Special Category Data Policy

Summary

This policy outlines the Council's obligations under data protection legislation with regard to the processing of special category personal data.

1. Policy statement

Surrey County Council is committed to ensuring that all personal data it processes is managed appropriately and in compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018), collectively referred to as "DP legislation".

The Council recognises its duties to protect all personal data, but in particular special category personal data as defined under data protection legislation, that is, information that may identify an individual's:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • health
  • sex life and sexual orientation
  • genetic and biometric identifiers
  • criminal convictions and offences

Heads of Service and Information Asset Owners will ensure that all special category data is captured, held or used in their business area in compliance with this policy. Any proposed new use of special category data will be subject to a Data Protection Impact Assessment.

For all uses of special category data, the processing will be included in the Council's Record of Processing Activity (ROPA). This will include a description of the lawful basis for processing and confirmation that the appropriate data retention rules are being applied.

Failure to comply with this policy may be subject to disciplinary procedures.

2. Responsibilities

The Senior Information Risk Officer (SIRO) has overall responsibility for ensuring compliance with this policy and with DP legislation.

The Data Protection Officer (DPO) has responsibility for advising the organisation on data protection matters, and for monitoring compliance with this policy.

Heads of Service and Information Asset Owners are responsible for ensuring that all systems, processes, and information assets within their business area are compliant with this policy and with DP legislation.

All staff are responsible for understanding and complying with relevant policies and procedures for protecting special category and criminal conviction data.

3. Related documents

  • Data Protection Policy
  • Record of Processing Activity (Information Asset Register)
  • Data Breach Policy

Compliance with the Principles

All processing of personal data, including special category data, is subject to the Council's Information Security and Data Protection Policies and all related procedures for data handling. Below is a summary of our procedures for compliance with the principles under Article 5 of GDPR.

Data protection principle - Lawfulness, fairness and transparency

Personal data will be processed lawfully, fairly and in a transparent manner

Procedures for securing compliance

All use of special category data will be:

  • assessed for lawfulness, fairness and transparency as part of Data Protection Impact Assessments (DPIA)
  • described clearly and precisely in privacy notices available to data subjects

The Council will ensure that personal data is only processed where a lawful basis applies, that is, where there is clear justification under Articles 6 and 9 of GDPR.

The Council will only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing.

Relevant policies or procedures

  • Data Protection Policy

Data protection principle - Purpose limitation

Personal data will be collected and used for specified, explicit and legitimate purposes and not further processed in an incompatible way.

Procedures for securing compliance

This will be checked within the DPIA process.

Staff will be trained to ensure that they do not use personal data for purposes other than those authorised by the organisation. Staff will receive training and documented procedures for relevant processes.

Data subjects will be informed of the purpose for processing in a privacy notice.

Relevant policies or procedures

  • Data Protection Policy
  • Record of Processing Activity (Information Asset Register)
  • Mandatory information governance and data protection training

Data protection principle - Data minimisation

Personal data collected and processed will be adequate, relevant and limited to what is necessary for the purpose for processing.

Procedures for securing compliance

All forms and systems are subject to Data Protection by Design controls to ensure that only data relevant to the business requirement is captured, held and made available.

Our systems have role-based access, and staff will be trained to record only the minimum personal data necessary for business needs.

This will be checked within the DPIA process.

Relevant policies or procedures

  • Data Protection Policy

Data protection principle - Accuracy

Personal data will be accurate and where required, rectified without delay.

Procedures for securing compliance

Data accuracy is verified using system controls where applicable, and staff are responsible for ensuring the accuracy of data recording. This will be checked within the DPIA process.

Relevant policies or procedures

  • Data Protection Policy

Data protection principle - Storage limitation

Personal data will not be kept in an identifiable form for longer than necessary, in line with Council retention schedules.

Procedures for securing compliance

Heads of Service are tasked with ensuring that the Records Retention Schedule is applied to all personal data, and in particular to special category data. Where systems do not have the functionality to automate disposal, staff have a scheduled task to manually delete time-expired data.

Relevant policies or procedures

Data protection principle - Integrity and confidentiality

Personal data will be kept securely.

Procedures for securing compliance

All use of personal data is subject to our Data Protection Policy and related controls. Staff are trained to be particularly aware of the additional risks to special category data, and the relevant teams have appropriate data handling processes and guidance.

Appropriate means of transmitting data are used. Data is securely stored and securely disposed of when retention periods are reached.

Where processing is sub-contracted or outsourced, there are suitable data protection clauses in the contract.

Relevant policies or procedures

  • Data Protection Policy
  • Information Security Policy

Contact

If you have any questions about this policy, please contact the Data Protection Officer at DPO@surreycc.gov.uk.

This policy is subject to review annually. Superseded policies will be retained for at least 6 months.

Version 1: 15 February 2019, approved by Senior Information Risk Owner

Version 2: 3 April 2020, approved by Information Governance Risk Board
