How DESNZ processes special category data and criminal offence data (Appropriate Policy Document)
Published 29 May 2025
1. Introduction
This is the Appropriate Policy Document (APD) for the Department for Energy Security and Net Zero (DESNZ). It sets out how we will protect special category and criminal convictions personal data in accordance with the requirements of Articles 9 and 10 of the General Data Protection Regulation (‘UK GDPR’) and Schedule 1 of the Data Protection Act 2018 (‘DPA 2018’).
2. Scope
This document has been developed by DESNZ to meet the requirement under Schedule 1 of the DPA 2018 for an appropriate policy document which sets out how we will protect special category and criminal offence data as defined under Articles 9 and 10 of the UK GDPR. The document also sets out and explains our approach for securing compliance with the principles in Article 5 of the UK GDPR.
This policy applies to all DESNZ personnel involved in the processing of special category and criminal convictions data.
Special category data
Special category data (defined by Article 9 of the UK GDPR) is personal data which reveals:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person’s sex life or sexual orientation
Criminal offence data
Article 10 of the UK GDPR covers processing in relation to criminal convictions and offences. Section 11(2) of the DPA 2018 provides that criminal conviction data includes data which relates to the alleged commission of offences and related proceedings and sentencing. This is collectively referred to as ‘criminal offence data’.
3. Purpose
The APD meets the requirement at paragraph 1 of Schedule 1 Part 1 to the DPA 2018 that an APD be in place where the processing of special category personal data is necessary under Article 9 for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.
It also meets the requirement at paragraph 5 of Schedule 1 Part 2 to the DPA 2018 that an APD be in place where the processing of special category personal data is necessary under Article 9 for reasons of substantial public interest. The specific conditions under which data may be processed for reasons of substantial public interest are set out at paragraphs 1 to 37 of Schedule 1 to the DPA 2018.
Almost all of the substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018, plus the condition for processing employment, social security and social protection data, require an APD (see Schedule 1 paragraphs 1 and 5).
4. Schedule 1 conditions for processing special category and criminal offence data
DESNZ predominantly processes special category data in the performance of its statutory and corporate functions. We process the special category data about our employees that is necessary to fulfil our obligations as an employer.
We have listed below the Schedule 1 conditions upon which we are relying and which are covered by this APD:
Part 1 - Conditions relating to Employment, Health and Research:
- Paragraph 1: Employment, social security and social protection.
Part 2 - Substantial Public Interest Conditions:
- Paragraph 6: Statutory etc and government purposes
- Paragraph 8: Equality of opportunity and treatment
- Paragraph 10: Preventing or detecting unlawful acts
- Paragraph 12: Regulatory requirements relating to unlawful acts and dishonesty etc
- Paragraph 14: Preventing fraud
- Paragraph 21: Occupational pensions
- Paragraph 24: Disclosure to elected representatives.
Criminal offence data is processed under the following conditions in Parts 1, 2 and 3 of Schedule 1 of the DPA 2018:
- Paragraph 1: Employment, social security and social protection
- Paragraph 6: Statutory etc and government purposes
- Paragraph 14: Preventing fraud
- Paragraph 32: Personal data in the public domain
- Paragraph 33: Legal claims
5. Compliance with data protection principles
In accordance with the accountability principle, DESNZ maintains records of processing activities under Article 30 of UK GDPR and section 61 of the DPA 2018. We carry out data protection impact assessments where appropriate in accordance with Articles 35 and 36 of the UK GDPR and section 64 of the DPA 2018 for law enforcement processing to ensure data protection by design and default.
DESNZ follows the data protection principles set out in Article 5 of the UK GDPR, and Part 3, Chapter 2 of the DPA 2018 for law enforcement processing, as follows:
Principle 1
Personal data shall be processed lawfully, fairly and transparently in relation to the data subject.
DESNZ will:
- ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful
- only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing
- where appropriate, ensure that data subjects receive full privacy information so that any processing of personal data is transparent. We provide clear transparent information to those who provide personal data to us in the DESNZ Personal Information Charter and relevant privacy notices
Principle 2
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
DESNZ will:
- only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in a privacy notice
- not use personal data for purposes that are incompatible with the purposes for which it was collected. If we do use personal data for a new purpose that is compatible, we will inform the data subject first
- if we share personal data with another controller we will document that they are authorised by law to process the data for their purpose
Principle 3
Personal data collected will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Where personal data is provided to us or obtained by us, but is not relevant to our stated purposes, we will erase it.
DESNZ will only collect the minimum personal data that we need for the purpose for which it is collected. The data is periodically reviewed to ensure that the data we collect is adequate and relevant.
Principle 4
Personal data shall be accurate and, where necessary, kept up to date.
DESNZ will take every reasonable step to ensure that personal data is accurate and kept up to date where necessary. We will take particular care to do this where our use of the personal data has a significant impact on individuals.
Principle 5
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
DESNZ will only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data it shall be deleted or rendered permanently anonymous.
All special category data processed by us for the purpose of employment or substantial public interest is, unless retained longer for archiving purposes, scientific or historical research purposes, or statistical purposes, retained for the periods set out in our retention schedule. We determine the retention period for this data based on our legal obligations and the necessity of its retention for our business needs.
Principle 6
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
DESNZ will ensure that there are appropriate organisational and technical measures in place to protect personal data.
Electronic information is processed within our secure network. Hard copy information is processed in line with our security procedures. Our electronic systems and physical storage have appropriate access controls applied.
The systems we use to process personal data allow us to erase or update personal data at any point in time where appropriate.
Accountability principle
The Controller shall be responsible for and be able to demonstrate compliance with the principles above. We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:
- ensuring that a Data Protection Officer is appointed to provide independent advice and monitoring of the department’s personal data handling, and that this person has access to report to the highest management level of the department
- ensuring that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request
- taking a ‘data protection by design and default’ approach to our activities, putting appropriate data protection measures in place throughout the lifecycle of our processing activities
- adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors
- implementing appropriate security measures in relation to the personal data we process
- carrying out a Data Protection Impact Assessment for any high risk personal data processing, and consulting the Information Commissioner if appropriate
- having in place internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law
6. Data controller’s policies as regards retention and erasure of personal data
We have a retention and destruction policy in place. Where special category or criminal convictions personal data is processed we ensure that:
- there is a record of that processing, and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data
- where we no longer require special category or criminal convictions personal data for the purpose for which it was collected, we will delete it or render it permanently anonymous
- data subjects receive full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
Additional Special Category and Criminal Offence data
We may also process special category data and criminal offence data where an APD is not required, such as for archival, research and statistical purposes. In these circumstances we will respect the rights and interests of our data subjects by informing them about the processing in our privacy notices.
7. Further information
This policy will be retained for the duration of the processing and for a minimum of 6 months thereafter. The policy will be reviewed annually or revised more frequently if necessary.
Should you have any queries regarding this policy or how we process your personal data you can contact the DESNZ Data Protection Officer at dataprotection@energysecurity.gov.uk.