Guidance

How DHSC processes special category data

Published 27 October 2023

Introduction

The aim of this document is to set out how, within the provisions of applicable data protection law (specifically the Data Protection Act 2018 and the United Kingdom General Data Protection Regulation (UK GDPR)), the Department of Health and Social Care (DHSC) will seek to protect special category and criminal convictions personal data.

It meets the requirement at paragraph 1 of schedule 1 of the Data Protection Act 2018, that an appropriate policy document be in place where the processing of special category personal data is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.

It also meets the requirement at paragraph 5 of schedule 1 of the Data Protection Act 2018 that an appropriate policy document be in place where the processing of special category personal data is necessary for reasons of substantial public interest. The specific conditions under which data may be processed for reasons of substantial public interest are set out at paragraphs 6 to 28 of schedule 1 of the Data Protection Act 2018.

This document should be read alongside DHSC’s Personal information charter and privacy notice.

Purpose

The purpose of this document is to explain:

  • DHSC procedures that are in place to secure compliance with the UK GDPR and data protection principles when relying on employment, social security and social protection conditions in part 1 of schedule 1, Data Protection Act 2018
  • DHSC procedures that are in place to secure compliance with UK GDPR data protection principles when relying on substantial public interest conditions in part 2 of schedule 1, Data Protection Act 2018
  • retention and erasure policies concerning the processing of special category data on the grounds of employment and substantial public interest

Procedures for securing compliance

Article 5 of UK GDPR sets out the data protection principles. Below we set out our procedures for ensuring that we comply with them.

Principle 1

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

DHSC will:

  • ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful
  • only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing
  • ensure that data subjects receive full privacy information so that any processing of personal data is transparent, as well as being clear and easy to understand

Principle 2

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

DHSC will:

  • only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in a data protection impact assessment
  • not use personal data for purposes that are incompatible with the purposes for which it was collected. If we do use personal data for a new purpose that is compatible, we will inform the data subject first

Principle 3

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

DHSC will:

  • only collect the minimum personal data that we need for the purpose for which it is collected
  • ensure that the data we collect is adequate and relevant

Principle 4

Personal data shall be accurate and, where necessary, kept up to date.

DHSC will ensure that personal data is accurate, and kept up to date where necessary. We will take particular care to do this where our use of the personal data has a significant impact on individuals.

Principle 5

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

DHSC will only keep personal data in identifiable form for as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data, it shall be deleted or rendered permanently anonymous.

Principle 6

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

DHSC will ensure that there are appropriate organisational and technical measures in place to protect personal data.

Principle 7

The controller shall be responsible for, and be able to demonstrate compliance with, all of the above principles (‘accountability’).

DHSC will ensure that all of its personal data processing activities are properly documented and that such documentation evidences accountability with the aforementioned principles.

Special category personal data - an overview

‘Special category’ personal data is personal data deemed to be more sensitive by law, and so needs additional protection. Special categories of data consist of information which relates to:

  • the racial or ethnic origin of the data subject
  • their political opinions
  • their religious beliefs or other beliefs of a similar or philosophical nature
  • whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992)
  • their physical or mental health
  • their sexual life or orientation
  • genetic or biometric data (where processed to uniquely identify an individual)

In addition to establishing an appropriate legal basis for the processing of personal data, special category data may only be processed where at least one further condition for processing is fulfilled. These conditions are:

  • the data subject has given explicit consent
  • the processing is necessary in the context of employment law, or laws relating to social security and social protection
  • the processing is necessary to protect vital interests of the data subject or of another natural person
  • the processing is carried out in the course of the legitimate activities of a charity or not-for-profit body, with respect to its own members, former members or persons with whom it has regular contact in connection with its purposes
  • the processing relates to personal data which has been manifestly made public by the data subject
  • the processing is necessary for the establishment, exercise or defence of legal claims, or for courts acting in their judicial capacity
  • the processing is necessary for reasons of substantial public interest and occurs on the basis of a law that is proportionate to the aim pursued and protects the rights of data subjects
  • the processing is required for the purpose of medical treatment undertaken by health professionals, including assessing the working capacity of employees and the management of health or social care systems and services
  • the processing is necessary for reasons of public interest in the area of public health (for example, ensuring the safety of medicinal products)
  • the processing is necessary for archiving purposes in the public interest, for historical, scientific, research or statistical purposes, subject to appropriate safeguards

Conditions relating to the processing of special category personal data

Schedule 1 of the Data Protection Act 2018 establishes conditions that permit the processing of the special categories of personal data and criminal convictions data. The schedule is split into 4 parts: 

  • part 1 - conditions relating to employment, health and research
  • part 2 - substantial public interest conditions
  • part 3 - additional conditions relating to criminal convictions
  • part 4 - appropriate policy document and additional safeguards

Schedule 1 of the Data Protection Act 2018 establishes conditions that permit the processing of the special categories of personal data as follows: 

  • the processing of the special categories of personal data meets the requirement of article 9(2) of the UK GDPR if it meets one of the conditions listed in part 1 of schedule 1
  • the processing of the special categories of personal data meets the requirement of article 9(2) of the UK GDPR if it meets one of the conditions listed in part 2 of schedule 1
  • processing meets the requirement in article 10 of the UK GDPR if it meets one of the conditions listed in part 1, 2 or 3 of schedule 1

Schedule 1 conditions that are relevant to DHSC

a) Schedule 1, part 1 conditions for processing in connection with employment, health and research that are relevant to DHSC activity are:

  • employment, social security and social protection: processing is necessary for the purposes of performing or exercising obligations or rights of the controller or the data subject under employment law, social security law or the law relating to social protection
  • health or social care: processing is necessary for health or social care purposes
  • public health: processing is necessary for reasons of public interest in the area of public health
  • research: processing is necessary for archiving purposes, scientific or historical research purposes or statistical purposes and is in the public interest

b) Schedule 1, part 2 conditions for processing in the substantial public interest that are relevant to DHSC activity are:

  • statutory and government purposes: processing is necessary for the exercise of a function conferred on a person by enactment or the exercise of a function of the Crown, a minister or a government department
  • equality of opportunity or treatment: processing is necessary for identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people with the view to enabling such equality to be promoted or maintained
  • preventing fraud: processing is necessary for the purposes of preventing fraud

c) Schedule 1, part 3 conditions for processing of criminal convictions data that are relevant to DHSC activity are:

  • consent: processing with the consent of the data subject
  • legal claims: processing is necessary for the purpose of, or in connection with:
    • any legal proceedings (including prospective legal proceedings)
    • obtaining legal advice
    • establishing, exercising or defending legal rights
  • extension of certain conditions under schedule 1 part 2: allows processing of criminal convictions data where processing meets a condition in schedule 1 part 2 that meets the substantial public interest test

The processing of special category personal data by DHSC

a) Race or ethnic origin, health, sexual orientation, trade union membership

Purpose: employment.

Law: employment law.  

UK GDPR article 6 (1) (b) contract, article 9 (2) (b) for the purpose of employment, social security and social protection.

Data Protection Act schedule 1 part 1 condition: employment, social security and social protection.

Retention period: current record retained as long as is necessary to comply with employment law.

b) Race or ethnic origin, health, sexual orientation

Purpose: equality and diversity. 

Law: Equality Act 2010 and associated regulations. 

UK GDPR article 6 (1) (e) public task, article 9 (2) (g) substantial public interest. 

Data Protection Act schedule 1 part 2 conditions: equality of opportunity or treatment. 

Retention period: current record retained as long as is necessary to comply with equality law. 

c) Race or ethnic origin, health, sexual orientation, genetic data

Purpose: health or social care, public health and research (including policy development).

Law: NHS Act 2006 (as amended by the Health and Social Care Act 2012) and associated regulations.

UK GDPR article 6 (1) (e) public task, article 9 (2) (h) health or social care, article 9 (2) (i) public health, article 9 (2) (j) archiving, research and statistics.

Data Protection Act schedule 1, part 1 conditions: health or social care purposes, public health and research.

Retention period: records retained as long as is necessary to fulfil the stated purposes.

d) Criminal offence data

In connection with employment

Purpose: the processing of criminal offence data where necessary for the purposes of performing or exercising employment law obligations or rights (criminal offence disclosure certificate, criminal offence declaration form at recruitment and selection) or consent has been granted to process the information.

Law: employment law and data protection law.

UK GDPR article 6 (1) (b) contract, and article 6 (1) (a) consent, article 9 (2) (b) for the purpose of employment, social security and social protection.

Data Protection Act schedule 1 part 3 condition: processing criminal convictions data with consent and/or the extension of certain conditions under schedule 1 part 2 processing in the substantial public interest.

Retention period: current record retained as long as is necessary to comply with employment law.

Purpose: the processing of criminal offence data where necessary in connection with legal proceedings and the prevention of fraud.

Law: Criminal Procedure and Investigations Act 1996.

UK GDPR article 6 (1) (c) legal obligations and article 6 (1) (e) public task, article 9 (2) (f) legal claims or judicial acts, article 9 (2) (g) reasons of substantial public interest.

Data Protection Act schedule 1 part 2 condition: preventing fraud.

Data Protection Act schedule 8 conditions (where processing is conducted under part 3 of the act, by virtue of the department’s status as a competent authority as per schedule 7 of the act): necessary for legal claims and necessary for the purposes of preventing fraud.

Retention period: 3 years if no interview under caution takes place, or 7 years from case closure where an interview under caution takes place.

Our official functions have a clear basis in law which are:

DHSC policies regarding retention and erasure of personal data

We will ensure, where special category or criminal offences personal data is processed, that:

  • there is a record of that processing, and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data
  • where we no longer require special category or criminal offences personal data for the purpose for which it was collected, we will delete it or render it permanently anonymous
  • data subjects receive full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period

How to contact our Data Protection Officer

DHSC is the data controller for the department itself and also joint data controller for its executive agencies (United Kingdom Health Security Agency (UKHSA) and the Medicines and Healthcare products Regulatory Authority (MHRA)).

Our Data Protection Officer provides independent advice and monitoring of DHSC’s use of personal information. The contact details for the Data Protection Officer are:

Data Protection Officer
Department of Health and Social Care
39 Victoria Street
London
SW1H 0EU

Email: data_protection@dhsc.gov.uk