Processing of special categories of personal data and criminal convictions - Appropriate policy document
Who are we?
The Crown Office and Procurator Fiscal Service (COPFS) is Scotland’s prosecution service and death investigation authority. We receive reports about crimes from the police and other reporting agencies and then decide what action to take, including whether to prosecute someone.
We also look into deaths that need further explanation and investigate allegations of criminal conduct against police officers.
We play an important part in the justice system, working with others to make Scotland safe from crime, disorder and danger.
We make our decisions independently and in the public interest. We follow the process set out in the Prosecution Code to make decisions.
Our headquarters are located at Crown Office, 25 Chambers Street, Edinburgh, EH1 1LA
The purpose of this policy
This policy explains COPFS’ procedures for ensuring compliance with the data protections principles relating to the processing of special categories for applicable records, as well as relevant erasure and retention policies.
This policy is a requirement under Schedule 1, Part 4 of the Data Protection Act 2018.
What are special categories of data?
UK GDPR states the following types of personal data are known as special category data:
- Personal data revealing racial or ethnic origin;
- Personal data revealing political opinions;
- Personal data revealing religious or philosophical beliefs;
- Personal data revealing trade union membership;
- Genetic data;
- Biometric data (where used for identification purposes);
- Data concerning health;
- Data concerning a person’s sex life; and
- Data concerning a person’s sexual orientation.
These types of personal data are likely to be more sensitive and therefore require additional safeguards when processing. Article 9(1) prohibits processing of these unless any condition listed under Article 9(2) is met.
In addition, Parts 1 and 2 of Schedule 1 of the Data Protection Act also include conditions, one of which must also be met to allow the lawful processing of such data.
The Data Protection Principles
The UK GDPR sets out the following key principles:
1. Lawfulness, fairness and transparency
COPFS’ privacy notices detail why and how we process personal data and our lawful basis for doing so.
As the prosecution and death investigation service for Scotland, our processing is necessary for a purpose of significant public interest.
2. Purpose limitation
COPFS will ensure that processing will be restricted to that which is necessary to allow us to fulfil our obligations as a criminal prosecution and death investigation service and will not be used for any other matter unless it is reasonable and authorised by law to do so.
3. Data minimisation
Personal data held by COPFS is restricted to that which is necessary only for the purposes of processing.
4. Accuracy
COPFS recognises the importance of accurate data. Staff are made aware of the need for accuracy and any inaccuracy identified will be rectified where appropriate.
Where this is not possible, an addendum will be added to that data advising and any reasons for not amending the data will also be recorded.
5. Storage limitation
The COPFS Records Management Manual dictates the length of time material, including personal data, should be kept in certain circumstances.
Where consent for processing has previously been provided and subsequently withdrawn, the data will be destroyed in line with legislative requirements.
6. Integrity and confidentiality
COPFS employs both stringent technical and organisational measures to ensure the security of the data we hold.
Technical
COPFS maintains an IT Security Management System to ensure the security of data, information, IT systems and services.
Security controls, policies, and procedures are compliant with UK and Scottish Government cybersecurity strategies and standards.
COPFS security controls and configurations are subject to annual independent audit, health check and accreditation under the UK Home Office and UK Cabinet Office PSN, PSN-P, Cyber Essentials + schemes.
COPFS deploys security industry best practices and tools, including the Microsoft E5 security suite incorporating MS Purview, Data, Data Classification, Data Loss Prevention, and e-Discovery.
COPFS operates an organisational-wide SOC and MDR Service, actively monitoring, identifying, and responding to vulnerabilities and threats to its IT and Information assets.
Organisational
All entrants to COPFS are required to undergo an Enhanced Disclosure Scotland check prior to appointment and once employed, are required to undertake mandatory data protection learning.
All COPFS staff are provided with training on relevant systems and are subject to relevant policies such as our Clear Desk policy (including handling of materials in line with the Government Protective Marking Scheme) and our Acceptable Computer Use policy.
All COPFS sites are secured and accessible only to those with relevan permissions.
CCTV is also used across the COPFS estate.
Erasure of personal data
Requests for the erasure of personal data will be dealt with in accordance with Article 17 of the UK GDPR, and, in accordance with Article 19, we will keep you informed of our response to any such requests made, unless this proves impossible or involves disproportionate effort.
Any such decisions will be recorded.
Retention and review of this document
This policy will be reviewed on an annual basis and updated as necessary.
This document was last reviewed on 19 September 2024.
Thank you for your feedback.