- What is special category data?
- What are reasons of substantial public interest?
- Personal data relating to criminal convictions
- Compliance with data protection principles
- Accountability principle
- Retention and erasure of personal data
This is the ‘appropriate policy document’ for NHSCFA that sets out how we will protect special category and criminal convictions data.
Article 9(1) of the GDPR prohibits the processing of special categories of personal information unless a condition in Article 9(2) is met, such as for a reason of substantial public interest (see Part 2, Schedule 1 of the DPA 2018). For the NHSCFA, the processing of special categories of personal data (“sensitive processing”) is permitted where it is necessary for a function conferred by an enactment or a government department, preventing and detecting unlawful acts, protecting the public from dishonesty etc and it is necessary for reasons of substantial public interest.
It is important to note that NHSCFA is not an ‘anti-fraud organisation’ within the meaning of s.68 of the Serious Crime Act 2007 and therefore we cannot rely on the specific function of ‘preventing fraud’ in Part 2, Schedule 1 of the DPA 2018
There is a further requirement that this condition will only be met if the sensitive processing is carried out in accordance with this policy. NHSCFA staff must therefore have regard to this policy when carrying out sensitive processing on behalf of NHSCFA, when acting in its capacity as Controller of the personal data.
Personal data about criminal offences and convictions are dealt with separately in Article 10 of GDPR. The DPA provides that the processing of such data only meets the requirements of Article 10 if it conforms to a condition set out in Part 1, 2 or 3 of Schedule 1. This requires that the controller must have an appropriate policy in place when the processing is carried out. The NHSCFA must have regard to this policy.
The purpose of this policy is to explain:
- NHSCFA policies which are in place to secure compliance with GDPR data protection principles, when relying on substantial public interest conditions in Part 2 of Schedule 1 of the DPA; and
- The organisation’s data handling and retention policy.
This policy applies to the Board and NHS staff who process, access, use or manage personal data during their course of employment.
What is special category data?
Special category data as defined in Article 9 of GDPR, is personal data revealing any of the following:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health; or
- Data concerning a natural person’s sex life or sexual orientation.
What are reasons of substantial public interest?
The term ‘substantial public interest’ is not defined in the DPA or the GDPR. Some of the conditions assume that processing under that condition is always in the substantial public interest such as the ‘prevention, detection and investigation of fraud’.
Substantial public interest means the public interest needs to be real and of substance. Given the inherent risks of special category data it is not enough for an organisation to make a vague or generic public interest argument. It should be able to make specific arguments about the concrete wider benefits of the organisation’s processing.
Commercial or private interests are not the same as a public interest and where the organisation needs to point to reasons of substantial public interest, it is not enough for it to point to its own interests. It is still possible for an organisation to have a private interest, it just needs to make sure that it can also point to a wider public interest.
The organisation should focus on showing that its overall purpose for processing has substantial public interest benefits. It is not necessary for it to make separate public interest arguments or show benefits each time it undertakes that processing, or for each special category data, if the overall purpose for processing special category data is for a substantial public interest.
The organisation must always be able to demonstrate that all of its processing under the relevant condition is actually necessary for that purpose and complies with the data minimisation principle.
Personal data relating to criminal convictions
NHSCFA also processes criminal convictions data, which also includes processing in relation to offences or related security measures. NHSCFA must identify both a general lawful basis for processing and an additional condition for processing this type of data.
The general lawful basis under Article 6(1) is:
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The additional conditions under Article 9 (2) are:
- (f) processing is necessary for the establishment, exercise or defence of legal claims….
- (g) processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which shall be proportionate toOFFICIAL the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
Compliance with data protection principles
Lawfulness, fairness and transparency
The NHSCFA only processes personal data when permitted to do so by law. Personal data is collected for specific and legitimate purposes such as the prevention and detection of economic crime and other related unlawful acts against the NHS in England. Any use of NHSCFA data for a non-related NHSCFA function must have a specific lawful basis and it must be compatible with data protection obligations - the processing must therefore be proportionate and necessary.
Each NHSCFA business function has a process in place to ensure that it only collects the information necessary to deliver that function. NHSCFA will not seek or where applicable, data subjects will not be asked to provide more information than is required. Additionally, NHSCFA internal guidance, training and policies require staff to use only the minimum amount of data required to enable specific tasks to be completed.
Where processing is for research and analysis purposes, wherever possible this is done using anonymised or pseudonymised data sets.
It is important when NHSCFA receive or provide information that it is complete, accurate and up to date. When permitted by law or when it is reasonable and proportionate to do so, NHSCFA may check this information with other organisations such as the Police, HMRC or the Home Office.
If a change is reported by a data subject to one of NHSCFA’s business areas, wherever possible and appropriate this should also be used to update otherOFFICIAL functions, both to improve accuracy and avoid the data subject having to report the same information to the one Controller multiple times.
NHSCFA has a comprehensive data handling and retention policy in place which is available on Go2 and externally on the organisation’s website.
Integrity and confidentiality
The NHSCFA has a range of security standards and policies based on best practice, current legal and government requirements to protect information from relevant threats. These standards are applied whether data is being processed by NHSCFA staff or a processor on its behalf.
All staff handling NHSCFA information are vetted and where required security cleared; they are also required to complete annual training on the importance of security and how to handle information appropriately.
In addition to having information governance and security policies and guidance embedded throughout NHSCFA, the organisation also has IT specialist security, cyber and resilience staff to help ensure that information is protected from risks of accidental or unlawful destruction, loss, alteration, unauthorised access or disclosure.
NHSCFA as ‘Controller’ shall be responsible for and be able to demonstrate compliance with the data protection principles. Our Accounting Officer is responsible for ensuring that the organisation is compliant with these principles.
The NHSCFA will:
- Ensure that records are kept of all personal data processing activities and that these are provided to the Information Commissioner upon request.
- Carry out a Data Protection Impact Assessment for the processing of any high risk personal data and consult the Information Commissioner where the risks cannot be mitigated to an acceptable level.
- Ensure a Data Protection Officer is appointed to provide independent advice on the organisation’s personal data handling and that this person has access to the highest level of management within NHSCFA
- Have in place processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection legislation.
Retention and erasure of personal data
NHSCFA will ensure, where special category or criminal convictions data is processed, that:
NHSCFA will formally review this document on a biennial basis.