Appropriate Policy
1. INTRODUCTION
- As part of The Better Health Generation's functions, we process special category personal data, sensitive personal data, and criminal data in accordance with Articles 9 and 10 of the UK GDPR and Schedule 1 Part 2 of the Data Protection Act 2018. This processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on us as the Data Controller and as a Data Processor, or on the Data Subject. This document outlines how The Better Health Generation will protect special category and criminal personal data.
2. SPECIAL CATEGORY & SENSITIVE PERSONAL DATA
- The Better Health Generation processes special category and sensitive personal data for fulfilling contractual obligations and for processing employment, social security, and social protection.
- Special category data is defined in Article 9 of the UK GDPR as personal data revealing:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data for the purpose of uniquely identifying a natural person;
- Data concerning health; or
- Data concerning a natural person’s sex life or sexual orientation.
- Criminal offence data is defined under Article 10 of the UK GDPR, which covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.
3. PURPOSE
- Some of the conditions in Schedule 1 of the DPA 2018 for processing special category and criminal offence data require us to have this Appropriate Policy Document (‘APD’) in place, which sets out and explains:
- our processing, and
- procedures for securing compliance with the principles in Article 5 of the UK GDPR, and
- policies regarding the retention and erasure of such personal data.
- The purposes for which The Better Health Generation collects and processes personal data are to provide healthcare solutions to facilitate re-entry and return to the workforce and to provide health advisory services.
- The Better Health Generation must process personal information for the purposes of its services and to enable it to carry out its work, including providing employee assistance programmes and training solutions which will support individuals to find and sustain meaningful employment. It also processes personal information to communicate with you, to keep you updated on the progress of your support, and to manage The Better Health Generation employees.
- Personal information may also be used by The Better Health Generation to comply with the law and with contracts that The Better Health Generation has entered into.
- Under Article 30 of the UK GDPR, The Better Health Generation's record of processing activities (ROPA) register states:
- the condition relied upon
- the legal basis for processing personal information under Article 6 of the UK GDPR
- the legal basis for processing special category personal information under Article 9 of the UK GDPR
- the condition for processing sensitive personal information under the Data Protection Act 2018
4. CONDITIONS FOR PROCESSING UNDER THE DATA PROTECTION ACT (DPA) 2018
- We process Special Category personal data for the following purposes in Part 1 of Schedule 1 of the DPA 2018:
- Paragraph 1(1) employment, social security, and social protection.
- Paragraph 1(2)(b) the assessment of the working capacity of an employee,
- Paragraph 1(2)(d) the provision of health care or treatment
- Paragraph 1(2)(f) the management of health care systems
- Criminal offence data
- We also process criminal offence data for the following purposes in parts 1, 2 and 3 of Schedule 1 of the DPA 2018:
- Part 1 Paragraph 1 – employment, social security, and social protection
- Part 2 Paragraph 6(2)(a) – statutory purposes
- Part 2 Paragraph (10) (1) (a) – Employment and social protection
- Part 3 Paragraph (29) – if the data subject has given consent to the processing
5. CONDITIONS FOR PROCESSING PERSONAL DATA UNDER THE UK GDPR ARE:
- Our legal bases for processing personal data under the UK GDPR are:
- Article 6 (1) (a) – where the data subject has given consent
- Article 6 (1) (b) – where the processing is necessary for the performance of a contract
- Article 6 (1) (c) – where processing is necessary for compliance with a legal obligation
- Article 6 (1) (d) – where processing is necessary to protect the vital interest of the data subject
- Article 6 (1) (f) – where processing is necessary for the purposes of our legitimate interests
- Our legal bases for processing special categories of personal data under the UK GDPR are:
- Article 9(2)(a) – explicit consent
- In circumstances where we seek consent, we make sure that the consent is unambiguous and for one or more specified purposes, is given by an affirmative action and is recorded as the condition for processing.
- Examples of our processing include health information received from our staff or clients who require a reasonable adjustment to access our services.
- Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on The Better Health Generation or the data subject in connection with employment, social security, or social protection.
- Examples of our processing include staff sickness absences and right to work.
- Article 9(2)(c) – where processing is necessary to protect the vital interests of the data subject or of another natural person.
- An example of our processing would be using health information about a member of staff or a client in a medical emergency.
- Article 9(2)(f) – for the establishment, exercise, or defence of legal claims.
- Examples of our processing include processing relating to any employment tribunal or other litigation.
- Article 9(2)(g) – reasons of substantial public interest. The Better Health Generation provides a benefit to individuals' employment status. Our processing of personal data in this context is for the purposes of substantial public interest and is necessary for carrying out our services. The specific conditions under which data may be processed for reasons of substantial public interest are set out at paragraphs 5, 6, 8, 10, 11, 14, 16, 17 & 19 of Schedule 1, Part 2 of the Data Protection Act 2018.
- Examples of our processing include the information we provide clinicians to support counselling.
- We may also process criminal offence data under Articles 1 and 10 of the UK GDPR.
- Examples of our processing of criminal offence data include pre-employment checks and declarations by an employee in line with contractual obligations.
- For further information on our processing, please refer to The Better Health Generation Privacy Notice (Privacy Policy – The Better Health Generation).
6. PROCEDURE
- Article 5 of the General Data Protection Regulation sets out the following data protection principles. The Better Health Generation adheres to these principles and provides policies and procedures to ensure that we comply with them.
- Principle 1
- Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- The Better Health Generation will:
- ensure that personal data is only processed where a lawful basis applies;
- only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing; and
- ensure the transparency of processing, including via the information provided in the privacy notice published on our website.
- Principle 2
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- The Better Health Generation will:
- only collect personal data for specified, explicit and legitimate purposes, and will inform data subjects what those purposes are in a published privacy notice; and
- not use personal data for purposes that are incompatible with the purposes for which it was collected (unless doing so is permitted by relevant legislation).
- Principle 3
- The Better Health Generation will ensure that personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed, and we will complete a Data Protection Impact Assessment when appropriate to ensure we have minimised data to properly fulfil these purposes.
- The Better Health Generation will only collect and/or disclose the minimum personal data that it needs for the purpose for which it is collected and/or disclosed. The Better Health Generation will ensure that the data it collects is adequate, relevant, and reviewed regularly.
- Principle 4
- Personal data shall be accurate and, where necessary, kept up to date in line with The Better Health Generation Records Management Policy.
- The Better Health Generation will ensure that personal data is accurate and kept up to date where necessary by taking particular care where its use of the personal data has a significant impact on individuals, and will follow The Better Health Generation Data Subject Rights procedures to ensure we record mistakes and/or challenges to the accuracy of our data and ensure compliance with the individual’s right to rectification.
- Principle 5
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Personal data that is not required for archiving purposes will be destroyed, in line with The Better Health Generation Retention & Disposal Policy, or anonymised when no longer required.
- Principle 6
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. The Better Health Generation will regularly audit for compliance and follow its Information Security Policy.
- The Better Health Generation will ensure that personal data is shared only with those who are required to see it as part of their role and ensure that appropriate organisational and technical measures are in place to protect personal data. These include robust redaction processes that govern the protection of personal data. These processes ensure that – save where consent is provided by the data subject – only personal data necessary for The Better Health Generation's performance of its functions will be disclosed outside of The Better Health Generation or to those instructed by us.
7. RETENTION AND ERASURE
- The Better Health Generation will ensure, where personal data, special category or criminal convictions personal data is processed, that:
- there is a record of that processing, and that that record will set out, where possible, the envisaged time limits for erasure of the different categories of personal data
- where we no longer require this personal data, special category, or criminal convictions personal data for the purpose for which it was collected, we will delete it or render it permanently anonymous in line with The Better Health Generation Data Retention Schedules.
- data subjects receive (via the privacy notice) full privacy information about how their data will be handled, the period for which the personal data will be stored as outlined in The Better Health Generation Data Retention & Disposal Policy & Data Retention Schedules, or if that is not possible, the criteria used to determine that period.
8. FURTHER INFORMATION
- The Better Health Generation is a data controller and a data processor, and our Data Protection Office can be contacted at the email and postal address below:
Email:
info@betterhealthgen.co.uk
dp@postofficehorizoninquiry.org.uk
Address:
Building 4,
Foundation Park,
Roxborough Way,
Maidenhead,
SL6 3UD
9. REVIEW
- This version of the Appropriate Policy was last updated in February 2024 and will be reviewed on a biennial basis unless any major changes to processing occur.