Profile information Account settings
Sign up Log in

Make your Free Appropriate Policy Document (APD)

Create an appropriate policy document (APD) to outline your compliance measures and retention policies when processing special category or criminal offence personal data. Depending on why personal... ... Read more

Make document

How It Works

Create your document

Create your document

Answer a few simple questions to make your document in minutes

Save, print & share

Save, print & share

Save progress and finish on any device; download & print anytime

Sign & make it legal

Sign & make it legal

Securely sign online and invite others to sign

How to Make an Appropriate Policy Document (APD)

  • Summary of APD

    Create an appropriate policy document (APD) to outline your compliance measures and retention policies when processing special category or criminal offence personal data. Depending on why personal data is being processed, an APD may be required under a DPIA.

    Recently reviewed by Lauren Delin, Solicitor.

    This APD was last reviewed on 3 March 2022.

  • What is an APD?

    An APD is a document outlining your compliance measures and retention policies for special category 'sensitive' personal data (eg information about racial/ethnic origin, physical/mental health, sexual life and biometrics) and criminal offence data (eg criminal convictions and offences or related security measures). 

    An APD is needed such personal data is processed under a Data protection impact assessment (DPIA), to comply with your data protection obligations under the UK General Data Protection Regulations (GDPR) and Data Protection Act 2018.

    For more information, read Compliance for DPIAs.

  • What is a DPIA?

    A DPIA is a process designed to help organisations identify and minimise the data protection risks of a project. Where the processing (eg obtaining or recording) of personal data (eg names, addresses and information about racial or ethnic origin) is likely to result in a high risk to individuals, a DPIA needs to be completed. For more information, read Data protection impact assessments.

  • When should I use an APD?

    Use this APD:

    • if you have carried out a DPIA

    • if you are processing special category personal data and/or criminal offence data

    • where you and the data subjects (ie the individuals the data relates to) are based in the UK

  • What should an APD include?

    This APD covers:

    • the types of personal data

    • why you want to process the data (ie the purpose for processing)

    • the further conditions for processing special category personal data

    • the further conditions for processing criminal offence data

    • how data protection principles are complied with

    • your data retention and deletion policies

  • Do I need an APD?

    You need to have an APD when you process special category personal data or criminal offence data under certain specified conditions (as set out in a DPIA), as a specific accountability and documentation measure. Where an APD is required, it must be in place at the time of processing

    For example, an APD is always needed if you process special category data under the ‘employment, social security and social protection’. If you process special category data under the ‘substantial public interest’ condition, an APD is only needed in certain circumstances, depending on the ‘associated conditions’ relied on (eg an APD is not needed for the journalism, academia, art and literature condition).

    For criminal offence data, an APD must only be in place if you are processing criminal offence data by UK law in reliance on certain further conditions for processing (eg statutory and government purposes and administration of accounts used in the commission of indecency offences involving children).

    For more information on when an APD is needed, read Appropriate policy documents.

  • What is personal data?

    Personal data is information relating to individuals only who can be personally identified from that data (on its own or with other data held). Personal data includes names, addresses, telephone numbers, birthdates, job titles and online identifiers (eg IP addresses).

    There is a further 'special category’ of 'sensitive personal data' which is awarded greater protection under the law and includes information about:

    • racial or ethnic origin

    • political opinions

    • religious or similar beliefs

    • trade union membership

    • physical or mental health or condition

    • sexual life

    • biometrics (eg fingerprint data/facial images) and genetics

    While criminal offence data (personal data relating to criminal convictions and offences or related security measures) is treated separately from personal data and special category special data, it is subject to even tighter controls. 

    For more information on personal data, read Data protection.

  • What are the data protection principles?

    You need to comply with the data protection principles whenever you process personal data. These principles include:

    • the accountability principle - you are responsible for and must be able to demonstrate compliance with the law on data protection
    • lawfulness, fairness and transparency - any personal data collected must be processed fairly, lawfully and in a transparent manner
    • purpose limitation - personal data should only be collected for specified, explicit and legitimate purposes
    • data minimisation - personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed
    • accuracy - any personal data must be accurate and kept up to date
    • storage limitation - personal data must not be kept for longer than necessary
    • integrity and confidentiality (security) - personal data must be processed in a way that ensures the appropriate security of the data

    Your APD should cover these principles and set out your procedures for complying with them. For more information on the principles and how to comply with them, read Data protection principles.

  • Can personal data be used for a new purpose?

    If your purpose for processing personal data changes over time (or you want to process data for a new purpose), you can only do this if:

    • the new purpose is compatible with your original purpose (eg because the processing is for archiving purposes in the public interest or because there is a clear connection between your original and new purpose)

    • you obtain the data subject’s specific consent for the new purpose, or

    • you have a clear legal basis requiring (or allowing) the new processing in the public interest (eg if the new processing is for a public authority function)

    For more information, read Data protection principles.

  • What policies should I have in place?

    What policies you should have in place will depend on the specifics of your situation. However, you should generally consider having at least some of the following in place:

    • Data retention policy - setting out what data should be stored or archived, where that should happen and for how long

    • Information security policy - outlining security and other related matters (eg access to equipment and business continuity arrangements identifying how any personal data will be protected and recovered)

    • Privacy policy - outlining your practices about the collection, storage and use of personal data gathered on a website

    • Privacy notice - informing data subjects about the ‘what, how, where, why and when?’ regarding how you process their personal data

    Ask a lawyer if you require a bespoke policy drafted.

  • Further advice

    Ask a lawyer for advice if:

    • you have any questions about APDs

    • this document doesn’t meet your specific needs

    This APD is governed by the law of England, Wales and Scotland.

Other names for

UK APD, GDPR appropriate policy document, APD.

Last reviewed or updated 03/03/2022

Related documents

Ask a lawyer

Get quick answers from lawyers, easily.
Characters remaining: 600
Rocket Lawyer On Call Solicitors


Easy legal documents at your fingertips

Answer a few simple questions to make your document in minutes

Easily customisable
Make unlimited revisions and copies. Share and print anytime.
Legal and reliable
Our documents are vetted by lawyers and legal staff, so you can use them with confidence.
Sign online, anytime, anywhere
Get secure, digital signatures on any device in seconds.
Try Rocket Lawyer free for 7 days
Make your Premium document today and get back to doing what you love.

Looking for something else?