Appropriate Policy for the Processing of Special Category and Criminal Offence Data

1. Introduction
1. 1.1. This document covers all processing carried out by the Council which is subject to GDPR Article 9 - processing of special categories of personal data and Article 10 - processing of personal data relating to criminal convictions and offences.
2. 1.2.Schedule 1 of the Data Protection Act 2018 requires that organisations have an Appropriate Policy Document in place for when processing special category or criminal data for specific purposes.
3. 1.3. This document is Great Yarmouth Borough Council's Appropriate Policy Document and satisfies the requirements of Schedule 1, Part 4 of the Data Protection Act 2018.
2. Processing Activities
1. 2.1. The processing of special category data is undertaken in line with the following articles of the GDPR:
  - Article 9(2)(a) explicit consent
  - Article 9(2)(b) employment, social security, and social protection
  - Article 9(2)(c) vital interests of a data subject
  - Article 9(2)(f) the establishment, exercise of defence of legal claims
  - Article 9(2)(g) substantial public interest
  - Article 9(2)(h) the assessment of the working capacity of an employee
  - Article 9(2)(j) archiving in the public interest
2. 2.2. The council processes special category data to fulfil both our obligations as an employer and as part of our statutory duties.
3. 2.3.The council processes special category data about our employees that is necessary to fulfil our obligations as an employer. This includes information about their health and wellbeing, ethnicity, photographs, and their membership of any trade union.
4. 2.4. Our processing for reasons of substantial public interest relates to the data we receive or obtain in order to fulfil our statutory function as a Local Authority. This includes information about our tenants, service users and residents of the Borough.
5. 2.5. We process criminal offence data under Article 10 of the GDPR. The council's processing of information concerning criminal convictions and offences includes pre-employment checks and declarations by an employee in line with contractual obligations.
3. Schedule 1 - Conditions for Processing
1. 3.1. The council processes special category data for the following purposes as listed in Schedule 1:
  - Paragraph 1(1) employment, social security, and social protection
  - Paragraph 2(2)(b) the assessment of the working capacity of an employee
  - Paragraph 6(1) and 6(2)(a) statutory, etc. purposes
  - Paragraph 10(1) preventing or detecting unlawful acts.
  - Paragraph 11(1) and 11(2) protecting the public against dishonesty.
  - Paragraph 12(1) and 12(2) regulatory requirements relating to unlawful acts and dishonesty.
  - Paragraph 24(1) and 24(2) disclosure to elected representatives.
2. 3.2.The council processes criminal offence data for the following purposes as listed in Schedule 1:
  - Paragraph 1 - employment, social security, and social protection
  - Paragraph 6(2)- statutory, etc. purposes
4. Procedures for ensuring compliance with the principles
1. 4.1.Article 5 of the UK General Data Protection Regulation sets out the key data protection principles. These are the council's procedures for ensuring that we comply with them and are detailed in or appended to the Council's Data Protection Policies.
2. 4.2. Accountability principle
3. 4.3.The council has in place appropriate technical and organisational measures to meet the requirements of accountability. These include the following:
  - the appointment of a Data Protection Officer
  - all employees receive regular data protection training
  - the adoption of a 'data protection by design and default' approach
  - documenting and maintaining records of our processing activities
  - the implementation and review of data protection policies
  - ensuring the council has written contracts in place with our data processors
  - implementing appropriate security measures in our processing activities
  - undertaking data protection impact assessments for high-risk processing
4. 4.4. The council reviews our accountability measures and updates them as required.
5. 4.5. Principle (a): lawfulness, fairness, and transparency
6. 4.6.Processing personal data must be lawful, fair, and transparent. It is only lawful if and to the extent it is based on law and meets at least one of the conditions in Schedule 1 of the Data Protection Act 2018 or with the data subject's consent.
7. 4.7.The council provides clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notices and this Appropriate Policy Document.
8. 4.8. Principle (b): purpose limitation
9. 4.9.The council processes personal data for specific purposes and does not process such data for any purpose incompatible with or not permitted with regard to the original purpose for which it was collected.
10. 4.10. Principle (c): data minimisation
11. 4.11.The council processes personal data necessary for the relevant purposes and strives to ensure it is not excessive. The information we process is necessary for and proportionate to our purposes. Where personal data is provided to, or obtained by, the council but is not relevant to our stated purposes, we will erase it.
12. 4.12. Principle (d): accuracy
13. 4.13.Where the council becomes aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take reasonable steps to ensure that it is erased or rectified without delay. If the council decides not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights do not apply, we will document our decision.
14. 4.14. Principle (e): storage limitation
15. 4.15. Personal data processed by the council is retained for such periods based on our legal obligations and business needs. The council has adopted a Records Management Policy which is complement by individual Services retention schedules, these contain information of the data processed and the retention periods for each category of data processed and are maintained by the respective Services.
16. 4.16. Principle (f): integrity and confidentiality (security)
17. 4.17. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
18. 4.18. The council will ensure that there are appropriate organisational and technical measures in place to protect personal data.
5. Review Date
1. 5.1. This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.
2. 5.2. This policy will be reviewed biennially with the next review date being June 2026.

Details about the status of this document
Author	James Wedon
Date	July 2024
Last review date	N/A
Review changes	Policy written to comply with Schedule 1, Part 4 of the Data Protection Act 2024
Version	1.0
Document status	Approved

Last modified on 29 October 2025

Cookie preferences

Appropriate Policy for the Processing of Special Category and Criminal Offence Data

On this page

1. Introduction

2. Processing Activities

3. Schedule 1 - Conditions for Processing

4. Procedures for ensuring compliance with the principles

4.2. Accountability principle

4.5. Principle (a): lawfulness, fairness, and transparency

4.8. Principle (b): purpose limitation

4.10. Principle (c): data minimisation

4.12. Principle (d): accuracy

4.14. Principle (e): storage limitation

4.16. Principle (f): integrity and confidentiality (security)

5. Review Date