PPI Wise - Appropriate Policy Document

Etico Group Limited Appropriate Policy Document

About This Policy

1. Etico Group Limited is a limited company whose registered offices are at St James House, Vicar Lane, Sheffield S1 2EX (company registration number 05942713) and for the purposes of the data protection rules is a data controller registered with the Information Commissioner’s Office with registration number Z3111862 (collectively referred to as Etico Group, "we", "us" or "our").

2. This is Etico’s Appropriate Policy Document (‘APD’) referred to in our Privacy Policy.

3. In this APD we set out how we will protect Special Categories of Personal Data and Criminal Convictions Data.

4. This APD meets the requirement of the Data Protection Act 2018 that an Appropriate Policy Document be in place where processing of Special Categories of Personal Data and Criminal Convictions Data takes place.

Definitions

5. In this APD, where relevant, we use the definitions set out in our Privacy Policy. Where terms are not defined in our Privacy Policy, we use the following definitions:

a) Criminal Convictions Data: Personal Data relating to criminal convictions and offences, including Personal Data relating to criminal allegations and proceedings.

b) Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. A DPIA should be conducted for all major system or business change programmes involving the processing of Personal Data.

c) Privacy Policy: Our Privacy Policy.

d) Special Categories of Personal Data: Personal Data revealing racial or ethnic origin, political opinions, trade union membership, genetic data, biometric data, sex life or sexual orientation, religious or similar beliefs, physical or mental health conditions.

Why We Process Special Categories of Personal Data and Criminal Convictions Data

6. The following are examples of the purposes for which we process Special Categories of Personal Data and Criminal Convictions Data:

a) Assessing an employee's or a potential employee’s fitness to work.

b) Complying with the Equality Act 2010.

c) Checking applicants' and employees' right to work in the UK.

d) Verifying that applicants and employees are suitable for employment or continued employment.

Personal Data Protection Principles

7. We will only process Special Categories of Personal Data or Criminal Convictions Data fairly if we have a lawful purpose and one of the specific processing conditions relating to Special Categories of Personal Data or Criminal Convictions Data applies. We will identify and record the legal grounds and specific processing conditions relied on for each activity.

Data Concerning Health

Lawful Processing Basis: Compliance with a legal obligation (Article 6(1)(c) UK GDPR) or necessary for the performance of a contract (Article 6(1)(b) UK GDPR).

Processing Condition for Special Categories of Personal Data: Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.)

Racial or Ethnic Origin Data

Lawful Processing Basis: Compliance with a legal obligation (Article 6(1)(c) UK GDPR).

Processing Condition for Special Categories of Personal Data: Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.)

Convictions Data

Lawful Processing Basis: Compliance with a legal obligation (Article 6(1)(c) UK GDPR).

Or

In the organisation's legitimate interests (Article 6(1)(f) UK GDPR) which are not outweighed by the fundamental rights and freedoms of the individual.

Processing Condition for Special Categories of Personal Data: Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.)

Meets one of the substantial public interest conditions set out in Part 2 of Schedule 1 to the DPA 2018 (such as preventing or detecting unlawful acts). (Paragraph 10(1), Schedule 1, DPA 2018.)

Equal Opportunity Data

Lawful Processing Basis: In Etico's legitimate interests (Article 6(1)(f) UK GDPR) which are not outweighed by the fundamental rights and freedoms of the individual.

Processing Condition for Special Categories of Personal Data: Necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained. (Paragraph 8(1)(b), Schedule 1, DPA 2018.)

Purpose Limitation

8. We will only collect Special Categories of Personal Data or Criminal Convictions Data for specified, explicit and legitimate purposes and will not further process them in any manner incompatible with those purposes.

9. We will not use Special Categories of Personal Data or Criminal Convictions Data for new, different or incompatible purposes from those disclosed when it was first obtained unless we have informed you of the new purpose(s), and obtained your consent where necessary.

Data Minimisation

10. We will only collect Special Categories of Personal Data or Criminal Convictions Data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Accuracy

11. We will ensure that the Special Categories of Personal Data or Criminal Convictions Data we hold and use are accurate, complete, kept up to date and relevant to the purpose for which they are collected by us. We check the accuracy of any Special Categories of Personal Data or Criminal Convictions Data at the point of collection and at regular intervals afterwards. We take all reasonable steps to destroy or amend inaccurate or out-of-date Special Categories of Personal Data or Criminal Convictions Data.

Security, Integrity, Confidentiality

12. We will implement and maintain reasonable and appropriate security measures against unlawful or unauthorised processing of Special Categories of Personal Data or Criminal Convictions Data and against the accidental loss of, or damage to, Special Categories of Personal Data or Criminal Convictions Data.

Accountability Principle

13. We are responsible for, and able to demonstrate compliance with, these principles. Any questions about this policy should be submitted to compliance@eticogroup.co.uk.

14. We will:

a) Ensure that records are kept of all Special Categories of Personal Data or Criminal Convictions Data processing activities, and that these are provided to the Information Commissioner on request.

b) Carry out a DPIA for any high-risk processing of Special Categories of Personal Data or Criminal Convictions Data and consult the Information Commissioner if appropriate.

c) Have internal processes to ensure that Special Categories of Personal Data or Criminal Convictions Data are only collected, used or handled in a way that is compliant with data protection law.

Retention and Erasure of Special Categories of Personal Data and Criminal Convictions Data

15. We take the security of Personal Data very seriously. We have administrative, physical and technical safeguards in place to protect Special Categories of Personal Data or Criminal Convictions Data against unlawful or unauthorised processing, or accidental loss or damage. We will ensure, where Special Categories of Personal Data or Criminal Convictions Data are processed, that:

a) The processing is recorded and the record sets out, where possible, a suitable time period for the safe and permanent erasure of the different categories of data.

b) Where we no longer require Special Categories of Personal Data or Criminal Convictions Data for the purpose for which it was collected, we will delete it or render it permanently anonymous as soon as possible.

c) Where records are destroyed, we will ensure that they are safely and permanently disposed of.

Subject to the above, our Privacy Policy sets out how Personal Data will be handled including the period for which we will store Personal Data.

Review

16. This APD is reviewed on a yearly basis.

17. This APD will be retained where we Process Special Categories of Personal Data and Criminal Convictions Data and for a period of at least six months after we stop carrying out such processing.

18. A copy of this APD will be provided to the Information Commissioner on request and free of charge.

Dated: 10 November 2020

Review date: 10 November 2020

Next review: 10 November 2021

19. For further information about our compliance with data protection law, please contact our compliance team at:

Etico Group Ltd,
St James House,
Vicar Lane,
Sheffield S1 2EX

Tel: 0114 478 3449

Email: compliance@eticogroup.co.uk