How the FCDO protects special category and criminal convictions personal data: appropriate policy document
Updated 21 September 2023
© Crown copyright 2023
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/fcdo-appropriate-policy-document-protecting-special-category-and-criminal-convictions-personal-data/how-the-fcdo-protects-special-category-and-criminal-convictions-personal-data-appropriate-policy-document
What an Appropriate Policy Document is
The UK General Data Protection Regulation and the Data Protection Act 2018 require that data controllers provide information to people whose personal information they process. This includes having an Appropriate Policy Document to record their policies for processing special category and criminal offence data. Processing information means how it is collected, used, stored, shared and destroyed.
This Appropriate Policy Document includes:
- who we are
- what we mean by special category and criminal offence data
- what information we process
- which conditions we rely on
- how we comply with the data protection principles
- how long we keep your data for
- how to contact us
- how to make a complaint
Who we are
The Foreign, Commonwealth and Development Office pursues our national interests and projects the UK as a force for good in the world. We promote the interests of British citizens and provide consular services overseas, safeguard the UK’s security, defend our values, reduce poverty and tackle global challenges with our international partners. To do this effectively we must collect, use, store and share special category and criminal offence data.
What we mean by special category and criminal offence data
Special category data is any personal information that can reveal your:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetics
- biometrics
- health
- sex life
- sexual orientation
Criminal offence data is any information about a person’s criminal convictions, offences or related security measures. This can include suspicions and allegations of criminal offences or confirmation that they have not been committed. Security measures are penalties, conditions and restrictions imposed through the criminal justice system. They can also include civil measures that carry a criminal penalty for non-compliance.
What information we process
As an employer, we process special category and criminal offence data about our staff and job applicants. This can include:
- information about race or ethnicity, religious beliefs, sexual orientation and political opinions
- trade union membership
- information about health, including medical conditions, health and sickness records
- genetic information and biometric data
- information on past criminal convictions
We also process special category and criminal offence data in order to provide consular services, for example if you are arrested or fall ill overseas. This can include:
- health information
- your racial or ethnic origin
- information on your sex life or sexual orientation
- your political, religious or philosophical beliefs
- criminal offence data
- any sensitive information you consent to share when providing feedback for consular research
Other instances where we may process special category and criminal offence data include:
- health information you may provide when applying for an Antarctic permit
- medical details you may provide under the Afghan Citizens Resettlement Scheme Pathway 3
- information disclosed as part of a fraud and safeguarding investigation, for example your cultural and social identity, racial and ethnic origin, religious belief, sexual orientation, physical and mental health or criminal offence data
- criminal offence data we may collect when conducting a central assurance or due diligence assessment
- health information you may provide when attending an event in the UK or overseas, for example accessibility and dietary requirements
Which conditions we rely on
We are required by data protection law to document certain conditions we rely on to process special category and criminal offence data. We rely on the following conditions that require documentation in Schedule 1 of the Data Protection Act 2018:
- employment, social security and social protection
- statutory etc. and government purposes
- equality of opportunity or treatment
- racial and ethnic diversity at senior levels of organisations
- preventing or detecting unlawful acts
- protecting the public against dishonesty etc.
- regulatory requirements relating to unlawful acts and dishonesty etc.
- preventing fraud
- suspicion of terrorist financing or money laundering
- safeguarding of children and of individuals at risk
- occupational pensions
- disclosure to elected representatives
- informing elected representatives about prisoners
How we comply with the data protection principles
The UK General Data Protection Regulation sets out seven principles to follow when processing personal data. We comply with these principles in several ways when processing special category and criminal offence data.
We comply with the lawfulness, fairness and transparency principle by:
- ensuring that personal data is only processed where a lawful basis applies and where processing is otherwise lawful
- processing personal data fairly and ensuring that data subjects are not misled about the purposes of any processing
- ensuring that data subjects receive full privacy information so that any processing of personal data is transparent
We comply with the purpose limitation principle by:
- only collecting personal data for specified, explicit and legitimate purposes and informing data subjects what those purposes are in a privacy notice
- only using personal data for purposes that are compatible with the purposes for which it was collected and informing data subjects if we use it for a new purpose
We comply with the data minimisation principle by:
- only collecting the minimum personal data that we need for the purpose for which it is collected
- ensuring that the data we collect is adequate and relevant
We comply with the accuracy principle by:
- ensuring that personal data is accurate and kept up to date where necessary
- taking particular care to ensure accuracy where our use of personal data has a significant impact on individuals
We comply with the storage limitation principle by:
- only keeping personal data in an identifiable form as long as is necessary for the purposes for which it is collected or where we have a legal obligation to do so
- deleting personal data or rendering it permanently anonymous once we no longer need it
We comply with the integrity and confidentiality principle by:
- ensuring that we have appropriate organisational and technical measures in place to protect personal data
We comply with the accountability principle by:
- ensuring that records are kept of our personal data processing activities
- carrying out Data Protection Impact Assessments for any high-risk personal data processing
- appointing a Data Protection Officer to provide independent advice and monitoring of our personal data handling, ensuring that they report to the highest management level of the department
- implementing internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law
How long we keep your data for
We keep special category and criminal offence data only for as long as it is necessary or for as long as we are legally required to do so. We retain and destroy personal data securely in line with our retention and disposal policy.
How to contact us
If you have any questions about this document, you can contact the Data Protection Officer at the Foreign, Commonwealth and Development Office:
Data Protection Officer
Foreign, Commonwealth and Development Office
King Charles Street
London
SW1A 2AH
Tel: 020 7008 5000
Email: Data.Protection@fcdo.gov.uk
How to make a complaint
You may also make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Changes to this notice
We encourage you to reread this document occasionally as we aim to update it regularly, in order to keep you fully informed about how we use your personal information.
This document was last updated on 19 September 2023.