Appropriate Policy Document

Last updated 30/06/2024

1. PURPOSE

Our Appropriate Policy Document outlines how we process, protect, retain, and erase special category (SC) and criminal offence (CO) personal data.

This Document details how we will comply with the Article 5 Principles of the UK General Data Protection Regulation (UK GDPR). It covers the processing of sensitive personal data and criminal offence data by Bulletproof as per Schedule 1 Part 1 of the Data Protection Act 2018 (DPA 2018).

2. LEGISLATION

The DPA 2018 outlines the requirement for an Appropriate Policy Document (APD) to be in place when processing special category (SC) and criminal offence (CO) personal data under certain specified conditions.

If the substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018 are relied upon, or the condition for processing employment, social security and social protection data, Bulletproof is required to have an APD in place. (See Schedule 1 Part 2 paragraph 1(1)(b) and Part 2 paragraph (5) of the DPA 2018.)

3. PROCESSED DATA TYPES

We must process personal information for the purposes of our services and to enable us to carry out our work, including being able to comply with contracts we have entered into.

We also collect and process the following types of special category and criminal offence data for processing employment, social security, and social protection:

  • Data concerning gender, sex life or sexual orientation
  • Genetic data
  • Biometric data for the purposes of uniquely identifying a natural person
  • Disability status
  • Sickness and health details
  • Race or ethnicity
  • Religion or philosophical beliefs
  • Trade union memberships
  • Disclosure and Barring Service checks

Criminal offence data is defined under Article 10 of the UK GDPR, which covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as “criminal offence data”.

4. SCHEDULE 1 CONDITION FOR PROCESSING

We have listed below the Schedule 1 conditions on which we rely to process sensitive data:

Schedule 1, Part 1, para 1 (employment and social protection), where Bulletproof needs to process Special Category/Criminal Offence data for the purposes of performing its obligations or rights as an employer, or for guaranteeing the social protection of individuals. Under Schedule 1, Part 2, and as recorded in Bulletproof’s employee privacy notice and RoPA, special category data is also collected for equal opportunities monitoring and pensions.

5. ACCOUNTABILITY PRINCIPLE

At Bulletproof, we prioritise our compliance with data protection principles. To demonstrate our compliance and accountability we have:

  • A Data Protection Officer, who is accountable for ensuring the data protection principles are applied.
  • Documented our processing activities within our Records of Processing Activities (RoPA), highlighting categories of personal data we process, the purposes, lawful bases for processing, retention periods for the personal data, recipients of personal data and international transfers of data.
  • Outlined in our privacy notices how and why an individual's data is processed by Bulletproof.
  • Carried out Data Protection Impact Assessments (DPIAs) for processes or changes involving personal data that are likely to result in a risk to individuals' data protection rights and freedoms.
  • Implemented data protection policies and ensured that we have written contracts in place with our data processors.
  • Adopted a “data protection by design and default” approach to our activities.
  • Evidenced that the personal data is:
    • Processed lawfully, fairly and transparently;
    • Collected for specific and legitimate purposes and processed in accordance with those purposes;
    • Adequate, relevant and limited to what is necessary for the stated purposes;
    • Accurate and, where necessary, kept up to date;
    • Retained for no longer than necessary; and
    • Kept secure.

6. LAWFULNESS, FAIRNESS AND TRANSPARENCY

We only process data lawfully and have identified the most suitable lawful basis to do so. We carry out DPIAs for uses of personal data that are likely to result in high risk to individuals' interests, and track these within the RoPA.

Individuals are provided with fully transparent privacy notices which inform them how and why we process personal data. These are bespoke where appropriate, or direct individuals to the Bulletproof Privacy Notice accessible on our website.

7. PURPOSE LIMITATION

Bulletproof does not process data for purposes outside of the original purposes for which it was collected. These purposes are clearly identified within our RoPA.

The purposes of all data collection and processing have been outlined within our privacy notices, which are clearly communicated. Personal data is not processed for other purposes without obtaining the Data Subject's consent, unless authorised by law.

If there are any changes to the purposes of data processing, we ensure that we have identified a suitable lawful basis for doing so, that any additional risks are accounted for, and we will document these and communicate these changes to the relevant people.

8. DATA MINIMISATION

We will only collect the data we need and nothing beyond what is necessary for the purposes for which the data was collected. We ensure that the data we collect is sufficient and relevant for the identified purposes.

Our DPIA Policy and Procedure ensures that the collected data is sufficient for purpose, but not excessive. This is also informed by our use of national guidance and relevant legislation to determine what information can and should be collected.

We periodically review this data, either annually or when necessary, and ensure that all data is deleted at the end of its retention period.

9. ACCURACY

All data processed by Bulletproof is accurate and kept up to date. Where we become aware that personal data is incorrect, we take the necessary steps to amend data that may be incorrect or outdated.

To ensure this, we review information regularly, and note who is responsible for ensuring the data is kept up to date. Additionally, settings are enabled within our systems that allow for rectification of inaccurate information, and the history of data changes (including source, and cause of mistake) must be recorded.

We have a Complaints Procedure, which would capture and manage any recorded complaints around data management. We also have a Data Breach Procedure, and an Individual's Rights Policy and Procedure.

10. STORAGE LIMITATION

Bulletproof retains personal data in accordance with our retention schedule, which is reviewed and updated regularly. Our retention schedule takes into account legal and regulatory obligations and business requirements. The schedule justifies the retention periods, lists how the data is deleted / destroyed / erased / anonymised, and clearly identifies any data that needs to be kept for archiving, scientific or historical research, or statistical purposes.

Our retention periods have been outlined within our Data Retention Schedule.

We review our data regularly (as noted in the RoPA) and destroy or archive it when it is no longer needed, as according to our Data Retention Procedure. We do so securely, using both physical and electronic destruction methods.

In addition, Data Subject's rights, including the “right to be forgotten” are explained in our Individual's Rights Policy and Procedure, and in our Privacy Notice on our website. In the event of a DSAR erasure request, we will delete the data as required by law.

11. INTEGRITY AND CONFIDENTIALITY

At Bulletproof, we have arranged appropriate technical, electronic, and physical security measures to protect the data we collect about individuals. We ensure that it is collected, held, processed, and destroyed in line with our RoPA and Data Protection Policies.

Our staff receive regular training to inform them how to keep information safe. We have enabled access controls in our systems and platforms to ensure that only authorised personnel can view or edit the data they need.

Our Information Security Policy outlines policies, processes and tools that are designed to protect personal data, assets and business information.

We have analysed the risks presented by our processing, and assessed and documented the appropriate level of security within our Information Risk Management Policy & Procedure and Data Protection Risk Log. There are higher security measures in place to protect sensitive data.

The company is ISO 27001 certified and also has Cyber Essentials and Cyber Essentials+ certifications.

12. FURTHER INFORMATION

Bulletproof is a Data Controller and a Data Processor. For further information, the Data Protection Officer can be contacted at:

Email: dpo@bulletproof.co.uk

Address: Unit H, Gateway 1000, Whittle Way, Stevenage, England, SG1 2FP

13. REVIEW

This version of the Appropriate Policy Document was last updated June 2024 and will be reviewed on a biennial basis unless any major changes to processing occur.
