Make your Free Appropriate Policy Document (APD)

Create an appropriate policy document (APD) to outline your compliance measures and retention policies when processing special category or criminal offence personal data. Depending on why personal data is being processed, an APD may be required under a DPIA.

Recently reviewed by Lauren Delin, Solicitor.

This APD was last reviewed on 3 March 2022.

An APD is a document outlining your compliance measures and retention policies for special category 'sensitive' personal data (eg information about racial/ethnic origin, physical/mental health, sexual life and biometrics) and criminal offence data (eg criminal convictions and offences or related security measures). 

An APD is needed such personal data is processed under a Data protection impact assessment (DPIA), to comply with your data protection obligations under the UK General Data Protection Regulations (GDPR) and Data Protection Act 2018.

For more information, read Compliance for DPIAs.

A DPIA is a process designed to help organisations identify and minimise the data protection risks of a project. Where the processing (eg obtaining or recording) of personal data (eg names, addresses and information about racial or ethnic origin) is likely to result in a high risk to individuals, a DPIA needs to be completed. For more information, read Data protection impact assessments.

Use this APD:

• if you have carried out a DPIA

• if you are processing special category personal data and/or criminal offence data

• where you and the data subjects (ie the individuals the data relates to) are based in the UK

This APD covers:

• the types of personal data

• why you want to process the data (ie the purpose for processing)

• the further conditions for processing special category personal data

• the further conditions for processing criminal offence data

• how data protection principles are complied with

• your data retention and deletion policies

You need to have an APD when you process special category personal data or criminal offence data under certain specified conditions (as set out in a DPIA), as a specific accountability and documentation measure. Where an APD is required, it must be in place at the time of processing. 

For example, an APD is always needed if you process special category data under the ‘employment, social security and social protection’. If you process special category data under the ‘substantial public interest’ condition, an APD is only needed in certain circumstances, depending on the ‘associated conditions’ relied on (eg an APD is not needed for the journalism, academia, art and literature condition).

For criminal offence data, an APD must only be in place if you are processing criminal offence data by UK law in reliance on certain further conditions for processing (eg statutory and government purposes and administration of accounts used in the commission of indecency offences involving children).

For more information on when an APD is needed, read Appropriate policy documents.

Personal data is information relating to individuals only who can be personally identified from that data (on its own or with other data held). Personal data includes names, addresses, telephone numbers, birthdates, job titles and online identifiers (eg IP addresses).

There is a further 'special category’ of 'sensitive personal data' which is awarded greater protection under the law and includes information about:

• racial or ethnic origin

• political opinions

• religious or similar beliefs

• trade union membership

• physical or mental health or condition

• sexual life

• biometrics (eg fingerprint data/facial images) and genetics

While criminal offence data (personal data relating to criminal convictions and offences or related security measures) is treated separately from personal data and special category special data, it is subject to even tighter controls. 

For more information on personal data, read Data protection.

You need to comply with the data protection principles whenever you process personal data. These principles include:

• the accountability principle - you are responsible for and must be able to demonstrate compliance with the law on data protection
• lawfulness, fairness and transparency - any personal data collected must be processed fairly, lawfully and in a transparent manner
• purpose limitation - personal data should only be collected for specified, explicit and legitimate purposes
• data minimisation - personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed
• accuracy - any personal data must be accurate and kept up to date
• storage limitation - personal data must not be kept for longer than necessary
• integrity and confidentiality (security) - personal data must be processed in a way that ensures the appropriate security of the data

Your APD should cover these principles and set out your procedures for complying with them. For more information on the principles and how to comply with them, read Data protection principles.

If your purpose for processing personal data changes over time (or you want to process data for a new purpose), you can only do this if:

• the new purpose is compatible with your original purpose (eg because the processing is for archiving purposes in the public interest or because there is a clear connection between your original and new purpose)

• you obtain the data subject’s specific consent for the new purpose, or

• you have a clear legal basis requiring (or allowing) the new processing in the public interest (eg if the new processing is for a public authority function)

For more information, read Data protection principles.

What policies you should have in place will depend on the specifics of your situation. However, you should generally consider having at least some of the following in place:

• Data retention policy - setting out what data should be stored or archived, where that should happen and for how long

• Information security policy - outlining security and other related matters (eg access to equipment and business continuity arrangements identifying how any personal data will be protected and recovered)

• Privacy policy - outlining your practices about the collection, storage and use of personal data gathered on a website

• Privacy notice - informing data subjects about the ‘what, how, where, why and when?’ regarding how you process their personal data

Ask a lawyer if you require a bespoke policy drafted.

Ask a lawyer for advice if:

• you have any questions about APDs

• this document doesn’t meet your specific needs

This APD is governed by the law of England, Wales and Scotland.