Introduction
This Appropriate Policy Document (APD) explains how Cherwell District Council (CDC) processes special categories of Personal Data and Criminal Offence Data.
The Data Protection Act 2018 (DPA 2018) requires an APD to be in place where any organisation processes special category and Criminal Offence Data under certain conditions. In particular, most substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018 require an APD, as well as processing relating to employment, social security, and social protection.
As part of its statutory and corporate functions, Cherwell District Council processes special category data and Criminal Offence Data in accordance with Article 9 and Article 10 of the UK General Data Protection Regulation (UK GDPR), and Schedule 1 of the Data Protection Act 2018.
This document:
- sets out how CDC complies with the data protection principles in Article 5 UK GDPR
- explains the Council’s procedures for handling this data
- outlines retention and erasure arrangements
This document should be read alongside the Council’s privacy notices.
Processing of Personal Data for law enforcement purposes is not covered in this document and is addressed separately under Part 3 of the Data Protection Act 2018.
This document applies where CDC relies on Schedule 1 DPA 2018 conditions under the Data Protection Act 2018 that require an Appropriate Policy Document to be in place.
References to Articles in this policy are to those articles of the UK GDPR.
Definitions
Criminal Offence Data
Personal Data relating to criminal convictions and offences, including Personal Data relating to criminal allegations and proceedings.
Data Retention Schedule
Explains how the organisation classifies and manages the retention and disposal of its information. Time periods for retention are set out in the retention schedule.
Data Subject
A living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
Data Privacy Impact Assessment (DPIA)
Tools and assessments used to identify and reduce risks of a data processing activity. A DPIA should be conducted for all major system or business change programmes involving the Processing of Personal Data.
DPA 2018
The Data Protection Act 2018.
Data Protection Officer (DPO)
The person required to be appointed in specific circumstances under the UK GDPR. Where a mandatory DPO has not been appointed, this term means a data protection manager or other voluntary appointment of a DPO or refers to the organisation's data privacy team with responsibility for data protection compliance.
UK GDPR
The retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR).
Personal Data
Any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably possess. Personal Data includes Special Categories of Personal Data.
Privacy Notice
A separate notice setting out information that may be provided to Data Subjects when the organisation collects information about them.
Processing or Processes
Any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Special Category Data
Special category data is defined under Article 9 UK GDPR and includes Personal Data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data used for identification
- health data
- sex life or sexual orientation
Criminal Offence Data (Article 10)
CDC processes Criminal Offence Data where such processing is authorised by law and is necessary for the performance of its statutory functions. This includes functions relating to:
- community safety and enforcement
- licensing and regulatory responsibilities
- safeguarding
- fraud prevention and investigation
- recruitment and employment checks
Processing is carried out with appropriate safeguards in place, including restricted access, confidentiality obligations, and compliance with the Council’s data protection policies and procedures.
Conditions for Processing
CDC processes special category data under the following lawful conditions:
Article 9(2)(a) – Explicit consent
Where individuals have given clear, affirmative consent. Examples:
- requests for reasonable adjustments
- participation in consultations or surveys
- subscription to council communications
Article 9(2)(b) – Employment, social security and social protection
Where processing is necessary to meet obligations or exercise rights in employment or social protection law. Examples:
- HR and payroll processing
- occupational health
- employee wellbeing support
Article 9(2)(c) – Vital interests
Where necessary to protect someone’s life. Examples:
- sharing information in safeguarding or emergency situations
Article 9(2)(e) – Data made public by the individual
Where individuals have made their data public.
Article 9(2)(f) – Legal claims
Where required for legal proceedings or advice. Examples:
- employment tribunals
- litigation
Article 9(2)(g) – Substantial public interest
Where necessary to perform the Council’s statutory functions. Examples:
- investigating complaints
- regulatory functions
- responding to Freedom of Information or Environmental Information requests
- ensuring lawful and accountable decision-making
Article 9(2)(h) – Health and social care
Where necessary for the provision or management of care services. Examples:
- housing-related support
- safeguarding work
Article 9(2)(i) – Public health
Where required for public health functions.
Article 9(2)(j) – Archiving
Where necessary for public interest archiving purposes.
These activities are carried out in accordance with the relevant Schedule 1 (DPA 2018) conditions listed below, where applicable.
Schedule 1 DPA 2018 - Conditions for Processing
Where Cherwell District Council processes special category or Criminal Offence Data under Article 9(2)(b), (g), (h), or (i) and Article 10 UK GDPR, it relies on the following conditions set out in Schedule 1 of the Data Protection Act 2018:
- Paragraph 1 – Employment, social security and social protection
- Paragraph 6 – Statutory and government purposes
- Paragraph 10 – Preventing or detecting unlawful acts
- Paragraph 11 – Protecting the public against dishonesty, malpractice or improper conduct
- Paragraph 18 – Safeguarding of children and individuals at risk
- Paragraph 24 – Disclosure to elected representatives
- Paragraph 8 – Equality of opportunity or treatment
These conditions are applied where the processing is necessary and proportionate for the Council to carry out its statutory functions, deliver services, and protect individuals and the public.
| Lawful Processing basis | Processing condition for Special Categories of Personal Data |
|---|---|
|
Data concerning health Compliance with a legal obligation (Article 6 (1)(c)) or necessary for the performance of a contract with the Data Subject (Article 6(1)(b)). |
Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the Data Subject in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.) |
|
Racial or ethnic origin data Compliance with a legal obligation (Article 6(1)(c)). |
Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the Data Subject in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.) |
|
Criminal Convictions Data Compliance with a legal obligation (Article 6(1)(c)). |
Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the Controller or the Data Subject in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.) Meets one of the substantial public interest conditions set out in Part 2 of Schedule 1 to the DPA 2018 (such as preventing or detecting unlawful acts).(Paragraph 10(1), Schedule 1, DPA 2018.) |
|
Equal opportunity data In the organisation's legitimate interests (Article 6(1)(f)) which are not outweighed by the fundamental rights and freedoms of the Data Subject. |
Necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained. (Paragraph 8(1)(b), Schedule 1, DPA 2018.) |
Criminal Offence Data (Article 10)
CDC processes Criminal Offence Data where authorised by law. Examples:
- recruitment checks
- community safety and enforcement
- licensing and regulatory services
- fraud prevention
Description of Data Processed
Cherwell District Council processes special category and Criminal Offence Data in several contexts:
- Employees: health data, equality monitoring, trade union membership
- Residents and service users: information required to deliver statutory services
- Complaints and investigations: evidence gathered through enforcement or regulatory activity
CDC maintains records of processing activities in accordance with Article 30 UK GDPR.
Procedures for Compliance with Data Protection Principles
Accountability
CDC ensures accountability through:
- appointment of a Data Protection Officer
- documented processing activities
- data protection policies and procedures
- contracts with processors and partners
- carrying out DPIAs
- security measures and regular reviews
- compliance with data protection law
Cherwell District Council ensures that appropriate safeguards are in place when processing special category and Criminal Offence Data. These include:
- mandatory data protection training for staff
- confidentiality obligations in contracts of employment
- role-based access controls to limit access to sensitive data
- secure handling, storage, and transmission of information
- regular monitoring, review, and audit of data protection practices
Principle (a) - Lawfulness, Fairness and Transparency
CDC ensures it:
- identifies and documents the lawful bases for processing of Personal Data, and only process for identified lawful bases.
- provides clear privacy information, including Privacy Notices
- ensures processing information is fair and understood
Principle (b) - Purpose Limitation
Personal Data is:
- collected for specified, explicit purposes
- not used for incompatible purposes
- appropriately assessed before reuse
Principle (c) - Data Minimisation
CDC ensures:
- only necessary data is collected
- irrelevant data is deleted promptly
Principle (d) - Accuracy
The Council:
- keeps data up to date
- corrects or deletes inaccurate data without delay
Principal (e) - Storage Limitation
Data is:
- retained only as long as necessary
- managed in line with the Council’s Data Retention Schedule
- reviewed regularly
Principle (f) - Integrity and Confidentiality (Security)
CDC protects Personal Data through:
- secure IT systems and networks
- role-based access controls
- secure storage of physical records
- regular security reviews
Retention and Erasure
Cherwell District Council maintains a corporate Data Retention Schedule which sets out:
- how long data is kept
- actions taken at the end of retention periods
Personal Data is retained only for as long as necessary for the purpose for which it was collected and is securely deleted or anonymised in accordance with the Council’s Data Retention Schedule.
Review of this Document
This Appropriate Policy Document:
- will be retained for the duration of relevant processing and for at least six months afterwards
- will be reviewed every two years, or sooner if required
- will be provided to the Information Commissioner’s Office (ICO) upon request
Additional Processing
Where special category data is processed outside the scope requiring an APD, CDC still ensures:
- lawful and fair processing
- transparency through privacy information
- protection of individuals’ rights
Policy Date: June 2026
Next Review Date: June 2027