Guidance

Special category data privacy notice for public appointment candidates at DCMS

Published 31 July 2025

This policy explains how the Department for Culture, Media and Sport (DCMS) processes special category data of candidates applying for public appointment roles.

You can also view the general privacy notice for candidates applying for a public appointment role at DCMS.

DCMS processes special category data in accordance with paragraph 8 to Schedule 1 of the Data Protection Act 2018 and it is necessary for reasons of substantial public interest as set out in Article 9(2) of the UK GDPR.

The special category data DCMS processes includes data concerning candidates’:

• personal data revealing racial or ethnic origin;
• personal data revealing political opinions;
• personal data revealing religious or philosophical beliefs;
• data concerning health;
• data concerning sexual orientation.

1. Purpose of processing special category data

We process special category data about candidates that is necessary to fulfil our recruitment and appointment obligations. This includes information about disability, ethnicity or membership of a political party.

This policy document should be read alongside the DCMS Public Appointments Privacy Notice.

2. Conditions for processing special category data

We process special categories of data under the following GDPR articles.

2.1 Substantial public interest

We process special category data (as defined in Article 9(1) of the UK GDPR) because it meets the requirements of paragraph 8 to Schedule 1 of the Data Protection Act 2018, i.e. is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained and it is necessary for reasons of substantial public interest as set out in Article 9(2) of the UK GDPR, such as carrying out functions of the Crown, a minister, or a government department.

2.2 Procedures for ensuring compliance with the principles

Accountability principle

To meet the accountability requirements, we have put in place some technical organisational measures including:

• conducting a data protection impact assessment
• implementing appropriate security measures, adhering to DCMS and Civil Service policies on data protection, including seeking advice from the DCMS data protection team
• updating DCMS records of processing activity and the information asset register
• ensuring members of the team are up to date with the mandatory data protection training
• conducting information asset audits

These measures are regularly reviewed and updated or amended when required.

Principle (a): lawfulness, fairness and transparency

DCMS’s published public appointments privacy notice provides clear information about why we process personal data for applicants of regulated and non-regulated public or direct appointments. 

From the privacy notice:

Our legal reason for collecting or processing personal data is: Article 6(1)e: it is necessary to perform a public task (to carry out a public function or exercise powers set out in law, or to perform a specific task in the public interest that is set out in law). 

Our legal reason for collecting or processing personal data is in accordance with paragraph 8 to Schedule 1 of the Data Protection Act 2018 and because it is necessary for reasons of substantial public interest as set out in Article 9(2) of the UK GDPR, such as carrying out functions of the Crown, a minister, or a government department.

Principle (b): purpose limitation

The data will be visible to departmental officials for the purpose of managing the Public Appointment Process for which you have applied. Data will also be available to other individuals involved in the process including Government Ministers, Advisory Assessment Panel members and members of the Commissioner for Public Appointments team, and our IT providers.

To monitor the diversity and inclusivity of our processes, your special category data may be shared with the Advisory Assessment Panel that is responsible for sifting candidate CVs and interviewing candidates. The Advisory Assessment Panel may use your special category data to help ensure Boards are representative of the United Kingdom. The data will help us understand the diversity of public appointees and to satisfy our public sector equality duty (PSED). You may opt out of this if you so wish by selecting “prefer not to say” for any or all categories, and your application will still be considered. You must opt out before the application deadline closes.

If you are offered an interview for a Public Appointment your data may be shared with the employees and Board Members of the Public Body for which you are applying, for the purposes of scheduling the interview, informing you of the outcome and providing feedback after the interview. If you are successful in your application we will share your contact details with the Public Body so that staff can make arrangements for you to start your role. 

We will process your personal data in order to communicate with you to invite you to events promoting public appointments.

If you have not opted out of being contacted about future opportunities that may be of interest your data is retained for this purpose for as long as you choose to remain open to such contact.

Principle (c): data minimisation

We only collect SC/CO personal data for the purposes set out in the privacy notice and are satisfied that we have sufficient SC/CO data to properly fulfil those purposes. 

Principle (d): accuracy

We rely on the information supplied by the data subject and the result of the vetting process conducted by main vetting provider in the UK. We will take all reasonable steps to correct inaccurate personal data.

In addition to that, we will ensure that we are not keeping out of date information, that we will take every reasonable step to erase or amend inaccurate personal information without delay, unless otherwise required by law or regulation to keep the data in its original form

Principle (e): storage limitation

All personal data processed by the team for the purpose of employment or substantial public interest is retained for the periods set out in our retention scheduled, unless retained for longer period for archiving purposes.

If applicants are successful and appointed we will hold the data relating to their application for the duration of their appointment plus two years. If applicants are unsuccessful we will hold the data relating to their application for two years from the date the successful appointee was announced. This is in line with DCMS records retention schedule and the Cabinet Office’s privacy notice.

We have determined the retention period for the data that we hold based on our legal obligations and the necessity of its retention for our business needs.

DCMS’s retention schedule is reviewed regularly and updated when necessary.

Principle (f): integrity and confidentiality

Electronic information is processed on a secure network, which has appropriate access controls applied. Hard copy information is processed in line with our security procedures. Documents (either electronic or hard copy) are protectively marked with appropriate security markings such as ‘Official Sensitive: Personal’.

The systems we use to process personal data allow us to erase or update personal data as appropriate and if needed.

3. Retention and erasure policy

Type of data	Trigger point	Duration	Action
Successful recruitment candidate information	End of appointment	For duration of appointment plus 2 years	Destroy
Unsuccessful recruitment candidate information	Last action	2 years from date successful appointee announced	Destroy
Records developed in support of data protection compliance	The date the record is created	Active + 6 years	Destroy

4. Review date of this document

This document will be retained for the duration of our processing. The document will be reviewed annually or more frequently, if necessary.