Directors UK Appropriate Policy Document
The appropriate policy document provides information about the legal basis and safeguards that Directors UK has put in place for the processing of special categories of personal data.
The Data Protection Act 2018 requires organisations who process personal data to meet certain legal obligations.
This document outlines where the processing of special categories of personal data and sensitive personal data is required for:
- performing or exercising obligations or rights, which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection
- reasons of substantial public interest
- archiving, research and statistical purposes
Additionally, it provides information about the safeguards that Directors UK has put in place in accordance with the Data Protection principles, including our policy for the retention and erasure of personal data.
Special Categories of Personal Data Processing Policy for Directors UK
By Charlotte Brotherton, Senior Legal Advisor
Published: 30 May 2018
Review date: 28 January 2021
The aim of this policy document is to set out how, within the provisions of applicable data protection law (specifically the Data Protection Act 2018 (“DPA”) and the General Data Protection Regulation)( “GDPR”), Directors UK will seek to protect special category personal data.
Directors UK meets the requirement at paragraph 1 of Schedule 1 of the DPA, that an appropriate policy document be in place where the processing of special category personal data is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.
It also meets the requirement at paragraph 5 of Schedule 1 of the DPA that an appropriate policy document be in place where the processing of special category personal data is necessary for reasons of substantial public interest. The specific conditions under which data may be processed for reasons of substantial public interest are set out at paragraphs 6 to 28 of Schedule 1 of the DPA.
Special Categories of Personal Data Processing Policy
The purpose of this policy is to explain:
- Directors UK’s procedures which are in place to secure compliance with the GDPR, the DPA and data protection principles when relying on employment, social security and social protection conditions in Part 1 of Schedule 1, DPA.
- Directors UK’s procedures which are in place to secure compliance with the DPA, the GDPR and data protection principles when relying on substantial public interest conditions in Part 2 of Schedule 1, DPA; and
- Retention and erasure policies concerning the processing of special categories of data on the grounds of employment and substantial public interest.
3. Procedures for securing compliance
Article 5 of the GDPR sets out the data protection principles. These are our procedures for ensuring that we comply with them:
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
DIRECTORS UK will:
- ensure that personal data are only processed where a lawful basis applies and where processing is otherwise lawful
- only process personal data fairly and will ensure that data subjects are not misled about the purposes of any processing
- ensure that data subjects receive full privacy information upon request so that any processing of personal data is transparent
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
DIRECTORS UK will:
- not use personal data for purposes that are incompatible with the purposes for which it was collected. If we do use personal data for a new purpose that is compatible, we will inform the data subject first
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Personal data shall be accurate and, where necessary, kept up to date.
DIRECTORS UK will ensure that personal data we receive is accurate and kept up to date where necessary. We will take particular care to do this where our use of the personal data has a significant impact on individuals.
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
DIRECTORS UK has strict security standards, and all our staff and other people who process personal data on our behalf get regular training about how to keep information safe. We shall limit access to any special categories of data only to those employees, or third parties who have a business or legal need to access it.
4. Accountability principle
Each department within DIRECTORS UK who is the controller of particular personal data shall be responsible for and be able to demonstrate compliance with these principles. The CEO is responsible for ensuring that each department is compliant with these principles.
- ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request
- carry out a Data Protection Impact Assessment for any personal data processing that is likely to result in a high risk to data subjects, and consult the Information Commissioner if appropriate
- ensure that the relevant Head of Department monitors the departments’ personal data handling
- have in place internal processes to ensure that personal data are only collected, used or handled in a way that is compliant with data protection law
5. Special categories of personal data overview
These are personal data deemed to be more sensitive by law, and so need additional protection. In addition to establishing an appropriate legal basis for the processing of personal data, special category data may only be processed where at least one further condition for processing is fulfilled. These conditions are:
- The data subject has given explicit consent;
- The processing is necessary in the context of employment law, or laws relating to social security and social protection;
- The processing is necessary to protect vital interests of the data subject or of another natural person;
- The processing is carried out in the course of the legitimate activities of a charity or not-for-profit body, with respect to its own members, former members, or persons with whom it has regular contact in connection with its purposes;
- The processing relates to personal data which have been manifestly made public by the data subject;
- The processing is necessary for the establishment, exercise or defence of legal claims, or for courts acting in their judicial capacity;
- The processing is necessary for reasons of substantial public interest, and occurs on the basis of a law that is, inter alia, proportionate to the aim pursued and protects the rights of data subjects;
- The processing is required for the purpose of medical treatment undertaken by health professionals, including assessing the working capacity of employees and the management of health or social care systems and services;
- The processing is necessary for reasons of public interest in the area of public health (e.g. ensuring the safety of medicinal products);
- The processing is necessary for archiving purposes in the public interest, for historical, scientific, research or statistical purposes, subject to appropriate safeguards.
Special categories of data consist of information which relates to:
- the racial or ethnic origin of the data subject;
- their political opinions;
- their religious beliefs or other beliefs of a similar or philosophical nature;
- whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);
- their physical or mental health;
- their sexual life or orientation;
- genetic/biometric data (where processed to uniquely identify an individual).
6. Conditions relating to the processing of special categories of personal data
Schedule 1 of the Data Protection Act 2018 establishes conditions that permit the processing of the special categories of personal data. The Schedule is split into four parts. The three parts that are relevant to Directors UK are:
- Part 1 – Conditions relating to employment, health and research
- Part 2 – Substantial public interest conditions
- Part 4 – Appropriate policy document and additional safeguards
Schedule 1 of the Data Protection Act 2018 establishes conditions that permit the processing of the special categories of personal data as follows:
- The processing of the special categories of personal data meets the requirements of Article 9(2) of the GDPR if it meets one of the conditions listed in Part 1 of Schedule 1;
- The processing of the special categories of personal data meets the requirement of Article 9(2) of the GDPR if it meets one of the conditions listed in Part 2 of Schedule 1;
- Processing meets the requirement in Article 10 of the GDPR if it meets one of the conditions listed in Part 1, 2 or 3 of Schedule 1.
7. Schedule 1 conditions that are relevant to DIRECTORS UK
Schedule 1, Part 1 conditions for processing in connection with employment, health and research that are relevant to DIRECTORS UK activity are:
- Employment, social security and social protection: Processing necessary for the purposes of performing or exercising obligations or rights of the controller or the data subject under employment law, social security law or the law relating to social protection.
Schedule 1, Part 2 conditions for processing in the substantial public interest that are relevant to DIRECTORS UK activity are:
- Equality of opportunity or treatment: Processing necessary for identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people with the view to enabling such equality to be promoted or maintained.
8. The processing of special category personal data by DIRECTORS UK
Race or ethnic origin, health, sexual orientation:
- Purpose: Employment.
- Law: Employment Law.
- GDPR Article 6 (1) (b) contract, Article 9 (2) (b) for the purpose of employment, social security and social protection.
- DPA Schedule 1 part 1, 1 condition: employment, social security and social protection.
- Retention period: current record retained as long as is necessary to comply with employment law.
Race or ethnic origin:
- Purpose: Equality and diversity.
- Law: Equality Act 2010 and associated regulations.
- GDPR Article 6 (1) (f) legitimate interests, Article 9 (2) (d) legitimate activities by not-for-profit body, Article 9 (2) (g) substantial public interest.
- DPA Schedule 1 part 2, 3 conditions: equality of opportunity or treatment.
- Retention period: current record retained as long as is necessary to comply with equality law.
The purposes of the processing, where relevant, are:
- Employment for managing absence, reporting on health and safety, and recruitment monitoring;
- Equality and diversity monitoring of TV and film directors within the media industry.
9. Directors UK policies regarding retention and erasure of personal data
We will ensure, where special category personal data is processed, that:
- there is a record of that processing, and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data;
- where we no longer require special category personal data for the purpose for which it was collected, we will delete it or render it permanently anonymous;
- data subjects can review Directors UK’s full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
10. Address and contact details of our Data Protection Officer
Directors UK is the data controller and The Data Protection Officer is the CEO who can be contacted in writing at: Directors UK, 3rd and 4th Floor, 22 Stukeley Street, London, WC2B 5LR.