GDPR Privacy Statement


  1. This is Test Valley Borough Council’s ‘Appropriate Policy Document’, setting out how the Council will process and protect ‘special category’ and criminal conviction/ offence personal data and the lawful basis for processing. 

  1. ‘Special category’ personal data is personal data revealing:

  • Racial or ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade Union membership

  • Genetic data

  • Biometric data for the purpose of uniquely identifying a natural person

  • Data concerning health

  • Data concerning a natural person’s sex life or sexual orientation.

  1. Criminal Conviction and Offence data (and related security measures) include personal data relating to the alleged commission of offences by the data subject or proceedings for an office committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing. 

  1. Conditions for processing special category and criminal conviction data.  The Council may process special category data under Article 9 of the General Data Protection Regulation (GDPR) where that processing is necessary for:

  • Conditions relating to employment, health and research, social security and social protection. 

  • Reasons of substantial public interest.

Article 10 of the GDPR allows processing of personal data relating to criminal convictions and offences under the control of ‘official authority’.  The Council may therefore process criminal conviction data under Article 10 whilst exercising official authority within the meaning set out at section 8 of the Data Protection Act 2018.  

  • Conditions relating to employment, social security and social protection 

    • This covers situations where processing is necessary for carrying out the obligations and exercising the rights of Test Valley Borough Council or the data subject in the field of employment, social security or social protection law. 

    • Public health purposes

  • Substantial public interest conditions:

This includes processing of data for the following purposes. 

    • Statutory etc. and government purposes. This includes the exercise of the functions conferred on the Council by law.

    • For the administration of justice. 

    • Ensuring equality of opportunity or treatment.

    • Preventing or detecting unlawful acts.

    • Protecting the public against dishonesty.

    • Regulatory requirements relating to unlawful acts and dishonesty.

    • Preventing fraud.

    • Disclosure in respect of suspicion of terrorist financing or money laundering. 

    • Support for individuals with a particular disability or medical condition.

    • Safeguarding of children and individuals at risk.

    • Safeguarding of the economic wellbeing of certain individuals.

    • Insurance purposes. 

    • Occupational pension reasons.

    • Disclosure to elected representatives to assist with requests from constituents. 

  • Additional conditions relating to Criminal Convictions etc. 

    • Extension of the ‘substantial public interest conditions’ in Part 2 of Schedule 1 to the Data Protection Act 2018 

    •  The Council is a “competent authority” within the meaning of section 30 of the Data Protection Act 2018 to the extent that it holds statutory functions for law enforcement purposes which are the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties including the safeguarding against and the prevention of threats to public security and may process data accordingly. 

    • The Council may process Criminal Convictions data in the exercise of its statutory functions and as part of its employment/recruitment checks. 

  1. Compliance with Data Protection Principles.  

The Council complies with the data protection principles set out at Article 5 of the General Data Protection Regulation 2016. 

The Council will:

  1. process personal data lawfully, fairly and in a transparent matter;

  2. only collect personal data for specified, explicit and legitimate purposes and will not process it further in a manner incompatible with those purposes; 

  3. ensure the personal data it collects is adequate, relevant and limited to what is necessary for the purposes for which it is processed; 

  4. ensure that personal data is accurate, where necessary kept up to date and will take every reasonable step to ensure that any inaccurate personal data (having regard to the purposes for which it is held) is rectified or erased without delay;

  5. ensure that personal data is kept in a form which permits identification for no longer than is necessary for the purpose for which it is processed; and

  6. process personal data in a matter that ensures appropriate security of the personal data – including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. 

The Council demonstrates its responsibility and accountability for compliance with the above principles in a number of ways including (but not necessarily limited to):

  • maintaining records of its data processing activities.

  • carrying out Data Privacy Impact Assessments (DPIAs) where appropriate and in particular for high risk processing.  

  • appointing a Data Protection Officer, who reports to the highest level of management.