Guidance

Independent Review of Prevent: appropriate policy

Updated 18 August 2021

1. Scope

This policy has been developed for the Independent Review of Prevent to meet the requirement in the Data Protection Act (DPA) 2018 for an appropriate policy document. The appropriate policy document details the lawful basis and conditions for processing and safeguards we have put in place when we process special category data, criminal offence data, and sensitive data where we are required by law for either safeguarding and/or law enforcement purposes.

This policy covers:

  • substantial public interest processing for Independent Review of Prevent statutory and corporate functions
  • employment, and processing for recruitment purposes
  • processing for archiving, research and statistical purposes
  • law enforcement processing

The Independent Review of Prevent: privacy notice has more information about the Review’s data protection policy and procedures, including the kind of information we hold and what it is used for.

2. Definition of special category, sensitive and criminal offence data

Special category data (defined by Article 9 of the UK General Data Protection Regulation (UK GDPR) and sensitive data (defined by section 35 of the DPA 2018) is personal data which reveals:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation

Article 10 of the UK GDPR applies to the processing of personal data relating to criminal convictions and offences or related security measures.

Section 11(2) of the DPA 2018 provides that criminal offence data includes data which relates to the alleged commission of offences and related proceedings and sentencing. Information about victims and witnesses of crime is also included in the scope of data relating to criminal convictions and offences.

3. Lawful basis for Processing

The legal bases for processing personal data are set out below

The Independent Review of Prevent functions are derived from the Counter-Terrorism & Border Security Act 2019 which requires there to be an Independent Review of Prevent and report on the Government strategy for supporting people vulnerable to being drawn into terrorism. The steps that may be taken are set out in s.20, (8,9 &10) of the Counter-Terrorism & Border Security Act and include, but are not limited to:

a) Make arrangements for an independent review and report on the Government strategy for supporting people vulnerable to being drawn into terrorism.

b) The Review report and any recommendations of the review must be laid before both Houses of Parliament

c) The report and recommendations must be accompanied by a statement by the Secretary of State responding to each recommendation made as part of the independent review.

4. Conditions for processing special category data and criminal offence data

The lawful bases for the Review to process special categories of personal data are set out in articles 9(2)(g), and 9(2)(j) of the UK GDPR which states that; Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall not be prohibited if the; (g) processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) (as supplemented by section 19 of the 2018 Act) based on domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Article 10 of the UK GDPR permits processing of personal data relating to criminal convictions and offences under the control of official authority. It follows that the Independent Review of Prevent may process criminal offence data under Article 10 of the UK GDPR when it is exercising official authority that enables it to do so. When processing is for the Review’s statutory functions within the meaning set out in section 8 of the DPA 2018, including corporate functions, the Review must meet one of the conditions in schedule 1 of the DPA 2018. The Independent Review of Prevent may process criminal offence data under any of the schedule 1 conditions listed in this document with the exception of paragraph 8 (information in section 5 of this document), which is only applicable to special category data.

The Independent Review of Prevent may further process criminal offence data when the additional processing conditions relating to criminal offence data are met under DPA 2018, part 3 of schedule 1:

  • paragraph 32 (personal data in the public domain)
  • paragraph 33 (legal claims)
  • paragraph 36 (substantial public interest)

The above does not apply to law enforcement processing which is covered by section 8 of this policy.

5. Substantial public interest

Section 10(3) of the DPA 2018 sets out that in order for processing of special categories of personal data and criminal offence data to be necessary for reasons of substantial public interest under Article 9(2)(g) of the UK GDPR, that processing must meet one of the conditions set out in Part 2 of Schedule 1.

6. Archiving purposes in the public interest

Under Article 9(2)(j) of the UK GDPR, the Independent Review of Prevent may process special category data where it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on UK and EU or EU member state law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. We may also process criminal offence data for these purposes under the DPA 2018.

Under section 10(2) of the DPA 2018, the Independent Review of Prevent may process special category data and criminal offence data for the purposes of archiving, research, and statistics when a condition of Part 1 of Schedule 1 to the DPA 2018 is met.

7. Law enforcement processing

Section 31 of the DPA 2018 defines the law enforcement purposes as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. The Independent Review of Prevent will take appropriate action to ensure that any safeguarding matters are reported to the responsible authorities for the purposes of law enforcement as described in paragraph 1 of Schedule 7 to the DPA 2018. The Independent Review of Prevent does not rely on the consent of the data subject to process such sensitive data.

Section 35(5) of the DPA 2018 sets out that where processing sensitive data is strictly required for law enforcement purposes, the Independent Review of Prevent must meet at least one of the conditions in Schedule 8. The Independent Review of Prevent processes sensitive data to meet its legal obligation and public interest purposes as set out in schedule 8 of the DPA 2018.

8. Compliance with the data protection principles

In accordance with the accountability principle, the Independent Review of Prevent maintains records of processing activities under Article 30 of the UK GDPR and section 61 of the DPA 2018. We carry out data protection impact assessments where appropriate in accordance with Articles 35 and 36 of the UK GDPR to ensure data protection by design and default.

The Independent Review of Prevent follows the data protection principles set out in Article 5 of the UK GDPR, and Part 3, Chapter 2 of the DPA 2018, as follows:

8.1 Lawfulness, fairness and transparency

We process personal data to obtain your views and opinions. We aim to acquire these from you, the public, and representatives of organisations and companies as part of the statutory review of the government’s strategy for supporting people vulnerable to being drawn into terrorism within the United Kingdom, under section 20 of the Counter Terrorism and Border Security Act 2019 s.20(8)-(10). Sections 17 to 22 of that Act sets out the way in which the Independent Review of Prevent may use the information it holds. We provide clear, transparent information to all those who provide personal data to us on our privacy notice.

8.2 Purpose limitation

The Independent Review of Prevent does not process personal data for purposes that are incompatible with the purposes for which it is collected. When we process personal data to fulfil our legal obligation or public interest purposes.

When we share special category data, sensitive data or criminal offence data with another controller, processor or jurisdiction, we will ensure that the data transfers are compliant with relevant laws and regulations and use appropriate international treaties, data sharing agreements and contracts.

8.3 Data minimisation

We collect personal data that is adequate, relevant and limited to the purposes for which it is processed. We ensure that the information we process is necessary for and proportionate to our purposes.

8.4 Accuracy

Personal data shall be accurate and, where necessary, kept up to date. Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay.

Storage limitation

The Independent Review of Prevent retains special category data, data related to safeguarding matters in accordance with the requirements of the agreed retentions periods and the DPA 2018. These categories of personal data may be retained for longer than the Review’s default standard retention period if required by statutory, regulatory, legal or security reasons.

8.5 Integrity and confidentiality

We have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect about individuals. We have strict security standards, and all our staff and other people who process personal data on our behalf get regular training about how to keep information safe. We limit access to your personal information to those employees, or third parties who have a business or legal need to access it. Third parties or contractors that the Independent Review of Prevent engages will only process your personal information on our instructions or with our agreement, and where they do so they have agreed to treat the information confidentially and to keep it secure. We will also disclose personal data to an agent if we receive the consent of the individual to whom the data concerns.

9. Policy review statement

This policy will be periodically reviewed and updated.