Appropriate Policy Document: Admission and Call to the Bar
Contents
1. Introduction
2. Description of data processed
3. Schedule 1 condition for processing
4. How we comply with the data protection principles
4.1 Accountability
4.2 Lawful, fair and transparent processing
4.5 Accuracy
4.7 Security
5. Retention and erasure policies
6. Appropriate Policy review date
7. Additional Special Category and Criminal Offence data processing
1. Introduction
The Honourable Society of the Middle Temple (“the Inn”) processes Special Category and Criminal Offence data in accordance with Articles 9 and 10 of the UK General Data Protection Regulation (UK GDPR) and Schedule 1 of the Data Protection Act (2018) (DPA).
Schedule 1 Part 4 of the DPA requires the Inn to have in place an Appropriate Policy Document when certain conditions for processing Special Category and Criminal Offence data are relied on. This policy will tell you what Special Category and Criminal data the Inn processes with respect to Admission to the Inn and Call to the Bar, the lawful basis (Schedule 1 condition in the DPA) for processing it, the purposes for which it is processed, and how the Inn ensures compliance with the principles of data protection law provided in Article 5 of the UK GDPR.
2. Description of data processed
During the process of applying to be a member of the Inn and the process of Call to the Bar the Inn processes the following types of Special Category and Criminal Offence data:
Criminal Offence data
Applicants for admission and for Call to the Bar must disclose criminal records in accordance with the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (‘the Exceptions order’) as amended by the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (Amendment) (England and Wales) Order 2013. For those wishing to be Called on or after 1st July 2021 the Bar Standards Board requires that this information is provided via a ‘Standard’ DBS check.
Individuals must also disclose any other matters (other than protected convictions and cautions), which might reasonably be thought to call into question their fitness to become a practising barrister. This includes, but is not limited to, relevant orders e.g. civil orders (including, but not limited to, serious crime prevention orders, non-molestation orders, community prevention orders, civil restraint orders, financial reporting orders); convictions for disciplinary offences by a professional or regulatory body; bankruptcy orders, debt relief orders, or directors disqualification orders, bankruptcy restrictions orders, debt relief restrictions orders.
Health and disability
Individuals must also disclose if they suffer from serious incapacity due to mental disorder (within the meaning of the Mental Health Act 1983), addiction to alcohol or drugs, or any other condition which might impair their fitness to become a practising barrister.
3. Schedule 1 condition for processing
The Inn relies on the following Schedule 1 conditions for processing Criminal Offence data and health and disability data in order to determine an individual’s fitness to practice:
UK GDPR Article 6 lawful basis for processing: Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
UK GDPR Article 9 lawful basis for processing [for health and disability data]: Article 9(2)(g) – processing is necessary for reasons of substantial public interest (with a basis in law).
DPA 2018 Schedule 1 condition for processing: Schedule 1 Part 2 para 12 – Regulatory requirements relating to unlawful acts and dishonesty. Processing of Criminal Offence data is necessary to comply with Bar Standards Board fitness to practise requirements which involve taking steps to establish whether an individual has committed an unlawful act, or been involved in dishonesty, malpractice or other seriously improper conduct.
4. How we comply with the data protection principles
Article 5(2) of the UK GDPR requires Data Controllers to demonstrate how they comply with the data protection principles provided in Article 5(1). The sub-sections below illustrate how the Inn ensures compliance with the principles of the UK GDPR and detail what measures the Inn has taken to demonstrate accountability for the personal data it processes.
4.1 Accountability
The Inn demonstrates its compliance with the data protection principles provided in Article 5 of the UK GDPR through the following measures and documents:
The Inn has appointed a Data Protection Officer whose role and responsibilities align with the provisions of Articles 37-39 of the UK GDPR.
The Inn has a Record of Processing Activities which sets out the personal data categories processed, the purposes, the lawful basis, retention periods for the data, any legitimate interests, Schedule 1 conditions for processing, recipients of personal data, any international transfers of data and the means of keeping data secure.
The Inn has a Data Protection Policy and Privacy Notices which explain to individuals how and why their data is processed, what their rights are, and how they can get in touch with the Data Protection Officer and the regulatory authority. These are available on the Inn’s website https://www.middletemple.org.uk/about-us/data-protection/privacy-policies-and-notices
When the Inn routinely and/or regularly shares data with third parties, written agreements are in place with Data Controllers and Data Processors which meet the provisions of Articles 26 and 28 of the UK GDPR respectively.
The Inn carries out data protection impact assessments (DPIA) for uses of personal data that are likely to result in a risk to individuals’ data protection rights and freedoms.
The Inn has appropriate security measures in place which are proportionate to the risk associated with the processing.
4.2 Lawful, fair and transparent processing
The Inn provides clear and transparent information to individuals in Privacy Notices about why their personal data is processed and the lawful basis for doing so. Applicants to join the Inn and applicants for Call to the Bar are provided with this privacy information when they complete the relevant forms or online application.
4.3 Purpose limitation
The Inn processes Special Category and Criminal Offence data collected at admission and at Call to the Bar in compliance with the legal obligation to determine whether an individual passes the fit and proper test to practise as a Barrister, as required by the Bar Standards Board.
It is possible that the Inn may process some Special Category and Criminal Convictions data for purposes not covered in this policy document. These conditions will either be covered by a separate Appropriate Policy Document, or are:
- where we ask for your explicit consent to process Special Category and Criminal Offence data;
- where processing is necessary to protect your vital interests; and
- for research, statistical and archival purposes.
Your personal data will not be processed for purposes which would be incompatible with the purpose for which the data was originally collected.
4.4 Data minimisation
At admission and Call to the Bar the Inn only collects the Special Category or Criminal Offence data necessary to achieve the purpose of determining whether an individual passes the fit and proper test to practise as a Barrister. This data is retained for long enough to fulfil this purpose, but for no longer than necessary, as set out in retention policies.
4.5 Accuracy
The majority of the Special Category and Criminal Offence data supplied to the Inn at admission and Call is provided by the individual concerned. Some information may be provided via the DBS conducted as part of the Call process. If an individual notifies the Inn that they believe the information held on them is inaccurate or out of date, the Inn will consider whether it is appropriate to rectify, replace or erase it as soon as possible and within one month. If there is a specific reason we cannot rectify or erase the data, for instance because the lawful basis does not permit it, we will record the decision.
4.6 Storage limitation
Special Category and Criminal Offence data processed by the Inn for the purpose of admission and Call will be retained for the periods set out in the Inn’s retention schedules. The retention policy for record categories is determined by legal and regulatory obligations, and business requirements. The retention schedules are available to view on request.
4.7 Security
The Inn stores electronic data on secure servers in the UK. There are appropriate security measures in place to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, access to personal data is limited to those employees, agents, contractors and other third parties who have a business need to know. There are procedures in place to deal with any suspected personal data breach and the Inn will notify you and any applicable regulator of a breach where we are legally required to do so.
5. Retention and erasure policies
The retention periods and disposal actions for records containing Special Category or Criminal Offence Data can be found on the Inn’s retention schedules which are available on request from the Data Protection Officer.
In summary, information obtained as part of the DBS check process will be securely destroyed after 1 year, although the Inn will retain a record of the result of the verification. In cases where the Inn requests to see a DBS certificate from individuals and where this is shared with the Inn’s Conduct Committee to determine eligibility for Call, this information will be retained as part of a member’s record.
6. Appropriate Policy review date
This policy will be retained for the duration of the processing, and for a minimum of 6 months thereafter.
The policy will be reviewed annually, or revised more frequently if necessary.
7. Additional Special Category and Criminal Offence data processing
The Inn may also process special category data and criminal offence data collected at admission and Call where an Appropriate Policy Document is not required e.g. for archival, research and statistical purposes. In these circumstances information will be provided about processing in the Inn’s Privacy Notices.
V01, 06 April 2021