
Appropriate Policy Document (APD) Sensitive Data Processing

This Appropriate Policy Document (APD) has been prepared for the RGP in accordance with its obligations under the Gibraltar General Data Protection Regulation (GDPR) and the Data Protection Act 2004 (DPA 2004).

This policy explains RGP procedures for securing compliance with the data protection principles listed below in relation to sensitive processing for law enforcement purposes when acting in the capacity of a competent authority. It also explains the retention and erasure policies in relation to sensitive processing.

This policy meets the requirement under section 51 of the DPA 2004 that an appropriate policy document be in place where the processing of special category personal data is necessary for the purposes of performing or exercising legal obligations or rights on the controller or the data subject in connection with employment, social security or social protection, and where it is necessary for reasons of substantial public interest. 

1. What is sensitive processing?

Sensitive processing is defined in Section 44 of the DPA 2004 and means the processing of personal data of:

  • Racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership,
  • Genetic data, or of biometric data, for the purpose of uniquely identifying an individual,
  • Data concerning health,
  • Data concerning an individual’s sex life or sexual orientation.

2. Procedures for securing compliance with Data Protection Principles

Article 5 of the GDPR and Sections 44 to 49 of Part 3 of the DPA 2004 set out the data protection principles. These are our procedures for ensuring that we comply with them.

 

2.1 Principle 1

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

The RGP will:

  • Ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful. The most common Schedule 8 conditions relevant to law enforcement processing are:
    • Statutory Purposes
    • Administration of Justice
    • Protecting an individual’s vital interests
    • Safeguarding of children and of individuals
  • Only process personal data fairly and will ensure that data subjects are not misled about the purposes of any processing.
  • Ensure that data subjects receive full privacy information so that any processing of personal data is transparent.

2.2 Principle 2

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

The RGP will: 

  • Only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in a privacy notice.
  • Not use personal data for purposes that are incompatible with the purpose for which it was collected. If we do use personal data for a new purpose that is compatible, we will inform the data subject first.

2.3 Principle 3

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

The RGP will only collect the minimum personal data that we need for the purpose for which it is collected. We will ensure that the data we collect is adequate and relevant.

2.4 Principle 4

Personal data shall be accurate and, where necessary, kept up to date.

The RGP will ensure that personal data is accurate and kept up to date where necessary. We will take particular care to do this where our use of the personal data has a significant impact on individuals.

2.5 Principle 5

Personal data shall be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed.

The RGP shall only keep identifiable data for as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data it shall be deleted or rendered permanently anonymous.

2.6 Principle 6

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The RGP will ensure that there are appropriate organisational and technical measures in place to protect personal data. 

3. Accountability

The data controller shall be responsible for and be able to demonstrate compliance with these principles.

The RGP will:

  • Ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request.
  • Carry out a Data Protection Impact Assessment for any high-risk personal data processing and consult the Information Commissioner if appropriate.
  • Ensure that a Data Protection Officer is appointed to provide independent advice and monitoring of the organisation’s personal data handling, and that this person has access to report to the highest management level of the organisation.
  • Have in place internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection legislation.
  • Take a “data protection by design and default” approach – putting appropriate data protection measures in place throughout the entire lifecycle of our processing operations.
  • Implement appropriate security measures to protect all personal data held.
  • Record and investigate all data breaches.
  • Review and update our accountability measures at appropriate intervals. 

4. Retention of personal data

We will ensure, where special category or criminal convictions personal data is processed, that:

  • There is a record of that processing, and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data.
  • Where we no longer require special category or criminal convictions personal data for the purpose for which it was collected, we will delete it or render it permanently anonymous.
  • Where possible data subjects will receive details of our full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period. 

5. Erasure of personal data

Erasure of personal data will be dealt with in accordance with the DPA 2004. See the Privacy Notice (Paragraph 11 within the Privacy Notice explains the data subject rights in relation to the erasure or rectification). A request for erasure or rectification can be made by contacting datarequests@royalgib.police.gi  

6. Review and Retention of this APD

This document will be reviewed annually, or sooner if legislation or operational practices change.

This document will be retained for at least six months after all sensitive processing it relates to has ended in accordance with Section 40 of the DPA 2004.

This document will be made available to the Gibraltar Regulatory Authority (GRA) if requested. 

7. Further information

The Data Protection Officer for the RGP can be contacted by email at: dpo@royalgib.police.gi