Appropriate policy document
This appropriate policy document provides information about the legal basis and our safeguards at the Welsh Revenue Authority (WRA) for sensitive processing of special categories of personal data and criminal offence data.
This policy has been developed to meet the Data Protection Act (DPA) 2018 requirement for an appropriate policy document which details the lawful basis and conditions for processing special category, criminal offence and sensitive data for law enforcement purposes and the safeguards we have put in place when we process it.
This policy covers:
- substantial public interest processing for the WRA’s statutory and corporate functions
- employment, social security and social protection law for HR processing purposes
- law enforcement processing
2. Lawful basis for Processing
The WRA is a statutory body with statutory functions and a statutory duty of confidentiality which are set out in the Tax Collection and Management (Wales) Act 2016 (TCMA). As part of the WRA’s statutory and corporate functions, we process special category and criminal conviction data under these Articles of the UK General Data Protection Regulation (UK GDPR):
- Article 6(a) of the UK GDPR (the data subject has given consent to the processing of his or her personal data for one or more specific purposes)
- Article 6(b) of the UK GDPR (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract)
- Article 6(c) of the UK GDPR (processing is necessary for compliance with a legal obligation to which the WRA is subject)
- Article 6(e) of the UK GDPR (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the WRA)
The WRA processes sensitive data for law enforcement purposes under section 35 of the DPA 2018.
3. Definition of special category, sensitive and criminal conviction data
Special category data (defined by Article 9 of the UK GDPR) and sensitive data (defined by section 35 of the DPA 2018) is personal data which reveals:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person’s sex life or sexual orientation
Section 11(2) of the DPA 2018 states that criminal conviction data includes data which relates to the alleged commission of offences and related proceedings and sentencing.
4. Conditions for processing special category data and criminal conviction data
The WRA processes special category data under the following paragraphs of Article 9 of the UK GDPR:
- paragraph 2(a) (the data subject has given explicit consent to the processing of those personal data for one or more specified purposes (e.g. for biometric authentication)
- paragraph 2(b) (processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the WRA or the data subject in the field of employment and social security and social protection law)
- paragraph 2(g) (processing is necessary for reasons of substantial public interest)
Article 10 of the UK GDPR permits processing of personal data relating to criminal convictions and offences under the control of official authority. The WRA may therefore process criminal conviction data under Article 10 of the UK GDPR as it is exercising official authority within the meaning set out in section 8 of the DPA 2018.
5. Substantial public interest
The WRA processes special category data where it is for reasons of substantial public interest.
Section 10(3) of the DPA 2018 sets out that in order for processing of special categories of personal data to be necessary for reasons of substantial public interest under Article 9(2)(g) of the UK GDPR, that processing must meet one of the conditions set out in Part 2 of Schedule 1.
The WRA processes special category data in the performance of its statutory and corporate functions when the following conditions set out in the following paragraphs of
Part 2 of Schedule 1 to the DPA 2018 are met:
- paragraph 6 (Statutory etc and government purposes)
- paragraph 8 (Equality of opportunity or treatment)
- paragraph 10 (Preventing or detecting unlawful acts)
These conditions apply to the WRA’s statutory and corporate functions. All processing is for the first listed purpose and might also be for others, depending on the context.
6. Employment, social security and social protection law
Section 10(2) of the DPA 2018 sets out that in order for processing of special categories of personal data to be necessary for the purposes of carrying out the obligations and exercising specific rights of the WRA or of the data subject in the field of employment, social security and social protection law under Article 9(2)(b) of the UK GDPR, that processing must meet one of the conditions set out in Part 1 of Schedule 1.
The WRA processes special category data for employment purposes when the condition set out in paragraph 1 of Part 1 of Schedule 1 to the DPA 2018 is met.
7. Statistical purposes
Under Article 9(2)(j) of the UK GDPR, the WRA may process special category data where it is necessary for statistical purposes in accordance with Article 89(1), provided the processing is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. We may also process criminal conviction data for these purposes under the DPA 2018.
Under section 10(2) of the DPA 2018, the WRA may process special category data and criminal conviction data for the purposes of archiving, research and statistics when a condition of Part 1 of Schedule 1 to the DPA 2018 is met.
8. Law enforcement processing
Section 31 of the DPA 2018 defines the law enforcement purposes as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. The WRA is listed as a competent authority for the purposes of law enforcement in paragraph 22 of Schedule 7 to the DPA 2018 and does not rely on the consent of the data subject to process sensitive data.
Section 35(5) of the DPA 2018 sets out that where processing is strictly required for law enforcement purposes, the WRA must meet at least one of the conditions in Schedule 8.
The WRA processes data for the law enforcement purposes when the conditions set out in the following paragraphs of Schedule 8 to the DPA 2018 are met:
- paragraph 1 (Statutory etc purposes)
- paragraph 5 (Personal data already in the public domain)
- paragraph 6 (Legal claims)
- paragraph 8 (Preventing fraud)
- paragraph 9 (Archiving etc)
All processing is for the first listed purpose and might also be for others dependent on the context.
9. The WRA’s compliance with the data protection principles
In accordance with the accountability principle, the WRA maintains records of processing activities under Article 30 of the UK GDPR and section 61 of the DPA 2018. We carry out data protection impact assessments where appropriate in accordance with Articles 35 and 36 of the UK GDPR and section 64 of the DPA 2018 for law enforcement processing to ensure data protection by design and default.
The WRA follows the data protection principles set out in Article 5 of the UK GDPR, and Part 3, Chapter 2 of the DPA 2018 for law enforcement processing, as follows:
9.1 Lawfulness, fairness and transparency
We are a Welsh tax authority and the revenue we collect and manage funds public services in Wales.
Sections 12 to 15 of the Tax Collection and Management (Wales) Act 2016 (TCMA) set out the WRA’s functions.
9.2 Purpose limitation
The WRA does not process personal data for purposes that are incompatible with the purposes for which it is collected. When we process personal data to fulfil our statutory functions, we do so in accordance with sections 12 to 15 of the TCMA.
When we share special category data, sensitive data or criminal conviction data with another controller, processor or jurisdiction, we will ensure that the data transfers are compliant with relevant laws and regulations and use appropriate international treaties, data sharing agreements and contracts.
9.3 Data minimisation
We collect personal data that is adequate, relevant and limited to the relevant purposes for which it is processed. We ensure that the information we process is necessary for and proportionate to our purposes.
Personal data shall be accurate and, where necessary, kept up to date. Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to take appropriate corrective action for that data without delay.
9.5 Storage limitation
The WRA retains special category data, criminal conviction data and sensitive data for law enforcement processing in accordance with the retention and disposal schedule, published on https://gov.wales/welsh-revenue-authority. These categories of personal data may be retained for longer than the WRA’s default standard retention period if required by statutory, regulatory, legal or security reasons.
9.6 Integrity and confidentiality
We have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect about individuals. We have strict security standards, and all our staff and those who process personal data on our behalf get regular training about how to keep information safe. We limit access to your personal information to those employees, or third parties who have a business or legal need to access it.
Third parties or contractors that the WRA engages will only process your personal information on our instructions or with our agreement, and where they do so they have agreed to treat the information confidentially and to keep it secure. We will also disclose personal data to an agent if we receive the consent of the individual to whom the data concerns.
10. Policy review statement
This policy will be periodically reviewed and updated.