Special category and criminal conviction personal data (Appropriate Policy)

This document outlines how the Post Office Horizon Inquiry (“the Inquiry”) will protect special category and criminal convictions personal data.

It meets the requirement at paragraph 1 (1) (a) and (b) of Schedule 1 to the Data Protection Act 2018 that an appropriate policy document is in place where the processing of special category personal data and criminal offence personal data is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security, or social protection.

It also meets the requirement at paragraph 5 of Schedule 1 to the Data Protection Act 2018 that an appropriate policy document be in place where the processing of special category personal data is necessary for reasons of substantial public interest. The specific conditions under which data may be processed by the Inquiry for reasons of substantial public interest are set out at paragraphs 5 to 20 & paragraph 26 of Schedule 1 to the Data Protection Act 2018.

For further information on our conditions for processing please refer to the Inquiry’s Privacy Notice, which can be seen here: https://www.postofficehorizoninquiry.org.uk/privacy-notice

Purposes of data collection

The purposes for which the Inquiry collects and processes personal data are the effective conduct of the public inquiry into the events leading to the failings of the Horizon IT system from its inception and discharging the Inquiry’s duties pursuant to the Inquiries Act 2005 (“the 2005 Act”).

The Inquiry is investigating the matters set out in its Terms of Reference and does so by means of a legal process within the framework of the 2005 Act and the Inquiry Rules 2006 (“the Rules”). The Inquiry must process personal data for the purposes of its investigations and to enable it to carry out its work, including the conduct of hearings. Those hearings, save for exceptional circumstances and as required by law, will be held in public, and so evidence (including witnesses’ personal data) referred to at hearings will become publicly available.

Personal data is used by the Inquiry to gather evidence as part of the Inquiry’s investigation, to facilitate access to the Inquiry’s Core Participant portal, to enable witnesses to give evidence and/or participate in the Inquiry’s human impact or other engagement activity, to communicate with individuals to keep them updated on the progress of the Inquiry, and to manage Inquiry staff. Personal data may also be contained in the Report of the Inquiry.

Personal data may also be used by the Inquiry to comply with the law and with contracts that the Inquiry has entered into.

Under Article 30 of the UK GDPR the Inquiry’s record of processing activities (ROPA) states:

  • the condition relied upon
  • the legal basis for processing personal data under Article 6 of the UK GDPR
  • the legal basis for processing special category personal data under Article 9 of the UK GDPR
  • the condition for processing sensitive personal data under the Data Protection Act 2018

Procedures for securing compliance

Article 5 of the General Data Protection Regulation sets out the data protection principles. These are the Inquiry’s procedures for ensuring that we comply with them.

Principle 1

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

The Inquiry will:

  • ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful;
  • only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing; and
  • ensure the transparency of processing, including via the information provided in the privacy notice published on the Inquiry website.

Principle 2

Personal data shall be collected for specified, explicit and legitimate purposes consistent with the Inquiry’s terms of reference and not further processed in a manner that is incompatible with those purposes.

The Inquiry will:

  • only collect personal data for specified, explicit and legitimate purposes, and will inform data subjects what those purposes are in a published privacy notice
  • not use personal data for purposes that are incompatible with the purposes for which it was collected (unless doing so is permitted by the relevant legislation).

Principle 3

The Inquiry will ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed, and we will complete a Data Protection Impact Assessment when appropriate to ensure we have sufficient data to properly fulfil these purposes.

The Inquiry will only collect and/or disclose the minimum personal data that it needs for the purpose for which it is collected and/or disclosed. The Inquiry will ensure that the data it collects is adequate, relevant and reviewed regularly.

Principle 4

Personal data shall be accurate and, where necessary, kept up to date in line with the Inquiry’s Records Management Policy.

The Inquiry will ensure that personal data is accurate, and kept up to date where necessary by taking particular care where its use of the personal data has a significant impact on individuals. The Inquiry will follow the Inquiry’s Data Subject Rights procedure to ensure we record mistakes and/or challenges to the accuracy of our data and ensure compliance with the individual’s right to rectification.

Principle 5

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

The Inquiry will only keep personal data in identifiable form until the conclusion of the Inquiry. At the end of the Inquiry, some of the personal data will be transferred for the purposes of retention of the Inquiry records by The National Archives in accordance with the Public Records Act 1958, where it will be available for historical research. Personal data that is not required for archiving purposes will be destroyed, in line with the Inquiry’s retention schedule or anonymised when no longer required.

Principle 6

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. The Inquiry will audit periodically for compliance and follow its Information Security Policy.

The Inquiry will ensure that personal data is shared only with those who are required to see it as part of the legal process of the Inquiry (which, as part of the Inquiry’s duties under the Inquiries Act 2005, may include the public). The Inquiry will, at all times, consider whether the processing or disclosure of such data is necessary for its proceedings and functioning.

The Inquiry will ensure that appropriate organisational and technical measures are in place to protect personal data. These include robust redaction processes that govern the protection of personal data. These processes ensure that - save where consent is provided by the data subject - only personal data necessary for the Inquiry’s performance of its functions will be disclosed outside the Inquiry or to those instructed by the Inquiry.

Accountability principle

The Inquiry is the Data Controller and shall be responsible for, and be able to demonstrate compliance with, the UK GDPR principles. The Secretary to the Inquiry is the Senior Information Risk Owner for the Inquiry who is responsible for ensuring that the Inquiry is compliant with these principles.

The Inquiry will:

  • ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request
  • carry out a Data Protection Impact Assessment for any high-risk personal data processing, and consult the Information Commissioner if appropriate
  • appoint a Data Protection Officer to provide independent advice and monitoring of the Inquiry’s personal data handling, and ensure that this person has access to the Chair and Secretary of the Inquiry
  • have appropriate data protection policies in place
  • have internal processes in place to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law

Data controller’s policies as regards retention and erasure of personal data

The Inquiry will ensure, where personal data, special category or criminal convictions personal data is processed, that:

  • there is a record of that processing, and that that record will set out, where possible, the time limits envisaged for erasure of the different categories of personal data
  • where it no longer requires personal data, special category or criminal convictions personal data for the purpose for which it was collected, it will delete it or render it permanently anonymous in line with the Inquiry’s Retention Schedules.
  • data subjects receive (via the privacy notice) full privacy information about how their data will be handled, the period for which the personal data will be stored as outlined in the Inquiry’s Retention Policy & Schedules, or if that is not possible, the criteria used to determine that period.

Further information

The Inquiry is a data controller. The Inquiry’s Data Protection Office can be contacted at the email and postal address below: 

Email: dp@postofficehorizoninquiry.org.uk

Address:

The Post Office Horizon IT Inquiry (Data Protection)
5th Floor,
Aldwych House,
71-91 Aldwych,
London, WC2B 4HN

This version of the Appropriate Policy was last updated 02 June 2023.