Special category and criminal conviction personal data
This document outlines how the Post Office Horizon Inquiry (‘‘the Inquiry’’) will protect special category and criminal convictions personal data.
It meets the requirement at paragraph 1 of Schedule 1 to the Data Protection Act 2018 that an appropriate policy document is in place where the processing of special category personal data is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.
It also meets the requirement at paragraph 5 of Schedule 1 to the Data Protection Act 2018 that an appropriate policy document be in place where the processing of special category personal data is necessary for reasons of substantial public interest. The specific conditions under which data may be processed for reasons of substantial public interest are set out at paragraphs 5 to 28 of Schedule 1 to the Data Protection Act 2018.
Purposes of data collection
The purposes for which the Inquiry collects and processes personal data are the effective conduct of the public inquiry into the events leading to the failings of the Horizon IT system from its inception and discharging the Inquiry’s duties pursuant to the Inquiries Act 2005 (‘‘the 2005 Act’’).
The Inquiry is investigating the matters set out in its Terms of Reference and does so by means of a legal process within the framework of the 2005 Act and the Inquiry Rules 2006 (‘‘the Rules’’). The Inquiry must process personal information for the purposes of its investigations and to enable it to carry out its work, including the conduct of hearings. Those hearings save for exceptional circumstances and as required by law, will be held in public and so evidence (including witnesses’ personal data) referred to at hearings, will become publicly available.
Personal information is used by the Inquiry in a number of ways – for example, to gather evidence as part of the Inquiry’s investigation, to facilitate access to the Inquiry, to enable witnesses to give evidence and/or participate in the Inquiry’s human impact engagement, to communicate with individuals to keep them updated on the progress of the Inquiry, and to manage Inquiry staff. Personal information may also be contained in the Report of the Inquiry.
Personal information may also be used by the Inquiry to comply with the law and with contracts that the Inquiry has entered into.
Procedures for securing compliance
Article 5 of the General Data Protection Regulation sets out the data protection principles. These are the Inquiry’s procedures for ensuring that we comply with them.
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
The Inquiry will:
- ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful;
- only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing; and
- ensure the transparency of processing, including via the information provided in the privacy notice published on the Inquiry website.
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
The Inquiry will:
- only collect personal data for specified, explicit and legitimate purposes, and will inform data subjects what those purposes are in a published privacy notice
- not use personal data for purposes that are incompatible with the purposes for which it was collected (unless doing so is permitted by the relevant legislation).
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
The Inquiry will only collect and/or disclose the minimum personal data that it needs for the purpose for which it is collected and/or disclosed. The Inquiry will ensure that the data it collects is adequate and relevant.
Personal data shall be accurate and, where necessary, kept up to date.
The Inquiry will ensure that personal data is accurate, and kept up to date where necessary. It will take particular care to do this where its use of the personal data has a significant impact on individuals.
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
The Inquiry will only keep personal data in identifiable form until the conclusion of the Inquiry. At the end of the Inquiry, some of the personal data will be transferred for the purposes of retention of the Inquiry records by the National Archives in accordance with the Public Records Act 1958. Personal data that is not required for archiving purposes will be destroyed.
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Inquiry will ensure that personal data is shared only with those who are required to see it as part of the legal process of the Inquiry (which, as part of the Inquiry’s duties under the Inquiries Act 2005, may include the public). The Inquiry will, at all times, consider whether the processing or disclosure of such data is necessary for its proceedings and functioning.
The Inquiry will ensure that appropriate organisational and technical measures are in place to protect personal data. These include robust redactions processes that govern the protection of personal data. These processes ensure that - save where consent is provided by the data subject - only personal data necessary for the Inquiry’s performance of its functions will be disclosed outside the Inquiry or to those instructed by the Inquiry.
The controller shall be responsible for, and be able to demonstrate compliance with, these principles. The Secretary to the Inquiry is the Senior Information Risk Owner for the Inquiry who is responsible for ensuring that the Inquiry is compliant with these principles.
The Inquiry will:
- ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request
- carry out a Data Protection Impact Assessment for any high risk personal data processing, and consult the Information Commissioner if appropriate
- appoint a Data Protection Officer to provide independent advice and monitoring of the Inquiry’s personal data handling, and ensure that this person has access to the Chair and Secretary of the Inquiry
- have in place internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law
Data controller’s policies as regards retention and erasure of personal data
The Inquiry will ensure, where special category or criminal convictions personal data is processed, that:
- there is a record of that processing, and that that record will set out, where possible, the envisaged time limits for erasure of the different categories of data
- where it no longer requires special category or criminal convictions personal data for the purpose for which it was collected, it will delete it or render it permanently anonymous
- data subjects receive (via the privacy notice) full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
The Inquiry is a data controller. The Inquiry’s Data Protection Office can be contacted at the email and postal address below:
The Post Office Horizon IT Inquiry (Data Protection)
PO Box: PO Horizon IT Inquiry
1 Victoria Street
This version of the Appropriate Policy was last updated 21 September 2021.