Specia category data policy
This document sets out the policy of Middlebrooks Business Recovery & Advice Limited (“the Company”) on the way we process special category (sensitive) personal data and data relating to criminal offences. Special category data is data which the GDPR defines as sensitive personal information, needing a greater level of protection.
Criminal offence data is treated in a similar way under the legislation and so is also covered in this policy as the Company applies the same practical protections to it.
For the purposes of this policy, special category and criminal offence data are described as “sensitive personal information”.
Sensitive Personal Information
What is special category data?
The type of data considered to be “special category” is that which could create more significant risks to a person’s fundamental rights and freedoms, for example, by putting them at risk of unlawful discrimination. It includes personal data about:
- race;
- ethnic origin;
- politics;
- religion;
- trade union membership;
genetics; - biometrics (where used for ID purposes);
- health;
- sex life or sexual orientation.
We may from time to time hold such information about employees, advice clients or those involved in insolvency proceedings, where it is relevant to their employment or the insolvency case.
The most frequently occurring special category data that the Company processes will be health information. This may be volunteered to us by an employee or advice client or supplied to us in relation to an insolvency case by the insolvent party themselves, or other stakeholder in the insolvency process. This information in relation to an insolvency case may be relevant in legal proceedings in respect of their assets or liabilities.
Irrespective of the origins of the data, it will be afforded equal protection and privacy. See the relevant Privacy Notice for further information about the type of data we may hold about you.
Employees should refer to the Staff Handbook for further information about the policies and procedures as relate to them in that capacity.
Clients should refer to our Vulnerable Customers Policy, which explains in greater detail our approach to any vulnerabilities they may be experiencing.
What are the Company’s conditions for processing special category information?
Special category data may only be processed in situations where one (or more) of a number of conditions are met. In respect of special category data, we consider the following lawful bases will apply:
Lawful basis:
the data subject has given explicit consent to the processing of those personal data for one or more specified purposes
Example of data subjects:
Advice clients
Nature of processing:
Advice clients are invited to provide consent to such processing, which may be withdrawn (See also our Vulnerable Customers Policy)
Lawful basis:
processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
Example of data subjects:
Employees
Nature of processing:
As an employer, we will be lawfully processing a number of types of special category information about Staff Members, such as their sickness absence and/or disability information. (See the Staff Members and Job Applicants Privacy Notice for full details.)
Lawful basis:
processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
Example of data subjects:
Any
Nature of processing:
Employees or Clients who suffer some unexpected loss of capacity may be subject to processing on this basis. We expect such circumstances to be extremely rare.
Lawful basis:
processing relates to personal data which are manifestly made public by the data subject
Example of data subjects:
Any
Nature of processing:
Where a party has made public special category information that we consider to be relevant to our functions as an employer or an insolvency Office Holder, we may retain a record of it. We consider this will be uncommon.
Lawful basis:
processing is necessary for the establishment, exercise or defence of legal claims
Example of data subjects:
Insolvent individuals and company officers in formal insolvency proceedings
Nature of processing:
This will be the most common basis for processing special category information in the context of insolvency proceedings. Processing will be restricted to circumstances where the data is considered “necessary” to the proper performance of the functions of the Office Holder.
Lawful basis:
the processing is necessary for the purposes of making a disclosure in good faith under either section 21CA of the Terrorism Act 2000 or section 339ZB of the Proceeds of Crime Act 2002
Example of data subjects:
Individual clients and prospective clients, and the directors, beneficial owners and person with significant control of corporate clients or prospective clients
Nature of processing:
Fulfilment of customer due diligence pursuant to the prevailing anti-money laundering legislation may contain special category information, such as biometric information.
We do not generally anticipate holding special category data in respect of training and compliance customers or business contacts, unless they have requested particular adjustments to meet a disability requirement. In such circumstances, we consider the “made public” basis would apply.
What is criminal offence data?
Criminal offence data includes any information about criminal allegations, proceedings or convictions. This would include information about prosecutions under the Insolvency 1986 Act or Company Directors Disqualification Act 1986 (and associated legislation) and to allegations of wrongdoing that are made by stakeholders in insolvency proceedings against the insolvent party.
What are the Company’s conditions for processing criminal offence data?
Criminal offence data may only be processed in situations where one (or more) of a number of conditions are met. In respect of the criminal offence data that we process, we consider the following lawful bases may apply:
Lawful basis:
the data subject has given explicit consent to the processing of those personal data for one or more specified purposes
Example of data subjects:
Advice clients
Nature of processing:
Advice clients may from time to time volunteer information about criminal offences. A record of such a disclosure may be maintained where it is relevant to their financial affairs and the Client provides express consent.
Lawful basis:
the processing is necessary in the substantial public interest and is undertaken in the exercise of a function conferred on an insolvency Office Holder by the Insolvency Act 1986
Example of data subjects:
Parties to formal insolvency proceedings
Nature of processing:
Investigations into the affairs and conduct of insolvent individuals and directors and beneficial owners of insolvent companies in the pursuance of the proper functions of an insolvency Office Holder may result in information about criminal offences.
Lawful basis:
the processing is necessary for the purposes of the prevention or detection of an unlawful act and must be carried out without the consent of the data subject so as not to prejudice those purposes and is necessary for reasons of substantial public interest.
Example of data subjects:
Directors (de jure, de facto or shadow) of insolvent companies
Nature of processing:
Production and submission of reports pursuant to the Company Directors Disqualification Act 1986 may contain information about criminal offences.
Lawful basis:
the processing is necessary for the purposes of making a disclosure in good faith under either section 21CA of the Terrorism Act 2000 or section 339ZB of the Proceeds of Crime Act 2002
Example of data subjects:
Individual clients and prospective clients, and the directors, beneficial owners and person with significant control of corporate clients or prospective clients
Nature of processing:
Fulfilment of suspicious activity reporting obligations pursuant to the prevailing anti-money laundering and terrorist financing legislation may contain information about criminal offences.
Lawful basis:
processing is necessary for the establishment, exercise or defence of legal claims
Example of data subjects:
Insolvent individuals and company officers in formal insolvency proceedings
Nature of processing:
Where criminal offence data is relevant to a claim being established or defended by an insolvency Office Holder we may retain a record of it that may be used in the course of those proceedings.
Lawful basis:
processing relates to personal data which are manifestly made public by the data subject
Example of data subjects:
Any
Nature of processing:
Where a party has made public criminal offence information which we consider to be relevant to our functions as an employer or an insolvency Office Holder we may process such data.
Lawful basis:
processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
Example of data subjects:
Employees
Nature of processing:
As an employer, we may lawfully process information about criminal offences where these are relevant to the employee’s suitability to be concerned in the administration of insolvency appointments, particularly where such offences relate to fraud or dishonesty.
Processing Sensitive Personal Information
The Company will ensure that its processing activities in relation to sensitive personal information are lawful, fair, transparent and in accordance with this policy.
Information will be retained in accordance with the Company’s Data Retention and Destruction Policy. How long we believe it to be necessary for us to hold different types of personal information is shown in our Data Processing Register.
Access to sensitive personal information is restricted to those members of our staff that have a specific and identifiable need to access it:
- Sensitive personal information about employees is only routinely available to the employee’s Line Manager, Office Manager and Executive Director responsible for HR. Where the information is substantially relevant to the conduct of the business, it may be made available to the Directors, for example, there is a business need to plan for long term absence or to conduct disciplinary proceedings.
- Sensitive personal information about Clients and those involved in formal insolvency proceedings is only accessible by Staff Members engaged in the conduct of insolvency administration. Staff members engaged in purely administrative, sales or marketing functions are restricted from accessing such information.
- The Company takes the privacy of sensitive personal information very seriously. Staff members are required to treat all sensitive personal information with appropriate levels of sensitivity and respect and failure to do so may result in disciplinary processes.
Any breach of this policy will be reported and recorded in accordance with the Company’s Data Breach Policy.
This policy, and all others pertaining to data privacy, will be reviewed in the event of a significant data breach and in any event, biennially.
