Division of General Counsel, Governance and Compliance

Appropriate Policy Document

Special categories of personal data and criminal convictions data

How we protect special category and criminal convictions data

This ‘appropriate policy document’ sets out how we protect special categories of personal data and criminal convictions data. 

We have this document in place to explain the basis on which we process special category and criminal convictions data and to demonstrate that our processing is compliant with principles set out in data protection legislation.

Please see our Glossary of data protection terms and our dedicated page on special categories of personal data and criminal convictions data.

1. The special category and criminal convictions data that we process

A list of the categories of special category data that we process can be found in our Record of Processing Activity.

Generally, when we are processing special category or criminal convictions data, it is on the basis that the individual has given explicit consent to the processing. This document sets out the other circumstances where we process such data and the conditions that we rely on under Schedule 1 of the Data Protection Act 2018. 

Reference to ‘data’ in the remainder of this document means special category data and / or criminal convictions data.

Processing is on the basis of employment, social security and social protection
We process the data for the purposes of performing or exercising our obligations or rights under employment law, social security law or the law relating to social protection. This includes our health and safety responsibilities as well as other employment rights and obligations. (Schedule 1, Part 1)

Processing is on the basis of health or social care purposes
We process the data for the purpose of assessing the working capacity of our employees so that we can safeguard their welfare. This means that we can provide any adjustments necessary for our staff and implement any changes advised by our occupational health provider. (Schedule 1, Part 1)

Processing is on the basis of research
We process the data for the purpose of our research, where such research is in the public interest. (Schedule 1, Part 1)

Processing is on the basis of equality of opportunity or treatment
We process certain categories of data for the purposes of monitoring, promoting and maintaining equality of opportunity and treatment of our staff and students, for example, in relation to our Equality Act duties and our work to widen participation in Higher Education. This data is limited to racial or ethnic origin, religious or philosophical beliefs, health and sexual orientation. Most of this data will be collected with the explicit consent of the individual. (Schedule 1, Part 2)

Processing is on the basis of preventing or detecting unlawful acts
This condition applies when we process data about criminal convictions and offences, for example, as part of the recruitment of staff or the admissions process for applicants to certain courses, such as social work or education. We have a duty to do so to safeguard our students, staff and others. (Schedule 1, Part 2)

Processing is on the basis of counselling
If we provide confidential counselling, advice or support to our staff and students, we need to process data. Usually, we will have consent for this purpose but that may not be possible in some instances, for example where the individual cannot give consent. (Schedule 1, Part 2)

Processing is on the basis of safeguarding of children and of individuals at risk
We may need to process data in order to meet our safeguarding responsibilities, for example, to protect an individual at risk from physical, mental or emotional harm. (Schedule 1, Part 2)

Processing is on the basis of criminal convictions and offences data
We process such data with the consent of the individual or, for example, where it is necessary to protect the vital interests of a person, it is necessary for legal proceedings or advice, or it is necessary for reasons of substantial public interest (such as preventing or detecting unlawful acts or safeguarding individuals in relation to discipline proceedings). (Schedule 1, Part 3)

Processing is on the basis of legal proceedings
We process such data where it is necessary for obtaining legal advice, or in connection with legal proceedings (including prospective proceedings) or for the purpose of establishing, exercising or defending legal rights. (Schedule 1, Part 3)

2. Accountability  

The University must be accountable for the personal data we process. This means that we are responsible for complying with our obligations under data protection legislation and that we must be able to demonstrate that compliance.

To demonstrate our compliance and accountability we will:

  • Document our processing activities and keep these records up to date;
  • Keep a record of personal data breaches;
  • Have appropriate contractual arrangements in place with organisations that process personal data on our behalf;
  • Complete a Data Protection Impact Assessment for any high risk personal data processing; and
  • Implement processes to make sure that personal data is only collected, used or handled in a way that is compliant with data protection legislation.

More detailed information about our processing activities can be found in our Privacy notice and our Record of Processing Activity.

3. Procedures for ensuring compliance with the principles

When processing data, we meet the requirements of the data protection principles, as set out in data protection legislation:

Principle 1 - Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

To stay compliant with this principle we will:

  • Make sure that we only process personal data lawfully and where we have identified a clear lawful basis to do so.
  • Process personal data fairly and make sure that data subjects are not misled about the purposes of any of our processing.
  • Provide data subjects with full privacy information so that we are transparent in how and why we process personal data.

Principle 2 - Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.  

To stay compliant with this principle we will:

  • Only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in a privacy notice.
  • Not use personal data for purposes that are incompatible with the original purpose.

Principle 3 - Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.  

To stay compliant with this principle we will:

  • Ensure that we do not collect data that we do not need and will only collect the minimum personal data that is necessary for the purpose for which it is collected.
  • Ensure that the data we do collect is adequate for our purpose and relevant.

Principle 4 - Personal data shall be accurate and, where necessary, kept up to date.

To stay compliant with this principle we will:

  • Make sure that the personal data we hold is accurate.
  • Ensure there are processes for us or individuals to correct and keep data up to date where necessary.

Principle 5 - Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.  

To stay compliant with this principle we will:

  • Only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so.

Principle 6 - Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against personal data breaches.

To stay compliant with this principle we will:

  • Make sure that there are appropriate organisational and technical measures in place to protect personal data.

4. Retention and erasure of personal data  

As part of our ongoing compliance obligations we make sure that data is only retained for as long as is necessary and we publish information about the retention periods for different categories of data. Data subjects have access to information about how their data is handled and how long it is retained. Where we no longer require data for the purpose for which it was collected, we will delete it, put it beyond use or make it permanently anonymous.

5. Further information  

If you require further information or have a question about our handling of special category or criminal convictions data, you can contact the University’s Data Protection Officer.

We keep our Appropriate Policy Document under regular review. This document was last updated on 28 February 2024.