Policies and Procedures

Appropriate Policy Document

Appropriate Policy Document

 

Introduction

 

Grimoldby and Manby Parish Council needs to process personal data about the customers of its facilities, its Councillors and current and former staff to carry out its functions.  As part of its operations, it is also sometimes necessary for the Council to process special category data.  Special category data (defined by Article 9 of the UK General Data Protection Regulation (GDPR)) and sensitive data (defined by section 35 of the Data Protection Act 2018 (DPA)) is personal data which reveals:

 

• racial or ethnic origin

• political opinions

• religious or philosophical beliefs

• trade union membership

• genetic data

• biometric data for the purpose of uniquely identifying a natural person

• data concerning health

• data concerning a natural person’s sex life or sexual orientation

 

Article 10 of the UK GDPR applies to the processing of personal data relating to criminal convictions and offences or related security measures.  Section 11(2) of the DPA 2018 provides that criminal offence data includes data which relates to the alleged commission of offences and related proceedings and sentencing.  Information about victims and witnesses of crime is also included in the scope of data relating to criminal convictions and offences.

 

This policy meets the requirement in the DPA 2018 for an appropriate policy document which details the lawful basis and conditions for processing and safeguards Grimoldby and Manby Parish Council has put in place when processing special category data and criminal offence data.

 

Description of Data Processed

The Grimoldby and Manby Parish Council Privacy Statement has more information about the information processed by the Council, the legal basis for processing and what the information is used for.

 

Special Category Data

Grimoldby and Manby Parish Council processes special category personal data under the following legal basis:

  • Article 9(2)(a) – explicit consent. An example of which would include health information we receive from employees or Councillors who require additional support.
  • Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the Council or the data subject in connection with employment, social security, or social protection. For examples where the Council processes staff sickness and absences information.
  • Article 9(2)(c) – where processing is necessary to protect vital interests. An example of this processing would be using health information about a member of staff or Councillor in a medical emergency.
  • Article 9(2)(f) – for the establishment, exercise, or defence of legal claims. Examples of this processing include processing relating to any employment tribunal or other litigation.
  • Article 9(2)(g) – reasons of substantial public interest. For example, to comply with other obligations imposed on the Council in its capacity as a public authority e.g., the Equality Act.
  • Article 9(2)(i) – where processing is necessary for public health. For example, in relation to the Council’s processing of data in response to the Covid-19 pandemic.

 

Section 10(3) of the DPA 2018 sets out that for processing of special categories of personal data and criminal offence data to be necessary for reasons of substantial public interest under Article 9(2)(g) of the UK GDPR, that processing must meet one of the conditions set out in Part 2 of Schedule 1.

 

The Council processes special category and criminal offence data in the performance of its statutory and corporate functions when the following conditions set out in the following paragraphs of Part 2 of Schedule 1 to the DPA 2018 are met:

  • paragraph 6 Statutory etc and government purposes
  • paragraph 8 Equality of opportunity or treatment
  • paragraph 10 Preventing or detecting unlawful acts
  • paragraph 12 Regulatory requirements relating to unlawful acts and dishonesty etc.
  • paragraph 18 Safeguarding of children and individuals at risk
  • paragraph 19 Safeguarding of economic well-being of certain individuals

 

Criminal Offence Data

Grimoldby and Manby Parish Council processes criminal offence data under Article 10 of the GDPR. Examples of our processing of criminal offence data include pre-employment checks and declarations by an employee in line with contractual obligations. All processing might also be for others dependent on the context. The Council may also process special category personal data in other instances where it is not a requirement to keep an appropriate policy document. The processing of such data respects the rights and interests of the data subjects.

 

Compliance with the Data Protection Principles

In accordance with the accountability principle, the Council maintains records of processing activities under Article 30 of the UK GDPR and section 61 of the DPA 2018. The Council will carry out data protection impact assessments (where appropriate) in accordance with Articles 35 and 36 of the UK GDPR and section 64 of the DPA 2018 to ensure data protection by design and default. The Council follows the data protection principles set out in Article 5 of the UK GDPR, and Part 3, Chapter 2 of the DPA 2018 for processing, as follows:

 

Accountability Principle
The Council has put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:

  • The appointment of the Clerk as data control officer
  • Taking a ‘data protection by design and default’ approach.
  • Maintaining documentation of processing activities.
  • Adopting and implementing data protection policies. Implementing contracts with data processors where appropriate.
  • Implementing appropriate security measures in relation to the personal data.
  • Carrying out data protection impact assessments (where required).
  • Regular review of accountability measures.

 

Principle (a): Lawfulness, Fairness, and Transparency

  • The Council provides clear and transparent information about the processing of personal data including the lawful basis for that processing in the Council’s Records of Processing Activities (ROPA), Privacy Statement and this policy document.

Principle (b): Purpose Limitation

  • The Council processes personal data for purposes of substantial public interest as explained Page 3 of 4 above when the processing is necessary to fulfil statutory and corporate functions. The Council is authorised by law to process personal data for these purposes.
  • Where the Council shares data with another organisation, the Council shall document that sharing and implement a data sharing agreement (where required).
  • The Council shall not process personal data for purposes incompatible with the original purpose it was collected for.

Principle (c): Data Minimisation

  • The Council shall collect personal data necessary for the relevant purposes and ensure it is not excessive. The information processed is necessary for and proportionate.
  • Where personal data is provided to the Council or obtained but is not relevant to our stated purposes, it will be erased.

Principle (d): Accuracy

  • The Council shall ensure that where personal data is identified as inaccurate or out of date, having regard to the purpose for which it is being processed, and the Council will take every reasonable step to ensure that data is erased or rectified without delay. If the Council decides not to either erase or rectify it, for example because the lawful basis means those rights don’t apply, the decision will be documented.

Principle (e): Storage Limitation

  • All special category data processed by the Council for the purpose of employment or substantial public interest is, unless retained longer for archiving purposes, retained for the periods set out in the Council’s Retention of Documents Policy. This retention policy is reviewed regularly and updated when necessary.

Principle (f): Integrity and Confidentiality (Security)

  • The Council ensures that electronic information is processed within our secure networks. Hard copy information is processed in line with our security procedures. The systems used to process personal data allow data to be erased or updated as required. Electronic systems and physical storage have appropriate access controls applied.
     

Retention and Erasure Policies

We will ensure that:

  • our Data Map is kept up to date
  • disposal of SC/CO information is carried out securely
  • we assess the right retention period for SC/CO data by considering the following:
    • the amount, nature, and sensitivity of the personal data
    • the potential risk of harm from unauthorised use or disclosure
    • the purposes for which we process the data and it can be achieved through other means
    • any legal or regulatory requirements

 

Other Documentation

This policy should be read in conjunction with the Council’s:

  • Data Protection Policy
  • Retention of Documents and Records Policy
  • Data Breach Guidance
  • General Privacy Notice

Policies and Procedures can be viewed here:

https://grimoldby-manby.parish.lincolnshire.gov.uk/council-business/policies-procedures

 

Policy Review

This policy was last approved by Grimoldby and Manby Parish Council on 18th February 2026.  It is reviewed annually.

 

 

 

 

References:  This Policy document was developed using the ICO APD template 20191104 V1.0 and the HMRC appropriate Policy document updated 7 June 2019 in line with the terms of the Open Government Licence (nationalarchives.gov.uk).