Appropriate Policy Document
Introduction
Flagstone Group Limited processes special category personal data and criminal offence data in accordance with the requirements of Articles 9 and 10 of the UK General Data Protection Regulation (‘UK GDPR’) and Schedule 1 of the Data Protection Act 2018 (‘DPA 2018’).
Internally, please read this policy in conjunction with the Data Protection Policy, which sets out the requirements for the processing of all categories of personal data.
Scope of application
Special category personal data
Special category personal data is defined at Article 9 of the UK GDPR as personal data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a person
- data about health
- data about a person’s sex life or sexual orientation
Criminal offence data
Article 10 of the UK GDPR covers processing data about criminal convictions and offences or related security measures. In addition, Section 11(2) of the DPA 2018 specifically confirms this includes personal data about the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.
This policy document
Some of the Schedule 1 conditions for processing special category and criminal offence data require us to have an appropriate policy document (‘APD’) in place. This document sets out and explains our procedures for securing compliance with the principles in Article 5 and policies about retaining and erasing personal data.
This document explains our processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018.
In addition, it provides further information about how we process special category and criminal offence data where a policy document isn’t a specific requirement. The information supplements our privacy notices.
Conditions for processing special category and criminal offence data
We process special categories of personal data under the following UK GDPR Articles:
Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on Flagstone or the data subject in connection with employment, social security, or social protection.
An example of our processing includes staff sickness absence management.
Article 9(2)(g) – reasons of substantial public interest.
The Financial Conduct Authority regulates Flagstone, so our processing of personal data in this context is for the purposes of substantial public interest, and it is necessary for us to perform our duties to comply with financial regulations, including anti-money laundering legislation.
An example of our processing includes the information we seek when carrying out screening on clients to determine if they are politically exposed persons (PEPs).
Article 9(2)(f) – for the establishment, exercise or defence of legal claims.
An example of our processing includes processing about any employment tribunal or other litigation.
Article 9(2)(a) – explicit consent.
In circumstances where we seek consent, we make sure the consent is unambiguous and for one or more specified purposes, is given by an affirmative action and is recorded as the condition for processing.
An example of our processing includes staff dietary requirements and health information we receive from our customers who require additional support because they are vulnerable.
Article 9(2)(c) – where processing is necessary to protect the vital interests of the data subject or of another person.
An example of our processing would be using health information about a member of staff in a medical emergency.
We process criminal offence data under Article 10 of the UK GDPR.
An example of our processing of criminal offence data includes pre-employment checks and declarations by an employee in line with contractual obligations.
Processing which requires an Appropriate Policy Document (APD)
Almost all of the substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018, plus the condition for processing employment, social security, and social protection data, require an APD (see Schedule 1 paragraphs 1 and 5).
This section of the policy is the APD for Flagstone. It demonstrates that the processing of special category and criminal offence data based on these specific Schedule 1 conditions is compliant with the requirements of the UK GDPR Article 5 principles.
Description of data processed
We process the special category data about our employees that is necessary to fulfil our obligations as an employer. This includes information about their health and wellbeing, ethnicity, photographs, and their membership of any trade union. Find more information about this processing in our Employee Privacy Notice.
Our processing for reasons of substantial public interest relates to the data we receive or obtain to fulfil our statutory obligations as a regulated financial services entity. This may be the result of Disclosure and Barring Service checks or the support we are required to provide to our vulnerable clients. Find more information about this processing in our Privacy Notice.
We also maintain a record of our processing activities in accordance with Article 30 of the UK GDPR.
Schedule 1 conditions for processing
Special category data:
We process special category data for the following purposes in Part 1 of Schedule 1:
- Paragraph 1(1) employment, social security, and social protection.
We process special category data for the following purposes in Part 2 of Schedule 1. All processing is for the first listed purpose and might also be for others, depending on the context:
- Paragraph 6(1) and (2)(a) statutory, etc. purposes
- Paragraph 8(1) equality of opportunity or treatment
- Paragraph 10(1) preventing or detecting unlawful acts
- Paragraph 11(1) and (2) protecting the public against dishonesty
- Paragraph 12(1) and (2) regulatory requirements about unlawful acts and dishonesty
Criminal offence data:
We process criminal offence data for the following purposes in Parts 1 and 2 of Schedule 1:
- Paragraph 1 employment, social security, and social protection
- Paragraph 6(2)(a) statutory, etc. purposes
Procedures for ensuring compliance with the principles
Accountability principle
We’ve put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:
- Employing a data protection officer who reports directly to our highest management level.
- Taking a ‘data protection by design and default’ approach to our activities.
- Maintaining documentation of our processing activities.
- Adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors.
- Requiring fellow data controllers, for example banking partners and introducers, to enter into a data sharing agreement with us.
- Implementing appropriate security measures for the personal data we process.
- Carrying out data protection impact assessments for our high-risk processing.
We regularly review our accountability measures and update or amend them when required.
Principle (a): lawfulness, fairness, and transparency
Processing personal data must be lawful, fair, and transparent. It’s only lawful if and to the extent it’s based on law and either the data subject has given their consent for the processing, or the processing meets at least one of the conditions in Schedule 1.
We provide clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notices and this policy document.
Our processing for purposes of substantial public interest is necessary for the exercise of a function conferred on Flagstone by the Financial Conduct Authority.
Our processing for the purposes of employment relates to our obligations as an employer.
Principle (b): purpose limitation
We process personal data for purposes of:
- substantial public interest as explained above when the processing is necessary for us to fulfil our statutory requirements
- complying with or assisting another to comply with a regulatory requirement to establish whether unlawful or improper conduct has occurred
- protecting the public from dishonesty, preventing or detecting unlawful acts or for disclosure to law enforcement.
We’re authorised by law to process personal data for these purposes. We may process personal data collected for any one of these purposes (whether by us or another controller) for any of the other purposes listed here, provided the processing is necessary and proportionate to that purpose.
If we’re sharing data with another controller, we’ll document that they’re authorised by law to process the data for their purpose.
We will not process personal data for purposes incompatible with the original purpose it was collected for.
Principle (c): data minimisation
We collect personal data necessary for the relevant purposes and ensure it’s not excessive. The information we process is necessary for and proportionate to our purposes. Where personal data is provided to us or obtained by us, but isn’t relevant to our stated purposes, we’ll erase it.
Principle (d): accuracy
Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it’s being processed, we’ll take every reasonable step to ensure we erase or rectify that data as soon as possible. If we decide not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights don’t apply, we’ll document our decision.
Principle (e): storage limitation
All special category data processed by us for the purpose of employment or substantial public interest is retained for the periods set out in our retention schedule. We determine the retention period for this data based on our legal obligations and the necessity of its retention for our business needs. We review our retention schedule regularly and update it when necessary.
Principle (f): integrity and confidentiality (security)
We process electronic information within our secure network. Our electronic systems and physical storage have appropriate access controls applied. The systems we use to process personal data allow us to erase or update personal data at any point in time where appropriate.
Review date
This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.
We’ll review this policy annually or revise it more frequently if necessary.