ScotRail Trains appropriate policy document

This Policy Document explains SRT’s processing of special category personal data (SC) and criminal offence (CO) data and its policies with regard to the retention and erasure of personal data processed in reliance on these conditions. It satisfies the requirement of the Data Protection Act 2018 (DPA 18) Part 4 for a Data Controller to have in place an ‘appropriate policy document’. This should be read in conjunction with our Data Protection Policy.

This Policy covers all processing carried out by ScotRail:

  • which is subject to UK General Data Protection Regulation (GDPR) Articles 9 and 10
  • in reliance on the conditions set out in the Data Protection Act 2018, Schedule 1: Special categories of personal data and criminal convictions etc. data, in particular:
    • Part 1 Conditions relating to employment, health and research etc.
    • Part 3 Additional conditions relating to criminal convictions etc.

When we process special categories of personal data a condition under UK GDPR Article 9 must be satisfied. We will reference the following:

  • Explicit consent of the data subject
  • Necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law
  • To protect the vital interests of the data subject
  • Where personal data has manifestly been made public by the data subject
  • Necessary for establishment, exercise or defence of legal claims
  • Necessary for reasons of substantial public interest
  • Health or social care
  • Necessary for archiving purposes in the public interest, scientific or historical research or statistical purposes in accordance with UK GDPR Article 89(1)

Description of Data Processed

  • Racial/ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic and biometric data
  • Data concerning health
  • Data concerning sex life or sexual orientation
  • Criminal offence data

Our Schedule 1 Conditions for Processing

Schedule 1 Part 1

Conditions relating to Employment, Social Security and Social Protection and for Health and Social Care purposes:

  • For the purpose of carrying out our obligations as an employer in connection with our rights under employment law or for guaranteeing the social protection of individuals
  • Processing data relating to criminal convictions under Article 10 UK GDPR in connection with our rights under employment law

Schedule 1 Part 2

Substantial Public Interest Conditions:

  • Complying with legal requirements, such as the requirement to disclose information in connection with legal proceedings

Equality of opportunity:

  • Processing necessary to ensure that SRT fulfils its public sector equality duty when carrying out its activities
  • To ensure compliance with obligations under legislation such as the Equality Act 2010
  • Monitoring equality of opportunity or treatment between groups of people with a view to enabling equality to be promoted or maintained

Racial and ethnic diversity at senior levels of the organisation:

  • Processing necessary to promote or maintain diversity, or to identify suitable individuals to hold senior positions

Preventing or detecting unlawful acts:

  • Processing criminal offence data without the consent of the data subject in order to prevent or detect unlawful acts, where obtaining consent would prejudice those purposes

Protecting the public against dishonesty etc:

  • Assisting authorities and enforcement agencies in connection with their regulatory requirements
  • Carrying out investigations and disciplinary actions relating to employees

Preventing fraud:

  • Processing necessary for the purposes of preventing fraud
  • Disclosure or processing in accordance with arrangements made by an anti-fraud organisation

Counselling:

  • For the provision of counselling, advice or support or of another similar service provided confidentially

Safeguarding of children and individuals at risk:

  • Protecting vulnerable children and/or individuals aged over 18 who are at risk of neglect or of physical, mental or emotional harm
  • Sharing information with relevant agencies for the purposes of safeguarding
  • Identifying individuals at risk during incidents or potential incidents

Insurance:

  • Claims for loss or damage to SRT property
  • Claims for compensation made against SRT by third parties

Occupational pensions:

  • Fulfilling our obligation to provide an occupational pension scheme
  • Determining the benefits payable to dependants of pension scheme members

Disclosure to elected representatives:

  • Assisting elected representatives such as local government Councillors and Members of Parliament with requests for assistance on behalf of their constituents

Schedule 1 Part 3

Additional Conditions Relating to Criminal Convictions, etc:

  • Consent
  • Protecting vital interests
  • Personal data in the public domain
  • Legal proceedings (including prospective legal proceedings) and advice
  • Administration of accounts used in commission of indecency offences involving children
  • Extension of conditions in Part 2 of Schedule 1 referring to substantial public interest
  • Extension of insurance conditions

Ensuring Compliance with the Data Protection Principles

Accountability

We have in place appropriate technical, security and organisational measures to demonstrate our accountability. The Information Management Group is comprised of senior managers from across the organisation and reviews all areas of data protection and information security. Regular data protection and information management reports are submitted to the Executive.

Our measures include:

  • Implementing data protection and information security policies
  • Carrying out Data Protection Impact Assessments (DPIAs) when the processing is likely to result in high risk to individuals
  • Ensuring that we have written contracts in place with our data processors and data sharing agreements with our partners
  • A designated Data Protection Officer
  • Maintaining our personal data asset registers
  • Keeping training records
  • Maintaining logs of information security incidents and requests from data subjects

Principle A – Lawfulness, fairness and transparency

We will ensure that:

  • SC/CO data is only processed where a lawful basis applies under Articles 6, 9 and 10 of the UK GDPR and (where required) a condition under Schedule 1 of the DPA 18 has been identified
  • Data subjects are provided with clear and transparent information about why we process their personal data in our privacy notices and this policy document

Principle B – Purpose limitation

We will ensure that:

  • The SC/CO data we process will be for specified purposes
  • We only process this data where we have a lawful purpose for doing so
  • Data subjects will be informed of those purposes in a Privacy Notice
  • The data will not be processed for purposes incompatible with the original purpose it was collected for

Principle C – Data minimisation

We will ensure that:

  • SC/CO data we process is adequate, relevant and limited to what is necessary for the purpose for which it is processed
  • SC/CO data is retained in accordance with our retention schedule

Principle D – Accuracy

We will ensure that:

  • SC/CO data is kept accurate and up to date, and we make best endeavours to ensure it is rectified or erased without delay if we become aware that it is out of date or inaccurate. Where we need to retain such information, we will record the reasons for this.
  • Requests from data subjects challenging the accuracy of the information we hold are acted upon and recorded

Principle E – Storage Limitation

We will ensure that:

  • SC/CO data is retained in line with our retention schedule unless we have identified a need to keep it for public interest archiving, scientific or historical research, or statistical purposes
  • The retention period is based on our legal obligations and business needs and reviewed regularly and updated when necessary
  • We only keep personal data in identifiable form as long as is necessary for the purpose for which it is processed

Principle F – Integrity and Confidentiality

We will ensure that all SC/CO data is protected against unauthorised processing and accidental loss, damage or destruction using appropriate technical and organisational measures, for example:

  • Appropriate physical and technical access control
  • Data classification
  • Encryption where appropriate
  • Robust Information Management and Cyber security policies and practices
  • Documented breach and incident management procedures
  • Supplier risk management

Retention and Erasure Policies

We will ensure that SC/CO data is only held where it is necessary and is disposed of in line with our retention schedule. We review and update our retention schedule regularly, and it is published on our website and Intranet. When information is disposed of, it is done securely.

  • Employee information is held for the duration of employment with SRT plus 6 years in line with statutory requirements.
  • Claims information may be held for up to 10 years, or as required by our insurers.
  • Information relating to accidents or incidents will be held in line with statutory and regulatory requirements.
  • Information relating to fraud or potential fraud may be shared with law enforcement agencies and retained by us for 7 years.

Review

We will retain this document for at least 6 months after the processing has ceased. This document will be reviewed every three years, or sooner if required.