privacy impact assessment template...council policy change to withdraw from current choice-based...

Post on 15-Jul-2020

Page 1: Privacy Impact Assessment template...Council policy change to withdraw from current choice-based lettings (CBL) system (hosted by a third-party supplier) and replace this with an in-house

Version 2 02/08/2013

PRIVACY IMPACT ASSESSMENT

Introduction

A Privacy Impact Assessment (PIA) is a process whereby a project’s potential privacy issues and risks are identified and examined and an analysis is undertaken for ways to avoid or minimise privacy concerns. Where negative impacts on privacy are unavoidable, it provides clarity as to the business need that justifies them.

Personal Information is any information which relates to a living individual who can be identified (a) from that information, or (b) from that information and other information which is in the possession of, or is likely to come into the possession of, the Council.

Sensitive Business Data is any information that, if compromised, could: affect diplomatic relations adversely; cause substantial distress to individuals; cause financial loss or loss of earning potential to, or facilitate improper gain or advantage for, individuals or companies; prejudice the investigation or facilitate the commission of crime; breach proper undertakings to maintain the confidence of information provided by third parties; breach statutory restrictions on disclosure of information; undermine the proper management of the public sector and its operations.

The PIA form should also be completed where a Business Impact Assessment (BIA) is required for Sensitive Business Data.

Note: The PIA must cover all forms of processing of information – Paper and Electronic.

Please refer to Appendix 1 to 3 for further information in relation to completing this template.

Privacy Impact Assessment Classification: Unclassified

Privacy Impact Assessment (PIA)

1. Project Sponsor: Peter Matthew

2. Project Manager: Robert Johnson

3. Project Title

Revised Housing Allocations Policy

4. What is the project?

Policy/strategy

Function/procedure

Review

5. Is it a new or existing handling of Personal Information?

Existing

6. Information Asset (IA) and Information Asset Owner (IAO)

Peter Matthew (tbc)

7. Personal Information involved?

Personal Information (information about an identifiable individual)

Sensitive Personal Information (such as health information or information about any offence) (*also tick Personal Information)

Over 1,000 records of Personal Information

8. Type

Collecting new Personal Information

Re-using existing Personal Information

Sharing Personal Information with another organisation

9. Senior Officer responsible for completing the PIA:

Robert Johnson

10. Date completed: 31.08.2016 (provisional)

Sections to be completed:

1 Business Justification

2 Project Scope

3 Legal Justification

4 Type of data to be collected and processed

5 Storage, Retention and Disposal

6 Technological information

7 Information Security

8 3rd Party Access

9 Information Sharing – Multi-Agency working

10 Information Risk assessment – (You will be contacted by ICT Security to carry this out once your completed PIA is submitted.)

1. Business justification for the project/process change

1.1 Please provide a description of the project/programme/System/Technology being assessed

Council policy change to withdraw from current choice-based lettings (CBL) system (hosted by a third-party supplier) and replace this with an in-house system, with all data being processed and managed in-house, rather than any part of that data being processed and managed off-site.

1.2 Please state if this initiative is a new initiative/project or a process change to an existing initiative/system/Technology?

This is a change to an existing system, resulting in all data being brought in-house. Existing data currently held within the CBL (via LOCATA) will have to be transferred back to the Council for administration and processing. Allocations of any further properties in future will be via the Council’s in-house bespoke system.

1.3 Please state the Purpose/Objectives of the Initiative?

To achieve the Council’s policy objective to move from CBL to direct lettings of social housing properties and other multiple tenure offers (including the use of private rented properties) managed and administered by the Council, rather than a third party.

2 Project Scope

2.1. Does this involve and/or require the processing of business sensitive or Personal data? (including Sensitive Personal data)

Yes.

2.2. Does the project or initiative involve multiple organisations? (i.e. joined up government initiatives, outsourcing to public sector)

No.

2.3. Does the project/process change involve a procurement exercise of a new ICT system or a service or both an ICT system and a service?

No, not a new system, but possibly the actual applicant registration may change, which is yet to be decided. At present the applicant registration process is to be decided and there are options for in-house development or procurement of additional functionality from an existing supplier, to meet the Council’s stated objective.

3. Legal Justification – (to be completed if the project/initiative involves the use of personal data. Go to section 5 if no personal data is involved)

3.1. Does any legislation (or regulation) explicitly require and/or govern the collection/use of specific personal information?

Yes. Each local housing authority is required to consider housing needs within its area, including the needs of homeless households, to whom local authorities have a statutory duty to provide assistance under the Housing (Homeless Persons) Act 1977, Housing Act 1996, and the Homelessness Act 2002. The ‘main homelessness duty’ is owed where the authority is satisfied that the applicant is eligible for assistance, unintentionally homeless and falls within a specified priority need group.

The ‘priority need groups’ include households with dependent children or a pregnant woman and people who are vulnerable in some way e.g. because of mental illness or physical disability. In 2002 an Order made under the 1996 Act extended the priority need categories to include applicants: aged 16 or 17; aged 18 to 20 who were previously in care; vulnerable as a result of time spent in care, in custody, or in HM Forces; vulnerable as a result of having to flee their home because of violence or the threat of violence.

The Council is not under a duty to maintain a housing register (often referred to as a housing waiting list) but must have an allocation scheme for determining priorities between applicants for housing which sets out the procedure to be followed when allocating housing accommodation. Part 6 of the Housing Act 1996 (as amended) governs the allocation of local authority housing stock in England; it was substantially amended, with effect from 31 January 2003, by the Homelessness Act 2002 and, more recently, by the Localism Act 2011.

The Council must ensure that, when allocating housing stock, it only allocates to “eligible persons” as defined in section 160ZA of the 1996 Act.

3.2. Does any legislation (or regulation) govern the general/collection/use of personal information?

Yes, the Data Protection Act 1998 (implemented by the Information Commissioner through the EU Directive on the protection of personal data). Further, the 2016 General Data Protection Regulation (EU Regulation 2016/679) aims to strengthen and unify data protection for individuals within the European Union (addressing the export of personal data outside the EU); it was adopted on 27 April 2016 (entering into application on 25 May 2018 after a two-year transition period), and the UK may or may not be party to it after this date. In addition, the Freedom of Information Act 2000 (FoI) provides public access to information held by public authorities, whereby the Council may be obliged to publish certain information and members of the public are entitled to request information from public authorities. The Act covers any recorded information held by the authority. Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings. FoI does not give people access to their own personal data (information about themselves), such as their health records or credit reference file, and if a member of the public wants to see information that we hold about them they should make a subject access request under the Data Protection Act 1998.

3.3. Does the project involve any activity which is exempt from legislative privacy protections?

None.

3.4. Is the justification for the new data-handling clear and/or published?

Yes, the policy review has been widely disseminated and consulted upon.

4 Type of data to be collected and processed

4.1 Is the Personal data being obtained from existing data sets? If yes please state the existing data set.

Yes – existing data in OHMS.

4.2 If the Personal data is being obtained from an existing data set, please state whether the purpose of processing has changed?

No. The purpose of the processing has not changed, the data will be used for the same purposes but held in a different format.

4.3 Please state how you intend to notify data subjects if purpose of processing has changed?

N/A. If the purpose has changed significantly, for example in nominating applicants to private landlords, rather than just for social housing in the traditional sense of the word, then the applicant will be notified accordingly.

4.4 For processing of sensitive personal data, please state how you would obtain explicit consent or where consent cannot be obtained meet a schedule 2 and schedule 3 criteria?

Explicit consent is sought from all housing applicants, under the terms of the appropriate legislation (as outlined above) – also see 4.3 above. (Seek advice from the Information Governance Team on schedule 2 and schedule 3 criteria.)

4.5 If the personal data is being obtained from a new source then please state the source from where it is being obtained from?

N/A.

4.6 Which specific categories of personal information are necessary in order for the project/process change to succeed?

Categories of data include, but are not exclusively limited to: name, address (current and past), date of birth, contact details (home and mobile telephone number, email address), correspondence (this can be general enquiries, supporting documents such as proof of identity, financial information relating to rent and arrears management, medical information in support of an application or casework or tenancy management issues such as unsocial behaviour), similar full details of all household members, medical details where relevant, landlord’s details, GP, social worker details (where applicable) and correspondence giving supporting evidence (this can be general enquiries, supporting documents such as proof of identity, financial information relating to rent and arrears management, medical information in support of an application or casework or tenancy management issues such as unsocial behaviour), etc.

4.7 Which specific categories of sensitive personal information are necessary in order for the project/process change to succeed?

Medical details relevant to application qualification criteria as set out in policy. Appendix B – Assessing health and housing needs - B1 Medical assessments – draft Housing Allocations Policy 2016: Appendix B explains in more detail the criteria used and evidence required to assess a number of types of housing category set out in the Bands in section 4.3.1 of the Housing Allocations Policy.

4.8 Which specific categories of business sensitive information are necessary in order for the project/process change to succeed?

N/A.

4.9 Can you demonstrate that the project/process change will not involve the collection/use of excessive information – i.e. it will only use adequate and relevant information?

Yes – Mirrors current data requirements – not changing what is collected.

4.10 Risk assessment: rate the likely negative impact to the individuals concerned if the personal data to be shared were lost or stolen or misused in any way.

• Rate the Impact if this occurred - 1 to 5 (1= low impact; 5 = major impact): 4

• Rate the likelihood of this happening: (1= unlikely; 5= most likely): 1

• Type of harm that could be caused to an individual: Loss of Life, Harm or Distress

• Potential number of people affected: Currently not known – in assessment (3K-5K)

4.11 If the information is lost, what emergency actions are to be taken?

Notifying relevant officers.

5. Storage, Access, Retention and Disposal

5.1 How will the information be stored (electronically or manually) and where?

Electronically, using the Council’s in-house systems, existing or modified from existing facilities.

5.2 Who will have access to the personal data/sensitive personal data/sensitive business information?

Staff/Applicants. Housing Staff only. However, not all housing staff will require or be granted access to the system. Access will be limited to those who currently access paper files in order to carry out their duties. The system has sophisticated security options and a lot of the initial setup will be around group setup for security and access. System security and access will be based upon user groups and roles related to document types. Some information may be sent as copy documents and any copies sent in this way will go via the Council’s secure email system. External partners will not be given direct access to tenant or applicant related documents, except for those essential to create legally valid and sustainable tenure for the applicant and their household.

5.3 How will the access be managed/determined?

Security of system, i.e. security groupings and secure login. The system has full audit trails for actions on/viewing of documents.

5.4 How long will the information be retained? Please state the legal justification where applicable.

As per the Council’s retention policy and schedule. The service complies with the Corporate retention schedule and data disposal procedures.

5.5 What process do you intend to have in place to review retention date and in particular ensure personal data is not kept longer than necessary?

Review process. The service complies with the Corporate retention schedule and data disposal procedures.

5.6 What disposal arrangements do you have in/intend to have in place for the personal data/sensitive personal data/sensitive business information?

As per the Council’s retention policy and schedule. The service complies with the Corporate retention schedule and data disposal procedures.

6. Technical information – For electronically held Information

6.1 Please state the location of where the information or the application will be held? I.e. on the desktop, shared drives, application server, hosted on internet only, hosted on intranet, etc.

LBH in-house application server.

6.2 Will the application be accessed by members of the public? Please state how (i.e. via public web portal, via access Council network i.e. not web portal based).

No.

6.3 If the information is held on an application or a database, please state the name of the application/database?

Northgate OHMS.

6.4 How will the application be supported by (internally by ICT or vendor)?

Internal ICT/Vendor. ICT – General system support; Vendor – Application updates/improvements.

6.5 Do you intend to have an SLA in place for support?

Support agreement already in place – existing system.

6.6 Will the application or database have an interface with another system? Please state the system(s)

No.

6.7 Do you intend to have a backup regime in place for the application?

Already in place – existing system.

6.8 Do you intend to have a system/hardware maintenance agreement with the vendor/ICT?

N/A – in-house server internally managed through Corporate ICT.

7. Information Security

7.1 Please state the technical security controls you intend to have in place for electronically held information? (Legislative or Compliance requirements)

Yes, as per existing system: username passwords, security groupings.

7.2 Please state the physical security controls you intend to have in place for manually and electronically held information?

Password protected and in line with LB Hounslow existing protocols and security. In addition, restrictions on printing for specified types of document (e.g. medical information about a tenant or applicant, Police report etc.) linked to user credentials. Printing of records is an action which is automatically recorded for audit purposes.

7.3 Will the information be saved on a removable media, such as a CD, USB, or hand held device? If so what technical and physical security do you intend to apply to it?

No.

7.4 Please state the technical and physical security controls the 3rd party/vendor has in place, if the application is being hosted off-site/by the vendor. (What accreditations they have.)

N/A.

7.5 Please state who (the departments) will be given access to the information?

Housing Staff/Services.

7.6 What auditing do you intend to have in place for transactions carried out on the information and access?

Audit trails for changes to data.

7.7 Please detail all the security arrangements in place or that you will have in place (Technical, Organisational and Physical). Includes:

• Technical

• Systems

• Office Security

• People Management

• Security when Transferring/Migrating

• DR

• Patching (Roadmap)

All Security arrangements must be appropriate for the classification of the Information.

Technical and system security will be managed in accordance with the Council’s existing controls for ICT systems. Office locations are secure. The council has procedures in place for new starters/leavers to manage access to systems.

8. 3rd Party access

8.1 Will the information be disclosed/accessed by a 3rd Party including for vendor support?

Yes. - Housing Associations and Landlords.

8.2 Please state the reason for disclosure/access and whether it is necessary in order for the project or process to succeed?

Required to allow tenancies to be created – data would not relate to specific personal issues (i.e. medical) beyond generic information, e.g. ‘wheelchair user’.

8.3 Would any such disclosure / access be systematic or Ad-hoc?

Systematic.

8.4 Can you guarantee that only adequate and relevant information will be disclosed/accessed by the 3rd party and that no excessive information will be disclosed/accessed?

Yes.

8.5 Will any processing of the manual or electronic information be carried out off-site by a 3rd Party?

No.

8.6 Please state whether the 3rd party is registered with the Information Commissioner’s Office and whether they have a Data Protection Policy, if the personal data/sensitive personal data is being processed by 3rd party?

N/A.

8.7 What processes will be used to ensure that Personal data/sensitive personal data/business sensitive information is not kept longer than necessary by 3rd Party/ Vendor and disposed of securely?

N/A.

9. Information Sharing: Multi-agency working (Includes information being processed by 3rd party on a joint initiative)

9.1 Will the information be used/shared for Multi-agency/joint working? Please state the organisations.

Yes.

9.2 For multi- agency working please state whether an Information Sharing Agreement/Protocol has been signed by the agencies?

Yes: MAPPA, MARAC, JIGSAW working, etc., with defined access levels (1-9). Please consult Information Governance for Information Sharing Agreement.

9.3 Will the 3rd party/ multi- agency staff be working on-site and be needing access to the LBH network and applications? If yes, please ensure that a Legal Agreement (Non Disclosure Agreement) NDA is completed.

No. Please consult Information Security or Legal for NDA.

10. Overseas Transfer - Adequate Levels of Protection

10.1 Are you transferring personal data to a country or territory outside of the EEA? If no go to section 11

No.

10.2 What types of data are transferred? (e.g. contact details, employee records)

N/A.

10.3 Are sensitive personal data transferred abroad? If yes please provide details.

N/A.

10.4 What are the main risks involved in the transfer of personal data to countries outside the EEA?

N/A.

10.5 Are measures in place to ensure an adequate level of security when the data are transferred to another country?

N/A.

10.6 Have you checked whether any non-EEA states to which data is to be transferred have been deemed as having adequate protection?

N/A.

11. Risk Assessment

Please contact the ICT Security Team to complete the Information Risk Assessment and Business Impact Assessment / Vulnerability Assessment once you have completed the Privacy Impact Assessment. Please email the completed PIA to- [email protected]

Appendix 1

1. What sort of information may be shared?

Aggregated data – is anonymous statistical information. Sometimes, even though data is statistical and aggregated, individuals may still be identifiable (e.g. data by postcode – where there is one property in a postcode, an individual could be identifiable). Therefore care must be taken to check whether data could also be personal data.

Personal data – is information which identifies a living individual – the Data Protection Act 1998 and related legislation must be complied with (e.g. a name of an individual and home address).

Sensitive personal data – is information about a living individual which has a greater sensitivity. This is defined in part 1, section 2 of the Data Protection Act:

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

If a mix of personal and sensitive personal data is being shared then as a whole the information should be handled commensurate with the higher controls required for sensitive personal data.

2. Controls and assurances when sharing information

Controls, whether legislative or otherwise, need to correspond to the risk and be proportionate to the objective which is sought to be achieved. A risk assessment should be carried out to assist in the decision whether the risk of data loss and impact outweigh the benefit of sharing the information. The impact to an individual should be rated from 1 to 5, where 1 indicates a low impact. Examples of low impact include minor inconvenience to an individual and no financial loss; major impact includes exposure to identity theft and financial loss or theft.

3. Assurances

Accuracy of information – the accuracy of information is likely to be relied upon by the recipients of the information and therefore, the accuracy of information must be communicated to all parties (subject to legal obligations).

Updating of information – the information providing and receiving party should put arrangements in place to inform each other (and any other parties to the arrangement) of any relevant changes or updates to the information shared (after the information has been shared).

Information use – generally, whether aggregated or personal data, information should only be used for the purposes it has been shared. If the party receiving the information wishes to use it for purposes not clearly described in this document, a separate permission must be obtained from the party that has provided the information.

Disclosure – information should only be disclosed to any other party with the permission of the party providing the information or, where appropriate, (subject to certain exemptions under the Data Protection Act) the permission of the individual who the information is about.

The receiving party must put arrangements in place to guarantee data subject rights, including the right of subject access.

4. Security

Security measures should match the type of information shared and the risk (e.g. impact and likelihood of loss, inappropriate disclosure etc.). Any special security controls that need to be taken in regard to transfer, collection, holding and use of the information should be communicated to all parties involved in the handling of shared information. The party receiving the information should set out what security controls they plan to have in place; they are responsible for the security of that information. Where appropriate, information should be protectively marked, and further advice should be sought on the specific handling and care arrangements that need to be in place when dealing with that information.

Appendix 2 - Legislative controls include:

1. Data Protection Act 1998 (DPA)

First the legal basis for sharing information must be determined. Once this is done and the information can be shared, all parties must satisfy compliance with the DPA.

The DPA places duties on organisations on how to process personal data (‘process’ includes obtaining, holding, use of or disclosure of information). It also gives rights to individuals e.g. to access information about themselves. There are eight DPA principles which form the backbone of the Act.

Where personal data is shared, the principles of the DPA must be met.

i. First principle: personal data should be processed fairly and lawfully. In addition, personal data should only be processed where one or more of the conditions of processing (in schedule 2/3 of the DPA – depending on whether it is personal data or sensitive personal data) of the DPA are met.

ii. Second principle: personal data shall be obtained for only one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.

iii. Third principle: personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

iv. Fourth principle: personal data shall be accurate and, where necessary, kept up to date.

v. Fifth principle: personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

vi. Sixth principle: personal data shall be processed in accordance with the rights of the data subjects under this Act.

vii. Seventh principle: appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

viii. Eighth principle: personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

2. Human Rights Act 1998: under Article 8 of the European Convention on Human Rights (brought into force by the Human Rights Act 1998) individuals have the ‘right to respect for private and family life, home and correspondence’. As a general rule, information sharing should not interfere with this right. Where the interference has a clear legal basis, is necessary, and is proportionate to the aim, it could be justified on the following grounds: national security, protection of the economy, public safety, protection of health or morals, prevention of crime and disorder, and the protection of the rights and freedoms of others.

3. Law of confidentiality: even though there may be legal powers to share, the law of confidence still applies (even after the death of the individual who the information is about). This means that anyone proposing to disclose information that is not publicly available and was obtained in circumstances giving rise to a duty of confidence will need to establish whether there is an overriding justification for doing so. If not, then consent would need to be obtained.

Appendix 3 - Conditions for processing personal and sensitive data

SCHEDULE 2 Conditions relevant for purposes of the first principle: processing of any personal data

1 The data subject has given his consent to the processing.

2 The processing is necessary—

(a) for the performance of a contract to which the data subject is a party, or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

3 The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

4 The processing is necessary in order to protect the vital interests of the data subject.

5 The processing is necessary—

(a) for the administration of justice,

(b) for the exercise of any functions conferred on any person by or under any enactment,

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or

(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

6 (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

(2) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.

SCHEDULE 3 Conditions relevant for purposes of the first principle: processing of sensitive personal data

1 The data subject has given his explicit consent to the processing of the personal data.

2 (1) The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.

(2) The Secretary of State may by order—

(a) exclude the application of sub-paragraph (1) in such cases as may be specified, or

(b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

3 The processing is necessary—

(a) in order to protect the vital interests of the data subject or another person, in a case where—

(i) consent cannot be given by or on behalf of the data subject, or

(ii) the data controller cannot reasonably be expected to obtain the consent of the data subject, or

(b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.

4 The processing—

(a) is carried out in the course of its legitimate activities by any body or association which—

(i) is not established or conducted for profit, and

(ii) exists for political, philosophical, religious or trade-union purposes,

(b) is carried out with appropriate safeguards for the rights and freedoms of data subjects,

(c) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes, and

(d) does not involve disclosure of the personal data to a third party without the consent of the data subject.

5 The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

6 The processing—

(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

(b) is necessary for the purpose of obtaining legal advice, or

(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

7 (1) The processing is necessary—

(a) for the administration of justice,

(b) for the exercise of any functions conferred on any person by or under an enactment, or

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.

(2) The Secretary of State may by order—

(a) exclude the application of sub-paragraph (1) in such cases as may be specified, or

(b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

8 (1) The processing is necessary for medical purposes and is undertaken by—

(a) a health professional, or

(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

(2) In this paragraph “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

9 (1) The processing—

(a) is of sensitive personal data consisting of information as to racial or ethnic origin,

(b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and

(c) is carried out with appropriate safeguards for the rights and freedoms of data subjects.

(2) The Secretary of State may by order specify circumstances in which processing falling within sub-paragraph (1)(a) and (b) is, or is not, to be taken for the purposes of sub-paragraph (1)(c) to be carried out with appropriate safeguards for the rights and freedoms of data subjects.

10 The personal data are processed in circumstances specified in an order made by the Secretary of State for the purposes of this paragraph.