Article 9(1) of the GDPR prohibits the processing of special categories of personal data unless a condition in Article 9(2) is met, such as for reasons of substantial public interest (see Part 2, Schedule 1 of the DPA 2018). For the SIA, the processing of special categories of personal data (“sensitive processing”) is only permitted where it is necessary for a function conferred by law or for Government purposes and it is necessary for reasons of substantial public interests. There is a further requirement that this condition will only be met if the sensitive processing is carried out in accordance with this policy. SIA staff must therefore have regard to this policy when carrying out sensitive processing on behalf of the authority, when it is acting in its capacity as Controller of the personal data.
Personal data about criminal offences and convictions are dealt with separately in Article 10 of the GDPR. The DPA 2018 provides the processing of such data meets the requirements of Article 10 only if it meets a condition set out in Part 1, 2 or 3 of Schedule 1. Where the processing of such data is carried out in reliance on a condition in Part 1, 2 or 3 of Schedule 1 which requires the controller to have an appropriate policy in place when the processing is carried out, SIA must have regard to this policy.
The purpose of this policy is to explain:
- SIA procedures which are in place to secure compliance with the GDPR data protection principles when relying on substantial public interest conditions in Part 2 of Schedule 1 DPA 2018; and
- Retention and erasure policies concerning the processing of special categories of data on grounds of substantial public interest.
Compliance with data protection principles
a) ‘lawfulness, fairness and transparency’
b) 'purpose limitation’
The SIA only processes personal data when permitted to do so by law. Personal data is collected for explicit and legitimate purposes such as for granting SIA licences and approval to join the Approved Contractor Scheme. Any use of SIA data for a non-SIA function is required to have a specific lawful basis and it must be compatible with data protection obligations; the processing must therefore be proportionate and necessary.
c) 'data minimisation’
Each SIA service has an application form or process to ensure the SIA only collects the information necessary to determine entitlement or deliver services. Data subjects will not be asked to answer questions and provide information that is not required.
Additionally, SIA internal guidance, training and policies require staff to use only the minimum amount of data required to enable specific tasks to be completed.
Where processing is for research and analysis purposes, wherever possible this is done using anonymised or de-identified data sets.
Providing complete and accurate information is required when applying for an SIA licence or to join the Approved Contractor Scheme. Data subjects are required to notify the SIA of relevant changes in their circumstances, such as changes of address or criminal record. Where permitted by law, and when it is reasonable and proportionate to do so, the SIA may check this information with other organisations – for example the Home Office, the Police or HMRC.
If a change is reported by a data subject to one function at the SIA, whenever possible this is also used to update other functions, both to improve accuracy and avoid the data subject having to report the same information multiple times.
e) 'storage limitation’
f) 'integrity and confidentiality’
The SIA has a range of security standards and policies based on industry best practice and government requirements to protect information from relevant threats. We apply these standards whether SIA data is being processed by our own staff, or by a processor on our behalf.
All staff handling SIA information are security cleared and required to complete annual training on the importance of security, and how to handle information appropriately.
In addition to having security guidance and policies embedded throughout SIA business, the SIA also has specialist security, cyber and resilience staff to help ensure that information is protected from risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
How often will this policy document be reviewed?
The SIA will formally review this document on an annual basis.