes. We collect enough but no more than we need in accordance with the data minimisation principle, and we only hold Special Category and Criminal Offence data for the period set out in our retention policies.

Our retention schedule sets out the correct disposal action once records containing special category data are no longer required.

4.5 Accuracy

When we identify data which is inaccurate or out of date, having due regard for the purpose for which the data was processed, we will take necessary steps to rectify or erase it without delay. If we decide not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights don’t apply, we will document our decision.

4.6 Storage limitation

Special Category and Criminal Offence data processed by us for the purpose of employment or substantial public interest will be retained for the periods set out in our retention schedule. The retention policy for record categories is determined by our legal and regulatory obligations, and our business requirements. The retention schedule is available to view here: https://www.sheffield.ac.uk/library/records-management-policy-and-guidance

4.7 Security

Electronic data is hosted on a secure network, and on the secure servers of third party cloud storage providers with whom we have contractual agreements. Electronic and hard copy data is managed according to our internal records management policies and procedures.


5. Retention and erasure policies

Our retention period and disposal actions for records containing Special Category Data can be found on our corporate retention schedule here: https://www.sheffield.ac.uk/library/records-management-policy-and-guidance


6. Appropriate Policy review date

This policy will be retained for the duration of the processing, and for a minimum of 6 months thereafter.

The policy will be reviewed annually, or revised more frequently if necessary.


7. Additional Special Category and Criminal Offence data

We also process special category data and criminal offence data where an Appropriate Policy Document is not required, e.g. for archival, research and statistical purposes. In these circumstances we will respect the rights and interests of our data subjects by informing them about the processing in our Privacy Notices.