Data Protection – Appropriate Policy Document – Safeguards for the processing of Special Category and Sensitive Personal Data Policy

This document is part of North Yorkshire Fire & Rescue Service policy to which all Chief Fire Officer personnel and the functions provided by the Police, Fire and Crime Commissioner are required to adhere.

Purpose (Policy Statement)

This policy statement is open to public viewing from the NYFRS Website.

The UK GDPR defines special category data as:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

The Data Protection Act 2018 (DPA 2018), Section 35 (8) defines ‘sensitive processing’ as:

(a) the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;

(b) the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;

(c) the processing of data concerning health;

(d) the processing of data concerning an individual’s sex life or sexual orientation.

The DPA 2018 states that data controllers should have an appropriate policy document (APD) in place that documents the safeguards in place for the sensitive processing that is used for law enforcement purposes, where the processing is reliant on consent or a condition specified in Schedule 8 of DPA 2018.

When processing special category data under the General Data Protection Regulation (GDPR), the DPA 2018 Schedule 1, part 2, para 5, states that data controllers should have an appropriate policy document in place when relying on substantial public interest conditions.

This document will demonstrate that the processing of Special Category data by the FRS, based on these specific Schedule 1 and Schedule 8 conditions, is compliant with the requirements of the Data Protection Principles.

Scope

This policy applies to everyone undertaking processing activity within the North Yorkshire Fire and Rescue Service, and specifically provides detail on the additional safeguards in place within the NYFRS when processing sensitive and special category data.

Definition of Special Terms

DPA 2018 – Data Protection Act 2018

DPIA – Data Protection Impact Assessment

DPO – Data Protection Officer

GDPR – General Data Protection Regulation 2016, as applied in the UK

IAO – Information Asset Owner, Head of function/Department lead responsible for information assets in their business areas

ICO – Information Commissioner’s Office, the UK regulator for data protection

RoPA – Record of Processing Activity created under Article 30 of the GDPR to record information assets

Special Category Data – personal data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; OR genetic data; biometric data (where used for identification purposes); OR data concerning health; a person’s sex life; and a person’s sexual orientation.

Sensitive Processing – Processing of special category data for law enforcement purposes

SIRO – Senior Information Risk Owner, the Deputy Chief Fire Officer, responsible for Information risks within the NYFRS

 

Policy

Securing Compliance with the Data Protection Principles

NYFRS ensures compliance with the data protection principles through a number of avenues.

Accountability and Governance

We have a process within the organisation whereby a Data Protection Impact Assessment (DPIA) should be completed by relevant business areas when processing meets certain criteria (these mirror the criteria documented on the Information Commissioner’s Office (ICO) website). This process is also embedded within the Procurement Process as a screening checklist, to demonstrate from the very start of a procurement exercise that a DPIA has either been considered and the procurement does not meet the DPIA criteria, or been considered and is underway in consultation with the relevant stakeholders, including the Data Protection Officer. The DPIA process and template identify any sensitive processing activities and look to put in place appropriate safeguards to protect this data. This includes implementing measures to achieve compliance with the principles and identifying the legal basis for the processing. The DPIAs are considered to be live documents and require periodic reviews.

Information Asset Owners (IAOs) have identified their information assets, and specifically those which contain sensitive processing; this is recorded on the Record of Processing Activities (RoPA). IAOs are required to complete a bi-annual Assurance Statement for the Senior Information Risk Owner (SIRO) for each of their assets. The assurance statement contains questions that refer to the data protection principles and ask the IAO to provide evidence and assurances as to how they are ensuring compliance with these statements. Any concerns raised within these assurance statements are brought to the attention of relevant stakeholders, i.e. IAO, system owners, ICT, Information Security Officer, Records Manager, Data Protection Officer and the SIRO.

Although every employee in the organisation has a responsibility to ensure compliance with the data protection principles, there are key roles which take a more active part in consultation, providing advice and input to ensure compliance: the SIRO, the Data Protection Officer, the IAOs, the Information Management Lead, the Records Compliance Manager and the Information Security Officer. NYFRS also has a Tactical Leadership Team (TLT), which is a meeting of relevant stakeholders in governing NYFRS management of information and relevant matters.

Record of Processing Activities (RoPA)

This APD complements the record of processing created under Article 30 of the GDPR and provides special category data with further protection and accountability. The RoPA is also the Information Asset Register, which is a record maintained and reviewed by IAOs annually (as part of their assurance statements). The record is maintained as and when DPIAs identify new processing or the re-use of personal data. The record documents the legal bases for processing of all personal data.

Lawfulness, Fairness and Transparency

We have identified an appropriate lawful basis for all processing undertaken and further Schedule 1 and Schedule 8 conditions for processing special category data, as required. These are documented in the RoPA. We are also open and honest when we collect such data and ensure we do not deceive or mislead people about this, by providing suitable privacy notices on our website and via printed copies, if requested.

Purpose Limitation

We have clearly identified our purpose(s) for processing the special category data and have included appropriate details of these purposes in our privacy information for individuals. If we plan to use personal data for a new purpose (other than a legal obligation or function set out in law), we check that this is compatible with our original purpose or get specific consent for the new purpose, as required by the data protection legislation.

Data Minimisation

We are satisfied that we only collect special category personal data we actually need for our specified purposes. We are satisfied that we have sufficient special category data to properly fulfil those purposes and we periodically review this particular data, and delete anything we don’t need.

Data Accuracy

We have appropriate processes in place to check the accuracy of the special category data we collect, and we record the source of that data, where appropriate. We have a process in place to identify when we need to keep the special category data updated to properly fulfil our purpose, and we rectify or erase it as necessary without undue delay. We keep records of mistakes and opinions, distinguishing sensitive data processed based on fact from that based on opinion or assessment. We also deal with challenges to the accuracy of data and ensure compliance with the individual’s right to rectification.

Storage Limitation

We carefully consider how long we keep the special category data and we can justify this amount of time. We regularly review our information and erase or anonymise this data when we no longer need it. Where a sustained need for continued retention of the information is identified, this is appropriately recorded and maintained. We have clearly identified any special category data that we need to keep for public interest archiving, scientific or historical research, or statistical purposes and the appropriate data protection requirements are met where this applies.

Integrity and Confidentiality

We have analysed the risks presented by our processing and used this to assess the appropriate level of security we need for this data. We have an information security policy in place and we take steps to make sure the policy is implemented and regularly reviewed. Where appropriate, we have also put other technical measures or controls in place because of the circumstances and the type of special category data we are processing.

Managing Consent

NYFRS manages consent in a data protection compliant way, ensuring that we seek valid and explicit consent where needed, that we manage requests to withdraw consent, and that we will conduct consent audits as and when required.

Retention and Erasure

NYFRS maintains a retention schedule which serves as a policy document stipulating how long we should retain information, or even the criteria for retention, and the citation supporting the rationale. This is published on the internal intranet and on the website alongside our privacy notices.

When it is determined that the processing of special category data is no longer appropriate, we have active processes in place. The IAOs nominate individuals within their departments to regularly manage the retention, deletion or restriction of their information across all systems within their area of responsibility.

In cases where it is not possible to delete or dispose in accordance with policies, for example because of system constraints, we identify and apply measures to limit further processing.

Other Appropriate Safeguards in Place to Secure Compliance with Data Protection Principles
  • Maintenance of an Information Risk Register
  • Governance – Policies, Procedure, Guidance, Roles and Responsibilities, Information Assurance Board, reporting to SIRO
  • Privacy Notice information – Privacy Policies – North Yorkshire Fire & Rescue Service (northyorksfire.gov.uk)
  • Audit and training
  • Data Processing Contracts
  • Information Sharing Agreements
  • Standard Operating Procedures
  • Upholding Information Rights

 

