Appropriate policy
Omagh Bombing Inquiry - appropriate policy document (PDF, 64.3 KB)
This policy has been developed to meet the requirements in the Data Protection Act 2018 (‘the DPA’) for an appropriate policy document setting out the basis for processing special category and criminal offence data, as well as the safeguards which are in place for such processing.
Special category and criminal offence data
Special category data is defined by Article 9 of the UK GDPR as personal data which reveals:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a natural person’s sex life or sexual orientation
Article 10 of the UK GDPR makes provision for the processing of personal data relating to criminal convictions and offences. Section 11(2) of the DPA provides that references to criminal convictions and offences include: (a) the alleged commission of offences; and (b) proceedings for an offence committed or alleged to have been committed or the disposal of such proceedings, including sentencing.
Lawful basis for processing
The Omagh Bombing Inquiry (‘the Inquiry’) is a statutory inquiry established under the Inquiries Act 2005. Its Terms of Reference are available on its website.
As part of the Inquiry’s functions, it will process special category and criminal offence data on the following bases:
- The processing being necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e));
- The processing being necessary for compliance with legal obligations (Article 6(1)(c));
- In the case of providers of services to the Inquiry, the processing being necessary for the performance of a contract to which the person is a party (Article 6(1)(b));
- In some limited cases, consent (Article 6(1)(c)).
The Inquiry’s Privacy Notice provides further information including the types of information processed by the Inquiry, how it is processed and individuals’ rights.
Conditions for processing special category data and criminal offence data
The Inquiry processes special category data under the following bases:
- The processing being necessary for reasons of substantial public interest (Article 9(2)(g));
- In some limited cases, the data subject has given explicit consent for one or more specified purposes (Article 9(2)(a)).
Article 10 of the UK GDPR permits the processing of personal data relating to criminal convictions and offences under the control of official authority or where the processing is lawfully authorised. The Inquiry therefore processes criminal offence data under Article 10 of the UK GDPR in circumstances where it is exercising official authority that enables it to do so; in this case exercising its functions under the Inquires Act 2005 and investigating its Terms of Reference.
Section 10(3) of the DPA provides that in order for the processing of special categories of personal data and criminal offence data to be necessary for reasons of substantial public interest, under Article 9(2)(g) of the UK GDPR, such processing must meet one of the conditions set out in Part 2 of Schedule 1. The Omagh Bombing Inquiry processes special category and criminal offence data in order to meet its statutory purposes (Schedule 1, Part 2 paragraph 6). In this context, the requirement for the processing of criminal offence data to be in the ‘substantial’ public interest is removed.
Compliance with the data protection principles
In accordance with the accountability principle, the Inquiry maintains records of processing activities under Article 30 of the UK GDPR and section 61 of the DPA 2018. We carry out data protection impact assessments where appropriate in accordance with Articles 35 and 36 of the UK GDPR and section 64 of the DPA 2018 for law enforcement processing to ensure data protection by design and default.
The Inquiry follows the data protection principles set out in Article 5 of the UK GDPR as follows:
Lawfulness, fairness and transparency
The Inquiry is a statutory inquiry established under the Inquiries Act 2005 (‘the Act’) with its Terms of Reference made under section 5 of the Act. The Inquiry’s proceedings are governed by the Act and the Inquiry Rules 2006. In particular, section 18 of the Act requires the Chair to take reasonable steps to enable members of the public to: attend at the Inquiry, hear a transmission of proceedings at the Inquiry and access evidence produced to the Inquiry.
Purpose limitation
The Inquiry does not process personal data for purposes that are incompatible with the purposes for which it is collected. When we process personal data to fulfil our statutory functions, we do so in accordance with the Inquiries Act 2005 and Inquiries Rules 2006 in order to investigate the matters stated in the published Terms of Reference.
When we share special category data, sensitive data or criminal offence data with another controller, processor or jurisdiction, we will ensure that the data transfers are compliant with relevant laws and regulations and use appropriate international treaties, data sharing agreements and contracts as necessary.
Data minimisation
We collect personal data that is adequate, relevant and limited to the relevant purposes for which it is processed. We ensure that the information we process is necessary for and proportionate to our purposes.
Accuracy
Personal data shall be accurate and, where necessary, kept up to date. Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay.
Storage limitation
Personal data, special category data, criminal offence data and sensitive data for law enforcement processing collected as part of the evidence will be held by the Inquiry until the conclusion of the Inquiry. At the end of the Inquiry, some of the personal data held by the Inquiry will – where it is considered to form part of the historic record – be transferred for the purposes of indefinite retention of inquiry records by the National Archives in accordance with the Public Records Act 1958. Personal data that is not required for archiving purposes will be destroyed.
Integrity and confidentiality
We have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect about individuals. We have strict security standards, and all our staff and other people who process personal data on our behalf get regular training about how to keep information safe.
We limit access to your personal information to those employees, or third parties who have a business or legal need to access it.
Third parties or contractors that the Inquiry engages will only process your personal information on our instructions or with our agreement, and where they do so they have agreed to treat the information confidentially and to keep it secure.
Review
This policy will be periodically reviewed and may be updated.