INTO Qualifications Special Category Personal Data Policy

Date of issue: August 2025

APPROPRIATE POLICY DOCUMENT: OUR PROCESSING OF SPECIAL CATEGORY AND CRIMINAL OFFENCE DATA

1. As part of our business operations, we process both Special Category ("SC") data and Criminal Offence ("CO") data. When we undertake such processing we comply with the UK’s General Data Protection Regulation (the "UK GDPR") and Data Protection Act 2018 (the "DPA") which may be amended from time to time by the Data (Use and Access) Act 2025, together with any further laws, codes of practice or guidance in relation to processing personal data and privacy which are either enacted or published by a relevant supervisory authority and which are applicable to us from time to time.

2. The purpose of this policy document is to explain how our processing of SC and CO data is consistent, where applicable, with Articles 9 and 10 of the UK GDPR, Schedule 1 of the DPA, and the Data Protection Principles set out in the UK GDPR, as well as to tell you about the length of time we need to hold such data.

3. WHAT IS SC DATA?

3.1 Article 9 of the UK GDPR defines SC data as being personal data which includes or reveals:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Genetic data;
  • Biometric data for the purpose of uniquely identifying a natural person;
  • Data concerning health; and
  • Data concerning a natural person’s sex life or sexual orientation.

3.2 Article 10 of the UK GDPR covers the processing of personal data which relates to criminal convictions, criminal offences, or related security measures.

3.3 Data protection law says that we can only process SC data if one of the conditions in Article 9(2) UK GDPR and/or in Schedule 1 of the DPA applies. If we process CO data, then this too must be on the basis of one of the Schedule 1 conditions.

3.4 Most of the conditions for processing SC or CO data also require us to have this Appropriate Policy Document in place to explain our procedures for compliance, and for the retention and erasure of the data.

4. DESCRIPTION OF THE DATA WE PROCESS

4.1 SC data will be processed about our current and former employees, including data in relation to disabilities for the purpose of reasonable access adjustments, or medical data, physical or mental health data, passport details and details in relation to equal opportunities monitoring. In each case, we process this data because it is necessary for us to fulfil our obligations or exercise our rights as an employer.

4.2 We process CO data about our employees, prospective employees and former employees as a part of our background checks, or where we need to comply with a legal obligation.

4.3 We also process SC and CO data about our students and prospective students that may include data in relation to disabilities for reasonable access adjustments, passport details for ID verification purposes, or details relating to equal opportunities reporting.

5. SCHEDULE 1 CONDITIONS

We rely on the following Schedule 1 conditions when we process SC data:

  • Part 1, Schedule 1 – Employment, Health and Research etc
    Paragraph 1(1)(a) employment, social security and social protection.
  • Part 2, Schedule 1 – Substantial Public Interest Conditions
    Paragraph 6(1) and (2)(a) statutory, etc. purposes.
    Paragraph 8(1) equality of opportunity or treatment.
    Paragraph 10(1) preventing or detecting unlawful acts.

We only process CO data where such processing is consistent with the following purposes in Parts 1 and 2 of Schedule 1:

Paragraph 1(1)(a) employment, social security and social protection.
Paragraph 6(1) and 6(2)(a) statutory, etc. purposes.
Paragraph 10(1) preventing or detecting unlawful acts.

6. PROCEDURES FOR COMPLYING WITH THE PRINCIPLES

6.1 The UK GDPR sets out a number of principles in relation to the processing of personal data. These are set out below, together with measures we have taken to ensure that our processing of SC and CO data is in compliance with them.

6.2 Accountability:

6.2.1 The UK GDPR requires us not only to comply with the data protection principles set out below, but to be able to demonstrate that we comply with them.

6.2.2 We have adopted several measures to meet this accountability requirement, including:

(A) carrying out annual data protection refresher training for our employees to ensure that data protection is at the heart of our decision making;

(B) implementing and maintaining an accurate record of our processing activities;

(C) implementing technical and organisational measures to protect the personal data that we process;

(D) putting a process in place to ensure that appropriate agreements are in place with organisations with whom we share personal data;

(E) ensuring we have appropriate privacy policies in place, and that our processing is consistent with them; and

(F) carrying out, where necessary, data privacy impact assessments.

We regularly review our accountability measures and update or amend them when required.

6.3 Principle (a): processing must be lawful, fair and transparent

6.3.1 UK GDPR states that processing must be lawful, fair and transparent. For processing to be lawful, it must be specifically consented to by the data subject or be necessary for one of the reasons set out in Article 6 of the UK GDPR. If the processing relates to SC or CO data, one of the Schedule 1 conditions must also apply.

6.3.2 We have identified a lawful basis for our processing, and a further Schedule 1 condition where the processing involves SC or CO data.

6.3.3 We set out our lawful bases for our processing (and the further conditions on which we rely) in our privacy notice, in greater detail in our Record of Processing Activities, and in this document. Our privacy notice provides transparent information about our processing.

6.3.4 We only process personal data in ways people would reasonably expect and use data privacy impact assessments and legitimate interests assessments to ensure that our processing is fair.

6.3.5 We are open and honest when we collect SC or CO data and do not mislead people about how we use it.

6.4 Principle (b): personal data must be collected for specific and legitimate purposes and processed in accordance with those purposes

6.4.1 Our privacy notice explains the purposes for which we process personal data, and we do not process personal data for purposes other than these.

6.4.2 We process SC data and CO data only where it is necessary for the purposes set out in one of the Schedule 1 conditions.

6.4.3 We do not process personal data for purposes which are incompatible with the purposes for which they were originally collected (unless this is to comply with a legal obligation, or to exercise a function which is set out in law).

6.5 Principle (c): personal data must be adequate, relevant and limited to what is necessary for the stated purposes

6.5.1 We aim to ensure we have sufficient SC and CO data for the purposes set out in the Schedule 1 conditions above, but do not collect or otherwise process SC or CO data in excess of what we require for these purposes.

6.5.2 If we become aware that personal data is provided to us which is not relevant for our purposes, we will require employees to erase it.

6.5.3 We use national guidance and take external advice to help us determine what information we need to process.

6.6 Principle (d): personal data must be accurate and, where necessary, kept up to date

6.6.1 We have processes in place to check the accuracy of the SC and CO data we hold, and we record the source of such data.

6.6.2 We correct any inaccuracies in the SC and CO data we hold when data subjects exercise their rights under Article 16.

6.6.3 We keep a record of any challenges to the accuracy of the personal data we hold.

6.7 Principle (e): personal data must be retained for no longer than necessary

6.7.1 We are considering how long we need to process the SC and CO data for, to enable us to justify the retention period we decide upon.

6.7.2 As part of our personal data retention review, we will implement reviews of the SC and CO data we hold and seek to erase it when it is no longer necessary for the purposes for which it was collected.

6.8 Principle (f): personal data must be kept securely

6.8.1 Encryption and pseudonymisation are used where it is considered appropriate for the level of sensitivity of the SC or CO data that we are processing.

6.8.2 We train our employees in the secure handling of SC and CO data in particular, and personal data in general.

6.8.3 We limit access to personal data to those of our employees, agents, contractors and third parties who have a business need to know the information.

6.8.4 We ensure that organisations that process personal data on our behalf implement technical and organisational measures which are sufficient to ensure the security of the data being processed.

7. RETENTION AND ERASURE

7.1 As set out above, we aim to retain personal data only for as long as necessary to fulfil the purposes we collected it for, including satisfying any legal, accounting, or reporting requirements (for example, to comply with reporting requirements in relation to the Office for Students, or UK Visas and Immigration, or tax reporting requirements to HMRC). We may also retain personal data for a period after this time if it is necessary and relevant for our legitimate operations.

7.2 In some circumstances we may anonymise personal data (so that it can no longer be associated with an individual) for statistical purposes, in which case we may use this information indefinitely.

7.3 Once an employee, worker or contractor leaves the company or a student is no longer studying with us, we will retain or destroy SC or CO data in accordance with applicable laws and regulation.

8. REVIEW DATE

8.1 This Appropriate Policy Document will be reviewed annually.