APPROPRIATE POLICY DOCUMENT
APPROPRIATE POLICY DOCUMENT
PART 1. ABOUT THIS POLICY
This Appropriate Policy Document (APD) sets out how Tracy's TMAWA Warrior Army (we or our) will protect special category and criminal offence personal data.
We have this APD in place to explain the basis on which special category and criminal offence personal data is processed and to demonstrate that such processing is compliant with principles set out in data protection legislation, specifically the Data Protection Act 2018 and the UK General Data Protection Regulation.
PART 2. DESCRIPTION OF DATA PROCESSED
We process criminal offence and special category personal data, specifically:
data revealing racial or ethnic origin
data revealing political opinions
data revealing religious or philosophical beliefs
data revealing trade union membership
genetic data
biometric data, which is being used for identification purposes data concerning health
data concerning a person's sex life
data concerning a person's sexual orientation
We process special category and criminal offence personal data for the following purpose:
We want to implement a new surveillance system that records staff as a professional development tool.
PART 3. SCHEDULE 1 CONDITION(S) FOR PROCESSING
We process the special category personal data under the following condition(s) set out in Schedule 1 to the Data Protection Act 2018:
Employment, social security and social protection at paragraph 1 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection. |
Substantial public interest - statutory and government purposes at paragraph 6 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary for reasons of substantial public interest and for the exercise of a function given to a person by an enactment or rule of law or of the Crown, a Minister of the Crown or a government department. |
Substantial public interest - administration of justice and parliamentary purposes at paragraph 7 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary for the administration of justice or the exercise of a function of either House of Parliament. |
Substantial public interest - equality of opportunity or treatment at paragraph 8 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to a category of special category personal data with a view to enabling such equality to be promoted or maintained. The special category personal data is limited to data revealing or concerning racial or ethnic origin, religious or philosophical beliefs, health or an individual’s sexual orientation. |
Substantial public interest - The processing is of personal data revealing racial or ethnic origin, is carried out to
Substantial public interest - racial and ethnic diversity at senior levels of organisations at paragraph 9 of Schedule 1 to the Data Protection Act 2018
The processing is of personal data revealing racial or ethnic origin, is carried out to identify individuals to hold senior positions in organisations, is necessary to promote /maintain diversity in the racial and ethnic origins of individuals holding senior positions in organisations and can reasonably be carried out without the consent of the data subject.
Substantial public interest - preventing or detecting unlawful acts at paragraph 10 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary for the purposes of the prevention or detection of an unlawful act, is carried out without the data subject’s consent in order to not prejudice those purposes and is necessary for reasons of substantial public interest. |
Substantial public interest - protecting the public against dishonesty etc at paragraph 11 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary for the exercise of a protective function, is necessary for reasons of substantial public interest and is carried out without the data subject’s consent in order to not prejudice the exercise of that function. |
Substantial public interest - regulatory requirements relating to unlawful acts and dishonesty etc at paragraph 12 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary for reasons of substantial public interest and necessary to comply with (or assist others to comply with) a regulatory requirement involving a person taking steps to establish whether another person has either committed an unlawful act or been involved in dishonesty, malpractice or other seriously improper conduct. |
Substantial public interest - preventing fraud at paragraph 14 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary to prevent fraud (or a particular kind of fraud) and the personal data is either disclosed by a member of an anti-fraud organisation, disclosed in accordance with arrangements made by an anti-fraud organisation or processed after being dislocated by a member of or in accordance with arrangements made by an anti- fraud organisation. |
Substantial public interest - suspicion of terrorist financing or money laundering at paragraph 15 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary to make a disclosure in good faith under section 21CA of the Terrorism Act 2000 or section 339ZB of the Proceeds of Crime Act 2002. |
Substantial public interest - support for individuals with a particular disability or medical condition at paragraph 16 of Schedule 1 to the Data Protection Act 2018 | The processing is carried out by a not-for-profit body that provides support to individuals with a particular disability or medical condition, can reasonably be carried out without the consent of the data subject, is necessary for reasons of substantial public interest and is in relation to a specific type of special category personal data. The special category personal data is limited to data revealing or concerning racial or ethnic origin, genetic or biometric data, health or an individual’s sexual orientation. The processing is further necessary to raise awareness of the disability or medical condition or provide support to (or enable individuals to provide support to) individuals who either have the disability/condition mentioned, had that disability or condition or have a significant risk of developing that disability or condition. |
Substantial public interest - counselling etc at paragraph 17 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary for reason of substantial public interest and to provide confidential counselling (or advice, support or other similar confidential services). Further, the processing is carried out without the consent of the data subject because: in the circumstances, consent to the processing cannot be given by the data subject;    |
Substantial public interest -
The processing is necessary for protecting an individual from neglect or physical, mental or emotional harm or an individual’s physical, mental or emotional wellbeing and the individual is either aged under 18 or over 18 and at-risk.
Further, the processing is necessary for reasons of substantial public interest and is carried out without the consent of the data subject because:
Substantial public interest - safeguarding of children and of individuals at risk at paragraph 18 of Schedule 1 to the Data Protection Act 2018
in the circumstances, consent to the processing cannot be given by the data subject;
in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing; or
obtaining the consent of the data subject would prejudice the protection of the individual.
Substantial public interest - safeguarding of economic well- being of certain individuals at paragraph 19 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary to protect the economic well-being of an individual at economic risk who is aged 18 or over, is of special category personal data concerning health, is necessary for reasons of substantial public interest and is carried out without the consent of the data subject because: in the circumstances, consent to the processing cannot be given by the data subject;    |
Substantial public interest - insurance at paragraph 20 of Schedule 1 to the Data Protection Act 2018 | The processing is of personal data revealing racial or ethnic origin, religious or philosophical beliefs, genetic data, data concerning health or trade union membership and is necessary for both an insurance purpose and for reasons of substantial public interest. |
Substantial public interest - occupational pensions at paragraph 21 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary to make a determination in connection with eligibility for (or benefits payable under) an occupational pension scheme, is of data concerning health (relating to the data subject who is the parent, grandparent, great-grandparent or sibling of a member of the scheme) and can reasonably be carried out without the consent of the data subject. |
Substantial public interest - political parties at paragraph 22 of Schedule 1 to the Data Protection Act 2018 | The processing is of special category personal data revealing political opinions, is carried out by a person or organisation included in the register maintained under section 23 of the Political Parties, Elections and Referendums Act 2000 and is necessary for the purposes of the person’s or organisation’s political activities. |
Substantial public interest - elected representatives responding to requests at paragraph 23 of Schedule 1 to the Data Protection Act 2018 | The processing is carried out by an elected representative or a person acting with the authority of such a representative, in connection with the discharge of the elected representative’s functions and in response to a request by an individual that the elected representative take action on behalf of the individual. Further, the processing is necessary for the purposes of (or in connection with) the action reasonably taken by the elected representative in response to that request. |
Substantial public interest - disclosure to elected representatives at paragraph 24 of Schedule 1 to the Data Protection Act 2018 | The processing consists of the disclosure of personal data to an elected representative or a person acting with the authority of such a representative, in response to a communication to the organisation from that representative which was made in response to a request from an individual. Further, the personal data is relevant to the communication’s subject matter and disclosure is necessary for responding to that communication. |
Substantial public interest - informing elected representatives about prisoners at paragraph 25 of Schedule 1 to the Data Protection Act 2018 | The processing is of personal data about a prisoner for the purpose of informing a member of the House of Commons, a member of the National Assembly for Wales or a member of the Scottish Parliament about the prisoner and the member is under an obligation not to further disclose the personal data. |
Substantial public interest - publication of legal judgment at paragraph 26 of Schedule 1 to the Data Protection Act 2018 | The processing consists of the publication of a judgment (or other decision of a court or tribunal) and is necessary for the purposes of publishing such a judgment (or decision). |
Substantial public interest - anti-
the purposes of measures designed to eliminate doping which are undertaken by
The processing is necessary for:
Substantial public interest - anti- doping in sport at paragraph 27 of Schedule 1 to the Data Protection Act 2018
the purposes of measures designed to eliminate doping which are undertaken by (or under the responsibility of a) body or association that is responsible for eliminating doping in a sport, at a sporting event or in sport generally; or
the purposes of providing information about doping, or suspected doping, to such a body or association.
Substantial public interest - standards of behaviour in sport at paragraph 28 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event, is carried out without the data subject’s consent so as not to prejudice those purposes, and is necessary for reasons of substantial public interest. |
We process the criminal offence personal data under the following condition(s) set out in Schedule 1 to the Data Protection Act 2018:
Employment, social security and social protection at paragraph 1 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection. |
Statutory and government purposes at paragraphs 6 and 36 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary for reasons of substantial public interest and for the exercise of a function given to a person by an enactment or rule of law or of the Crown, a Minister of the Crown or a government department. |
Administration of justice and parliamentary purposes at paragraphs 7 and 36 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary for the administration of justice or the exercise of a function of either House of Parliament. |
Protecting the public against dishonesty etc at paragraphs 11 and 36 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary for the exercise of a protective function, is necessary for reasons of substantial public interest and is carried out without the data subject’s consent in order to not prejudice the exercise of that function. |
Regulatory requirements relating to unlawful acts and dishonesty etc at paragraphs 12 and 36 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary to comply with (or assist others to comply with) a regulatory requirement involving a person taking steps to establish whether another person has either committed an unlawful act or been involved in dishonesty, malpractice or other seriously improper conduct. |
Preventing fraud at paragraphs 14 and 36 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary to prevent fraud (or a particular kind of fraud) and the personal data is either disclosed by a member of an anti-fraud organisation, disclosed in accordance with arrangements made by an anti-fraud organisation or processed after being dislocated by a member of or in accordance with arrangements made by an anti- fraud organisation. |
Suspicion of terrorist financing or money laundering at paragraphs 15 and 36 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary to make a disclosure in good faith under section 21CA of the Terrorism Act 2000 or section 339ZB of the Proceeds of Crime Act 2002. |
Counselling etc at paragraphs 17 and 36 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary to provide confidential counselling (or advice, support or other similar confidential services) and the processing is carried out without the consent of the data subject because: in the circumstances, consent to the processing cannot be given by the data subject;    |
Safeguarding of children and of The processing is necessary for protecting an individual from neglect or physical,
Safeguarding of children and of The processing is necessary for protecting an individual from neglect or physical,individuals at risk at paragraphs mental or emotional harm or an individual’s physical, mental or emotional wellbeing 18 and 36 of Schedule 1 to the and the individual is either aged under 18 or over 18 and at-risk.
Data Protection Act 2018
Elected representatives responding to requests at paragraphs 23 and 36 of Schedule 1 to the Data Protection Act 2018 | The processing is carried out by an elected representative or a person acting with the authority of such a representative, in connection with the discharge of the elected representative’s functions and in response to a request by an individual that the elected representative take action on behalf of the individual. Further, the processing is necessary for the purposes of (or in connection with) the action reasonably taken by the elected representative in response to that request. |
Disclosure to elected representatives at paragraphs 24 and 36 of Schedule 1 to the Data Protection Act 2018 | The processing consists of the disclosure of personal data to an elected representative or a person acting with the authority of such a representative, in response to a communication to the organisation from that representative which was made in response to a request from an individual. Further, the personal data is relevant to the communication’s subject matter and disclosure is necessary for responding to that communication. |
Informing elected representatives about prisoners at paragraphs 25 and 36 of Schedule 1 to the Data Protection Act 2018 | The processing is of personal data about a prisoner for the purpose of informing a member of the House of Commons, a member of the National Assembly for Wales or a member of the Scottish Parliament about the prisoner and the member is under an obligation not to further disclose the personal data. |
Publication of legal judgment at paragraphs 26 and 36 of Schedule 1 to the Data Protection Act 2018 | The processing consists of the publication of a judgment (or other decision of a court or tribunal) and is necessary for the purposes of publishing such a judgment (or decision). |
Standards of behaviour in sport at paragraphs 28 and 36 of Schedule 1 to the Data Protection Act 2018 | The processing is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event and is carried out without the data subject’s consent so as not to prejudice those purposes. |
Administration of accounts used in commission of indecency offences involving children at paragraph 35 of 1 Schedule 1 to the Data Protection Act 2018 | This condition is met if the processing is of personal data about a conviction or caution for an offence under (or an incitement to commit an offence under): section 1 of the Protection of Children Act 1978 (indecent photographs of children); section 160 of the Criminal Justice Act 1988 (possession of indecent photographs of a child); or Further, the processing is necessary for the purpose of administering an account relating to the payment card used in the commission of the offence or cancelling that payment card.     |
Insurance at paragraphs 20 and 37 of 1 Schedule 1 to the Data Protection Act 2018 | The processing is either: necessary for an insurance purpose and necessary for reasons of substantial public interest; or   |
PART 4. PROCEDURES FOR ENSURING COMPLIANCE WITH THE PRINCIPLES
Accountability principle
The data processor is responsible for complying with data protection laws and must be able to demonstrate this compliance.
We implement and maintain the following measures and records relating to our
What measures and records relating to our processing activities do we implement and maintain?
We implement and maintain the following measures and records relating to our processing activities:
We have appointed a Data Protection Officer (DPO).
We keep a record of our data processing activities, which can be requested from the DPO and is available here: https://www.tracysmichaelandalfiewarriorarmy. com.
We have in place appropriate data protection policies.
_________________
Do we have appropriate data protection policies? | We have the following in place: Data Retention Policy Information Security Policy Privacy Policy     |
Do we carry out data protection impact assessments for uses of personal data that are likely to result in a high risk to individuals’ interests? | Yes |
Principle (a) - lawfulness, fairness and transparency Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. | |
Have we identified an appropriate lawful basis for the processing of personal data? | We have identified the following appropriate lawful ground(s) for the processing of special category and criminal offence personal data: Consent       |
Have we identified a further Schedule 1 condition for the processing of personal data? | Yes See ‘PART 3. SCHEDULE 1 CONDITION FOR PROCESSING’ for more details on the further conditions for processing. |
Do we make appropriate privacy information available with respect to personal data and are we open and honest when we collect personal data, ensuring that we do not deceive or mislead people about its use? | We make appropriate privacy information available through our Privacy Policy and Privacy Notice, which are made available to individuals when we collect their personal data. |
Principle (b) - purpose limitation Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. | |
Have we clearly identified our purpose for processing personal data? | Yes See ‘PART 2. DESCRIPTION OF DATA PROCESSED’ for more detail on the purpose for processing. |
Have we included appropriate details of the purpose in our privacy information for individuals? | Yes |
If we plan to use personal data for
We will not use personal data for new, different or incompatible purposes from those disclosed when the data was first obtained unless:
If we plan to use personal data for a new purpose, do we check that this is compatible with our original purpose or get specific consent for the new purpose?
we have informed the data subject of the new purposes and they have consented where necessary; or
if we use personal data for new compatible purposes, then we will inform the data subject first.
Principle (c) - data minimisation Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. | |
Are we satisfied that we only collect personal data we actually need for our specified purpose and that we have sufficient personal data to properly fulfil this purpose? | Yes |
Do we periodically review this particular personal data, and delete anything we don’t need? | Yes - in accordance with our Data Retention Policy. |
Principle (d) - accuracy Personal data shall be accurate and, where necessary, kept up to date. | |
Do we have appropriate processes in place to check the accuracy of the personal data we collect and identify when we need to update the personal data? | Yes We check the accuracy of personal data at the time of collection and at regular intervals afterwards. We take steps to destroy or amend inaccurate or out-of- date personal data.  |
Who is the source of the personal data? | The individual to whom the personal data relates |
Do we have a policy (or procedure) outlining how we keep records of mistakes and opinions? | Yes _________________ |
Do we have a policy (or procedure) outlining how we deal with challenges to the accuracy of data and how we ensure compliance with individuals’ rights to rectification? | Yes _________________ |
Principle (e) - storage limitation Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. | |
Do we carefully consider how long we keep the personal data and can we justify this amount of time? | Yes - our Data Retention Policy sets out how long we can keep personal data for and provides a justification for this duration. |
Do we regularly review our information and erase or anonymise this personal data when we no longer need it? | Yes - in accordance with our Data Retention Policy. |
Do we need to keep any personal data for public interest archiving, scientific or historical research, or statistical purposes? | As set out in our Data Retention Policy and Privacy Notice, we need to keep personal data for: Archiving purposes in the public interest Statistical purposes    |
Principle (f) - integrity and confidentiality (security)
Personal data shall be processed in a manner that ensures appropriate security of the data (including protection against
Personal data shall be processed in a manner that ensures appropriate security of the data (including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage) using appropriate technical or organisational measures.
Have we analysed the risks presented by our processing and used this to assess the appropriate level of security we need for this personal data? | Yes We have analysed the risks presented by our processing and assessed, and put in place the security measure outlined below. |
Do we have an information security policy regarding this personal data in place? | Yes |
Do we take steps to ensure this policy is implemented? | Yes |
How often is this policy reviewed? | Every 6 months |
What other organisational and/or technical measures or controls have we put in place because of the circumstances and the type of personal data we are processing? | We have strictly limited access rights to certain datasets to ensure only those authorised to process the data have access  |
PART 5. RETENTION AND ERASURE POLICIES
We take the security of special category and criminal offence personal data very seriously and have physical and technical safeguards in place to protect this data against unlawful or unauthorised processing, accidental loss or damage.
We will ensure that when special category and criminal offence personal data is processed:
the processing is recorded and that any such records set out, where possible, a suitable time period for the safe and permanent erasure of the different categories of personal data in accordance with our Data Retention Policy and
Information Security Policy.
the special category and criminal offence personal data will be deleted or permanently anonymised as soon as possible when the data is no longer required for the purpose for which it was collected.
any destroyed records will be permanently disposed of.
Our data protection policies explain how special category and criminal offence personal data will be handled. This includes the time periods for which the personal data will be stored or, if that is not possible, the criteria used to determine that period.
A Privacy Policy can be requested from the DPO and is available on our website and can be found here: https://www. tracysmichaelandalfiewarriorarmy.com.
A Privacy Notice can be requested from the DPO and is available on our website and can be found here: https://www. tracysmichaelandalfiewarriorarmy.com.
PART 6. REVIEW
We will retain this APD for the duration of the data processing and for a minimum of 6 months after the processing ceases.
This APD will be regularly reviewed by our DPO, Tracy Taylor-Scott, with the next review date being 04 April 2024.
For further information or if you have questions about the handling of special category or criminal offence personal data, please contact our DPO at admin@tracystmawawarriorarmy.com.