Menu
UK Parliament

House of Commons Special category and criminal convictions data processing policy

Purpose

The House of Commons processes special category data and criminal conviction data. For these types of processing we are required to have an appropriate policy in place setting out and explaining our procedures and policies.

This policy supplements the House of Commons’ Data Protection Policy and complies with our obligations under Schedule 1, Part 4 of the Data Protection Act 2018 (DPA 2018).

Scope

This policy applies to the House of Commons Service and the Parliamentary Digital Service (PDS). It also applies to bicameral parliamentary teams who handle House of Commons information.

It does not apply to Members of Parliament – or the staff who work for them – as they are each a separate organisation for the purpose of the UK General Data Protection Regulation (UK GDPR). It also does not apply to the House of Lords Administration, Peers or the staff who work for them.

Specific data covered

Special category personal data

We process special category data as defined in Article 9 of the UK GDPR, which is personal data revealing:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health, or
  • Data concerning a natural person’s sex life or sexual orientation

Personal data relating to criminal convictions

We also process criminal conviction data, which includes processing in relation to offences, or related security measures.

Purposes for processing

We process special category data for the purposes of recruitment and employment, safety and security requirements, answering requests, queries and providing advice, health and other services, and organising events and visits. The conditions for processing such data are as follows:

Employment and social protection

Under Article 9(2)(b) of the UK GDPR, we may process special category data and personal data relating to criminal convictions where it is necessary for purposes of carrying out obligations and exercising specific rights of the controller or data subject in the field of employment. This must provide for appropriate safeguards for the fundamental rights and the interest of the data subject.

Section 10(2) of the DPA 2018 sets out that the processing meets the above requirement in Article 9(2)(b) only if it meets a condition (or purpose) in Part 1, Schedule 1 of the DPA 2018. We process for the following purposes in Part 1 of Schedule 1. Depending on the context, the processing will be required for one or more of the listed purposes below:

  • Paragraph 1: Employment, social security and social protection
  • Paragraph 2: Health or social care purposes
  • Paragraph 3: Public health

Substantial public interest

Under Article 9(2)(g) of the UK GDPR, we may process special category data where it is necessary for reasons of substantial public interest. This must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Section 10(3) of the DPA sets out that the processing meets the above requirement in Article 9(2)(g) only if it meets a condition (or purpose) in Part 2, Schedule 1 of the DPA 2018. We process for the following purposes in Part 2 of Schedule 1. Depending on the context, the processing will be required for one or more of the listed purposes below:

  • Paragraph 7 (a) and (b): the administration of justice, or for the exercise of a function of either House of Parliament
  • Paragraph 8 (1) and (2): to ensure the equality of opportunity or treatment
  • Paragraph 10 (1): preventing or detecting unlawful acts
  • Paragraph 12 (1): regulatory requirements relating to unlawful acts and dishonesty etc.
  • Paragraph 14 (1): preventing fraud
  • Paragraph 17 (1): counselling
  • Paragraph 18 (1) and (3): safeguarding of children and of individuals at risk

Archiving, research and statistical purposes

Under Article 9(2)(j) of the UK GDPR, we may process special category data and personal data relating to criminal convictions where it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1). This must be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Section 10(2) of the DPA 2018 sets out that the processing meets the above requirement in Article (9)(2)(j) only if it meets a condition in Part 2, Schedule 1 of the DPA 2018. We process for the following purposes in Part 2 of Schedule 1. All processing is for the following purpose:

  • Paragraph 6 (1) and (2): statutory and government purposes
  • Paragraph 7 (a) and (b): the administration of justice, or for the exercise of a function of either House of Parliament

Criminal convictions

Under Article 10 of the UK GDPR, we may process personal data relating to criminal convictions when the processing is authorised under UK law providing for appropriate safeguards for the rights and freedoms of data subjects.

Section 10(5) of the DPA 2018 sets out that the processing meets the above requirement in Article 10 of the GDPR only if it meets a condition in Part 1, 2 or 3 of Schedule 1 of the DPA 2018.

In addition to the relevant conditions in Parts 1 and 2 of Schedule 1 already set out above, there are additional processing conditions for criminal convictions set out in Part 3 of Schedule 1:

  • Paragraph 32: personal data in the public domain
  • Paragraph 33: legal claims
  • Paragraph 36: substantial public interest

How we comply with the Data Protection Principles

The Principles are set out in Article 5 of the UK GDPR. We ensure compliance, including in relation to the retention and erasure of data, as follows:

Principle 1 - ‘lawful, fair and transparent’

Processing personal data must be lawful, fair and transparent. It is only lawful if and to the extent it is based on law and either the data subject has given their consent for the processing, or the processing meets at least one of the conditions in the UK GDPR or the DPA 2018.

We provide clear transparency information (privacy notices) to all those who provide personal data to us, stating the lawful basis for processing and providing the purposes for processing the different types of special category personal data and criminal convictions data where these relate to Schedule 1 of the DPA.

In circumstances where we seek consent, we make sure that:

  • The consent is unambiguous
  • The consent is given by an affirmative action
  • The consent is recorded as the condition for processing

Principle 2 - ‘specified, explicit and legitimate purposes’

The purposes for which we process special category personal data, and data relating to criminal convictions, are detailed above.

We may process personal data collected for any one of these purposes, providing the processing is necessary and proportionate to that purpose. If we are sharing data with another controller, we will document that they are legitimately processing the data for their purpose.

We will not process personal data for purposes which are incompatible with the original purpose for which it was collected.

Principle 3 - ‘adequate, relevant and not excessive’

We collect personal data necessary for the relevant purposes and ensure it is not excessive.

The information we process is necessary for and proportionate to our purposes. Where we become aware that personal data provided to us or obtained by us is not relevant to our stated purposes, we will erase it.

Principle 4 - ‘accurate and up to date’

Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, we will document our decision.

Principle 5 - ‘kept for no longer than necessary’

We retain information processed for the periods set out in Parliament’s Authorised Retention and Disposal Policy (ARDP). Where a record is not listed on the ARDP, the details of the retention period can be found on the related privacy notice.

Principle 6 - ‘appropriate security’

Electronic information is processed within our secure network or managed by suppliers on solutions that have been security accredited. Hard copy information is processed within our secure premises.

Our electronic systems and physical storage have appropriate access controls applied.

The measures to safeguard rights and interests of data subjects include the implementation of policies and procedures which include:

  • Our Data Protection Policy
  • Information security policies (available on the parliamentary intranet)
  • ICT cyber security policies (available on the parliamentary intranet)

Further information

More information about how we process personal data, as well as key contacts, can be found in our Data Protection Policy.

 

Version control

v2.3 October 2023

Policy owner: Data Protection Officer, House of Commons

Due for review: April 2025