Special category and criminal conviction personal data (Appropriate Policy)
1. This document outlines how the Cranston Inquiry (“the Inquiry”) will protect special category and criminal convictions personal data.
2. It meets the requirement at paragraph 5 of Schedule 1 to the Data Protection Act 2018 that an appropriate policy document is in place where the processing of special category personal data and criminal offence personal data is necessary for reasons of substantial public interest and for the purpose of exercising a function conferred upon the Chair by a Minister of the Crown.
3. For further information about how the Inquiry will collect and use your personal data, and the purpose for which it is collected, please refer to the Inquiry’s Privacy Notice.
Procedures for securing compliance
4. The Inquiry’s procedures for ensuring that it complies with the data protection principles (set out in Article 5 of the General Data Protection Regulation) are as follows:
Principle 1
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
The Inquiry will:
- ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful;
- only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing; and
- ensure the transparency of processing, including via the information provided in the Privacy Notice published on the Inquiry website.
Principle 2
Personal data shall be collected for specified, explicit and legitimate purposes consistent with the Inquiry’s terms of reference and not further processed in a manner that is incompatible with those purposes.
The Inquiry will:
- only collect personal data for specified, explicit and legitimate purposes, and will inform data subjects what those purposes are in a published privacy notice;
- not use personal data for purposes that are incompatible with the purposes for which it was collected, and if we do use personal data for a new purpose that is compatible, we will inform the data subject first.
Principle 3
The Inquiry will ensure that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed, and we will complete a Data Protection Impact Assessment when appropriate.
The Inquiry will only collect the minimum personal data that it needs for the purpose for which it is collected. The Inquiry will ensure that the data it collects is adequate and relevant.
Principle 4
Personal data shall be accurate and, where necessary, kept up to date.
The Inquiry will ensure that personal data is accurate and kept up to date where necessary by taking particular care where its use of the personal data has a significant impact on individuals. The Inquiry will take every reasonable step to ensure that inaccurate data is erased or rectified without delay.
Principle 5
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
The Inquiry will only keep personal data in identifiable form until the conclusion of the Inquiry. At the end of the Inquiry, some of the personal data will be transferred for the purposes of retention of the Inquiry records by The National Archives in accordance with the Public Records Act 1958, where it will be available for historical research. Personal data that is not required for archiving purposes will be securely destroyed.
Principle 6
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
The Inquiry will ensure that personal data is shared only with those who are required to see it as part of the Inquiry’s work (which may include the public). The Inquiry will, at all times, consider whether the processing or disclosure of such data is necessary for its proceedings and functioning.
The Inquiry will ensure that appropriate organisational and technical measures are in place to protect personal data. These include Disclosure and Redaction Protocols that govern the protection of personal data. These processes ensure that only personal data necessary for the Inquiry’s performance of its functions will be disclosed outside the Inquiry.
Accountability principle
The Inquiry’s Chair, Sir Ross Cranston, is the Data Controller and shall be responsible for, and be able to demonstrate compliance with, the UK GDPR principles. The Secretary to the Inquiry is the Senior Information Risk Owner for the Inquiry who is responsible for ensuring that the Inquiry is compliant with these principles.
The Inquiry will:
- ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request;
- carry out a Data Protection Impact Assessment for any high-risk personal data processing, and consult the Information Commissioner if appropriate;
- appoint a Data Protection Officer to provide independent advice and monitoring of the Inquiry’s personal data handling, and ensure that this person has access to the Chair and Secretary of the Inquiry;
- have appropriate data protection policies in place;
- have internal processes in place to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law.
Data controller’s policies as regards retention and erasure of personal data
The Inquiry will ensure, where personal data, special category or criminal convictions personal data is processed, that:
- there is a record of that processing, and that that record will set out, where possible, the time limits envisaged for erasure of the different categories of personal data;
- where it no longer requires personal data, special category or criminal convictions personal data for the purpose for which it was collected, it will delete it or render it permanently anonymous;
- data subjects receive (via the privacy notice) full privacy information about how their data will be handled, the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
Further information
For further information about the Inquiry’s compliance with data protection law, please contact: info@cranston-independent-inquiry.uk.
This version of the Appropriate Policy was published on 15 February 2024.