SOAS University of London

Appropriate Policy Document

1. Introduction

2. Description of the data processed

3. Schedule 1 condition for processing

4. How we comply with the data protection principles

4.1 Accountability

4.2 Lawful, fair and transparent processing

4.3 Purpose limitation

4.4 Data minimisation

4.5 Accuracy

4.6 Storage limitation

4.7 Security

5. Retention and erasure policies

6. Appropriate Policy review date

7. Additional Special Category and Criminal Offence data processing

1. Introduction

As part of SOAS’s public function as a higher education provider, we process Special Category and Criminal Offence data in accordance with Article 9 of the General Data Protection Regulation (GDPR) and Schedule 1 of the Data Protection Act (2018) (DPA).

Schedule 1 Part 4 of the DPA requires us to have in place this document, called an ‘Appropriate Policy’, when we rely on certain conditions for processing Special Category and Criminal Offence data. This policy will tell you what Special Category and Criminal Offence data we process, our lawful basis (schedule 1 condition in the DPA) for processing it, the purposes for which we process it, and how we ensure compliance with the principles of data protection law provided in Article 5 of the GDPR.

We will also tell you how long we will hold the Special Category and Criminal Offence data. Some of the information is already held in other documents on the SOAS website, and we have linked to the relevant documents when it is necessary to do so.

2. Description of the data processed

We process the following types of Special Category and Criminal Offence data:

  • Health and disability
  • Religious/philosophical belief
  • Ethnic/racial background
  • Sexual life/sexual orientation
  • Political views
  • Trade Union membership
  • Criminal Offence data

We do not process biometric or genetic data.

3. Schedule 1 condition for processing

Below we have listed the Schedule 1 conditions on which we are relying, and which need to be covered by this document. In this list, Special Category Data is abbreviated as SC; Criminal Offence Data is abbreviated as CO.

Schedule 1 Part 1 para 1 (employment and social protection), where SOAS needs to process SC/CO data for the purposes of performing its obligations or rights as an employer, or for guaranteeing the social protection of individuals

Schedule 1 Part 2 para 8 (equality of opportunity), where SOAS needs to process SC/CO data for the purposes of monitoring equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained

Schedule 1 Part 2 para 10 (prevention of crime), where SOAS needs to process CO data for the purpose of preventing or detecting unlawful acts

Schedule 1 Part 2 para 11 (protecting the public from dishonesty) where SOAS needs to process CO data to protect members of the public from malpractice, unfitness, incompetence or mismanagement in the administration of a body or organisation, and obtaining consent would prejudice the exercise of the protective function

Schedule 1 Part 2 para 12 (Regulatory requirements relating to unlawful acts and dishonesty) where SOAS needs to process CO data to comply with a requirement which involves taking steps to establish whether an individual has committed an unlawful act, or been involved in dishonesty, malpractice or other seriously improper conduct.

Schedule 1 Part 2 para 17 (counselling), where SOAS needs to process SC/CO data in order to provide confidential counselling, advice or support or of another similar service provided confidentially, only where, in the circumstances, consent cannot be given by the data subject, cannot be reasonably obtained from the data subject, or where the processing must be carried out without the consent of the data subject because obtaining consent would prejudice the provision of the service, and is necessary for reasons of substantial public interest

Schedule 1 Part 2 para 18 (safeguarding), where SOAS needs to process SC/CO data in order to protect the physical, mental or emotional well-being of an individual under the age of 18, or over the age of 18 and at risk, only where, in the circumstances, consent cannot be given by the data subject, cannot be reasonably obtained from the data subject, or where the processing must be carried out without the consent of the data subject because obtaining the data subject’s consent would prejudice the provision of the protection, and is necessary for reasons of substantial public interest

4. How we comply with the data protection principles in Article 5 of the GDPR

Article 5(2) of the GDPR requires Data Controllers to demonstrate how they comply with the data protection principles provided in Article 5(1). This section illustrates the measures we have taken to demonstrate accountability for the personal data we process, and contains details about how we ensure compliance with the principles of the GDPR.

4.1 Accountability

We demonstrate our compliance with the data protection principles provided in Article 5 of the GDPR through the following measures and documents:

We have appointed a Data Protection Officer whose role and responsibilities align with the provisions of Articles 37-39 of the GDPR.

Our Record of Processing Activities sets out the personal data categories we process, the purposes, the lawful basis, our retention periods for the data, our legitimate interests, Schedule 1 conditions for processing, recipients of personal data, any international transfers of data and our means of keeping data secure.

Our Privacy Notices explain to individuals how and why their data is processed by SOAS, what their rights are, and how they can get in touch with our DPO and the regulatory authority.

When we routinely and/or regularly share data with third parties, we enter into written agreements with Data Controllers and Data Processors which meet the provisions of Articles 26 and 28 of the General Data Protection Regulation respectively.

When we make decisions on whether to share data with third parties on an occasional or one-off basis, we do so in accordance with our Information Sharing Protocol.

We carry out data protection impact assessments (DPIA) for uses of personal data that are likely to result in a risk to individuals’ data protection rights and freedoms.

We implement appropriate security measures which are proportionate to the risk associated with the processing.

4.2 Lawful, fair and transparent processing

We provide clear and transparent information to individuals about why we process their personal data, including our lawful basis in our Privacy Notices. This includes information about why we process Special Category and Criminal Offence data.

As a public authority we need to process Special Category Data for the substantial public interest conditions outlined in section 3 of this policy to meet the requirements of legislation such as the Higher Education and Research Act (2017), the Equality Act (2010), the Health and Safety Act (1974), the CTSA (2015), and legislation relating to safeguarding.

We process employment data to meet our legal obligations as an employer.

4.3 Purpose limitation

We process Special Category and Criminal Offence data where it is necessary to meet the following purposes.

  • Equal opportunities monitoring, including statutory returns to the Higher Education Statistics Agency
  • Certain work placements or casual work opportunities where a DBS check is required
  • Supporting special arrangements, such as building access plans, study inclusion plans, and mitigating circumstances applications
  • Providing individuals with appropriate support in a counselling session
  • To allow us to fully investigate a complaint or grievance
  • To understand dietary requirements based on health or belief
  • Recording sickness absence
  • Complying with health and safety obligations
  • Where processing is necessary to respond to an emergency situation
  • Responding to binding requests or search warrants from courts, the government, regulatory or enforcement bodies
  • To fully process job applications
  • For the prevention and detection of unlawful acts (e.g. incidents captured on CCTV)
  • To verify the good character, competence and integrity of senior managers and trustees
  • To take necessary steps to ensure that a natural or legal person offering philanthropic support or other support to SOAS has not committed an unlawful act, or been involved in dishonesty, malpractice or other seriously improper conduct.
     

We will only process Special Category and Criminal Offence data for the listed purposes, and in accordance with a condition in Articles 9-10 of the GDPR and Schedule 1 Parts 1-3 of the DPA. We process some Special Category and Criminal Convictions data for purposes not covered in this policy document. These conditions are:

  • where we ask for your explicit consent to process Special Category and Criminal Offence data
  • for the purposes of preventative or occupational medicine,
  • where processing is necessary to protect your vital interests, and
  • for research, statistics and archival purposes.

We may process data collected for any one of these purposes (whether by us or another Data Controller), for any of the other listed purposes, so long as the processing is necessary and proportionate to that purpose.

We will not process any personal data for purposes which would be incompatible with the purpose for which the data was originally collected.

4.4 Data minimisation

We design our data collection forms and other data collection tools to ensure that we only collect the Special Category or Criminal Offence data necessary to achieve the purpose. Our purposes are set out in our Privacy Notices. Layered privacy statements are also included in data collection tools.

Where we operate systems which cannot control the volume of special category data collected (i.e. CCTV) we take measures to minimise the volume of data processed. We only monitor public spaces with the minimum number of cameras needed to cover the area, and we operate a short retention period of 15 days from the date the footage is recorded.

We are satisfied that we collect and retain Special Category and Criminal Offence data for long enough to fulfil our purposes. We collect enough but no more than we need in accordance with the data minimisation principle, and we only hold Special Category and Criminal Offence data for the period set out in our retention policies.

Our retention schedule sets out the correct disposal action once records containing special category data are no longer required.

4.5 Accuracy

When we identify data which is inaccurate or out of date, having due regard for the purpose for which the data was processed, we will take necessary steps to rectify, replace or erase it as soon as possible and within one month. If there is a specific reason we cannot rectify or erase the data, for instance because the lawful basis does not permit it, we will record the decision.

We provide interfaces for staff and students to keep their personal data up to date, as well as issuing regular reminders to update or provide equalities monitoring data.

4.6 Storage limitation

Special Category and Criminal Offence data processed by us for the purpose of employment or substantial public interest, will be retained for the periods set out in our retention schedule. The retention policy for record categories is determined by our legal and regulatory obligations, and our business requirements. The retention schedule is available to view here: https://www.soas.ac.uk/infocomp/recordsmanagement/retention/file74425.pdf

4.7 Security

Electronic data is hosted on a secure network, and on the secure servers of third party cloud storage providers with whom we have contractual agreements. Electronic and hard copy data is managed according to our internal records management policies and procedures.

5. Retention and erasure policies

Our retention period and disposal actions for records containing Special Category Data can be found on our corporate retention schedule here: https://www.soas.ac.uk/infocomp/recordsmanagement/retention/file74425.pdf

6. Appropriate Policy review date

This policy will be retained for the duration of the processing, and for a minimum of 6 months thereafter.

The policy will be reviewed annually, or revised more frequently if necessary.

7. Additional Special Category and Criminal Offence data

We also process special category data and criminal offence data where an Appropriate Policy Document is not required e.g. for archival, research and statistical purposes. In these circumstances we will respect the rights and interest of our data subjects by informing them about the processing in our Privacy Notices

Page created on 24 April 2020