Policy paper

Processing Special Category and Criminal Convictions data

Updated 25 January 2024

Who must comply?

The policy applies to current and former MOD personnel (including their dependents) and contractors. Those who must comply will be made aware of their responsibilities via mandatory data protection training.

Who is responsible for ensuring compliance?

The Data Protection Officer and all those acting under their authority will regularly review the systems and processes under MOD’s control to ensure they comply with this policy. They will also investigate any alleged breach of this policy.

Why is this important?

The law compels us to protect personal information under DPA18. Failure to comply with the law may result in fines, reputational damage and harm the data subjects.

Procedures for securing compliance

MOD’s procedures for ensuring compliance with the principles can be found below.

Principle 1: Lawfulness, fairness and transparency

‘Personal data must be processed lawfully, fairly and in a transparent manner.’

The MOD will:

• ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful
• only process personal data fairly, and ensure that data subjects are not misled about the purposes of any processing
• ensure that data subjects receive full privacy information, so they know what is happening with their data and why

General information about how we process personal data as a public authority, referred to as fair processing information, is available through privacy notices and we will normally provide fair processing information when we collect the personal data. If we do not, we will provide the information within 30 days upon request. In certain circumstances, it may not be possible or appropriate to provide fair processing information within that time frame.

Principle 2: Purpose limitation

‘Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.’

The MOD will:

• be clear about its purposes for processing information from the start
• ensure those purposes are explicit and legitimate
• record those purposes and specify them in a privacy notice
• not use personal data for purposes that are incompatible with the purposes for which it was initially collected

If we do use the data for a new, compatible purpose - or where we have a clear basis in law - we will inform the data subject first and seek consent if appropriate.

Principle 3: Data minimisation

‘Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.’

The MOD will:

• only collect the minimum personal data it needs to fulfil its purpose
• ensure that the data we collect is adequate and relevant

Principle 4: Accuracy

‘Personal data shall be accurate and, where necessary, kept up to date.’

The MOD will:

• take reasonable steps to ensure that personal data is accurate (e.g. consider if it is necessary to periodically update the information)
• ensure the source and status of personal data is clear
• carefully consider any challenges to the accuracy of information
• ensure inaccurate personal data is rectified or erased without delay
• take particular care to do this where our use of the personal data has a significant impact on individuals

Principle 5: Storage limitation

‘Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.’

The MOD will:

• only keep personal data for as long as required to fulfil our purpose, or where we have a legal basis to do so
• delete, permanently anonymize or archive (as per MOD procedures) personal data we no longer need

Principle 6: Integrity and confidentiality

‘Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’

The MOD will:

• ensure that there are appropriate organisational and technical measures in place to protect personal data.

Accountability Principle

The MOD must be able to demonstrate compliance with these principles. The MOD Data Protection Officer is responsible for ensuring compliance.

We will:

• ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request
• carry out a Data Protection Impact Assessment for any high-risk personal data processing, and consult the Information Commissioner if appropriate
• ensure that a Data Protection Officer is appointed to provide independent advice and monitoring of the departments’ personal data handling, and that this person has access to report to the highest management level of the department
• have in place internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law

MOD’s policies regarding retention and erasure of personal data

Where MOD processes special category or criminal conviction personal data, we will ensure that:

• there is a record of that processing
• the record of processing activities sets out the envisaged retention periods for different types of data where possible
• we only retain the information as long as we need to fulfil the purpose we collected it for (including purposes of satisfying any legal, accounting, or reporting requirements).

We determine an appropriate retention period, by considering:

• the amount, nature, and sensitivity of the personal data
• the potential risk of harm from unauthorised use or disclosure
• the purposes for which we processed the personal data and if we can achieve those purposes through other means
• applicable legal requirements

Once the retention period has elapsed, all data will either be:

• permanently anonymised (so it can no longer be associated with you; in which case we will use such information without further notice to you)
• destroyed in line with MOD data retention policy
• ex-staff and contractors who are no longer employed by MOD (including their dependents) will have their data retained or securely destroyed in accordance with our data retention policy, applicable laws and regulations
• data subjects receive full privacy information, which includes retention periods, or if that is not possible, the criteria used to determine that period
• personal data is stored in a secure government information technology system
• appropriate security measures are in place to prevent personal information from being accidentally lost, altered, disclosed, used or accessed in an unauthorised way
• personal information can only be accessed by MOD personnel, agents, contractors and other third parties who have a business reason to see it. They will only process your personal information under our instructions. Details of these measures are available upon request from local Data Protection Advisors
• third parties will only process personal information under our instructions and if they have agreed to protect the information under contract
• we have procedures to deal with any suspected breach
• MOD will notify you and the Information Commissioner’s Office of a suspected breach where we are legally required to do so

Further information

For further information about the MOD’s compliance with data protection law, please contact us at: MOD Data Protection Officer Ground Floor, Zone D Main Building Whitehall London SW1A 2HB

Email: cio-dpa@mod.gov.uk

We will acknowledge your enquiry within 5 working days and send you a full response within 20 working days. If we can’t respond fully in this time, we will write and let you know why and tell you when you should get a full response.

Changes to this appropriate policy document

We reserve the right to update this policy document at any time.