House of Lords Policy on processing special categories of personal data and criminal convictions data
Owner | Information Compliance Team |
Date | 08/07/2021 |
Version | 2 |
Reviewed | 15/11/2022 |
Classification | Open |
1. Purpose
The House of Lords processes some special category data and criminal conviction data. For these types of processing we are required to have an appropriate policy in place, under Schedule 1, Part 4 of the Data Protection Act 2018 (“the DPA”), which sets out and explains our procedures and policies.
This policy has been developed to meet the requirement that an appropriate policy document be in place where the processing of special category personal data is necessary for:
- the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection (paragraph 1 of Schedule 1 to the DPA)
- reasons of substantial public interest (paragraph 5 of Schedule 1 to the DPA). The specific conditions under which data may be processed for reasons of substantial public interest are set out at paragraphs 6 to 28 of Schedule 1.
It explains the procedures:
- in place to comply with the six data protection principles in Article 5 of the UK General Data Protection Regulation (“the UK GDPR”) in relation to processing of the kind set out above
- relating to retention and erasure of special categories of personal data and criminal convictions personal data.
This policy should be read in conjunction with our Privacy Notices and the Authorised Records Disposal Practice.
2. Procedures for securing compliance with the data protection principles
Principle 1
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
We will process data only where a lawful basis applies. We will process personal data fairly, providing clear and accurate information as to the purposes of the processing. We will provide privacy notices so that processing of personal data is transparent.
Principle 2
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
We will collect personal data only for specified, explicit and legitimate purposes which will be set out in a privacy notice. We will not normally further process personal data in a way that is incompatible with the purposes for which the data were collected, as set out in a privacy notice. If, having collected data for one purpose, we wish to use them for a further purpose we will contact the data subjects first.
Principle 3
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
We will collect, use and retain only the minimum relevant personal data necessary for the purpose for which the data are processed.
Principle 4
Personal data shall be accurate and, where necessary, kept up-to-date.
We will take all reasonable steps to ensure that special categories of personal data are accurate and, where necessary, kept up-to-date. In the case of our staff we provide a facility for individuals to update their own personal data through our HR system. We encourage Members to inform us of any changes in relation to the limited amounts of special category data we process about them.
Principle 5
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
We will retain such data in identifiable form only for as long as is necessary for the purpose(s) for which they are processed, or where we have a legal obligation to do so. Data will be deleted or destroyed securely in accordance with the retention periods set out in the Authorised Records Disposal Practice:
Where processing is undertaken for research or analysis purposes, we will anonymise the data wherever possible.
Principle 6
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We have in place organisational and technical controls designed to safeguard personal data from unauthorised, unlawful or accidental loss, destruction or damage.
3. Policies relating to the retention and erasure of special categories of personal data and criminal convictions personal data
We will retain such data for the time periods set out in the Authorised Records Disposal Practice, which is published on our website at:
Special categories of data will sometimes be retained for longer periods, e.g. for HR purposes or in some cases permanently as part of the Parliamentary Archives, for example if the data have been provided as evidence to a select committee.
v.2 updated November 2022