Appropriate Policy Document (APD)
Special category and criminal conviction personal data
Introduction and scope
As part of our statutory, corporate and public task functions, we process special category data and criminal convictions data in accordance with the requirements of:
- Articles 9 and 10 of the UK General Data Protection Regulation (‘UK GDPR’) and
- Schedule 1 of the Data Protection Act 2018 (‘DPA 2018’).
Some Schedule 1 conditions for processing special category and criminal offence data require us to have an Appropriate Policy Document (‘APD’) in place. This sets out and explains our procedures for securing compliance with the principles in Article 5 UK GDPR, and policies regarding the retention and erasure of such personal data.
This document explains our processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018.
Special category data
Special category data is defined at Article 9 of the UK GDPR as personal data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health; or
- data concerning a natural person’s sex life or sexual orientation.
Criminal offence data
Criminal conviction data is described at Article 10(1) of the UK GDPR as any personal data relating to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.
Procedures for securing compliance
Article 5 of the UK General Data Protection Regulation sets out the data protection principles. These are the council’s procedures for ensuring that we comply with them.
Our compliance with data protection principles
Lawfulness, fairness and transparency
We will process personal data lawfully, fairly and in a transparent manner in relation to the data subject. We will also:
- ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful
- only process personal data fairly, and ensure that data subjects are not misled about the purposes of any processing
- ensure that data subjects receive full privacy information so that any processing of personal data is transparent.
Purpose limitation
We will collect personal data for specified, explicit and legitimate purposes and will not further process it in a manner that is incompatible with those purposes. We will inform data subjects what those purposes are in a privacy notice. If we do use personal data for a new purpose that is compatible, we will inform the data subject first.
Data minimisation
Personal data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
We will only collect the minimum personal data that we need for the purpose for which it is collected and ensure that the data we collect is adequate and relevant.
Accuracy
Personal data will be accurate and, where necessary, kept up to date. We will take particular care to do this where our use of the personal data has a significant impact on individuals.
Storage limitation
Personal data will be kept in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data it will be deleted or rendered permanently anonymous.
Integrity and confidentiality
Personal data processed by us will be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability
Our Data Protection Officer is responsible for monitoring our compliance with these principles and will:
- ensure that records are kept of personal data processing activities, and that these are provided to the Information Commissioner on request
- carry out a Data Protection Impact Assessment for any high-risk personal data processing, and consult the Information Commissioner if appropriate
- ensure that a Data Protection Officer is appointed to provide independent advice and monitoring of the departments’ personal data handling, and that this person has access to report to the highest management level of the department and has the resources necessary to carry out the requirements of the role
- have in place internal policies, procedures and processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law.
Data controller’s policies with regard to retention and erasure of personal data
Where special category or criminal convictions personal data is processed, we will ensure that:
- there is a record of that processing, and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data
- where we no longer require special category or criminal convictions personal data for the purpose for which it was collected or where we have a legal obligation to do so, we will delete it or render it permanently anonymous
- data subjects receive full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
Further information
For further information about our compliance with data protection law, please contact us at DPO@nottscc.gov.uk.
Last updated February 2025