Processing Special Category data
The organisation’s conditions for processing special category data under the provisions of the GDPR & Data Protection Act 2018.
This policy is produced in accordance with the NHS Counter Fraud Authority’s (NHSCFA) obligations under the General Data Protection Regulation (GDPR) 2016 and the Data Protection Act (DPA) 2018. It should be read alongside the NHSCFA’s GDPR - Data Protection and its website’s Privacy policies.
This is the ‘appropriate policy document’ for NHSCFA that sets out how we will protect special category and criminal convictions data.
Article 9(1) of the GDPR prohibits the processing of special categories of personal information unless a condition in Article 9(2) is met, such as for a reason of substantial public interest (see Part 2, Schedule 1 of the DPA 2018). For the NHSCFA, the processing of special categories of personal data (“sensitive processing”) is permitted where it is necessary for a function conferred by an enactment or a government department, preventing and detecting unlawful acts, protecting the public from dishonesty etc., and it is necessary for reasons of substantial public interest.
It is important to note that NHSCFA is not a ‘specified anti-fraud organisation’ within the meaning of s.68 of the Serious Crime Act 2007 and therefore we cannot rely on the specific function of ‘preventing fraud’ in Part 2, Schedule 1 of the DPA 2018.
There is a further requirement that this condition will only be met if the sensitive processing is carried out in accordance with this policy. All staff must therefore have regard to this policy when carrying out sensitive processing on behalf of the NHSCFA, when acting in its capacity as ‘controller’ of the personal data.
Personal data about criminal offences and convictions are dealt with separately in Article 10 of GDPR. The DPA provides that the processing of such data only meets the requirements of Article 10 if it conforms to a condition set out in Part 1, 2 or 3 of Schedule 1. This requires that the controller must have an appropriate policy in place when the processing is carried out. The NHSCFA must have regard to this policy.
The purpose of this policy is to explain:
This policy applies to the Board and all NHSCFA staff who process, access, use or manage sensitive personal data during their course of employment.
Special category data as defined in Article 9 of GDPR, is personal data revealing any of the following:
The term ‘substantial public interest’ is not defined in the DPA or the GDPR. Some of the conditions assume that processing under that condition is always in the substantial public interest, such as the ‘prevention, detection and investigation of fraud’.
Substantial public interest means the public interest needs to be real and of substance. Given the inherent risks of special category data it is not enough for an organisation to make a vague or generic public interest argument. It should be able to make specific arguments about the concrete wider benefits of the organisation’s processing.
Commercial or private interests are not the same as a public interest and where the organisation needs to point to reasons of substantial public interest, it is not enough for it to point to its own interests. It is still possible for an organisation to have a private interest, it just needs to make sure that it can also point to a wider public interest.
The organisation should focus on showing that its overall purpose for processing has substantial public interest benefits. It is not necessary for it to make separate public interest arguments or show benefits each time it undertakes that processing, or for each special category data, if the overall purpose for processing special category data is for a substantial public interest.
The organisation must always be able to demonstrate that all of its processing under the relevant condition is actually necessary for that purpose and complies with the data minimisation principle.
NHSCFA also processes criminal convictions data, which also includes processing in relation to offences or related security measures. NHSCFA must identify both a general lawful basis for processing and an additional condition for processing this type of data.
The general lawful basis under Article 6(1) is:
The additional conditions under Article 9 (2) are:
The NHSCFA only processes personal data when permitted to do so by law. Personal data is collected for specific and legitimate purposes such as the prevention and detection of economic crime and other related unlawful acts against the NHS in England. Any use of NHSCFA data for a non-related NHSCFA function must have a specific lawful basis and it must be compatible with data protection obligations - the processing must therefore be proportionate and necessary.
Each NHSCFA business function has a process in place to ensure that it only collects the information necessary to deliver that function. NHSCFA will not seek, and where applicable data subjects will not be asked to provide, more information than is required. Additionally, NHSCFA internal guidance, training and policies require staff to use only the minimum amount of personal data required to enable specific tasks to be completed.
Where processing is for research and analysis purposes, wherever possible this is done using anonymised or pseudonymised data sets.
It is important when NHSCFA receives or provides information that it is complete, accurate and up to date. When permitted by law, or when it is reasonable and proportionate to do so, NHSCFA may check this information with other organisations such as the Police, HMRC or the Home Office.
If a change is reported by a data subject to one of NHSCFA’s business areas, wherever possible and appropriate this should also be used to update other functions, both to improve accuracy and avoid the data subject having to report the same information to the one Controller multiple times.
NHSCFA has a comprehensive data handling and retention policy in place which is available on Go2 and externally on the organisation’s website.
The NHSCFA has a range of security standards and policies based on best practice, current legal and government requirements to protect information from relevant threats. These standards are applied whether data is being processed by NHSCFA staff or a processor on its behalf.
All staff handling NHSCFA information are vetted and where required security cleared; they are also required to complete annual training on the importance of security and how to handle information appropriately.
In addition to having information governance and security policies and guidance embedded throughout NHSCFA, the organisation also has IT security specialists and cyber resilience staff to help ensure that information is protected from risks of accidental or unlawful destruction, loss, alteration, unauthorised access or disclosure.
NHSCFA as ‘controller’ shall be responsible for and be able to demonstrate compliance with the data protection principles. Our Accountable Officer is responsible for ensuring that the organisation is compliant with these principles.
NHSCFA will ensure, where special category or criminal convictions data is processed, that:
NHSCFA will formally review this document on a biennial basis.