Appropriate Policy Document

Introduction

This Appropriate Policy Document (APD) explains how Cherwell District Council (CDC) processes special categories of Personal Data and Criminal Offence Data. 

The Data Protection Act 2018 (DPA 2018) requires an APD to be in place where any organisation processes special category and Criminal Offence Data under certain conditions. In particular, most substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018 require an APD, as well as processing relating to employment, social security, and social protection.

As part of its statutory and corporate functions, Cherwell District Council processes special category data and Criminal Offence Data in accordance with Article 9 and Article 10 of the UK General Data Protection Regulation (UK GDPR), and Schedule 1 of the Data Protection Act 2018.

This document:

  • sets out how CDC complies with the data protection principles in Article 5 UK GDPR
  • explains the Council’s procedures for handling this data
  • outlines retention and erasure arrangements

This document should be read alongside the Council’s privacy notices.

Processing of Personal Data for law enforcement purposes is not covered in this document and is addressed separately under Part 3 of the Data Protection Act 2018.

This document applies where CDC relies on Schedule 1 DPA 2018 conditions under the Data Protection Act 2018 that require an Appropriate Policy Document to be in place.

References to Articles in this policy are to those articles of the UK GDPR.

Definitions

Criminal Offence Data
Personal Data relating to criminal convictions and offences, including Personal Data relating to criminal allegations and proceedings.

Data Retention Schedule
Explains how the organisation classifies and manages the retention and disposal of its information. Time periods for retention are set out in the retention schedule.

Data Subject
A living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

Data Privacy Impact Assessment (DPIA)
Tools and assessments used to identify and reduce risks of a data processing activity. A DPIA should be conducted for all major system or business change programmes involving the Processing of Personal Data.

DPA 2018
The Data Protection Act 2018.

Data Protection Officer (DPO)
The person required to be appointed in specific circumstances under the UK GDPR. Where a mandatory DPO has not been appointed, this term means a data protection manager or other voluntary appointment of a DPO or refers to the organisation's data privacy team with responsibility for data protection compliance.

UK GDPR
The retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR).

Personal Data
Any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably possess. Personal Data includes Special Categories of Personal Data.

Privacy Notice
A separate notice setting out information that may be provided to Data Subjects when the organisation collects information about them.

Processing or Processes
Any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Special Category Data

Special category data is defined under Article 9 UK GDPR and includes Personal Data revealing:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data used for identification
  • health data
  • sex life or sexual orientation

Criminal Offence Data (Article 10)

CDC processes Criminal Offence Data where such processing is authorised by law and is necessary for the performance of its statutory functions. This includes functions relating to:

  • community safety and enforcement
  • licensing and regulatory responsibilities
  • safeguarding
  • fraud prevention and investigation
  • recruitment and employment checks

Processing is carried out with appropriate safeguards in place, including restricted access, confidentiality obligations, and compliance with the Council’s data protection policies and procedures.

Conditions for Processing

CDC processes special category data under the following lawful conditions:

Article 9(2)(a) – Explicit consent

Where individuals have given clear, affirmative consent. Examples:

  • requests for reasonable adjustments
  • participation in consultations or surveys
  • subscription to council communications

Article 9(2)(b) – Employment, social security and social protection

Where processing is necessary to meet obligations or exercise rights in employment or social protection law. Examples:

  • HR and payroll processing
  • occupational health
  • employee wellbeing support

Article 9(2)(c) – Vital interests

Where necessary to protect someone’s life. Examples:

  • sharing information in safeguarding or emergency situations

Article 9(2)(e) – Data made public by the individual

Where individuals have made their data public.

Article 9(2)(f) – Legal claims

Where required for legal proceedings or advice. Examples:

  • employment tribunals
  • litigation

Article 9(2)(g) – Substantial public interest

Where necessary to perform the Council’s statutory functions. Examples:

  • investigating complaints
  • regulatory functions
  • responding to Freedom of Information or Environmental Information requests
  • ensuring lawful and accountable decision-making

Article 9(2)(h) – Health and social care

Where necessary for the provision or management of care services. Examples:

  • housing-related support
  • safeguarding work

Article 9(2)(i) – Public health

Where required for public health functions.

Article 9(2)(j) – Archiving

Where necessary for public interest archiving purposes.

These activities are carried out in accordance with the relevant Schedule 1 (DPA 2018) conditions listed below, where applicable.

Schedule 1 DPA 2018 - Conditions for Processing

Where Cherwell District Council processes special category or Criminal Offence Data under Article 9(2)(b), (g), (h), or (i) and Article 10 UK GDPR, it relies on the following conditions set out in Schedule 1 of the Data Protection Act 2018:

  • Paragraph 1 – Employment, social security and social protection
  • Paragraph 6 – Statutory and government purposes
  • Paragraph 10 – Preventing or detecting unlawful acts
  • Paragraph 11 – Protecting the public against dishonesty, malpractice or improper conduct
  • Paragraph 18 – Safeguarding of children and individuals at risk
  • Paragraph 24 – Disclosure to elected representatives
  • Paragraph 8 – Equality of opportunity or treatment

These conditions are applied where the processing is necessary and proportionate for the Council to carry out its statutory functions, deliver services, and protect individuals and the public.

Lawful Processing basis Processing condition for Special Categories of Personal Data

Data concerning health

Compliance with a legal obligation (Article 6 (1)(c)) or necessary for the performance of a contract with the Data Subject (Article 6(1)(b)).

Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the Data Subject in connection with employment, social security or social protection.

(Paragraph 1(1)(a), Schedule 1, DPA 2018.)

Racial or ethnic origin data

Compliance with a legal obligation (Article 6(1)(c)).

Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the Data Subject in connection with employment, social security or social protection.

(Paragraph 1(1)(a), Schedule 1, DPA 2018.)

Criminal Convictions Data

Compliance with a legal obligation (Article 6(1)(c)).

Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the Controller or the Data Subject in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.)

Meets one of the substantial public interest conditions set out in Part 2 of Schedule 1 to the DPA 2018 (such as preventing or detecting unlawful acts).(Paragraph 10(1), Schedule 1, DPA 2018.)

Equal opportunity data

In the organisation's legitimate interests (Article 6(1)(f)) which are not outweighed by the fundamental rights and freedoms of the Data Subject.

Necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained.

(Paragraph 8(1)(b), Schedule 1, DPA 2018.)

Criminal Offence Data (Article 10)

CDC processes Criminal Offence Data where authorised by law. Examples:

  • recruitment checks
  • community safety and enforcement
  • licensing and regulatory services
  • fraud prevention

Description of Data Processed

Cherwell District Council processes special category and Criminal Offence Data in several contexts:

  • Employees: health data, equality monitoring, trade union membership
  • Residents and service users: information required to deliver statutory services
  • Complaints and investigations: evidence gathered through enforcement or regulatory activity

CDC maintains records of processing activities in accordance with Article 30 UK GDPR.

Procedures for Compliance with Data Protection Principles

Accountability

CDC ensures accountability through:

  • appointment of a Data Protection Officer
  • documented processing activities
  • data protection policies and procedures
  • contracts with processors and partners
  • carrying out DPIAs
  • security measures and regular reviews
  • compliance with data protection law

Cherwell District Council ensures that appropriate safeguards are in place when processing special category and Criminal Offence Data. These include:

  • mandatory data protection training for staff
  • confidentiality obligations in contracts of employment
  • role-based access controls to limit access to sensitive data
  • secure handling, storage, and transmission of information
  • regular monitoring, review, and audit of data protection practices

Principle (a) - Lawfulness, Fairness and Transparency

CDC ensures it:

  • identifies and documents the lawful bases for processing of Personal Data, and only process for identified lawful bases.
  • provides clear privacy information, including Privacy Notices
  • ensures processing information is fair and understood

Principle (b) - Purpose Limitation

Personal Data is:

  • collected for specified, explicit purposes
  • not used for incompatible purposes
  • appropriately assessed before reuse

Principle (c) - Data Minimisation

CDC ensures:

  • only necessary data is collected
  • irrelevant data is deleted promptly

Principle (d) - Accuracy

The Council:

  • keeps data up to date
  • corrects or deletes inaccurate data without delay

Principal (e) - Storage Limitation

Data is:

  • retained only as long as necessary
  • managed in line with the Council’s Data Retention Schedule
  • reviewed regularly

Principle (f) - Integrity and Confidentiality (Security)

CDC protects Personal Data through:

  • secure IT systems and networks
  • role-based access controls
  • secure storage of physical records
  • regular security reviews

Retention and Erasure

Cherwell District Council maintains a corporate Data Retention Schedule which sets out:

  • how long data is kept
  • actions taken at the end of retention periods

Personal Data is retained only for as long as necessary for the purpose for which it was collected and is securely deleted or anonymised in accordance with the Council’s Data Retention Schedule.

Review of this Document

This Appropriate Policy Document:

  • will be retained for the duration of relevant processing and for at least six months afterwards
  • will be reviewed every two years, or sooner if required
  • will be provided to the Information Commissioner’s Office (ICO) upon request

Additional Processing

Where special category data is processed outside the scope requiring an APD, CDC still ensures:

  • lawful and fair processing
  • transparency through privacy information
  • protection of individuals’ rights

Policy Date: June 2026

Next Review Date: June 2027