Policy paper

DfE appropriate policy document

Updated 15 March 2024

Applies to England

1. Scope

As part of the Department for Education’s (DfE’s) statutory and departmental functions, we process special category data and criminal offence data (collectively referred to as ‘sensitive data’) in accordance with the requirements of Articles 9 and 10 of the UK General Data Protection Regulation (UK GDPR) and Schedule 1 of the Data Protection Act 2018 (DPA 2018).

This policy covers:

  • substantial public interest processing for DfE statutory and departmental functions
  • employment, as it affects the provision of or participation in training or education and processing for human resources (HR) purposes
  • processing for archiving, research and statistical purposes

This appropriate policy document demonstrates that the DfE processing of special category and criminal offence data based on these specific Schedule 1 conditions is compliant with the requirements of the UK GDPR Article 5 principles.

Any processing will only be conducted once a data protection impact assessment has been completed and the Office of the Data Protection Officer is content that the request:

  • is lawful
  • meets the data protection principles set out in UK GDPR
  • meets the additional policy requirements set out in this document

2. Definition of special category, sensitive and criminal offence data

Special category data (defined by Article 9 of the UK GDPR) and sensitive data (defined by section 35 of the DPA 2018) is personal data which reveals:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation

Article 10 of the UK GDPR applies to the processing of personal data relating to criminal convictions and offences or related security measures.

Section 11(2) of the DPA 2018 provides that criminal offence data includes data which relates to the alleged commission of offences and related proceedings and sentencing. Information about victims and witnesses of crime is also included in the scope of data relating to criminal convictions and offences.

3. Conditions for processing special category data and criminal convictions

DfE processes special category data under the following paragraphs of Article 9 of the UK GDPR:

  • (a) explicit consent
  • (b) employment, social security and social protection (if authorised by law)
  • (c) vital interests
  • (d) not-for-profit bodies
  • (e) made public by the data subject
  • (f) legal claims or judicial acts
  • (g) reasons of substantial public interest (with a basis in law)
  • (h) health or social care (with a basis in law)
  • (i) public health (with a basis in law)
  • (j) archiving, research and statistics (with a basis in law)

Article 10 of the UK GDPR permits processing of personal data relating to criminal convictions and offences under the control of official authority. It follows that DfE may process criminal offence data under Article 10 of the UK GDPR when it is exercising official authority that enables it to do so. When processing is for DfE statutory functions within the meaning set out in section 8 of the DPA 2018, including departmental functions, DfE must meet one of the conditions in Schedule 1 of the DPA 2018. DfE may process criminal offence data under any of the Schedule 1 conditions listed in this document with the exception of paragraph 8 (information in section 5 of this document), which is only applicable to special category data. DfE may further process criminal offence data when the additional processing conditions relating to criminal offence data are met under DPA 2018, Part 3 of Schedule 1:

  • paragraph 32 (personal data in the public domain)
  • paragraph 33 (legal claims)
  • paragraph 36 (substantial public interest)

The above does not apply to law enforcement processing which is covered by section 8 of this policy.

Explicit consent will only be used where there is not an imbalance of power, for example, for research purposes. It will only be used where the department can demonstrate that the data subject has a genuine choice and will not be chased or suffer any detriment if they choose not to provide the data. The data subject will not be asked for a reason why they have chosen not to provide the data and there will be a choice provided to demonstrate they have chosen not to provide the data.

Processing of the data collected will be the minimum required for the stated purpose and processing will be limited to its original purpose only and deleted after the original use has been concluded. The rights to object and to erasure will be absolute.

5. Employment, social security and social protection law

Section 10(2) of the DPA 2018 sets out that in order for processing of special categories of personal data to be necessary for the purposes of carrying out the obligations and exercising specific rights of DfE or of the data subject in the field of employment, social security and social protection law under Article 9(2)(b) of the UK GDPR, that processing must meet one of the conditions set out in Part 1 of Schedule 1.

DfE processes special category data for HR purposes when the condition set out in paragraph 1 of Part 1 of Schedule 1 to the DPA 2018 is met. This condition may apply to DfE assessing policy in relation to social security or employment as it affects the provision of or participation in training or education and to processing for HR purposes.

DfE will consider each request for processing (including information sharing) on a case-by-case basis. The Office of the Data Protection Officer will confirm the lawful basis for a request to process the data, including that the business area can clearly demonstrate that this relates to the provision of, or participation in, training or education as part of departmental function or, for employees, that the processing is necessary to fulfil DfE’s obligations as an employer. Only data that is necessary for the stated processing activity will be collected.

Further requests for reuse for other purposes will be considered under Articles 9(2)(b) (employment, social security and social protection law), (2)(c) (vital interests) and (2)(f) (legal claims and judicial acts), and the limitation principle will be further considered. Requests to object to processing and erasing data will be considered on a case-by-case basis. Information will be deleted once obligations under relevant legislative requirements cease. It is to be noted that these obligations may last longer than the period of employment.

6. Vital interest

The Office of the Data Protection Officer has cleared all DfE staff including contractors and third-party staff who are in a position to access personal data in the vital interests of the data subject to process and share personal data in cases of emergency. This will usually be a senior member of staff with a direct working relationship with the data subject or a local qualified first aider. The data subject will be informed that the data was shared at the earliest opportunity where they are able to understand what has happened. This may include drawing the attention of medical staff to personal data the data subject has made manifestly public by wearing a medical alert bracelet or other piece of jewellery.

In some cases, DfE may provide personal data about the next of kin to emergency services so that they can provide the necessary information.

The data subject has the right to discuss the processing with the DfE data protection officer.

7. Not for profit bodies

While DfE is not a body defined under this section, it should be noted that personal data may be shared with such bodies where DfE has established that such data sharing complies with its obligations under the data protection legislation.

8. Made public by the data subject

DfE will consider each request for processing (including data sharing) on a case-by-case basis and only where we have first confirmed that it is the data subject that has placed their personal data in the public domain and not a third party such as the press. This may include, in cases of emergency, drawing the attention of medical staff to personal data the data subject has made manifestly public by wearing a medical alert bracelet or other piece of jewellery.

If the department cannot confirm that the personal data was released by the data subject, then this personal data cannot be processed under this basis.

Requests to object to processing and erasing data will be considered on a case-by-case basis.

DfE will confirm that an organisation or other third party making a legal claim or request under a judicial act has the authority to request personal data and where they are acting on behalf of the data subject, they will need to confirm who the data subject is and that they have the authority to act.

The department will consider each request for processing (including data sharing) on a case-by-case basis and ensure all incidents are recorded in the departmental records.

The Office of the Data Protection Officer will confirm whether it is a lawful request and will conduct a data protection impact assessment. Where there is a legislative requirement for us to collect the personal data, this will be documented in the relevant records. Only personal data that is necessary for the stated processing activity will be collected.

Rights to object and erasure will be considered on a case-by-case basis depending on basis for collection.

10. Substantial public interest

Section 10(3) of the DPA 2018 sets out that in order for processing of special categories of personal data and criminal offence data to be necessary for reasons of substantial public interest under Article 9(2)(g) of the UK GDPR, that processing must meet one of the conditions set out in Part 2 of Schedule 1.

DfE processes special category and criminal offence data in the performance of its statutory and departmental functions when the following conditions set out in the following paragraphs of Part 2 of Schedule 1 to the DPA 2018 are met:

  • paragraph 6 (statutory etc and government purposes)
  • paragraph 8 (equality of opportunity or treatment)
  • paragraph 10 (preventing or detecting unlawful acts)
  • paragraph 11 (protecting the public against dishonesty etc)
  • paragraph 12 (regulatory requirements relating to unlawful acts and dishonesty etc)
  • paragraph 14 (preventing fraud)
  • paragraph 18 (safeguarding of children and of individuals at risk)
  • paragraph 21 (occupational pensions)
  • paragraph 24 (disclosure to elected representatives)

These conditions apply to DfE statutory and departmental functions. All processing is for the first listed purpose and might also be for others, depending on the context.

Paragraph 36 of Schedule 1 removes the requirement for the processing of criminal offence data for the above purposes to be in the ‘substantial’ public interest.

DfE will consider each request for processing (including information sharing) on a case-by-case basis and ensure all incidents are recorded in the departmental records.

The Office of the Data Protection Officer will confirm whether it is a lawful request and will conduct a data protection impact assessment. Where there is a legislative requirement for us to collect the personal data, this will be documented in the relevant records. Only personal data that is necessary for the stated processing activity will be collected.

Rights to object and erasure will be considered on a case-by-case basis depending on basis for collection.

11. Health or social care (with a basis in law)

DfE will consider each request for processing personal data (including data sharing) on a case-by-case basis and ensure all incidents are recorded in the departmental records.

The Office of the Data Protection Officer will confirm whether it is a lawful request and will conduct a data protection impact assessment. Where there is a legislative requirement for us to collect the personal data, this will be documented in the relevant records. Only personal data that is necessary for the stated processing activity will be collected.

Rights to object and erasure will be considered on a case-by-case basis depending on basis for collection.

12. Public health (with a basis in law)

DfE will consider each request for processing (including data sharing) on a case-by-case basis and ensure all incidents are recorded in the departmental records.

The Office of the Data Protection Officer will confirm whether it is a lawful request and will conduct a data protection impact assessment. Where there is a legislative requirement for us to collect the personal data, this will be documented in the relevant records. Only personal data that is necessary for the stated processing activity will be collected.

Rights to object and erasure will be considered on a case-by-case basis depending on basis for collection.

12.1 Infectious disease control in the workplace

Personal data to be collected will be limited only to that which is set out in law and in line with the best practice issued by the Information Commissioner’s Office. Where the department issues an alert that an infectious disease is active in a specific workplace, no identifiable data will be released.

13. Archiving purposes in the public interest

Under Article 9(2)(j) of the UK GDPR, DfE may process special category data where it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on UK or EU member state law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. We may also process criminal offence data for these purposes under the DPA 2018.

Under section 10(2) of the DPA 2018, DfE may process special category data and criminal offence data for the purposes of archiving, research and statistics when a condition of Part 1 of Schedule 1 to the DPA 2018 is met.

DfE will consider each request for processing (including data sharing) on a case-by-case basis and ensure all incidents are recorded in the departmental records.

The Office of the Data Protection Officer will confirm whether it is a lawful request and will conduct a data protection impact assessment. Where there is a legislative requirement for us to collect the personal data, this will be documented in the relevant records. Only personal data that is necessary for the stated processing activity will be collected.

Rights to object and erasure will be considered on a case-by-case basis depending on basis for collection.

14. Law enforcement processing

Section 31 of the DPA 2018 defines the law enforcement purposes as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. DfE is listed as a competent authority for the purposes of law enforcement in paragraph 1 of Schedule 7 to the DPA 2018 and does not rely on the consent of the data subject to process sensitive data.

Section 35(5) of the DPA 2018 sets out that where processing sensitive data is strictly required for law enforcement purposes, DfE must meet at least one of the conditions in Schedule 8. DfE processes sensitive data for law enforcement purposes when the conditions set out in the following paragraphs of Schedule 8 to the DPA 2018 are met:

  • paragraph 1 (statutory etc purposes)
  • paragraph 3 (protecting individual’s vital interests)
  • paragraph 5 (personal data already in the public domain)
  • paragraph 6 (legal claims)
  • paragraph 8 (preventing fraud)
  • paragraph 9 (archiving etc)

All processing is for the first listed purpose and might also be for others dependent on the context.

DfE will consider each request for processing (including data sharing) on a case-by-case basis and ensure all incidents are recorded in the departmental records.

The Office of the Data Protection Officer will confirm whether it is a lawful request and will conduct a data protection impact assessment. Where there is a legislative requirement for DfE to collect the personal data, this will be documented in the relevant records. Only personal data that is necessary for the stated processing activity will be collected.

Rights to object and erasure will be considered on a case-by-case basis depending on basis for collection.

15. DfE compliance with the data protection principles

All processing activities which require special category data must have a corresponding data protection impact assessment which is reviewed on an annual basis, which will consider the impact on the data subject and compliance with UK data protection legislation.

In accordance with the accountability principle, DfE maintains records of processing activities under Article 30 of the UK GDPR and section 61 of the DPA 2018. DfE carries out data protection impact assessments where appropriate in accordance with Articles 35 and 36 of the UK GDPR to ensure data protection by design and default.

Article 5(2) of the UK GDPR requires data controllers to demonstrate how they comply with the data protection principles provided in Article 5(1). This is how the department demonstrates accountability for the personal data we process and how we ensure compliance with the principles of UK GDPR.

15.1 Principle 1: ‘lawful, fair and transparent’

We provide clear transparency information (privacy notices) to all those who provide personal data to us, stating the lawful basis for processing and providing the purposes for processing the different types of special category personal data and criminal convictions data where these relate to Schedule 1 of the DPA.

DfE and our executive agencies, Education and Skills Funding Agency (ESFA), Standards and Testing Agency (STA) and Teaching Regulation Agency (TRA), publish privacy notices for and process personal data about:

15.2 Principle 2: purpose limitation  

DfE does not process personal data for purposes that are incompatible with the purposes for which it was collected. When we process personal data to fulfil our statutory functions, we provide details in our privacy notices.

When we share special category data, sensitive data or criminal offence data with another controller or processor, we will ensure that the data transfers are compliant with relevant laws and regulations and use appropriate international treaties, data sharing agreements and contracts.

15.3 Principle 3: data minimisation

We collect personal data that is adequate, relevant and limited to the relevant purposes for which it is processed. We ensure that the information we process is necessary for and proportionate to our purposes.

15.4 Principle 4: accuracy

Personal data shall be accurate and, where necessary, kept up to date. Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, we will document our decision.

15.5 Principle 5: storage limitation

We retain special category data, criminal offence data and sensitive data in accordance with the DfE’s retention and disposal schedule. Details of how long we keep personal data are provided in the data-subject privacy notices.

15.6 Principle 6: integrity and confidentiality  

We have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect about individuals. We have strict security standards and all our staff and other people who process personal data on our behalf get regular training about how to keep information safe.

The access to sensitive personal data is limited to those personnel where it is necessary for them to undertake their jobs.

Where sensitive personal data is managed by the data processor, the conditions for access and processing will be set out in the applicable contract. DfE will set the standard for technical systems which will hold the data.

Electronic and hard copy data is managed according to our records management policies and procedures.

16. Policy review statement

All data protection policy owned by the DfE is to be renewed on an annual basis and signed off by the data protection officer.