This document explains how the RGP protects special category and criminal conviction personal data.
Article 10 of the General Data Protection Regulation (GDPR) sets out our legal authority for processing personal data relating to criminal convictions and offences, in accordance with the Data Protection Act 2004. The RGP processes criminal conviction personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
This policy meets the requirements of the DPA that an appropriate policy document be in place where the processing of special category personal data is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.
This policy also meets the requirements in the DPA that an appropriate policy document be in place where the processing of special category data is necessary for reasons of substantial public interest.
This policy should be read in conjunction with the RGP Privacy Notice.
Article 5 of the GDPR and Sections 44 to 49 of Part 3 of the DPA 2004 set out the data protection principles. These are our procedures for ensuring that we comply with them.
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
The RGP will:
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
The RGP will:
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
The RGP will only collect the minimum personal data that we need for the purpose for which it is collected. We will ensure that the data we collect is adequate and relevant.
Personal data shall be accurate and, where necessary, kept up to date
The RGP will ensure that personal data is accurate, and kept up to date where necessary. We will take particular care to do this where our use of the personal data has a significant impact on individuals.
Personal data shall be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed
The RGP shall only keep identifiable data for as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data, it shall be deleted or rendered permanently anonymous.
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
The RGP will ensure that there are appropriate organisational and technical measures in place to protect personal data.
The data controller shall be responsible for, and be able to demonstrate compliance with these principles
The RGP will:
We will ensure, where special category or criminal convictions personal data is processed, that:
The Data Protection Officer for the RGP can be contacted by email at: firstname.lastname@example.org