General privacy notice

Appropriate Policy Document – our processing of special categories of personal data and criminal offence data

As part of the CAA’s statutory and corporate functions, we process special category data and criminal offence data in accordance with the requirements of Article 9 and 10 of the UK General Data Protection Regulation (‘GDPR’) and Schedule 1 of the Data Protection Act 2018 (‘DPA 2018’).

Special category data

Special category data is defined at Article 9 GDPR as personal data revealing:

• Racial or ethnic origin;
• Political opinions;
• Religious or philosophical beliefs;
• Trade union membership;
• Genetic data;
• Biometric data for the purpose of uniquely identifying a natural person;
• Data concerning health; or
• Data concerning a natural person’s sex life or sexual orientation.

Criminal conviction data

Article 10 GDPR covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.

This policy document

Some of the Schedule 1 conditions for processing special category and criminal offence data require us to have an Appropriate Policy Document (‘APD’) in place, setting out and explaining our procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data.                

This document explains our processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018.

In addition, it provides some further information about our processing of special category and criminal offence data where a policy document isn’t a specific requirement. The information supplements our General Privacy Notice.

Our processing of special category and criminal offence data for law enforcement purposes is not covered in this document. Processing for law enforcement purposes is carried out by us in our capacity as a competent authority and falls under Part 3 of the DPA 2018. For further information see our Safeguards Policy for sensitive law enforcement processing.

Conditions for processing special category and criminal offence data

We process special categories of personal data under the following GDPR Articles:

• Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the CAA or the data subject in connection with employment, social security or social protection.

Examples of our processing include staff sickness absences.

• Article 9(2)(g) - reasons of substantial public interest.

Schedule 1 of the DPA 2018, Part 2, Paragraph 12 - Regulatory requirements relating to unlawful acts and dishonesty etc

The Civil Aviation Authority is the statutory corporation which oversees and regulates all aspects of civil aviation in the United Kingdom. Our principal functions and duties are set out in primary legislation (the Civil Aviation Act 1982, the Airports Act 1986, the Transport Act 2000 and the Civil Aviation Act 2012) and in secondary legislation (principally the Air Navigation Order 2016). Our processing of personal data in this context is for the purposes of substantial public interest and is necessary for the carrying out of our role.

Examples of our processing include the information we seek or receive as part of investigating a complaint.

•  Article 9(2)(j) – for archiving purposes in the public interest.

The relevant purpose we rely on is Schedule 1 Part 1 paragraph 4 – archiving.

An example of our processing is the transfers we make to the National Archives as part of our obligations under the Public Records Act 1958.

• Article 9(2)(f) – for the establishment, exercise or defence of legal claims.

Examples of our processing include processing relating to any employment tribunal or other litigation.

• Article 9(2)(a) – explicit consent

In circumstances where we seek consent, we make sure that the consent is unambiguous and for one or more specified purposes, is given by an affirmative action and is recorded as the condition for processing.

• Article 9(2)(c) – where processing is necessary to protect the vital interests of the data subject or of another natural person.

An example of our processing would be using health information about a member of staff in a medical emergency.  

• Article 9(2)(h) – Health or social care

An example of our processing would be using medical diagnosis during issuance of a licence.

We process criminal offence data under Article 10 of the GDPR

Examples of our processing of criminal offence data include vetting individuals we regulate, pre-employment checks and declarations by an employee in line with contractual obligations.

Processing which requires an Appropriate Policy Document

Almost all of the substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018, plus the condition for processing employment, social security and social protection data, require an APD (see Schedule 1 paragraphs 1 and 5).

This section of the policy is the APD for the CAA. It demonstrates that the processing of special category (‘SC’) and criminal offence (‘CO’) data based on these specific Schedule 1 conditions is compliant with the requirements of the GDPR Article 5 principles.

Description of data processed 

We process the special category data about our colleagues that is necessary to fulfil our obligations as an employer. This includes information about their health and wellbeing, ethnicity, photographs and their membership of any trade union.

Our processing for reasons of substantial public interest relates to the data we receive or obtain in order to fulfil our statutory function as a regulator. Further information about this processing can be found in our General Privacy Notice.

We also maintain a record of our processing activities in accordance with Article 30 of the GDPR.

Schedule 1 conditions for processing

Special category data

We process SC data for the following purposes in Part 1 of Schedule 1:

• Paragraph 1(1) employment, social security and social protection.

We process SC data for the following purposes in Part 2 of Schedule 1. All processing is for the first listed purpose and might also be for others dependent on the context:

• Paragraph 6(1) and (2)(a) statutory, etc. purposes
• Paragraph 8(1)equality of opportunity or treatment
• Paragraph 10(1) preventing or detecting unlawful acts
• Paragraph 11(1) and (2) protecting the public against dishonesty
• Paragraph 12(1) and (2) regulatory requirements relating to unlawful acts and dishonesty

Criminal offence data

We process criminal offence data for the following purposes in parts 1 and 2 of Schedule 1:

• Paragraph 1 – employment, social security and social protection
• Paragraph 6(2)(a) – statutory, etc. purposes
• Paragraph 10(1) – Preventing or detecting unlawful acts

Procedures for ensuring compliance with the principles

Accountability principle 

We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:

• The appointment of a data protection officer who reports directly to our highest management level.
• Taking a ‘data protection by design and default’ approach to our activities.
• Maintaining documentation of our processing activities.
• Adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors.
• Implementing appropriate security measures in relation to the personal data we process.
• Carrying out data protection impact assessments for our high risk processing.

We regularly review our accountability measures and update or amend them when required.

Principle (a): lawfulness, fairness and transparency

Processing personal data must be lawful, fair and transparent. It is only lawful if and to the extent it is based on law and either the data subject has given their consent for the processing, or the processing meets at least one of the conditions in Schedule 1.

We provide clear and transparent information about why we process personal data including our lawful basis for processing in our general privacy notice, colleague privacy notice and this policy document.                

Our processing for purposes of substantial public interest is necessary for the exercise of a function conferred on the CAA by the legislation for which we act as a regulator e.g. The Civil Aviation Act 1982, the Airports Act 1986, the Transport Act 2000 and the Civil Aviation Act 2012 and in secondary legislation (principally the Air Navigation Order 2016).

We act as the regulator in all aspects of civil aviation in the United Kingdom.

Our processing for the purposes of employment relates to our obligations as an employer.

We also process special category personal data to comply with other obligations imposed on the CAA in its capacity as a public authority e.g. the Equality Act.

Principle (b): purpose limitation

We process personal data for purposes of substantial public interest as explained above when the processing is necessary for us to fulfil our statutory functions, where it is necessary for complying with or assisting another to comply with a regulatory requirement to establish whether an unlawful or improper conduct has occurred, to protect the public from dishonesty, preventing or detecting unlawful acts or for disclosure to elected representatives.           

We are authorised by law to process personal data for these purposes. We may process personal data collected for any one of these purposes (whether by us or another controller), for any of the other purposes here, providing the processing is necessary and proportionate to that purpose.

If we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose.

We will not process personal data for purposes incompatible with the original purpose it was collected for.

Principle (c): data minimisation

We collect personal data necessary for the relevant purposes and ensure it is not excessive. The information we process is necessary for and proportionate to our purposes. Where personal data is provided to us or obtained by us, but is not relevant to our stated purposes, we will erase it.

Principle (d): accuracy

Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights don’t apply, we will document our decision.

Principle (e): storage limitation

All special category data processed by us for the purpose of employment or substantial public interest is, unless retained longer for archiving purposes, retained for the periods set out in our retention schedules. We determine the retention period for this data based on our legal obligations and the necessity of its retention for our business needs. Our retention schedule is reviewed regularly and updated when necessary.

Principle (f): integrity and confidentiality (security)

Electronic information is processed within our secure network. Hard copy information is processed in line with our security procedures.

Our electronic systems and physical storage have appropriate access controls applied.

The systems we use to process personal data allow us to erase or update personal data at any point in time where appropriate.

APD review date

This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.

This policy will be reviewed annually or revised more frequently if necessary.

Sensitive processing for law enforcement purpose

The CAA are responsible for enforcing UK consumer laws that apply specifically to aviation. This includes legislation relating to price transparency, contract terms, passenger rights during flight disruption and access to air travel for passengers with reduced mobility. We also have concurrent powers with the Competition and Markets Authority (CMA) to enforce general consumer law in the aviation sector. This covers airlines, airports, tour operators and travel agents.

We also have concurrent powers with the Competition and Markets Authority (CMA) to enforce general consumer law in the aviation sector. This covers airlines, airports, tour operators and travel agents. 

The CAA also has civil powers to take enforcement action in relation to a range of passenger rights legislation and general consumer law. These powers come from Part 8 of the Enterprise Act 2002, and the CAA can seek undertakings from businesses that require them to comply with the law. If undertakings are not provided, or are breached, the CAA can seek an Enforcement Order from the Court.

As part of the CAA’s statutory functions, we can investigate and prosecute both companies and individuals for breaches of the legislation it is tasked with enforcing, for example breaches of The Air Navigation Order 2016. Investigations into alleged breaches of the law are carried out by the Investigations & Enforcement Team, in accordance with our Code of Practice.

The UK Civil Aviation Authority is a competent authority for the purpose of Part 3 of the Data Protection Act 2018 (DPA 2018) which applies to the processing of personal data by such authorities for law enforcement purposes.

These purposes are set out at section 31 DPA 2018 and include the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security.

Sensitive processing

Part 3 of the DPA 2018 outlines the requirement for an Appropriate Policy Document (APD) to be in place when processing sensitive personal data for law enforcement purposes.

Sensitive processing is defined in Part 3 section 35(8) and is equivalent to GDPR special category data. This includes:

• the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
• the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;
• the processing of data concerning health;
• the processing of data concerning an individual’s sex life or sexual orientation.

This policy document

This policy document outlines our sensitive processing for law enforcement purposes and explains:

1. Our procedures for securing compliance with the law enforcement data protection principles;
2. Our policies as regards the retention and erasure of personal data, giving an indication of how long the personal data is likely to be retained.

Our policy document – our processing of special categories of personal data and criminal conviction data explains our general processing of special category data when our processing is not for the primary purpose of law enforcement. Additional information about our more general processing can also be found in our general privacy notice.

Description of data processed

We carry out sensitive processing for law enforcement purposes during Criminal Investigations into offences committed under the legislation we regulate.

We carry out sensitive processing of all of the categories of data defined in Part 3 section 35(8).

Consent or Schedule 8 condition for processing

We carry out sensitive processing under section 35(3) DPA 2018 only in reliance on the consent of the data subject or where it is strictly necessary for the law enforcement purposes and it meets one of the conditions in schedule 8 of the DPA 2018.

The relevant schedule 8 condition for our processing is Schedule 8 paragraph 1 – statutory purposes.

Where personal data is retained as a public record to be transferred to The National Archives, our condition is Schedule 8 paragraph 9 – that the processing is necessary for archiving purposes in the public interest.

Procedures for ensuring compliance with the principles

Accountability principle

We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:

• The appointment of a data protection officer who reports directly to our highest management level.
• Taking a ‘data protection by design and default’ approach to our activities.
• Maintaining documentation of our processing activities.
• Adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors.
• Implementing appropriate security measures in relation to the personal data we process.
• Carrying out data protection impact assessments for our high risk processing.

We regularly review our accountability measures and update or amend them when required.

Principle (1): lawfulness and fairness

Processing for law enforcement must be lawful and fair. Sensitive processing is only permissible if it is:

• based on the consent of the data subject - section 35(4);

or

• is strictly necessary for the law enforcement purpose and is based on a Schedule 8 condition - section 35(5).

Our processing of sensitive data for law enforcement purposes satisfies the first Schedule 8 condition that it is necessary for the exercise of a function conferred on the CAA by the legislation for which we act as a regulator e.g. The Civil Aviation Act 1982, the Airports Act 1986, the Transport Act 2000 and the Civil Aviation Act 2012 and is necessary for reasons of substantial public interest. We are required to seek to prevent, detect, investigate and prosecute possible offences contained in the relevant legislation.

In circumstances where we seek consent, we make sure:

• The consent is unambiguous
• The consent is given by an affirmative action
• The consent is recorded as the condition for processing

Principle (2): purpose limitation

We process personal data for all of the law enforcement purposes listed at section 31 DPA 2018. These are the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security. The Civil Aviation Authority is tasked by the Department for Transport to investigate and prosecute breaches of aviation safety rules and some aviation related consumer protection and health and safety requirements.

We are authorised by law to carry out sensitive processing for any of these purposes. We may process personal data collected for one of these purposes (whether by us or another controller), for any of our other law enforcement purposes providing the processing is necessary and proportionate to that purpose.

We will only use data collected for a law enforcement purpose for purposes other than law enforcement where we are authorised by law to do so.

If we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose.

Principle (3): data minimisation

We do not systematically collect or harvest sensitive personal data for law enforcement purposes. The information we process is necessary for and proportionate to our purposes. It is processed in the context of us carrying out processes which enable us to meet our stated purposes for processing.

Where sensitive personal data is provided to us or obtained by us but is not relevant to our stated purposes, we will erase it.

Principle (4): accuracy

Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, we will document our decision.

We, as far as possible, distinguish between personal data based on facts and personal data based on personal assessments or opinions and mark the file to reflect the distinction. There are circumstances where this is not possible.

We, where relevant, and as far as possible, distinguish between personal data relating to different categories of data subject, such as

• People suspected of committing an offence
• People convicted of a criminal offence
• Known or suspected victims of a criminal offence
• Witnesses or other people with information about offences

We only do this where the personal data is relevant to the purpose being pursued.

We do this by marking the file in our records. Should the status of a data subject change our systems allow us to note the reason and amend the file.

We take reasonable steps to ensure that personal data which is inaccurate, incomplete or out of date is not transmitted or made available for any of the law enforcement purposes. We do this by verifying any data before sending it externally. We also provide the recipient with the necessary information we hold to assess the accuracy, completeness and reliability of the data.

If we discover, after transmission that the data was incorrect or should not have been transmitted, we will tell the recipient as soon as possible.

We document our decision to make personal data available for any of the law enforcement purposes.

Principle (5): storage limitation

We have corporate retention schedules and retain information processed for the purposes of law enforcement for 6 years from closure of the matter unless there is a legitimate reason to retain it for longer.

Principle (6): security

Electronic information is processed within our secure network. Hard copy information is processed within our secure premises. Where it is necessary for us to share information with third parties we consider the technical or organisational security measures they have in place before allowing access or transmitting data.

Electronic and hard copy information processed for the law enforcement purposes is only available to staff who carry out the processing for these purposes. Our electronic systems and physical storage have appropriate access controls applied.

The systems we use to process personal data for law enforcement purposes allow us to erase or update personal data at any point in time. They also allow us to log the following information:

• Collection
• Alteration
• Consultation (access)
• Identity of person who accessed
• Disclosures
• Combination of records
• Erasure

APD review date

This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.

This policy will be reviewed annually or revised more frequently if necessary.

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering a contract and the processing is automated.