The Data Protection Act 2018 ("DPA") outlines the requirement for an Appropriate Policy Document (APD) to be in place when processing special category and criminal offence data under certain specified conditions.
The Development Bank of Wales ("DBW", "we", "us", "our") processes special category data and criminal offence data.
For certain conditions related to the processing of these types of data, we are required to have an Appropriate Policy Document in place setting out and explaining our procedures and policies. This policy supplements the DBW Data Protection & Privacy Policies and complies with our obligations under Schedule 1, Part 4 of the Data Protection Act 2018.
This policy applies to the DBW Group and its subsidiaries.
Specific Data Covered by This Document
Special Category Data
DBW processes special category data as defined by Article 9 UK General Data Protection Regulation ("GDPR"), which is personal data revealing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a natural person’s sex life or sexual orientation
Personal data relating to criminal offences (Criminal Offence Data)
In certain circumstances we may also process criminal offence data, which includes processing data about: criminal offences, allegations of offences, legal proceedings, related security measures and information relating to the absence of convictions.
Purposes for Processing
We will process special category data for the following purposes:
Recruitment and employment, assessment of applications submitted to us, safety, security, and legal requirements, answering requests and queries, providing advice, equality and diversity monitoring, safeguarding the economic well-being of data subjects, and protecting vulnerable data subjects from harm.
We rely on several Article 9 conditions of the UK GDPR to process special category data. Not all of these Article 9 conditions require an additional Schedule 1 condition; however, some of them do. The conditions relied upon by us that require an additional Schedule 1 condition to process special category data are listed below:
- (b) Employment, Social Security and Social Protection
- (g) Substantial Public Interest Conditions
Employment, Social Security, and Social Protection
Under Article 9(2)(b) UK GDPR, we may process special category data and criminal offence data where it is necessary for purposes of carrying out obligations and exercising specific rights of the controller or data subject in the field of employment. Examples of this include checking individuals’ entitlement to work in the UK, and ensuring the health, safety, and welfare of our employees. Section 10(2) DPA sets out that the processing meets the above requirement in Article 9(2)(b) only if it meets the conditions set out in Part 1 of Schedule 1 of the DPA.
We process special category data for the following purposes in Part 1 of Schedule 1. Depending on the context, the processing will be required for one or more of the listed purposes below:
- Paragraph 1 (Employment, social security, and social protection)
Substantial Public Interest
Under Article 9(2)(g) UK GDPR, we may process special category data where it is necessary for reasons of substantial public interest. This must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Section 10(3) of the DPA sets out that the processing meets the above requirement in Article 9(2)(g) only if it meets a condition (or purpose) in Part 2 of Schedule 1 of the DPA. Depending on the context, the processing will be required for one or more of the listed purposes below:
- Paragraph 6 (Statutory and Government Purposes)
- Paragraph 8 (Equality of opportunity or treatment)
- Paragraph 9 (Racial and ethnic diversity at senior levels of organisations)
- Paragraph 10 (Preventing or detecting unlawful acts) – only when disclosing or preparing a disclosure of personal data to a competent authority.
- Paragraph 11 (Protecting the Public Against Dishonesty)
- Paragraph 12 (Regulatory Requirements relating to unlawful acts and dishonesty etc.)
- Paragraph 15 (Suspicion of Terrorist Financing and Money Laundering)
- Paragraph 18 (Safeguarding of children and of individuals at risk)
- Paragraph 19 (Safeguarding of economic well-being of certain individuals)
Criminal Offence Data
Under Article 10 UK GDPR, we may process personal data relating to criminal offences, allegations of criminal offences, legal proceedings, and related security measures, where the processing is authorised under UK law providing for appropriate safeguards for the rights and freedoms of data subjects.
Section 10(5) DPA sets out that the processing meets the above requirement in Article 10 UK GDPR only if it meets a condition in Part 1, 2 or 3 of Schedule 1 DPA.
In addition to the relevant conditions in Parts 1 and 2 of Schedule 1 set out above, there are additional processing conditions for criminal offence data set out in Part 3 of Schedule 1, of which we rely on the following:
- Paragraph 29 (Consent)
- Paragraph 32 (Personal Data in the Public Domain)
- Paragraph 33 (Legal Claims)
- Paragraph 36 (Extension of Part 2 Conditions relating to Substantial Public Interest)
How we comply with the Data Protection Principles
In accordance with the accountability principle, DBW maintains records of processing activities under Article 30 of the UK GDPR and section 61 of the DPA 2018. We carry out data protection impact assessments where appropriate in accordance with Articles 35 and 36 of the UK GDPR to ensure data protection by design and default.
DBW ensures compliance with the data protection principles set out in Article 5 of the UK GDPR as follows:
Principle 1 – Lawfulness, Fairness and Transparency
Processing personal data must be lawful, fair, and transparent. It is only lawful if and to the extent it is based on law and either the data subject has given their consent for the processing, or the processing meets at least one of the conditions in UK GDPR or DPA. We provide clear transparency information (privacy notices) to all those who provide personal data to us, stating the lawful basis for processing and providing the purposes for processing the different types of special category personal data and criminal offence data where these relate to Schedule 1 of the DPA.
In circumstances where we seek consent, we make sure that:
- The consent is unambiguous
- The consent is given by an affirmative action
- The consent is recorded as the condition for processing
Principle 2 – Purpose Limitation
The purposes for which we process special category and criminal offence data where an appropriate policy document is required are detailed above. We may process personal data collected for any one of these purposes, providing the processing is necessary and proportionate to that purpose. If we are sharing data with another controller, we will document that they are legitimately processing the data for their purpose. We will not process personal data for purposes which are incompatible with the original purpose for which it was collected.
Principle 3 – Data Minimisation
We collect personal data necessary for the relevant purposes and ensure it is not excessive. The information we process is necessary for and proportionate to our purposes. Where we become aware that personal data provided to us or obtained by us is not relevant to our stated purposes, we will erase it.
Principle 4 – Accuracy
Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, we will document our decision.
Principle 5 – Storage Limitation
Principle 6 – Integrity and Confidentiality (Security)
Electronic information is processed within our secure network or managed by suppliers on solutions that have been security accredited. Hard copy information is processed within our secure premises. Our electronic systems and physical storage have appropriate access controls applied. The measures to safeguard the rights and interests of data subjects include the implementation of policies and procedures, among them:
- Acceptable Use Policy
- Data Protection Policy
- Information Security Policy
- Physical Security Policy
- CCTV Policy
- Business Continuity Policy
Principle 7 – Accountability
To fulfil the accountability principle, DBW maintains records of processing activities under Article 30 of the UK GDPR and section 61 of the DPA 2018. We carry out data protection impact assessments where appropriate in accordance with Articles 35 and 36 of the UK GDPR to ensure data protection by design and default.
DBW has an appointed Data Protection Officer who reports directly to our highest management level, and we regularly review our accountability measures and update or amend them when required.
This document will be reviewed and periodically updated.